From: Marcus Meissner <meissner@suse.de>
Subject: Re: [oss-security] Xen Security Advisory 9 (CVE-2012-2934) - PV guest host DoS (AMD erratum #121)
To: oss-security@lists.openwall.com
Date: Wed, 20 Jun 2012 11:45:07 +0200
Organization: SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendoerffer, HRB 16746 (AG Nuernberg)
Reply-To: oss-security@lists.openwall.com
Message-ID: <20120620094507.GD13893@suse.de>

Index: git/xen/arch/x86/cpu/amd.c
===================================================================
--- git.orig/xen/arch/x86/cpu/amd.c	2012-06-21 08:35:43.162741642 +0200
+++ git/xen/arch/x86/cpu/amd.c	2012-06-21 08:35:43.178741969 +0200
@@ -41,8 +41,11 @@
 integer_param("cpuid_mask_ext_ecx", opt_cpuid_mask_ext_ecx);
 integer_param("cpuid_mask_ext_edx", opt_cpuid_mask_ext_edx);
 
-static int opt_allow_unsafe;
+#ifdef __x86_64__
+/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot */
+int __read_mostly opt_allow_unsafe;
 boolean_param("allow_unsafe", opt_allow_unsafe);
+#endif
 
 static inline void wrmsr_amd(unsigned int index, unsigned int lo, 
 		unsigned int hi)
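Review bot: The comment on the new declaration documents a -1 ("don't allow boot") state, but the `boolean_param` on the following line, as far as its name suggests, only ever stores 0 or 1 from the command line, and no line in this patch assigns -1; unless some other site sets it, the `opt_allow_unsafe < 0` panic branch in the second amd.c hunk is unreachable and the comment overstates what an administrator can select. Either name where -1 comes from, e.g. `/* 1 = allow, 0 = don't allow guest creation, -1 = don't allow boot (not settable via "allow_unsafe") */`, or drop the value if nothing assigns it. Dropping `static` also means the i386 build loses the `allow_unsafe` option entirely, which is consistent with the erratum handling being x86_64-only but worth a word in the commit message.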
@@ -558,10 +561,19 @@
 		clear_bit(X86_FEATURE_MCE, c->x86_capability);
 
 #ifdef __x86_64__
-	if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
+	if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121))
+		opt_allow_unsafe = 1;
+	else if (opt_allow_unsafe < 0)
 		panic("Xen will not boot on this CPU for security reasons.\n"
 		      "Pass \"allow_unsafe\" if you're trusting all your"
 		      " (PV) guest kernels.\n");
+	else if (!opt_allow_unsafe && c == &boot_cpu_data)
+		printk(KERN_WARNING
+		       "*** Xen will not allow creation of DomU-s on"
+		       " this CPU for security reasons. ***\n"
+		       KERN_WARNING
+		       "*** Pass \"allow_unsafe\" if you're trusting"
+		       " all your (PV) guest kernels. ***\n");
 
 	/* AMD CPUs do not support SYSENTER outside of legacy mode. */
 	clear_bit(X86_FEATURE_SEP, c->x86_capability);
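Review bot: `opt_allow_unsafe = 1` is assigned for every CPU that lacks the erratum, while the decision in domain.c is keyed to `boot_cpu_data`; on a system whose boot CPU is affected but a later-initialised CPU is not, the global flips to 1 after the refusal warning has already been printed and DomU creation is silently permitted again. The `c == &boot_cpu_data` test on the warning branch shows this path runs for secondary CPUs too, so the promotion should be limited the same way: `if (!cpu_has_amd_erratum(c, AMD_ERRATUM_121)) { if (c == &boot_cpu_data) opt_allow_unsafe = 1; }`. Whether mixed-stepping systems are supported at all I cannot tell from the hunk; if they are not, a comment stating that the flag is intentionally a boot-CPU property would make the per-CPU assignment less surprising. The enclosing function starts and ends outside the hunk.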
Index: git/xen/arch/x86/domain.c
===================================================================
--- git.orig/xen/arch/x86/domain.c	2012-06-21 08:35:43.114740661 +0200
+++ git/xen/arch/x86/domain.c	2012-06-21 08:35:43.178741969 +0200
@@ -49,6 +49,7 @@
 #include <asm/msr.h>
 #include <asm/traps.h>
 #include <asm/nmi.h>
+#include <asm/amd.h>
 #include <xen/numa.h>
 #include <xen/iommu.h>
 #ifdef CONFIG_COMPAT
@@ -434,6 +435,20 @@
 
 #else /* __x86_64__ */
 
+    if ( d->domain_id && !is_idle_domain(d) &&
+         cpu_has_amd_erratum(&boot_cpu_data, AMD_ERRATUM_121) )
+    {
+        if ( !opt_allow_unsafe )
+        {
+            printk(XENLOG_G_ERR "Xen does not allow DomU creation on this CPU"
+                   " for security reasons.\n");
+            return -EPERM;
+        }
+        printk(XENLOG_G_WARNING
+               "Dom%d may compromise security on this CPU.\n",
+               d->domain_id);
+    }
+
     BUILD_BUG_ON(PDPT_L2_ENTRIES * sizeof(*d->arch.mm_perdomain_pt_pages)
                  != PAGE_SIZE);
     pg = alloc_domheap_page(NULL, MEMF_node(domain_to_node(d)));
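Review bot: The new `return -EPERM` exits the enclosing function directly, whereas the allocation right after it presumably goes through the function's existing failure label; if anything has been acquired before this point (the function starts outside the hunk, so I cannot tell), this early return would skip that cleanup and should become a jump to the same label with the error code set. The refusal message also omits which domain was refused while the warning two lines below includes it; for log correlation during incident review, `printk(XENLOG_G_ERR "Xen does not allow Dom%d creation on this CPU for security reasons.\n", d->domain_id);` keeps the two messages consistent. Note that this check only consults `boot_cpu_data`, so it relies on the flag set in arch/x86/cpu/amd.c reflecting the boot CPU.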
Index: git/xen/include/asm-x86/amd.h
===================================================================
--- git.orig/xen/include/asm-x86/amd.h	2012-06-21 08:35:43.166741724 +0200
+++ git/xen/include/asm-x86/amd.h	2012-06-21 08:35:43.178741969 +0200
@@ -138,4 +138,7 @@
 		        AMD_MODEL_RANGE(0x12, 0x0, 0x0, 0x1, 0x0))
 
 int cpu_has_amd_erratum(const struct cpuinfo_x86 *, int, ...);
+#ifdef __x86_64__
+extern int opt_allow_unsafe;
+#endif
 #endif /* __AMD_H__ */
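Review bot: The new `extern int opt_allow_unsafe;` carries no description of its value encoding, and the only reader outside arch/x86/cpu/amd.c tests it with `!opt_allow_unsafe`, so a future caller has to open amd.c to learn that negative and positive values mean different things. A one-line comment at the declaration would suffice: `/* <0: refuse to boot, 0: refuse DomU creation, >0: allow; set in arch/x86/cpu/amd.c */`.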
