1. Patchew
  2. Xen
  3. View series

[PATCH] x86/IDT: Fix IDT generation for INT $0x80

Andrew Cooper posted 1 patch 9 months, 1 week ago
Patches applied successfully (tree, apply log)
git fetch https://gitlab.com/xen-project/patchew/xen tags/patchew/20250311212248.3630583-1-andrew.cooper3@citrix.com
xen/arch/x86/include/asm/gen-idt.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] x86/IDT: Fix IDT generation for INT $0x80
Posted by Andrew Cooper 9 months, 1 week ago 
When PV is enabled, entry_int80 needs to be DPL3, not DPL0.

This causes the XSA-259 PoC to fail with:

  --- Xen Test Framework ---
  Environment: PV 64bit (Long mode 4 levels)
  XSA-259 PoC
  Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
  Test result: ERROR

(Clearly I have a bug in XTF's rendering of the error code too.)

Reported-by: Luca Fancellu <luca.fancellu@arm.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Luca Fancellu <luca.fancellu@arm.com>
---
 xen/arch/x86/include/asm/gen-idt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/arch/x86/include/asm/gen-idt.h b/xen/arch/x86/include/asm/gen-idt.h
index 9c8810edf9d7..d1da73248c1c 100644
--- a/xen/arch/x86/include/asm/gen-idt.h
+++ b/xen/arch/x86/include/asm/gen-idt.h
@@ -77,7 +77,7 @@ GEN16(6);
 GEN16(7);
 
 #ifdef CONFIG_PV
-GEN(0x80, entry_int80,      DPL0, manual);
+GEN(0x80, entry_int80,      DPL3, manual);
 #else
 GEN(0x80, entry_0x80,       DPL0, autogen);
 #endif
-- 
2.39.5
Re: [PATCH] x86/IDT: Fix IDT generation for INT $0x80
Posted by Luca Fancellu 9 months, 1 week ago 
Hi Andrew,

> On 11 Mar 2025, at 21:22, Andrew Cooper <andrew.cooper3@citrix.com> wrote:
> 
> When PV is enabled, entry_int80 needs to be DPL3, not DPL0.
> 
> This causes the XSA-259 PoC to fail with:
> 
>  --- Xen Test Framework ---
>  Environment: PV 64bit (Long mode 4 levels)
>  XSA-259 PoC
>  Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
>  Test result: ERROR
> 
> (Clearly I have a bug in XTF's rendering of the error code too.)
> 
> Reported-by: Luca Fancellu <luca.fancellu@arm.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

I’ve runned XTF on this one and I confirm it solves the issue:

Tested-by: Luca Fancellu <luca.fancellu@arm.com>
Re: [PATCH] x86/IDT: Fix IDT generation for INT $0x80
Posted by Andrew Cooper 9 months, 1 week ago 
On 11/03/2025 9:22 pm, Andrew Cooper wrote:
> When PV is enabled, entry_int80 needs to be DPL3, not DPL0.
>
> This causes the XSA-259 PoC to fail with:
>
>   --- Xen Test Framework ---
>   Environment: PV 64bit (Long mode 4 levels)
>   XSA-259 PoC
>   Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
>   Test result: ERROR
>
> (Clearly I have a bug in XTF's rendering of the error code too.)

Fixes: 3da2149cf4dc ("x86/IDT: Generate bsp_idt[] at build time")

Adjusted locally.

~Andrew

> Reported-by: Luca Fancellu <luca.fancellu@arm.com>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> CC: Jan Beulich <JBeulich@suse.com>
> CC: Roger Pau Monné <roger.pau@citrix.com>
> CC: Luca Fancellu <luca.fancellu@arm.com>
> ---
>  xen/arch/x86/include/asm/gen-idt.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/xen/arch/x86/include/asm/gen-idt.h b/xen/arch/x86/include/asm/gen-idt.h
> index 9c8810edf9d7..d1da73248c1c 100644
> --- a/xen/arch/x86/include/asm/gen-idt.h
> +++ b/xen/arch/x86/include/asm/gen-idt.h
> @@ -77,7 +77,7 @@ GEN16(6);
>  GEN16(7);
>  
>  #ifdef CONFIG_PV
> -GEN(0x80, entry_int80,      DPL0, manual);
> +GEN(0x80, entry_int80,      DPL3, manual);
>  #else
>  GEN(0x80, entry_0x80,       DPL0, autogen);
>  #endif
Re: [PATCH] x86/IDT: Fix IDT generation for INT $0x80
Posted by Jan Beulich 9 months, 1 week ago 
On 11.03.2025 22:27, Andrew Cooper wrote:
> On 11/03/2025 9:22 pm, Andrew Cooper wrote:
>> When PV is enabled, entry_int80 needs to be DPL3, not DPL0.
>>
>> This causes the XSA-259 PoC to fail with:
>>
>>   --- Xen Test Framework ---
>>   Environment: PV 64bit (Long mode 4 levels)
>>   XSA-259 PoC
>>   Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
>>   Test result: ERROR
>>
>> (Clearly I have a bug in XTF's rendering of the error code too.)
> 
> Fixes: 3da2149cf4dc ("x86/IDT: Generate bsp_idt[] at build time")

Reviewed-by: Jan Beulich <jbeulich@suse.com>

Jan
Re: [PATCH] x86/IDT: Fix IDT generation for INT $0x80
Posted by Andrew Cooper 9 months, 1 week ago 
On 11/03/2025 9:27 pm, Andrew Cooper wrote:
> On 11/03/2025 9:22 pm, Andrew Cooper wrote:
>> When PV is enabled, entry_int80 needs to be DPL3, not DPL0.
>>
>> This causes the XSA-259 PoC to fail with:
>>
>>   --- Xen Test Framework ---
>>   Environment: PV 64bit (Long mode 4 levels)
>>   XSA-259 PoC
>>   Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
>>   Test result: ERROR
>>
>> (Clearly I have a bug in XTF's rendering of the error code too.)

Nope, it's a QEMU bug.  Under QEMU, we get:

--- Xen Test Framework ---
Environment: PV 64bit (Long mode 4 levels)
XSA-259 PoC
(XEN) [    3.982447] *** #GP/IDT ec 00000802
(XEN) [    3.982668] *** #GP/IDT ec 00000802, not permitted
(XEN) [    3.982849] *** #GP inject ec 00000802
Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
Test result: ERROR


On real hardware:

(d1) --- Xen Test Framework ---
(d1) Environment: PV 64bit (Long mode 4 levels)
(d1) XSA-259 PoC
(XEN) *** #GP/IDT ec 00000402
(XEN) *** #GP/IDT ec 00000402, not permitted
(XEN) *** #GP inject ec 00000402
(d1) Success: Not vulnerable to XSA-259
(d1) Test result: SUCCESS

So it's by chance that Luca's testing even picked up this failure.  The
XSA-259 PoC can't distinguish between the #GP INT emulation path and the
INT80 fastpath's error path which injects #GP.

~Andrew
Re: [PATCH] x86/IDT: Fix IDT generation for INT $0x80
Posted by Andrew Cooper 9 months, 1 week ago 
On 11/03/2025 11:36 pm, Andrew Cooper wrote:
> On 11/03/2025 9:27 pm, Andrew Cooper wrote:
>> On 11/03/2025 9:22 pm, Andrew Cooper wrote:
>>> When PV is enabled, entry_int80 needs to be DPL3, not DPL0.
>>>
>>> This causes the XSA-259 PoC to fail with:
>>>
>>>   --- Xen Test Framework ---
>>>   Environment: PV 64bit (Long mode 4 levels)
>>>   XSA-259 PoC
>>>   Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
>>>   Test result: ERROR
>>>
>>> (Clearly I have a bug in XTF's rendering of the error code too.)
> Nope, it's a QEMU bug.  Under QEMU, we get:
>
> --- Xen Test Framework ---
> Environment: PV 64bit (Long mode 4 levels)
> XSA-259 PoC
> (XEN) [    3.982447] *** #GP/IDT ec 00000802
> (XEN) [    3.982668] *** #GP/IDT ec 00000802, not permitted
> (XEN) [    3.982849] *** #GP inject ec 00000802
> Error: Unexpected fault 0x800d0802, #GP[IDT[256]]
> Test result: ERROR
>
>
> On real hardware:
>
> (d1) --- Xen Test Framework ---
> (d1) Environment: PV 64bit (Long mode 4 levels)
> (d1) XSA-259 PoC
> (XEN) *** #GP/IDT ec 00000402
> (XEN) *** #GP/IDT ec 00000402, not permitted
> (XEN) *** #GP inject ec 00000402
> (d1) Success: Not vulnerable to XSA-259
> (d1) Test result: SUCCESS
>
> So it's by chance that Luca's testing even picked up this failure.  The
> XSA-259 PoC can't distinguish between the #GP INT emulation path and the
> INT80 fastpath's error path which injects #GP.

And a patch submitted.

https://lore.kernel.org/qemu-devel/20250312000603.3666083-1-andrew.cooper3@citrix.com/T/#u

~Andrew

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.