File xsa463-01.patch of Package xen.36400
From: Jan Beulich <jbeulich@suse.com>
Subject: x86/HVM: drop stdvga's "cache" struct member
Since 68e1183411be ("libxc: introduce a xc_dom_arch for hvm-3.0-x86_32
guests"), HVM guests are built using XEN_DOMCTL_sethvmcontext, which
ends up disabling stdvga caching because of arch_hvm_load() being
involved in the processing of the request. With that the field is
useless, and can be dropped. Drop the helper functions manipulating /
checking as well right away, but leave the use sites of
stdvga_cache_is_enabled() with the hard-coded result the function would
have produced, to aid validation of subsequent dropping of further code.
This is part of XSA-463 / CVE-2024-45818
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
(cherry picked from commit 53b7246bdfb3c280adcdf714918e4decb7e108f4)
--- a/xen/arch/x86/hvm/save.c
+++ b/xen/arch/x86/hvm/save.c
@@ -76,9 +76,6 @@ int arch_hvm_load(struct domain *d, stru
/* Time when restore started */
d->arch.hvm.sync_tsc = rdtsc();
- /* VGA state is not saved/restored, so we nobble the cache. */
- d->arch.hvm.stdvga.cache = STDVGA_CACHE_DISABLED;
-
return 0;
}
--- a/xen/arch/x86/hvm/stdvga.c
+++ b/xen/arch/x86/hvm/stdvga.c
@@ -101,37 +101,6 @@ static void vram_put(struct hvm_hw_stdvg
unmap_domain_page(p);
}
-static void stdvga_try_cache_enable(struct hvm_hw_stdvga *s)
-{
- /*
- * Caching mode can only be enabled if the the cache has
- * never been used before. As soon as it is disabled, it will
- * become out-of-sync with the VGA device model and since no
- * mechanism exists to acquire current VRAM state from the
- * device model, re-enabling it would lead to stale data being
- * seen by the guest.
- */
- if ( s->cache != STDVGA_CACHE_UNINITIALIZED )
- return;
-
- gdprintk(XENLOG_INFO, "entering caching mode\n");
- s->cache = STDVGA_CACHE_ENABLED;
-}
-
-static void stdvga_cache_disable(struct hvm_hw_stdvga *s)
-{
- if ( s->cache != STDVGA_CACHE_ENABLED )
- return;
-
- gdprintk(XENLOG_INFO, "leaving caching mode\n");
- s->cache = STDVGA_CACHE_DISABLED;
-}
-
-static bool_t stdvga_cache_is_enabled(const struct hvm_hw_stdvga *s)
-{
- return s->cache == STDVGA_CACHE_ENABLED;
-}
-
static int stdvga_outb(uint64_t addr, uint8_t val)
{
struct hvm_hw_stdvga *s = ¤t->domain->arch.hvm.stdvga;
@@ -171,7 +140,6 @@ static int stdvga_outb(uint64_t addr, ui
if ( !prev_stdvga && s->stdvga )
{
gdprintk(XENLOG_INFO, "entering stdvga mode\n");
- stdvga_try_cache_enable(s);
}
else if ( prev_stdvga && !s->stdvga )
{
@@ -468,7 +436,7 @@ static int stdvga_mem_write(const struct
};
struct hvm_ioreq_server *srv;
- if ( !stdvga_cache_is_enabled(s) || !s->stdvga )
+ if ( true || !s->stdvga )
goto done;
/* Intercept mmio write */
@@ -536,18 +504,12 @@ static bool_t stdvga_mem_accept(const st
* We cannot return X86EMUL_UNHANDLEABLE on anything other then the
* first cycle of an I/O. So, since we cannot guarantee to always be
* able to send buffered writes, we have to reject any multi-cycle
- * I/O and, since we are rejecting an I/O, we must invalidate the
- * cache.
- * Single-cycle write transactions are accepted even if the cache is
- * not active since we can assert, when in stdvga mode, that writes
- * to VRAM have no side effect and thus we can try to buffer them.
+ * I/O.
*/
- stdvga_cache_disable(s);
-
goto reject;
}
else if ( p->dir == IOREQ_READ &&
- (!stdvga_cache_is_enabled(s) || !s->stdvga) )
+ (true || !s->stdvga) )
goto reject;
/* s->lock intentionally held */
--- a/xen/include/asm-x86/hvm/io.h
+++ b/xen/include/asm-x86/hvm/io.h
@@ -141,19 +141,12 @@ struct vpci_arch_msix_entry {
int pirq;
};
-enum stdvga_cache_state {
- STDVGA_CACHE_UNINITIALIZED,
- STDVGA_CACHE_ENABLED,
- STDVGA_CACHE_DISABLED
-};
-
struct hvm_hw_stdvga {
uint8_t sr_index;
uint8_t sr[8];
uint8_t gr_index;
uint8_t gr[9];
bool_t stdvga;
- enum stdvga_cache_state cache;
uint32_t latch;
struct page_info *vram_page[64]; /* shadow of 0xa0000-0xaffff */
spinlock_t lock;
