On 21/04/2025 6:53 pm, REIMA ISHII wrote:
> I am writing to follow up on the bug report I sent, regarding a BUG()
> triggered in Xen when performing a nested VMRUN with CR0.PG=0 in Long
> Mode. The issue was discussed with Andrew Cooper at that time, and I
> would like to check if there have been any updates or plans for
> addressing this issue.
>
> To briefly recap:
> - The problem occurs when an L1 hypervisor, while in 64-bit mode,
> executes VMRUN with CR0.PG=0 in VMCB12, targeting a
> 64-bit L2 guest.
> - Instead of raising VMEXIT_INVALID, the system encounters a BUG() at
> `nsvm_vmcb_guest_intercepts_exitcode`.
> - VMEXIT reason observed was 0x402 (AVIC_NOACCEL), although Xen does not
> support AVIC.
>
> Andrew pointed out that this could indicate either a missing validity
> check (as the state LMA=1 && PG=0 is invalid) or possible memory
> corruption.
>
> Given that this issue could potentially allow a guest VM to trigger a
> hypervisor panic, I believe it might be worth formally recognizing and
> addressing.
> May I kindly ask if this has been acknowledged as a bug internally, or
> if there are any plans to handle this case safely (e.g., raising
> VMEXIT_INVALID instead of BUG()) in future Xen releases?
>
> Thank you very much for your time

Sorry, also fell between the cracks.  I've opened
https://gitlab.com/xen-project/xen/-/issues/216

Again, no idea when I'll have time to look into this.

~Andrew
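As an added illustration of the behaviour the report asks for, here is a small model (my own example, not Xen's code and not from either correspondent) of an L0 that validates the guest state in VMCB12 before attempting to enter L2, and reflects VMEXIT_INVALID to L1 when that state is inconsistent instead of trusting it and hitting a bogus exit code later. The struct, field names and scenario helpers are assumptions made for this example; the rules are a subset of the architectural VMRUN consistency checks, plus the EFER.LMA=1 with CR0.PG=0 combination the report identifies as the trigger.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural bit positions for the CR0/CR4/EFER bits used below. */
#define CR0_PE     (1ULL << 0)
#define CR0_NW     (1ULL << 29)
#define CR0_CD     (1ULL << 30)
#define CR0_PG     (1ULL << 31)
#define CR4_PAE    (1ULL << 5)
#define EFER_LME   (1ULL << 8)
#define EFER_LMA   (1ULL << 10)
#define EFER_SVME  (1ULL << 12)

/* VMCB segment attribute packing: bits 8..11 carry descriptor bits 52..55 (AVL, L, D/B, G). */
#define SEG_ATTR_L (1u << 9)
#define SEG_ATTR_D (1u << 10)

/* Exit code reported to L1 when the VMCB it supplied holds inconsistent guest state. */
#define VMEXIT_INVALID (-1LL)

/* Hypothetical, trimmed model of the guest-state fields of an L1-supplied VMCB (VMCB12). */
struct vmcb12_state {
    uint64_t cr0, cr4, efer;
    uint16_t cs_attr;
    uint32_t asid;
    bool intercept_vmrun;   /* L1 must itself intercept VMRUN from L2 */
};

/* Name of the first rule the state violates, or NULL when it may be loaded. */
static const char *vmcb12_consistency_violation(const struct vmcb12_state *s)
{
    bool lme = s->efer & EFER_LME, lma = s->efer & EFER_LMA;
    bool pg = s->cr0 & CR0_PG, pe = s->cr0 & CR0_PE, pae = s->cr4 & CR4_PAE;
    bool cs_l = s->cs_attr & SEG_ATTR_L, cs_d = s->cs_attr & SEG_ATTR_D;

    if (!(s->efer & EFER_SVME))
        return "EFER.SVME clear";
    if (!(s->cr0 & CR0_CD) && (s->cr0 & CR0_NW))
        return "CR0.CD clear with CR0.NW set";
    if (s->cr0 >> 32)
        return "CR0[63:32] non-zero";
    if (lme && pg && !pae)
        return "EFER.LME and CR0.PG set without CR4.PAE";
    if (lme && pg && !pe)
        return "EFER.LME and CR0.PG set without CR0.PE";
    if (lme && pg && pae && cs_l && cs_d)
        return "CS.L and CS.D both set in long mode";
    /* The reported case: LMA is only ever set when LME=1 and PG=1. */
    if (lma && !(lme && pg))
        return "EFER.LMA set without EFER.LME and CR0.PG";
    if (s->asid == 0)
        return "ASID zero";
    if (!s->intercept_vmrun)
        return "VMRUN intercept clear";
    return NULL;
}

/*
 * What L0 does on an intercepted L1 VMRUN: validate VMCB12 first and deliver
 * VMEXIT_INVALID to L1 on failure; only otherwise go on to build VMCB02 and
 * enter L2.  Returns the exit code for L1, or 0 when L2 may be entered.
 */
int64_t nested_vmrun(const struct vmcb12_state *s)
{
    const char *why = vmcb12_consistency_violation(s);
    if (why) {
        printf("VMRUN rejected: %s -> VMEXIT_INVALID\n", why);
        return VMEXIT_INVALID;
    }
    return 0;
}

/* Constructed scenarios (not captured from real hardware). */
int64_t check_reported_case(void)      /* 64-bit L1, LMA=1 but PG=0 in VMCB12 */
{
    struct vmcb12_state s = { CR0_PE, CR4_PAE, EFER_SVME | EFER_LME | EFER_LMA,
                              SEG_ATTR_L, 1, true };
    return nested_vmrun(&s);
}

int64_t check_valid_long_mode_l2(void) /* well-formed 64-bit L2 */
{
    struct vmcb12_state s = { CR0_PE | CR0_PG, CR4_PAE, EFER_SVME | EFER_LME | EFER_LMA,
                              SEG_ATTR_L, 1, true };
    return nested_vmrun(&s);
}

int64_t check_paging_without_pae(void) /* LME and PG set, CR4.PAE clear */
{
    struct vmcb12_state s = { CR0_PE | CR0_PG, 0, EFER_SVME | EFER_LME | EFER_LMA,
                              SEG_ATTR_L, 1, true };
    return nested_vmrun(&s);
}

int main(void)
{
    printf("reported case  -> %lld\n", (long long)check_reported_case());
    printf("valid 64-bit L2 -> %lld\n", (long long)check_valid_long_mode_l2());
    printf("PG without PAE  -> %lld\n", (long long)check_paging_without_pae());
    return 0;
}
```

The point of ordering the check before any VMCB02 construction is that every field of VMCB12 is guest-controlled: anything derived from it (including the exit code later fed to an intercept lookup) must be treated as untrusted until the state has been validated, and the only architecturally correct outcome for inconsistent state is an exit to L1 with VMEXIT_INVALID, never a fault in L0.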
