On 21/04/2025 6:53 pm, REIMA ISHII wrote:
> I am writing to follow up on the bug report I sent, regarding a BUG()
> triggered in Xen when performing a nested VMRUN with CR0.PG=0 in Long
> Mode. The issue was discussed with Andrew Cooper at that time, and I
> would like to check if there have been any updates or plans for
> addressing this issue.
>
> To briefly recap:
> - The problem occurs when an L1 hypervisor, while in 64-bit mode,
>   executes VMRUN with CR0.PG=0 in VMCB12, targeting a 64-bit L2 guest.
> - Instead of raising VMEXIT_INVALID, the system encounters a BUG() at
>   `nsvm_vmcb_guest_intercepts_exitcode`.
> - VMEXIT reason observed was 0x402 (AVIC_NOACCEL), although Xen does not
>   support AVIC.
>
> Andrew pointed out that this could indicate either a missing validity
> check (as the state LMA=1 && PG=0 is invalid) or possible memory
> corruption.
>
> Given that this issue could potentially allow a guest VM to trigger a
> hypervisor panic, I believe it might be worth formally recognizing and
> addressing.
>
> May I kindly ask if this has been acknowledged as a bug internally, or
> if there are any plans to handle this case safely (e.g., raising
> VMEXIT_INVALID instead of BUG()) in future Xen releases?
>
> Thank you very much for your time
Sorry, also fell between the cracks. I've opened https://gitlab.com/xen-project/xen/-/issues/216

Again, no idea when I'll have time to look into this.

~Andrew
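The safe handling the report asks for is a consistency check on the VMCB12 guest state before the nested VMRUN path trusts it, so that LMA=1 with PG=0 yields VMEXIT_INVALID instead of reaching a BUG(). The sketch below is an added example written for this thread, not Xen's code or either participant's; the `struct vmcb12_state` is a hypothetical trimmed-down view of the relevant VMCB fields, and the three rules beyond the LMA/PG case are taken from the architectural VMRUN consistency checks.

```c
#include <stdbool.h>
#include <stdint.h>

/* Architectural bit positions in the guest-state registers loaded from a VMCB. */
#define EFER_LME   (1ULL << 8)
#define EFER_LMA   (1ULL << 10)
#define CR0_PE     (1ULL << 0)
#define CR0_NW     (1ULL << 29)
#define CR0_CD     (1ULL << 30)
#define CR0_PG     (1ULL << 31)
#define CR4_PAE    (1ULL << 5)

/* Exit code VMRUN reports for an inconsistent guest state (SVM). */
#define VMEXIT_INVALID  ((int64_t)-1)

/* Hypothetical, trimmed-down view of the VMCB12 guest state that a nested-virt
 * path copies from the L1 guest; constructed for this example only. */
struct vmcb12_state {
    uint64_t efer;
    uint64_t cr0;
    uint64_t cr4;
};

/* True when the state is architecturally consistent; false when VMRUN must
 * fail with VMEXIT_INVALID. Covers the combination from the report
 * (LMA=1 with PG=0) plus a few other rules hardware VMRUN enforces. */
bool vmcb12_state_is_consistent(const struct vmcb12_state *s)
{
    bool lma = s->efer & EFER_LMA, lme = s->efer & EFER_LME;
    bool pg  = s->cr0 & CR0_PG,    pe  = s->cr0 & CR0_PE;
    bool pae = s->cr4 & CR4_PAE;

    /* Long mode can only be active with paging enabled: LMA=1 && PG=0 is invalid. */
    if (lma && !pg)
        return false;
    /* Enabling paging in long mode requires PAE and protected mode. */
    if (lme && pg && (!pae || !pe))
        return false;
    /* CR0.NW set while CR0.CD is clear is illegal. */
    if ((s->cr0 & CR0_NW) && !(s->cr0 & CR0_CD))
        return false;
    return true;
}

/* Gate an emulated VMRUN would apply before consuming VMCB12 any further:
 * an inconsistent state is reported back to L1, never acted upon. */
int64_t nested_vmrun_check(const struct vmcb12_state *s)
{
    return vmcb12_state_is_consistent(s) ? 0 : VMEXIT_INVALID;
}
```

A state that passes this gate but still produces an exit code the hypervisor cannot have configured (such as 0x402 on a host without AVIC) points at the memory-corruption possibility Andrew raised rather than at a missing check.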