[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2017-5754 - XEN silent_disable?


On Fri, 12 Jan 2018, Vincent Lefevre wrote:

> But I think I've found the reason:
> 
> In arch/x86/mm/kaiser.c:
> 
> void __init kaiser_check_boottime_disable(void)
> {
> [...]
>         if (boot_cpu_has(X86_FEATURE_XENPV))
>                 goto silent_disable;
> [...]
> disable:
>         pr_info("disabled\n");
> 
> silent_disable:
>         kaiser_enabled = 0;
>         setup_clear_cpu_cap(X86_FEATURE_KAISER);
> }
> 
> I must be in the "silent_disable" case (this is a Xen guest).
> 
> It's unfortunate that no-one mentions this case!
> 

It is an unfortunate situation all around, no doubt!  I did a quick 
websearch and found contrary opinions about whether Xen paravirtualization 
is affected or not, whether a patched server and a patched guest is 
necessary, and to what degree patching one or the other protects either, 
and from whom.

Very unfortunate.
Reply to: