[Xen-devel] [PATCH] ioemu: various fixes to 18383:dade7f0bdc8d
I encountered ioemu SEGV while playing with guest firmware.
Usually guest firmware doesn't issue such IOs, so it doesn't matter.
But a malicious guest can do so. The following patch fixes it.

BTW, is there any plan to port the c/s of 18383:dade7f0bdc8d to ioemu-remote?

thanks,

ioemu: various fixes to 18394:dade7f0bdc8d

various fixes to 18394:dade7f0bdc8d
- fix xc_memory_op(): handles XENMEM_remove_from_physmap case.
- fix ioemu segv with old firmware
  Without notifying ioemu of address, ioemu will segv.
- fix qemu-dm segv with malicious firmware
  If notifying ioemu more than once, ioemu will segv.
  Usually such cases don't happen, but malicious guest can do it
  intentionally.

Signed-off-by: Isaku Yamahata <yamahata@xxxxxxxxxxxxx>

diff -r 9b5e1e05e886 tools/ioemu/hw/cirrus_vga.c --- a/tools/ioemu/hw/cirrus_vga.c Mon Sep 01 17:50:13 2008 +0900 +++ b/tools/ioemu/hw/cirrus_vga.c Tue Sep 09 20:58:04 2008 +0900 @@ -2553,7 +2553,11 @@ end = begin + VGA_RAM_SIZE; fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end); - + if (!s->vram_mfns) { + fprintf(logfile, "Found old firmware skiping mapping vram\n"); + return; + } + xatp.domid = domid; xatp.space = XENMAPSPACE_mfn; diff -r 9b5e1e05e886 tools/ioemu/hw/vga.c --- a/tools/ioemu/hw/vga.c Mon Sep 01 17:50:13 2008 +0900 +++ b/tools/ioemu/hw/vga.c Tue Sep 09 20:58:04 2008 +0900 @@ -2080,7 +2080,13 @@ if (copy) memcpy(vram, xen_vga_state->vram_ptr, VGA_RAM_SIZE); - qemu_free(xen_vga_state->vram_ptr); + if (xen_vga_state->vram_mfns) { + /* In case this function is called more than once */ + free(xen_vga_state->vram_mfns); + munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE); + } else { + qemu_free(xen_vga_state->vram_ptr); + } xen_vga_state->vram_ptr = vram; xen_vga_state->vram_mfns = pfn_list; #ifdef CONFIG_STUBDOM diff -r 9b5e1e05e886 tools/libxc/xc_private.c --- a/tools/libxc/xc_private.c Mon Sep 01 17:50:13 2008 +0900 +++ b/tools/libxc/xc_private.c Tue Sep 09 20:58:04 2008 +0900
@@ -307,6 +307,13 @@ goto out1; } break; + case XENMEM_remove_from_physmap: + if ( lock_pages(arg, sizeof(struct xen_remove_from_physmap)) ) + { + PERROR("Could not lock"); + goto out1; + } + break; case XENMEM_current_reservation: case XENMEM_maximum_reservation: case XENMEM_maximum_gpfn: @@ -339,6 +346,9 @@ break; case XENMEM_add_to_physmap: unlock_pages(arg, sizeof(struct xen_add_to_physmap)); + break; + case XENMEM_remove_from_physmap: + unlock_pages(arg, sizeof(struct xen_remove_from_physmap)); break; case XENMEM_current_reservation: case XENMEM_maximum_reservation:

--
yamahata
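Review bot: In the tools/ioemu/hw/cirrus_vga.c hunk (@@ -2553,7 +2553,11 @@), the new `if (!s->vram_mfns)` early return sits after the existing `fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);`, so on the old-firmware path the log first claims a mapping and then reports that it was skipped. Move the NULL check above that fprintf so the log reflects what actually happened, and fix the "skiping" typo in the new message while there. A short comment stating that `vram_mfns` is NULL until the guest has notified ioemu of the address would make the intent of the check clear to the next reader.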
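Review bot: In the tools/ioemu/hw/vga.c hunk (@@ -2080,7 +2080,13 @@), the new branch decides whether `vram_ptr` must be released with `munmap()` or `qemu_free()` purely from `vram_mfns` being non-NULL, and that ownership rule is not stated anywhere in the visible code. Since this path is reachable by guest-controlled repeated notification, document the invariant next to the struct fields or track the allocation kind explicitly, so a later change to either pointer cannot reintroduce a mismatched free. The return value of `munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE)` is also ignored; at least log a failure. Finally, `vram_mfns` is released with plain `free()` while the else branch uses `qemu_free()`; please confirm that matches how `pfn_list` is allocated, which is outside the lines shown.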
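Review bot: The tools/libxc/xc_private.c change (@@ -307,6 +307,13 @@ and its matching unlock at @@ -339,6 +346,9 @@) is a libxc fix to xc_memory_op() that is independent of the two ioemu segv fixes, so it would be easier to review, backport and bisect as its own patch. The commit message also says only that the `XENMEM_remove_from_physmap` case is now handled; it should state what went wrong before the `lock_pages(arg, sizeof(struct xen_remove_from_physmap))` call was added. `PERROR("Could not lock")` gives no hint of which sub-op failed; naming the op in the message would help when this shows up in a log.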