[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Ping: [Patch v2] x86/mm: Prevent leaking domain mappings in paging_log_dirty_op()

To: "Tim Deegan" <tim@xxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Tue, 17 Dec 2013 09:14:02 +0000
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Keir Fraser <keir@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxx>
Delivery-date: Tue, 17 Dec 2013 09:14:26 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 10.12.13 at 15:50, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
> Coverity ID: 1135374 1135375 1135376 1135377
> 
> If {copy_to,clear}_guest_offset() fails, we would leak the domain mappings 
> for
> l4 thru l1.
> 
> Fixing this requires having conditional unmaps on the faulting path, which 
> in
> turn requires explicitly initialising the pointers to NULL because of the
> early ENOMEM exit.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> CC: Keir Fraser <keir@xxxxxxx>
> Reviewed-by: Jan Beulich <JBeulich@xxxxxxxx>
> CC: Tim Deegan <tim@xxxxxxx>

Tim?

> ---
> 
> Changes in v2:
>  * Reorder unmaps until after the unlock/unpause (Suggested by Jan)
> ---
>  xen/arch/x86/mm/paging.c |   14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
> index 4ba7669..21344e5 100644
> --- a/xen/arch/x86/mm/paging.c
> +++ b/xen/arch/x86/mm/paging.c
> @@ -330,8 +330,8 @@ int paging_log_dirty_op(struct domain *d, struct 
> xen_domctl_shadow_op *sc)
>  {
>      int rv = 0, clean = 0, peek = 1;
>      unsigned long pages = 0;
> -    mfn_t *l4, *l3, *l2;
> -    unsigned long *l1;
> +    mfn_t *l4 = NULL, *l3 = NULL, *l2 = NULL;
> +    unsigned long *l1 = NULL;
>      int i4, i3, i2;
>  
>      domain_pause(d);
> @@ -434,6 +434,16 @@ int paging_log_dirty_op(struct domain *d, struct 
> xen_domctl_shadow_op *sc)
>   out:
>      paging_unlock(d);
>      domain_unpause(d);
> +
> +    if ( l1 )
> +        unmap_domain_page(l1);
> +    if ( l2 )
> +        unmap_domain_page(l2);
> +    if ( l3 )
> +        unmap_domain_page(l3);
> +    if ( l4 )
> +        unmap_domain_page(l4);
> +
>      return rv;
>  }
>  
> -- 
> 1.7.10.4
> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx 
> http://lists.xen.org/xen-devel 




_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] Ping: [Patch v2] x86/mm: Prevent leaking domain mappings in paging_log_dirty_op()
  - From: Tim Deegan

References:
- Re: [Xen-devel] [Patch] x86/mm: Prevent leaking domain mappings in paging_log_dirty_op()
  - From: Jan Beulich
- [Xen-devel] [Patch v2] x86/mm: Prevent leaking domain mappings in paging_log_dirty_op()
  - From: Andrew Cooper

Prev by Date: [Xen-devel] [PATCH] x86/memshr: fix preemption in relinquish_shared_pages()
Next by Date: [Xen-devel] Ping: [PATCH 4/5] HVM: prevent leaking heap data from hvm_save_one()
Previous by thread: [Xen-devel] [Patch v2] x86/mm: Prevent leaking domain mappings in paging_log_dirty_op()
Next by thread: Re: [Xen-devel] Ping: [Patch v2] x86/mm: Prevent leaking domain mappings in paging_log_dirty_op()
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.