[Xen-devel] [BUG] assertion failure in do_grant_table_op()
A fuzzer based on AFL and TriforceAFL discovered an assertion violation in Xen 4.9.1.

The issue is that, when `opaque_out` is non-zero, do_grant_table_op() assumes that the hypercall was preempted and a continuation is generated. However, `opaque_out` also ends up being non-zero if the guest called GNTTABOP_cache_flush with `opaque_in != 0` and `count == 0`, in which case there is no more work to do.

In release builds, this is not an issue: A guest that performs such a nonsensical hypercall goes into an endless hypercall-calling loop, which the guest can detect as a soft kernel lockup. This does not interfere with the normal operation of the hypervisor and does not even interfere with other tasks running in the guest if the guest kernel supports preemption.

Reproducer:

root@pv-guest:~/borkmod2# cat borker.c
#include <linux/module.h>
#include <linux/kernel.h>

static int __init init_mod(void) {
    asm volatile (
        "mov $20, %%rax\n\t"     /* __HYPERVISOR_grant_table_op */
        "mov $0x800c, %%rdi\n\t" /* GNTTABOP_cache_flush|0x8000 */
        "mov $0, %%rsi\n\t"
        "mov $0, %%rdx\n\t"
        "syscall\n\t"
        : /* out */
        : /* in */
        : /* clobber */
          "cc", "memory", "rax", "rdi", "rsi", "rdx", "rcx", "r11"
    );
    return -EINVAL;
}
module_init(init_mod);
root@pv-guest:~/borkmod2# cat Makefile
obj-m := borker.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

all:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

clean:
	$(MAKE) -C $(KDIR) M=$(PWD) clean
root@pv-guest:~/borkmod2# make
make -C /lib/modules/4.9.0-4-amd64/build M=/root/borkmod2 modules
make[1]: Entering directory '/usr/src/linux-headers-4.9.0-4-amd64'
  Building modules, stage 2.
  MODPOST 1 modules
make[1]: Leaving directory '/usr/src/linux-headers-4.9.0-4-amd64'
root@pv-guest:~/borkmod2# insmod borker.ko

Resulting panic on a debug build:

(XEN) Assertion 'rc < count' failed at grant_table.c:3273
(XEN) ----[ Xen-4.9.1  x86_64  debug=y   Not tainted ]----
(XEN) CPU:    0
(XEN) RIP:    e008:[<ffff82d08021579b>] do_grant_table_op+0x1e2c/0x2272
(XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor (d1v0)
(XEN) rax: 0000000000000000   rbx: ffff8300bfc57f18   rcx: ffff82d080378680
(XEN) rdx: ffff07ffffffffff   rsi: 0000000000000000   rdi: 000000000000000c
(XEN) rbp: ffff8300bfc57e68   rsp: ffff8300bfc57d88   r8:  0000000000000000
(XEN) r9:  deadbeefdeadf00d   r10: 0000000000007ff0   r11: 0000000000000246
(XEN) r12: 0000000000008000   r13: 0000000000000014   r14: 0000000000000000
(XEN) r15: 000000000000000c   cr0: 0000000080050033   cr4: 00000000001506e4
(XEN) cr3: 000000012282d000   cr2: ffff880014786918
(XEN) fsb: 00007fd847e48700   gsb: ffff880018c00000   gss: 0000000000000000
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen code around <ffff82d08021579b> (do_grant_table_op+0x1e2c/0x2272):
(XEN)  ff ff ff e9 3c f1 ff ff <0f> 0b 0f 0b 48 c7 c0 ea ff ff ff e9 75 f1 ff ff
(XEN) Xen stack trace from rsp=ffff8300bfc57d88:
(XEN) Xen call trace:
(XEN)    [<ffff82d08021579b>] do_grant_table_op+0x1e2c/0x2272
(XEN)    [<ffff82d08035d14f>] pv_hypercall+0x150/0x460
(XEN)    [<ffff82d080360ff6>] entry.o#test_all_events+0/0x30
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) Assertion 'rc < count' failed at grant_table.c:3273
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...
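The continuation decision the report describes, as an added illustrative model that is not Xen's code and not part of the original mail. The 12-bit command/argument split, the worker's preemption `budget`, and the `fixed` guard (one place a zero-count check could go, not the upstream patch) are assumptions made here for illustration.

```c
/* Added model of the do_grant_table_op() continuation decision described in
 * the report. Not Xen's code: the bit split, the preemption budget and the
 * `fixed` guard are constructed here for illustration. */
#include <stdbool.h>
#define GNTTABOP_cache_flush 12
#define CMD_SHIFT 12                       /* assumed: low 12 bits carry the command */
#define CMD_MASK  ((1u << CMD_SHIFT) - 1)

enum outcome { OUT_DONE, OUT_CONTINUE, OUT_ASSERT_FAIL, OUT_ERROR };

/* Worker model: completes ops in order; returns 0 when all are done, or the
 * number completed when preempted part-way through op 'budget', in which
 * case *cur_ref is left non-zero so the continuation can resume that op. */
static int flush_worker(unsigned int count, unsigned int *cur_ref, unsigned int budget)
{
    unsigned int done;
    for (done = 0; done < count; done++) {
        if (done == budget) {
            *cur_ref = 1;                  /* constructed resume cursor */
            return (int)done;
        }
        *cur_ref = 0;                      /* op finished: nothing to resume */
    }
    return 0;                              /* count == 0 never touches *cur_ref */
}

/* Dispatcher model: mirrors the report's description of opaque_in/opaque_out.
 * With fixed == true, a zero count returns before any continuation is built. */
static enum outcome grant_table_op_model(unsigned int cmd, unsigned int count,
                                         unsigned int budget, bool fixed)
{
    unsigned int opaque_in = cmd >> CMD_SHIFT, opaque_out = 0;
    int rc;
    if ((cmd &= CMD_MASK) != GNTTABOP_cache_flush && opaque_in)
        return OUT_ERROR;                  /* only cache_flush accepts opaque_in */
    if (fixed && count == 0)
        return OUT_DONE;                   /* guard: no work, so no continuation */
    rc = flush_worker(count, &opaque_in, budget);
    if (rc >= 0)
        opaque_out = opaque_in;            /* resume state stays in the cmd word */
    if (rc > 0 || opaque_out != 0) {       /* treated as "preempted" */
        if (rc >= (int)count)              /* the ASSERT(rc < count) in the report */
            return OUT_ASSERT_FAIL;
        return OUT_CONTINUE;               /* hypercall_create_continuation() */
    }
    return OUT_DONE;
}
```

Calling `grant_table_op_model(0x800c, 0, 100, false)` follows the reproducer's arguments (cmd 0xc with a non-zero opaque_in, count 0) into the assertion path, while a non-zero count with the same opaque_in completes normally.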