
[Xen-devel] [BUG] assertion failure in do_grant_table_op()


  • To: xen-devel@xxxxxxxxxxxxx
  • From: Jann Horn <jannh@xxxxxxxxxx>
  • Date: Tue, 28 Nov 2017 21:07:26 +0100
  • Delivery-date: Tue, 28 Nov 2017 20:07:58 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

A fuzzer based on AFL and TriforceAFL discovered an assertion
violation in Xen 4.9.1.

The issue is that, when `opaque_out` is non-zero,
do_grant_table_op() assumes that the hypercall was preempted and a
continuation is generated. However, `opaque_out` also ends up being
non-zero if the guest called GNTTABOP_cache_flush with
`opaque_in != 0` and `count == 0`, in which case there is no more
work to do.

In release builds, this is not an issue: A guest that performs such
a nonsensical hypercall goes into an endless hypercall-calling loop,
which the guest can detect as a soft kernel lockup. This does not
interfere with the normal operation of the hypervisor and does not
even interfere with other tasks running in the guest if the guest
kernel supports preemption.


Reproducer:

root@pv-guest:~/borkmod2# cat borker.c
#include <linux/module.h>
#include <linux/kernel.h>

static int __init init_mod(void) {
  /* 64-bit PV guests enter the hypervisor with the syscall instruction:
   * rax = hypercall number, rdi/rsi/rdx = arguments 1..3. */
  asm volatile (
    "mov $20, %%rax\n\t" /* __HYPERVISOR_grant_table_op */
    "mov $0x800c, %%rdi\n\t" /* cmd = GNTTABOP_cache_flush | 0x8000 (opaque_in) */
    "mov $0, %%rsi\n\t" /* uop = NULL, never dereferenced since count is 0 */
    "mov $0, %%rdx\n\t" /* count = 0 */
    "syscall\n\t"
  : //out
  : //in
  : //clobber
    "cc","memory","rax","rdi","rsi","rdx","rcx","r11"
  );
  return -EINVAL; /* fail the load so the module does not stay resident */
}

module_init(init_mod);
root@pv-guest:~/borkmod2# cat Makefile
obj-m := borker.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

all:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

clean:
	$(MAKE) -C $(KDIR) M=$(PWD) clean

root@pv-guest:~/borkmod2# make
make -C /lib/modules/4.9.0-4-amd64/build M=/root/borkmod2 modules
make[1]: Entering directory '/usr/src/linux-headers-4.9.0-4-amd64'
  Building modules, stage 2.
  MODPOST 1 modules
make[1]: Leaving directory '/usr/src/linux-headers-4.9.0-4-amd64'
root@pv-guest:~/borkmod2# insmod borker.ko

Resulting panic on a debug build:

(XEN) Assertion 'rc < count' failed at grant_table.c:3273
(XEN) ----[ Xen-4.9.1  x86_64  debug=y   Not tainted ]----
(XEN) CPU:    0
(XEN) RIP:    e008:[<ffff82d08021579b>] do_grant_table_op+0x1e2c/0x2272
(XEN) RFLAGS: 0000000000010246   CONTEXT: hypervisor (d1v0)
(XEN) rax: 0000000000000000   rbx: ffff8300bfc57f18   rcx: ffff82d080378680
(XEN) rdx: ffff07ffffffffff   rsi: 0000000000000000   rdi: 000000000000000c
(XEN) rbp: ffff8300bfc57e68   rsp: ffff8300bfc57d88   r8:  0000000000000000
(XEN) r9:  deadbeefdeadf00d   r10: 0000000000007ff0   r11: 0000000000000246
(XEN) r12: 0000000000008000   r13: 0000000000000014   r14: 0000000000000000
(XEN) r15: 000000000000000c   cr0: 0000000080050033   cr4: 00000000001506e4
(XEN) cr3: 000000012282d000   cr2: ffff880014786918
(XEN) fsb: 00007fd847e48700   gsb: ffff880018c00000   gss: 0000000000000000
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen code around <ffff82d08021579b> (do_grant_table_op+0x1e2c/0x2272):
(XEN)  ff ff ff e9 3c f1 ff ff <0f> 0b 0f 0b 48 c7 c0 ea ff ff ff e9 75 f1 ff ff
(XEN) Xen stack trace from rsp=ffff8300bfc57d88:
(XEN)    ffff8300bfc57e68 ffff82d08028fb8f 000000000000006e ffff880018c0b8e0
(XEN)    0000000d00000000 ffffffff81059d42 000000000000e033 0000000000011002
(XEN)    ffffc9004029fd70 ffff8300bfc57de8 ffff82d000000000 000000008058fdd8
(XEN)    0000000000000000 00007ff0ffffffea ffff880018c0c160 0000000200000000
(XEN)    ffffffff81059d40 0000000033d80000 0000000000011002 000000000000000f
(XEN)    0000000000122831 ffff880018c182a8 0000000000011002 ffff8300bfc57f18
(XEN)    ffff8300bfc22000 0000000000000014 ffff82d08021396f deadbeefdeadf00d
(XEN)    ffff8300bfc57f08 ffff82d08035d14f 0300000000000000 000000000000800c
(XEN)    0000000000000000 0000000000000000 deadbeefdeadf00d deadbeefdeadf00d
(XEN)    0000000000000000 0000000000000000 0000000000000000 ffffffffffffffff
(XEN)    0000000000000000 0000000100000000 0000000000000000 ffff8300bfc22000
(XEN)    ffff88001417b000 ffff880013d46300 ffffffffc0070000 ffffffffc0070050
(XEN)    00007cff403a80c7 ffff82d080360ff6 ffff880013a15100 ffff880013a156b8
(XEN)    ffff880013a15100 ffff880018c18d10 ffffffffc0096000 0000000000000000
(XEN)    0000000000000246 0000000000007ff0 0000000000000013 000000000001f958
(XEN)    0000000000000014 ffffffffc009601e 0000000000000000 0000000000000000
(XEN)    000000000000800c 0001010000000000 ffffffffc009601e 000000000000e033
(XEN)    0000000000000246 ffffc90040817cd8 000000000000e02b 000000000009dfa3
(XEN)    003bb8b800000001 003bbd140009dfa3 000000000009dfb0 003bbcec00000000
(XEN)    ffff8300bfc22000 0000000000000000 00000000001506e4
(XEN) Xen call trace:
(XEN)    [<ffff82d08021579b>] do_grant_table_op+0x1e2c/0x2272
(XEN)    [<ffff82d08035d14f>] pv_hypercall+0x150/0x460
(XEN)    [<ffff82d080360ff6>] entry.o#test_all_events+0/0x30
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) Assertion 'rc < count' failed at grant_table.c:3273
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...
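
The following C model is added here for illustration; it is neither part of Jann Horn's report nor Xen's source. It reproduces the dispatcher logic the report describes (a non-zero `opaque_out` is taken to mean "preempted, generate a continuation", guarded by `ASSERT(rc < count)` in debug builds) and drives it with the reproducer's arguments, `cmd = 0x800c` and `count = 0`. The constants (`GNTTABOP_cache_flush = 12`, a 12-bit command mask), the body of the cache-flush handler, the `budget` stand-in for `hypercall_preempt_check()` and the `fixed` remedy are all assumptions chosen to match the report's description, not Xen's real definitions or its actual fix.

```c
/*
 * Added model of the continuation handling described in the report above.
 * NOT Xen code: constants, handler body and the "fixed" variant are
 * assumptions chosen to reproduce the state the report describes
 * (opaque_out != 0 while count == 0).
 */
#include <stdbool.h>
#include <stdio.h>

#define GNTTABOP_cache_flush 12u
#define GNTTABOP_CMD_MASK    0xfffu               /* assumption: low 12 bits = command */
#define GNTTABOP_ARG_MASK    (~GNTTABOP_CMD_MASK) /* remaining bits = opaque_in */

enum step { STEP_DONE, STEP_CONTINUATION, STEP_ASSERT_FAILED };

struct call_result {
    enum step step;
    unsigned int next_cmd;    /* cmd to re-issue when step == STEP_CONTINUATION */
    unsigned int next_count;  /* count to re-issue with */
};

struct run_result {
    int calls;                /* invocations until finished, -1 if still looping */
    enum step last;           /* outcome of the last invocation */
};

/*
 * Model of the cache-flush handler. *cur_ref carries the resume position
 * inside the entry being processed (0 once an entry completes); `budget`
 * models hypercall_preempt_check() firing after that many entries.
 * Assumption matching the report: with count == 0 the loop never runs, so a
 * non-zero *cur_ref supplied by the guest is handed straight back.
 */
static int cache_flush_model(unsigned int *cur_ref, unsigned int count,
                             unsigned int budget)
{
    unsigned int i;

    for (i = 0; i < count; i++) {
        if (i && i >= budget)
            return (int)i;      /* preempted: i entries done, rest remain */
        *cur_ref = 0;           /* entry finished, nothing left to resume */
    }
    return 0;                   /* all entries processed */
}

/* Model of the dispatcher's continuation decision. */
static struct call_result grant_table_op_model(unsigned int cmd, unsigned int count,
                                               unsigned int budget,
                                               bool debug_build, bool fixed)
{
    struct call_result r = { STEP_DONE, 0, 0 };
    unsigned int opaque_in = cmd & GNTTABOP_ARG_MASK, opaque_out = 0;
    int rc = 0;

    cmd &= GNTTABOP_CMD_MASK;

    /* Hypothetical remedy (an assumption, not Xen's actual fix): an empty
     * batch has nothing to resume, so it must never become a continuation. */
    if (fixed && count == 0)
        return r;

    if (cmd == GNTTABOP_cache_flush) {
        rc = cache_flush_model(&opaque_in, count, budget);
        opaque_out = opaque_in;   /* whatever the handler left behind */
    }

    /* A non-zero opaque_out is assumed to mean "preempted, more work left". */
    if (rc > 0 || opaque_out != 0) {
        if (debug_build && !(rc < (int)count)) {
            r.step = STEP_ASSERT_FAILED;   /* ASSERT(rc < count) fires */
            return r;
        }
        r.step = STEP_CONTINUATION;
        r.next_cmd = opaque_out | cmd;     /* same cmd comes back on re-entry */
        r.next_count = count - (unsigned int)rc;
    }
    return r;
}

/* Re-issue continuations the way the hypervisor would, up to `limit` times. */
static struct run_result run_until_done(unsigned int cmd, unsigned int count,
                                        unsigned int budget, bool debug_build,
                                        bool fixed, unsigned int limit)
{
    struct run_result out = { -1, STEP_CONTINUATION };
    unsigned int n;

    for (n = 1; n <= limit; n++) {
        struct call_result r = grant_table_op_model(cmd, count, budget,
                                                    debug_build, fixed);
        out.last = r.step;
        if (r.step != STEP_CONTINUATION) {
            out.calls = (int)n;
            return out;
        }
        cmd = r.next_cmd;
        count = r.next_count;
    }
    return out;                 /* still spinning: the release-build case */
}

int main(void)
{
    struct run_result r;

    r = run_until_done(0x800c, 0, 4, true, false, 100);   /* reproducer, debug */
    printf("debug build:   %d call(s), assert fired = %d\n", r.calls, r.last == STEP_ASSERT_FAILED);
    r = run_until_done(0x800c, 0, 4, false, false, 100);  /* reproducer, release */
    printf("release build: %s\n", r.calls < 0 ? "still looping after 100 continuations" : "finished");
    r = run_until_done(0x800c, 0, 4, true, true, 100);    /* with the remedy */
    printf("with remedy:   %d call(s), done = %d\n", r.calls, r.last == STEP_DONE);
    r = run_until_done(GNTTABOP_cache_flush, 10, 4, true, false, 100); /* legit batch */
    printf("10 entries, budget 4: %d call(s), done = %d\n", r.calls, r.last == STEP_DONE);
    return 0;
}
```

The fourth run shows the path the continuation mechanism is meant for: a 10-entry batch preempted every 4 entries finishes in three invocations because `rc` (entries done) stays below `count` until the last one, so the assertion holds. The reproducer's call never makes progress: `rc` is 0, `count` is 0, and the guest-supplied `opaque_in` is echoed back unchanged, which is exactly the case the `fixed` check short-circuits.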
