Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL emulation
On Wed, Dec 12, 2007 at 01:07:13PM +0900, Kouya Shimura wrote:

> diff -r 4054cd60895b xen/arch/ia64/vmx/vmx_fault.c
> --- a/xen/arch/ia64/vmx/vmx_fault.c Mon Dec 10 13:49:22 2007 +0000
> +++ b/xen/arch/ia64/vmx/vmx_fault.c Wed Dec 12 11:47:04 2007 +0900
> @@ -196,9 +197,10 @@ vmx_ia64_handle_break (unsigned long ifa
> return IA64_NO_FAULT;
> }
> else if (iim == DOMN_PAL_REQUEST) {
> - pal_emul(v);
> - vcpu_increment_iip(v);
> - return IA64_NO_FAULT;
> + fault = pal_emul(v);
> + if (fault == IA64_NO_FAULT)
> + vcpu_increment_iip(v);
> + return fault;
> } else if (iim == DOMN_SAL_REQUEST) {
> sal_emul(v);
> vcpu_increment_iip(v);

Shouldn't we call vcpu_increment_iip(v); unconditionally?
If pal_emul() returns other than IA64_NO_FAULT, the guest will issue the same break instruction again with the same argument, resulting in no forward progress.

-- 
yamahata
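Review bot: whether leaving iip at the break instruction is safe depends on which fault values pal_emul() can now return, and the hunk does not say. Not advancing iip is the right choice only when the returned fault is actually delivered to the guest (a fault raised while writing to guest memory, which the guest handles before re-executing the break); for any other value that is not IA64_NO_FAULT the guest re-issues the same break with the same argument indefinitely, which is the no-progress case raised above. A short comment above `if (fault == IA64_NO_FAULT)` stating which faults pal_emul() returns and that they are injected into the guest would make that contract checkable. Two smaller points: the declaration of `fault` is outside this hunk, so the reviewer cannot see its type; and the sal_emul() path two lines below still calls vcpu_increment_iip(v) unconditionally, so the PAL and SAL request paths now follow different rules, which is worth either aligning or explaining.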