
Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL emulation



On Wed, Dec 12, 2007 at 02:12:41PM +0900, Isaku Yamahata wrote:
> On Wed, Dec 12, 2007 at 01:07:13PM +0900, Kouya Shimura wrote:
> > diff -r 4054cd60895b xen/arch/ia64/vmx/vmx_fault.c
> > --- a/xen/arch/ia64/vmx/vmx_fault.c Mon Dec 10 13:49:22 2007 +0000
> > +++ b/xen/arch/ia64/vmx/vmx_fault.c Wed Dec 12 11:47:04 2007 +0900
> > @@ -196,9 +197,10 @@ vmx_ia64_handle_break (unsigned long ifa
> >                  return IA64_NO_FAULT;
> >              }
> >              else if (iim == DOMN_PAL_REQUEST) {
> > -                pal_emul(v);
> > -                vcpu_increment_iip(v);
> > -                return IA64_NO_FAULT;
> > +                fault = pal_emul(v);
> > +                if (fault == IA64_NO_FAULT)
> > +                    vcpu_increment_iip(v);
> > +                return fault;
> >              } else if (iim == DOMN_SAL_REQUEST) {
> >                  sal_emul(v);
> >                  vcpu_increment_iip(v);
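Review bot: Returning `fault` from the DOMN_PAL_REQUEST branch without advancing the IIP is only safe if the caller actually delivers that fault to the guest; otherwise the guest re-executes the same `break` with the same arguments and makes no forward progress. The hunk shows the new `fault` variable being assigned, but its declaration and the earlier change that shifted the hunk by one line (`-196,9 +197,10`) are outside the visible context, so please confirm `fault` has the same type as the return value of `vmx_ia64_handle_break` and that the return path injects the fault. Also note the asymmetry with the DOMN_SAL_REQUEST branch immediately below, which still calls `vcpu_increment_iip(v)` unconditionally; a short comment explaining why PAL and SAL are treated differently would help future readers.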
> 
> Shouldn't we call vcpu_increment_iip(v) unconditionally?
> If pal_emul() returns anything other than IA64_NO_FAULT,
> the guest will issue the same break instruction again with the same argument,
> resulting in no forward progress.

If you are expecting to inject a TLB miss fault,
the current return path of vmx_ia64_handle_break() doesn't do that.
So you have to patch there too.

-- 
yamahata

_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel

