Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL emulation
Hi,

TLB miss fault is expected here.
But the injection is already done at this point as follows:

<HVM's break>
=>vmx_ia64_handle_break
=>pal_emul
...
=>palcomm_init
=>vmx_vcpu_tpa
...
=>dtlb_fault
=>inject_guest_interruption(vcpu,IA64_DATA_TLB_VECTOR)

If vcpu_increment_iip(v) is unconditionally called,
IIP wrongly points to the address 0x801(IA64_DATA_TLB_VECTOR+1).

Thanks,
Kouya

Isaku Yamahata writes:
> On Wed, Dec 12, 2007 at 02:12:41PM +0900, Isaku Yamahata wrote:
> > On Wed, Dec 12, 2007 at 01:07:13PM +0900, Kouya Shimura wrote:
> > > diff -r 4054cd60895b xen/arch/ia64/vmx/vmx_fault.c
> > > --- a/xen/arch/ia64/vmx/vmx_fault.c Mon Dec 10 13:49:22 2007 +0000
> > > +++ b/xen/arch/ia64/vmx/vmx_fault.c Wed Dec 12 11:47:04 2007 +0900
> > > @@ -196,9 +197,10 @@ vmx_ia64_handle_break (unsigned long ifa
> > > return IA64_NO_FAULT;
> > > }
> > > else if (iim == DOMN_PAL_REQUEST) {
> > > - pal_emul(v);
> > > - vcpu_increment_iip(v);
> > > - return IA64_NO_FAULT;
> > > + fault = pal_emul(v);
> > > + if (fault == IA64_NO_FAULT)
> > > + vcpu_increment_iip(v);
> > > + return fault;
> > > } else if (iim == DOMN_SAL_REQUEST) {
> > > sal_emul(v);
> > > vcpu_increment_iip(v);
> >
> > Shouldn't we call vcpu_increment_iip(v); unconditionally?
> > If pal_emul() returns other than IA64_NO_FAULT,
> > guest will issue the same break instruction again with same argument
> > resulting in no forward progress.
>
> If you are expecting to inject tlb miss fault,
> the current returning path of vmx_ia64_handle_break() doesn't.
> So you have to patch there too.
>
> --
> yamahata

_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel
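Review bot: the `+ fault = pal_emul(v);` through `+ return fault;` lines in the DOMN_PAL_REQUEST branch hand a non-IA64_NO_FAULT value back to the caller of vmx_ia64_handle_break(), but the hunk does not show how that caller treats it, and according to the thread the TLB miss has already been injected inside pal_emul() (palcomm_init, vmx_vcpu_tpa, dtlb_fault, inject_guest_interruption), so the return path must not deliver it a second time; a short comment above `+ return fault;` stating that the exception was already injected and IIP already points at the handler would document why vcpu_increment_iip() is skipped and answer the no-forward-progress concern raised in the reply. The `fault` variable declaration and the changed pal_emul() return type are not in this hunk either (the `@@ -196,9 +197,10 @@` header shows one extra line added earlier in the function); the pal_emul() side should be part of the same patch so a reviewer can see which fault codes it can return. Finally, the DOMN_SAL_REQUEST branch in the trailing context still calls sal_emul(v) and vcpu_increment_iip(v) unconditionally; it is worth stating whether sal_emul() can reach the same copy_to_user path and therefore needs the same check.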