RE: [Xen-devel][PATCH]Fix a bug in sahf emulation in real mode c

To:	"Keir Fraser" <Keir.Fraser@xxxxxxxxxxxx>, "Xin, Xiaohui" <xiaohui.xin@xxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject:	RE: [Xen-devel][PATCH]Fix a bug in sahf emulation in real mode code
From:	"Tian, Kevin" <kevin.tian@xxxxxxxxx>
Date:	Tue, 5 Feb 2008 22:18:27 +0800
Delivery-date:	Tue, 05 Feb 2008 06:31:29 -0800
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxx
In-reply-to:	<C3CDDA17.134B2%Keir.Fraser@xxxxxxxxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<9A1462408D6D394C8A7A812E98F00A4D028E80A4@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <C3CDDA17.134B2%Keir.Fraser@xxxxxxxxxxxx>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index:	Achnya0E5qL4OD8DTDKC4PxC2VqEpwACfvqRAABvidAAAJ8SVAAKEKfg
Thread-topic:	[Xen-devel][PATCH]Fix a bug in sahf emulation in real mode code

We're also surprised to see such behavior and confused how that mapping gets added into monitor page table. Immediately then we found it's due to the shadow linear mapping to support 3-on-4 case, where a dummy L3 page is allocated and copied with 4 guest L3 entries. Then ml4e[0] is filled with that dummy L3 frame which satisfying shadow linear mapping, but also allows NULL pointer dereference. Actually for 0x202 case, some IDT entry in guest was touched but that vector is just not used.

Ideally this should also cause page fault on 4-on-4 case, but we guess that MBR for 64bit windows may be different with no SAHF used.

To recover guard on NULL dereference, a simple change is to use a different L4 entry...

Thanks,

Kevin

From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Keir Fraser
Sent: 2008年2月5日 17:17
To: Xin, Xiaohui; xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel][PATCH]Fix a bug in sahf emulation in real mode code

It’s a bit concerning there is something mapped there, since it is the NULL page and will prevent us catching NULL dereferences.

-- Keir

On 5/2/08 09:13, "Xin, Xiaohui" <xiaohui.xin@xxxxxxxxx> wrote:

We got this fix, since we found EPT code cannot boot Windows guest when VMXASSIST is disabled.
At first, we were quite curious why shadow can boot the same Windows guest, it should met the same SAHF instructions, which is used in MBR of that Windows image.
At the error point, the regs->rflags is 0x202, and Xen search the page table for 0x202. For EPT we did not map the lower end of the monitor page table, that’s why we get hap_page_fault() from the fixup_page_fault() there.
And for shadow, seems there is already mapped in the page table, and fortunately the data write to there doesn’t cause any error. But it’s apparently not correct. J

Thanks
Xiaohui

From: Keir Fraser [mailto:Keir.Fraser@xxxxxxxxxxxx]
Sent: 2008年2月5日 16:47
To: Xin, Xiaohui; xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel][PATCH]Fix a bug in sahf emulation in real mode code

Obviously we hadn’t hit very many SAHF instructions just yet! Or was this actually causing weird behaviours for some OSes?

-- Keir

On 5/2/08 07:35, "Xin, Xiaohui" <xiaohui.xin@xxxxxxxxx> wrote:
The patch fixes a bug in the sahf emulation in real mode code.

Signed-off-by Xin Xiaohui xiaohui.xin@xxxxxxxxx
Signed-off-by Tian Kevin <Kevin.tian@xxxxxxxxx>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

WARNING - OLD ARCHIVES

xen-devel

RE: [Xen-devel][PATCH]Fix a bug in sahf emulation in real mode code