WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] Re: [PATCH] Xen: fix various checks of unsigned integers < 0

To: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx>
Subject: [Xen-devel] Re: [PATCH] Xen: fix various checks of unsigned integers < 0
From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Date: Fri, 29 Oct 2010 23:23:07 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, Tim Deegan <Tim.Deegan@xxxxxxxxxx>
Delivery-date: Fri, 29 Oct 2010 14:24:03 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=htK74bd86FldDUwxMrhlUxlJbHbFJH/BkRqNhXmuCk4=; b=pZ/xnA4QZrw1o2/ssmLwvgDQrcfNIgeyoRUD9QLwBlDfR1UjPluBY866O35QyIIE5I ZQ0Kq6/qtpfFmWZQcZhsggUFvsfwFM6+AweN47F2iv/slT2QuXxFnSQPvTPSMRncvyMw 5lTxUpY8yZeCwe8ISbzvwmVI07LUWj/GQdsjY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=ftJ06ot9ii4RvbW5GNu9rhNyJmsJESpXg2kQbphjAWitA2GKQs/oPOzA9WSL2LQtMk g4cXEcKDPYRNzB42WErrNep4Lfdufo67KADiI0Hx8kiv8iWZpPDTTN+2jwqlTrLFmKC4 8cTgw9V6jc9jYe50fe6KZpUAC7uc/+cCg0ie8=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <2e35ec26-1314-4f30-b172-fbd9b08134c9@default>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <20101029140219.GD11016@xxxxxxxxxxxxxxxxxxxxxxx> <2e35ec26-1314-4f30-b172-fbd9b08134c9@default>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9) Gecko/20100921 Fedora/3.1.4-1.fc13 Lightning/1.0b3pre Mnenhy/0.8.3 Thunderbird/3.1.4
On 10/29/2010 05:38 PM, Dan Magenheimer wrote:
Wow, I wonder how many times this code has executed
and returned the wrong (incorrectly sign-extended) value?

Probably never---which doesn't make the fix worthless, but is still never. :) The emulator is mostly used for real mode and MMIO, but this is long-mode code (which rules out real mode) and the CQO instruction doesn't access memory (which rules out MMIO).

To trigger the bug you probably have to cause a race between a thread doing MMIO and a thread replacing the MMIO instruction with a CQO. It can be done fairly reliably on KVM; until they were patched, this trick allowed to exploit emulator bugs and go from guest-ring3 to guest-ring0.

Paolo

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

<Prev in Thread] Current Thread [Next in Thread>