WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-ia64-devel

Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL em

Hi,

A TLB miss fault is expected here.
But the injection is already done at this point, as follows:

<HVM's break>
=>vmx_ia64_handle_break
  =>pal_emul
    ...
      =>palcomm_init
        =>vmx_vcpu_tpa
          ...
             =>dtlb_fault
               =>inject_guest_interruption(vcpu,IA64_DATA_TLB_VECTOR)

If vcpu_increment_iip(v) is unconditionally called,
IIP wrongly points to the address 0x801 (IA64_DATA_TLB_VECTOR+1).

Thanks,
Kouya

Isaku Yamahata writes:
> On Wed, Dec 12, 2007 at 02:12:41PM +0900, Isaku Yamahata wrote:
> > On Wed, Dec 12, 2007 at 01:07:13PM +0900, Kouya Shimura wrote:
> > > diff -r 4054cd60895b xen/arch/ia64/vmx/vmx_fault.c
> > > --- a/xen/arch/ia64/vmx/vmx_fault.c       Mon Dec 10 13:49:22 2007 +0000
> > > +++ b/xen/arch/ia64/vmx/vmx_fault.c       Wed Dec 12 11:47:04 2007 +0900
> > > @@ -196,9 +197,10 @@ vmx_ia64_handle_break (unsigned long ifa
> > >                  return IA64_NO_FAULT;
> > >              }
> > >              else if (iim == DOMN_PAL_REQUEST) {
> > > -                pal_emul(v);
> > > -                vcpu_increment_iip(v);
> > > -                return IA64_NO_FAULT;
> > > +                fault = pal_emul(v);
> > > +                if (fault == IA64_NO_FAULT)
> > > +                    vcpu_increment_iip(v);
> > > +                return fault;
> > >              } else if (iim == DOMN_SAL_REQUEST) {
> > >                  sal_emul(v);
> > >                  vcpu_increment_iip(v);
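Review bot: the new `if (fault == IA64_NO_FAULT)` guard assumes that every non-IA64_NO_FAULT return from pal_emul() has already redirected the guest (i.e. the fault was injected and IIP now points at the guest's handler); if pal_emul() can return a fault code on a path that did not inject anything, the guest resumes at the same break with the same arguments and makes no forward progress. Either document that contract at the call site (a one-line comment above `fault = pal_emul(v);`) or make the return value distinguish "fault injected into guest" from "request not handled". The adjacent DOMN_SAL_REQUEST branch keeps the unconditional `sal_emul(v); vcpu_increment_iip(v);` pair; if sal_emul() can reach the same address-translation path, it needs the same treatment, otherwise a short comment on why SAL requests cannot fault here would help the next reader. The declaration of `fault` and the change of pal_emul()'s return type are outside this hunk (the header offset -196,9 +197,10 shows a line was added above), so confirm they are present in the full patch.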
> > 
> > Shouldn't we call vcpu_increment_iip(v) unconditionally?
> > If pal_emul() returns other than IA64_NO_FAULT,
> > the guest will issue the same break instruction again with the same argument,
> > resulting in no forward progress.
> 
> If you are expecting to inject a TLB miss fault,
> the current return path of vmx_ia64_handle_break() doesn't.
> So you have to patch there too.
> 
> -- 
> yamahata
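To make the IIP point in this exchange concrete, here is an added, simplified C model of the break handler before and after the patch. It is not Xen's code: only the function names and the 0x800 DTLB vector offset come from the thread; the guest IVA, the break's bundle address and slot, the IA64_FAULT value, the bundle/slot stepping and the hypothetical `silent_fault` path (a fault return without an injection, the case Isaku Yamahata worries about) are assumptions for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for the model (only IA64_DATA_TLB_VECTOR matches the thread). */
#define IA64_NO_FAULT         0
#define IA64_FAULT            1                       /* assumed: non-zero = fault */
#define IA64_DATA_TLB_VECTOR  0x0800ULL
#define GUEST_IVA             0xa000000000000000ULL   /* assumed guest IVA */
#define GUEST_BREAK_BUNDLE    0xe000000000001000ULL   /* assumed bundle holding the break */
#define GUEST_BREAK_SLOT      1                       /* assumed slot of the break */

struct vcpu {
    uint64_t iip;            /* cr.iip: bundle address the guest resumes at */
    unsigned ri;             /* ipsr.ri: slot (0..2) within that bundle */
    uint64_t saved_iip;      /* where the guest was when the fault was injected */
    bool     fault_injected;
};

/* Stand-in for inject_guest_interruption(): redirect the guest to its handler. */
static void inject_guest_interruption(struct vcpu *v, uint64_t vector)
{
    v->saved_iip = v->iip;            /* the guest's handler will return here */
    v->iip = GUEST_IVA + vector;      /* enter the guest's fault handler */
    v->ri = 0;                        /* a handler starts at slot 0 of its bundle */
    v->fault_injected = true;
}

/* Stand-in for vcpu_increment_iip(): next slot, wrapping to the next 16-byte bundle. */
static void vcpu_increment_iip(struct vcpu *v)
{
    if (v->ri == 2) { v->ri = 0; v->iip += 16; }
    else v->ri++;
}

/* Stand-in for pal_emul(). tlb_miss: the argument translation (vmx_vcpu_tpa in the
 * thread) misses in the guest TLB, so the DTLB fault is injected before returning.
 * silent_fault: hypothetical path that reports a fault WITHOUT injecting one. */
static int pal_emul(struct vcpu *v, bool tlb_miss, bool silent_fault)
{
    if (tlb_miss) {
        inject_guest_interruption(v, IA64_DATA_TLB_VECTOR);
        return IA64_FAULT;
    }
    if (silent_fault)
        return IA64_FAULT;
    return IA64_NO_FAULT;             /* emulated; the break must be skipped */
}

/* Before the patch: IIP is advanced whatever pal_emul() did. */
static int handle_break_old(struct vcpu *v, bool tlb_miss, bool silent_fault)
{
    pal_emul(v, tlb_miss, silent_fault);
    vcpu_increment_iip(v);
    return IA64_NO_FAULT;
}

/* After the patch: advance only when no fault was reported. */
static int handle_break_new(struct vcpu *v, bool tlb_miss, bool silent_fault)
{
    int fault = pal_emul(v, tlb_miss, silent_fault);
    if (fault == IA64_NO_FAULT)
        vcpu_increment_iip(v);
    return fault;
}

/* Run one break through either handler and return where the guest resumes,
 * as bundle address | slot (bundles are 16-byte aligned, so bits 0..3 are free). */
uint64_t resume_at(bool patched, bool tlb_miss, bool silent_fault)
{
    struct vcpu v = { GUEST_BREAK_BUNDLE, GUEST_BREAK_SLOT, 0, false };
    if (patched) handle_break_new(&v, tlb_miss, silent_fault);
    else         handle_break_old(&v, tlb_miss, silent_fault);
    return v.iip | v.ri;
}

/* True when the guest would re-execute the very same break: no forward progress. */
bool retries_same_break(bool patched, bool tlb_miss, bool silent_fault)
{
    return resume_at(patched, tlb_miss, silent_fault) == (GUEST_BREAK_BUNDLE | GUEST_BREAK_SLOT);
}

int main(void)
{
    printf("unpatched, TLB miss : resume at 0x%" PRIx64 " (handler entry + stray slot)\n",
           resume_at(false, true, false));
    printf("patched,   TLB miss : resume at 0x%" PRIx64 " (handler entry, slot 0)\n",
           resume_at(true, true, false));
    printf("patched,   no fault : resume at 0x%" PRIx64 " (past the break)\n",
           resume_at(true, false, false));
    printf("patched, fault w/o injection: retries same break = %d\n",
           retries_same_break(true, false, true));
    return 0;
}
```

With a TLB miss the unpatched handler resumes the guest at the DTLB vector plus one slot (the "0x801" in the reply above), while the patched one lands on slot 0 of the handler; the last case shows the trade-off: a fault return that did not inject anything leaves the guest spinning on the same break, so the conditional increment is only safe if every fault return has already redirected the guest.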

_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel