This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-bugs] [Bug 1092] New: an unprivileged guest can crash a 3.1.0 hyper

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 1092] New: an unprivileged guest can crash a 3.1.0 hypervisor
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Sat, 20 Oct 2007 09:57:21 -0700
Delivery-date: Sat, 20 Oct 2007 09:57:51 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-bugs-request@lists.xensource.com?subject=help>
List-id: Xen Bugzilla <xen-bugs.lists.xensource.com>
List-post: <mailto:xen-bugs@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=unsubscribe>
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx

           Summary: an unprivileged guest can crash a 3.1.0 hypervisor
           Product: Xen
           Version: unspecified
          Platform: x86-64
        OS/Version: NetBSD
            Status: NEW
          Severity: major
          Priority: P2
         Component: Hypervisor
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: bouyer@xxxxxxxxxx

While working on NetBSD/amd64 Xen support, I found that if the %cs and/or %ss
registers are changed to e.g. 0x17 in the trap frame before HYPERVISOR_iret
in a syscall, the hypervisor will crash:
(XEN) extable.c:74: Pre-exception: ffff830000192084 -> ffff83000019c69f
(XEN) traps.c:1827: GPF (0020): ffff83000019c6e3 -> ffff83000019c6f9
(XEN) ----[ Xen-3.1.0  x86_64  debug=y  Not tainted ]----
(XEN) CPU:    0
(XEN) RIP:    e033:[<ffffffff8026ade9>]
(XEN) RFLAGS: 0000000000382446   CONTEXT: guest
(XEN) rax: 0000000000000001   rbx: 0000000000000001   rcx: 0000000000000000
(XEN) rdx: 0000000000000000   rsi: 000000000000000d   rdi: 0000000000000000
(XEN) rbp: ffffa000067cced8   rsp: ffffa000067ccde0   r8:  ffffa000067cccf8
(XEN) r9:  8080808080808080   r10: ffffa000067cccf8   r11: ffffffff80280190
(XEN) r12: 0000000000000100   r13: ffffffff802b4fd3   r14: 000000000000004f
(XEN) r15: 00007f7fffffedb0   cr0: 000000008005003b   cr4: 00000000000006f0
(XEN) cr3: 0000000006f89000   cr2: 00007f7fffffde98
(XEN) ds: 0017   es: 0017   fs: 0017   gs: 0000   ss: e02b   cs: e033
(XEN) Guest stack trace from rsp=ffffa000067ccde0:
(XEN)    ffffffff8021c1a5 0000003000000008 ffffa000067ccee8 ffffa000067cce08
(XEN)    0000000000000000 0000000000008000 0000000000525000 0000000000008000
(XEN)    ffffffff80102150 0000000000000000 8080808080808080 000000000040e304
(XEN)    00000000471a91ed 0000000000008000 ffffa000067ccee0 ffffffff803ffd80
(XEN)    ffffa00005e7fb40 ffffa000067ccf20 ffffa000067cce90 ffffa00005e65580
(XEN)    ffffa000067ccf10 ffffffff80276e82 00007f7fffffe9b0 000000000051d000
(XEN)    000000000000003b 0000000000410a38 0000000000000002 00000000ffffffff
(XEN)    0000000000516580 0000000000516580 0000000000400120 ffffa000067ccee8
(XEN)    ffffffff80278472 00007f7fffffee10 ffffffff8010630b 0000000000000000
(XEN)    0000000000525000 0000000000008000 ffffffff80102150 0000000000000000
(XEN)    8080808080808080 000000000040fc52 0000000000000202 0000000000516580
(XEN)    0000000000400120 000000000000004f 00007f7fffffedb0 00007f7fffffee10
(XEN)    0000000000516580 0000000000000003 0000000000000000 00007f7fffff0017
(XEN)    00007f7fffff0017 0000000000510017 0000000000000003 0000000000000000
(XEN)    0000000000000202 0000000000000017 0000000000000017 0000000000000017
(XEN)    0000000000000000 0000000000000023 0000000000000202 00007f7fffffef48
(XEN)    000000000000001b 0000000000000000 0000000000000000 0000000000000000
(XEN)    0000000000000000 ffffffff808eac70 0000000000000004 ffffa000067cd148
(XEN)    ffffffff808eab40 ffffa0000679df58 ffffa000067cd2f8 ffffa0000679dc88
(XEN)    0000000000000000 0000000000002000 00000000f9800000 ffffa0000679dec8
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) FATAL TRAP: vector = 3 (bkpt)
(XEN) [error_code=0000] , IN INTERRUPT CONTEXT
(XEN) ****************************************
(XEN) Reboot in five seconds...

The binary kernel causing this crash is available on request.
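As an added illustration (not Xen's or NetBSD's code), the architectural checks an iret applies to the CS and SS selectors a guest may have written into its trap frame, run against a constructed descriptor table; the 0x17 selector from the report is modelled as a ring-3 data entry in the LDT, and the table contents and the check_iret_frame name are assumptions. A hypervisor returning to a guest must either pre-validate such selectors, as this function does, or handle the #GP that iretq raises without panicking.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Only the access-byte fields the iret checks consult. */
struct desc { bool present, code, writable; unsigned dpl; };

/* Constructed tables (not NetBSD's or Xen's): entry 2 of the LDT plays
 * the role of the 0x17 data selector seen in the report. */
#define NDESC 8
static const struct desc gdt[NDESC] = {
    [1] = { true, true,  false, 0 },   /* 0x08: ring-0 code          */
    [3] = { true, true,  false, 3 },   /* 0x1b: ring-3 code          */
    [4] = { true, false, true,  3 },   /* 0x23: ring-3 writable data */
};
static const struct desc ldt[NDESC] = {
    [2] = { true, false, true,  3 },   /* 0x17: ring-3 writable data */
};

static unsigned sel_index(uint16_t s) { return s >> 3; }
static unsigned sel_rpl(uint16_t s)   { return s & 3; }

/* Resolve a selector to its descriptor; NULL for the null selector or
 * an index past the end of its table (both raise #GP when loaded). */
static const struct desc *lookup(uint16_t s)
{
    if (sel_index(s) == 0 || sel_index(s) >= NDESC) return NULL;
    return (s & 4) ? &ldt[sel_index(s)] : &gdt[sel_index(s)];
}

enum iret_result { IRET_OK, IRET_GP_CS, IRET_GP_SS };

/* Architectural iret checks on a guest-supplied CS/SS pair; min_rpl is
 * the lowest ring the return may land in (3 when returning to a PV
 * guest). Only non-conforming code segments are modelled. */
enum iret_result check_iret_frame(uint16_t cs, uint16_t ss, unsigned min_rpl)
{
    const struct desc *c = lookup(cs), *s = lookup(ss);
    /* CS: present code segment, RPL >= min_rpl, DPL == RPL. A data
     * selector such as 0x17 fails on the code-segment test. */
    if (!c || !c->present || !c->code || sel_rpl(cs) < min_rpl || c->dpl != sel_rpl(cs))
        return IRET_GP_CS;
    /* SS: present writable data segment with RPL and DPL equal to CS RPL. */
    if (!s || !s->present || s->code || !s->writable ||
        sel_rpl(ss) != sel_rpl(cs) || s->dpl != sel_rpl(cs))
        return IRET_GP_SS;
    return IRET_OK;
}
```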
