# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1219760217 -3600
# Node ID c2472ded5c7c5a3958b2f23c62af738f9f5ecb99
# Parent c5a7ceb199cde8a1181aad6059ad17af8176ab05
x86 hvm: More checking around REP MOVS emulation.
Check for self-corrupting copies, and report hvm_copy errors to the
console log.
Signed-off-by: Keir Fraser <keir.fraser@xxxxxxxxxx>
---
xen/arch/x86/hvm/emulate.c | 45 ++++++++++++++++++++++++++++++++++++---------
1 files changed, 36 insertions(+), 9 deletions(-)
diff -r c5a7ceb199cd -r c2472ded5c7c xen/arch/x86/hvm/emulate.c
--- a/xen/arch/x86/hvm/emulate.c Tue Aug 26 14:11:39 2008 +0100
+++ b/xen/arch/x86/hvm/emulate.c Tue Aug 26 15:16:57 2008 +0100
@@ -571,7 +571,7 @@ static int hvmemul_rep_movs(
{
struct hvm_emulate_ctxt *hvmemul_ctxt =
container_of(ctxt, struct hvm_emulate_ctxt, ctxt);
- unsigned long saddr, daddr;
+ unsigned long saddr, daddr, bytes;
paddr_t sgpa, dgpa;
uint32_t pfec = PFEC_page_present;
p2m_type_t p2mt;
@@ -614,20 +614,47 @@ static int hvmemul_rep_movs(
return hvmemul_do_mmio(
dgpa, reps, bytes_per_rep, sgpa, IOREQ_WRITE, df, NULL);
+ /* RAM-to-RAM copy: emulate as equivalent of memmove(dgpa, sgpa, bytes). */
+ bytes = *reps * bytes_per_rep;
+
+ /* Adjust source address for reverse copy. */
if ( df )
- {
- sgpa -= (*reps - 1) * bytes_per_rep;
- dgpa -= (*reps - 1) * bytes_per_rep;
- }
-
- buf = xmalloc_bytes(*reps * bytes_per_rep);
+ sgpa -= bytes - bytes_per_rep;
+
+ /*
+ * Will first iteration copy fall within source range? If not then entire
+ * copy does not corrupt itself. If so, then this is more complex than
+ * can be emulated by a source-to-buffer-to-destination block copy.
+ */
+ if ( ((dgpa + bytes_per_rep) > sgpa) && (dgpa < (sgpa + bytes)) )
+ return X86EMUL_UNHANDLEABLE;
+
+ /* Adjust destination address for reverse copy. */
+ if ( df )
+ dgpa -= bytes - bytes_per_rep;
+
+ /* Allocate temporary buffer. Fall back to slow emulation if this fails. */
+ buf = xmalloc_bytes(bytes);
if ( buf == NULL )
return X86EMUL_UNHANDLEABLE;
- hvm_copy_from_guest_phys(buf, sgpa, *reps * bytes_per_rep);
- hvm_copy_to_guest_phys(dgpa, buf, *reps * bytes_per_rep);
+ /*
+ * We do a modicum of checking here, just for paranoia's sake and to
+ * definitely avoid copying an unitialised buffer into guest address space.
+ */
+ rc = hvm_copy_from_guest_phys(buf, sgpa, bytes);
+ if ( rc == HVMCOPY_okay )
+ rc = hvm_copy_to_guest_phys(dgpa, buf, bytes);
xfree(buf);
+
+ if ( rc != HVMCOPY_okay )
+ {
+ gdprintk(XENLOG_WARNING, "Failed memory-to-memory REP MOVS: sgpa=%"
+ PRIpaddr" dgpa=%"PRIpaddr" reps=%lu bytes_per_rep=%u\n",
+ sgpa, dgpa, *reps, bytes_per_rep);
+ return X86EMUL_UNHANDLEABLE;
+ }
return X86EMUL_OKAY;
}
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
Home