I encountered an ioemu SEGV while playing with guest firmware.
Usually guest firmware doesn't issue such IOs,
so it doesn't matter, but a malicious guest can.
The following patch fixes it.
BTW, is there any plan to port the c/s of 18383:dade7f0bdc8d
to ioemu-remote?
thanks,
ioemu: various fixes to 18394:dade7f0bdc8d
various fixes to 18394:dade7f0bdc8d
- fix xc_memory_op(): handle the XENMEM_remove_from_physmap case.
- fix ioemu segv with old firmware
If ioemu is not notified of the address, ioemu will segv.
- fix qemu-dm segv with malicious firmware
If ioemu is notified more than once, ioemu will segv.
Usually such cases don't happen, but a malicious guest can
do it intentionally.
Signed-off-by: Isaku Yamahata <yamahata@xxxxxxxxxxxxx>
diff -r 9b5e1e05e886 tools/ioemu/hw/cirrus_vga.c
--- a/tools/ioemu/hw/cirrus_vga.c Mon Sep 01 17:50:13 2008 +0900
+++ b/tools/ioemu/hw/cirrus_vga.c Tue Sep 09 20:58:04 2008 +0900
@@ -2553,7 +2553,11 @@
end = begin + VGA_RAM_SIZE;
fprintf(logfile,"mapping vram to %lx - %lx\n", begin, end);
-
+ if (!s->vram_mfns) {
+ fprintf(logfile, "Found old firmware skiping mapping vram\n");
+ return;
+ }
+
xatp.domid = domid;
xatp.space = XENMAPSPACE_mfn;
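Review bot: The new early return's log message misspells "skipping" (`skiping`), and it is printed right after the "mapping vram to %lx - %lx" line, so the log claims a mapping that is then not performed; moving the `!s->vram_mfns` check above that `fprintf`, or wording it `fprintf(logfile, "vram_mfns not set (old firmware), skipping vram mapping\n");`, keeps the log consistent. A one-line comment on the condition saying why `vram_mfns` can be NULL here — presumably the firmware never notified ioemu of the vram address — would also help, since the condition alone does not explain it. The enclosing function starts and ends outside the hunk.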
diff -r 9b5e1e05e886 tools/ioemu/hw/vga.c
--- a/tools/ioemu/hw/vga.c Mon Sep 01 17:50:13 2008 +0900
+++ b/tools/ioemu/hw/vga.c Tue Sep 09 20:58:04 2008 +0900
@@ -2080,7 +2080,13 @@
if (copy)
memcpy(vram, xen_vga_state->vram_ptr, VGA_RAM_SIZE);
- qemu_free(xen_vga_state->vram_ptr);
+ if (xen_vga_state->vram_mfns) {
+ /* In case this function is called more than once */
+ free(xen_vga_state->vram_mfns);
+ munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE);
+ } else {
+ qemu_free(xen_vga_state->vram_ptr);
+ }
xen_vga_state->vram_ptr = vram;
xen_vga_state->vram_mfns = pfn_list;
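Review bot: `munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE)` in the new branch ignores its return value, and the pointer is overwritten two lines later, so a failed unmap would silently leak the old mapping; logging it, e.g. `if (munmap(xen_vga_state->vram_ptr, VGA_RAM_SIZE) < 0) fprintf(logfile, "munmap vram failed: %s\n", strerror(errno));`, keeps the repeat-notification path diagnosable. The comment "In case this function is called more than once" would be more useful if it also stated the invariant the branch relies on — that `vram_mfns` is non-NULL exactly when `vram_ptr` came from the earlier mapping rather than from `qemu_free`'s counterpart allocator — since the hunk only implies it. `free()` for `vram_mfns` next to `qemu_free()` for `vram_ptr` also reads as an allocator mismatch; worth confirming against where `pfn_list` is allocated, which is outside the hunk. The enclosing function starts and ends outside the hunk.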
#ifdef CONFIG_STUBDOM
diff -r 9b5e1e05e886 tools/libxc/xc_private.c
--- a/tools/libxc/xc_private.c Mon Sep 01 17:50:13 2008 +0900
+++ b/tools/libxc/xc_private.c Tue Sep 09 20:58:04 2008 +0900
@@ -307,6 +307,13 @@
goto out1;
}
break;
+ case XENMEM_remove_from_physmap:
+ if ( lock_pages(arg, sizeof(struct xen_remove_from_physmap)) )
+ {
+ PERROR("Could not lock");
+ goto out1;
+ }
+ break;
case XENMEM_current_reservation:
case XENMEM_maximum_reservation:
case XENMEM_maximum_gpfn:
@@ -339,6 +346,9 @@
break;
case XENMEM_add_to_physmap:
unlock_pages(arg, sizeof(struct xen_add_to_physmap));
+ break;
+ case XENMEM_remove_from_physmap:
+ unlock_pages(arg, sizeof(struct xen_remove_from_physmap));
break;
case XENMEM_current_reservation:
case XENMEM_maximum_reservation:
--
yamahata