WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-ia64-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL em

from [Isaku Yamahata] [Permanent Link][Original]
To: Kouya Shimura <kouya@xxxxxxxxxxxxxx>
Subject: Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL emulation
From: Isaku Yamahata <yamahata@xxxxxxxxxxxxx>
Date: Wed, 12 Dec 2007 14:23:45 +0900
Cc: Alex Williamson <alex.williamson@xxxxxx>, xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 11 Dec 2007 21:23:59 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20071212051241.GD29252%yamahata@xxxxxxxxxxxxx>
List-help: <mailto:xen-ia64-devel-request@lists.xensource.com?subject=help>
List-id: Discussion of the ia64 port of Xen <xen-ia64-devel.lists.xensource.com>
List-post: <mailto:xen-ia64-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-ia64-devel>, <mailto:xen-ia64-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-ia64-devel>, <mailto:xen-ia64-devel-request@lists.xensource.com?subject=unsubscribe>
References: <7k8x41puy7.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> <1197391269.7945.43.camel@lappy> <7k63z4pnda.fsf@xxxxxxxxxxxxxxxxxxxxxxxxxx> <20071212051241.GD29252%yamahata@xxxxxxxxxxxxx>
Sender: xen-ia64-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.4.2.1i 
On Wed, Dec 12, 2007 at 02:12:41PM +0900, Isaku Yamahata wrote:
> On Wed, Dec 12, 2007 at 01:07:13PM +0900, Kouya Shimura wrote:
> > diff -r 4054cd60895b xen/arch/ia64/vmx/vmx_fault.c
> > --- a/xen/arch/ia64/vmx/vmx_fault.c Mon Dec 10 13:49:22 2007 +0000
> > +++ b/xen/arch/ia64/vmx/vmx_fault.c Wed Dec 12 11:47:04 2007 +0900
> > @@ -196,9 +197,10 @@ vmx_ia64_handle_break (unsigned long ifa
> >                  return IA64_NO_FAULT;
> >              }
> >              else if (iim == DOMN_PAL_REQUEST) {
> > -                pal_emul(v);
> > -                vcpu_increment_iip(v);
> > -                return IA64_NO_FAULT;
> > +                fault = pal_emul(v);
> > +                if (fault == IA64_NO_FAULT)
> > +                    vcpu_increment_iip(v);
> > +                return fault;
> >              } else if (iim == DOMN_SAL_REQUEST) {
> >                  sal_emul(v);
> >                  vcpu_increment_iip(v);
> 
> Shouldn't we call vcpu_increment_iip(v); unconditionally?
> If pal_emul() returns other than IA64_NO_FAULT,
> guest will issue the same break instruction again with same argument
> resulting in no forward progress.

If you are expecting to inject tlb miss fault,
the current returning path of vmx_ia64_handle_break() doesn't.
So you have to patch there too.

-- 
yamahata

_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL emulation, Isaku Yamahata
Next by Date:  Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL emulation, Tristan Gingold
Previous by Thread:  Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL emulation, Isaku Yamahata
Next by Thread:  Re: [Xen-ia64-devel] [PATCH] Fix vulnerability of copy_to_user in PAL emulation, Kouya Shimura
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy