xen-bugs
[Xen-bugs] [Bug 1092] New: an unprivileged guest can crash a 3.1.0 hyper
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1092
Summary: an unprivileged guest can crash a 3.1.0 hypervisor
Product: Xen
Version: unspecified
Platform: x86-64
OS/Version: NetBSD
Status: NEW
Severity: major
Priority: P2
Component: Hypervisor
AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
ReportedBy: bouyer@xxxxxxxxxx
While working on NetBSD/amd64 Xen support, I found that if the %cs and/or %ss
registers are changed to e.g. 0x17 in the trap frame before HYPERVISOR_iret
in a syscall, the hypervisor will crash:
(XEN) extable.c:74: Pre-exception: ffff830000192084 -> ffff83000019c69f
(XEN) traps.c:1827: GPF (0020): ffff83000019c6e3 -> ffff83000019c6f9
(XEN) ----[ Xen-3.1.0 x86_64 debug=y Not tainted ]----
(XEN) CPU: 0
(XEN) RIP: e033:[<ffffffff8026ade9>]
(XEN) RFLAGS: 0000000000382446 CONTEXT: guest
(XEN) rax: 0000000000000001 rbx: 0000000000000001 rcx: 0000000000000000
(XEN) rdx: 0000000000000000 rsi: 000000000000000d rdi: 0000000000000000
(XEN) rbp: ffffa000067cced8 rsp: ffffa000067ccde0 r8: ffffa000067cccf8
(XEN) r9: 8080808080808080 r10: ffffa000067cccf8 r11: ffffffff80280190
(XEN) r12: 0000000000000100 r13: ffffffff802b4fd3 r14: 000000000000004f
(XEN) r15: 00007f7fffffedb0 cr0: 000000008005003b cr4: 00000000000006f0
(XEN) cr3: 0000000006f89000 cr2: 00007f7fffffde98
(XEN) ds: 0017 es: 0017 fs: 0017 gs: 0000 ss: e02b cs: e033
(XEN) Guest stack trace from rsp=ffffa000067ccde0:
(XEN) ffffffff8021c1a5 0000003000000008 ffffa000067ccee8 ffffa000067cce08
(XEN) 0000000000000000 0000000000008000 0000000000525000 0000000000008000
(XEN) ffffffff80102150 0000000000000000 8080808080808080 000000000040e304
(XEN) 00000000471a91ed 0000000000008000 ffffa000067ccee0 ffffffff803ffd80
(XEN) ffffa00005e7fb40 ffffa000067ccf20 ffffa000067cce90 ffffa00005e65580
(XEN) ffffa000067ccf10 ffffffff80276e82 00007f7fffffe9b0 000000000051d000
(XEN) 000000000000003b 0000000000410a38 0000000000000002 00000000ffffffff
(XEN) 0000000000516580 0000000000516580 0000000000400120 ffffa000067ccee8
(XEN) ffffffff80278472 00007f7fffffee10 ffffffff8010630b 0000000000000000
(XEN) 0000000000525000 0000000000008000 ffffffff80102150 0000000000000000
(XEN) 8080808080808080 000000000040fc52 0000000000000202 0000000000516580
(XEN) 0000000000400120 000000000000004f 00007f7fffffedb0 00007f7fffffee10
(XEN) 0000000000516580 0000000000000003 0000000000000000 00007f7fffff0017
(XEN) 00007f7fffff0017 0000000000510017 0000000000000003 0000000000000000
(XEN) 0000000000000202 0000000000000017 0000000000000017 0000000000000017
(XEN) 0000000000000000 0000000000000023 0000000000000202 00007f7fffffef48
(XEN) 000000000000001b 0000000000000000 0000000000000000 0000000000000000
(XEN) 0000000000000000 ffffffff808eac70 0000000000000004 ffffa000067cd148
(XEN) ffffffff808eab40 ffffa0000679df58 ffffa000067cd2f8 ffffa0000679dc88
(XEN) 0000000000000000 0000000000002000 00000000f9800000 ffffa0000679dec8
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) FATAL TRAP: vector = 3 (bkpt)
(XEN) [error_code=0000] , IN INTERRUPT CONTEXT
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...
The binary kernel causing this crash is available on request
_______________________________________________
Xen-bugs mailing list
Xen-bugs@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-bugs
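
An added triage example (not part of the original report and not Xen code): it parses a console excerpt like the one in the report, decodes each segment selector into index, descriptor table and RPL, and flags a panic that follows a guest-context register dump. The function names and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample: a few lines trimmed from the console output in the report.
SAMPLE_LOG = """\
(XEN) RIP: e033:[<ffffffff8026ade9>]
(XEN) RFLAGS: 0000000000382446 CONTEXT: guest
(XEN) ds: 0017 es: 0017 fs: 0017 gs: 0000 ss: e02b cs: e033
(XEN) Panic on CPU 0:
(XEN) FATAL TRAP: vector = 3 (bkpt)
"""

SEG_RE = re.compile(r"\b(ds|es|fs|gs|ss|cs):\s*([0-9a-fA-F]{4})\b")
CONTEXT_RE = re.compile(r"CONTEXT:\s*(\w+)")
TRAP_RE = re.compile(r"FATAL TRAP: vector = (\d+)")


def decode_selector(sel):
    """Split an x86 selector: bits 0-1 RPL, bit 2 table indicator, bits 3-15 index."""
    return {"index": sel >> 3, "table": "LDT" if sel & 0x4 else "GDT", "rpl": sel & 0x3}


def triage(log):
    """Summarise a Xen console crash excerpt (hypothetical helper)."""
    result = {"context": None, "panic": False, "trap": None, "selectors": {}}
    for line in log.splitlines():
        if not line.startswith("(XEN)"):
            continue  # ignore anything that is not hypervisor console output
        body = line[len("(XEN)"):].strip()
        match = CONTEXT_RE.search(body)
        if match:
            result["context"] = match.group(1)
        match = TRAP_RE.search(body)
        if match:
            result["trap"] = int(match.group(1))
        if body.startswith("Panic on CPU"):
            result["panic"] = True
        for name, value in SEG_RE.findall(body):
            result["selectors"][name] = decode_selector(int(value, 16))
    # A panic logged after a register dump taken in guest context.
    result["panic_after_guest_context"] = result["panic"] and result["context"] == "guest"
    return result


def ldt_selectors(result):
    """Names of the segment registers whose selector points into the LDT."""
    return sorted(n for n, s in result["selectors"].items() if s["table"] == "LDT")


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Decoded this way, 0x17 is LDT index 2 with RPL 3, while the e033 and e02b values in the dump are GDT selectors with RPL 3.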