WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-changelog

[Xen-changelog] Fix x86/32 do_iret implementation, fixes VM86 mode.

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] Fix x86/32 do_iret implementation, fixes VM86 mode.
From: Xen patchbot -unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 13 Jan 2006 18:28:13 +0000
Delivery-date: Fri, 13 Jan 2006 18:36:16 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Ian.Campbell@xxxxxxxxxxxxx
# Node ID 19f5ffa02154db55a4fa5a67201e763d8626868b
# Parent  ec4ef8c5f04d9fef83acf5281a432a7821906520
Fix x86/32 do_iret implementation, fixes VM86 mode.

Do not clobber a freshly restored esp when performing an iret.

Signed-off-by: Keir Fraser <keir@xxxxxxxxxxxxx>
Signed-off-by: Ian Campbell <Ian.Campbell@xxxxxxxxxxxxx>

diff -r ec4ef8c5f04d -r 19f5ffa02154 xen/arch/x86/x86_32/traps.c
--- a/xen/arch/x86/x86_32/traps.c       Fri Jan 13 10:38:33 2006
+++ b/xen/arch/x86/x86_32/traps.c       Fri Jan 13 11:04:04 2006
@@ -157,14 +157,6 @@
         __asm__ __volatile__ ( "hlt" );
 }
 
-static inline void pop_from_guest_stack(
-    void *dst, struct cpu_user_regs *regs, unsigned int bytes)
-{
-    if ( unlikely(__copy_from_user(dst, (void __user *)regs->esp, bytes)) )
-        domain_crash_synchronous();
-    regs->esp += bytes;
-}
-
 asmlinkage unsigned long do_iret(void)
 {
     struct cpu_user_regs *regs = guest_cpu_user_regs();
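Review bot: deleting pop_from_guest_stack outright trades one checked pop path for five hand-expanded copy/check/increment sequences further down in do_iret, when the only call sites the helper actually breaks are the two whose destination is &regs->esp, where the trailing `regs->esp += bytes;` overwrites the value that was just popped. Keeping the helper for the EAX, CS:EIP and EFLAGS pops and open-coding only the two pops that write into regs->esp (with a comment on the helper that dst must not alias regs->esp) would fix the clobber while preserving the deduplication and the single place where a failed copy leads to domain_crash_synchronous().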
@@ -175,22 +167,29 @@
         domain_crash_synchronous();
 
     /* Pop and restore EAX (clobbered by hypercall). */
-    pop_from_guest_stack(&regs->eax, regs, 4);
+    if ( unlikely(__copy_from_user(&regs->eax, (void __user *)regs->esp, 4)) )
+        domain_crash_synchronous();
+    regs->esp += 4;
 
     /* Pop and restore CS and EIP. */
-    pop_from_guest_stack(&regs->eip, regs, 8);
+    if ( unlikely(__copy_from_user(&regs->eip, (void __user *)regs->esp, 8)) )
+        domain_crash_synchronous();
+    regs->esp += 8;
 
     /*
      * Pop, fix up and restore EFLAGS. We fix up in a local staging area
      * to avoid firing the BUG_ON(IOPL) check in arch_getdomaininfo_ctxt.
      */
-    pop_from_guest_stack(&eflags, regs, 4);
+    if ( unlikely(__copy_from_user(&eflags, (void __user *)regs->esp, 4)) )
+        domain_crash_synchronous();
+    regs->esp += 4;
     regs->eflags = (eflags & ~X86_EFLAGS_IOPL) | X86_EFLAGS_IF;
 
     if ( VM86_MODE(regs) )
     {
         /* Return to VM86 mode: pop and restore ESP,SS,ES,DS,FS and GS. */
-        pop_from_guest_stack(&regs->esp, regs, 24);
+        if ( __copy_from_user(&regs->esp, (void __user *)regs->esp, 24) )
+            domain_crash_synchronous();
     }
     else if ( unlikely(RING_0(regs)) )
     {
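Review bot: the VM86 pop `if ( __copy_from_user(&regs->esp, (void __user *)regs->esp, 24) )` drops the `unlikely()` hint that the three pops above it keep, and nothing in the hunk records why this pop, unlike those three, must not be followed by `regs->esp += 24;`. Since not advancing esp here is the entire fix, a one-line comment ("ESP is restored from the frame itself, so do not advance it") would stop a later cleanup from re-introducing the clobber. The 24-byte copy also silently relies on esp, ss, es, ds, fs and gs being laid out contiguously in struct cpu_user_regs in the order the comment on the preceding line lists them, just as the 8-byte copy into &regs->eip relies on eip and cs being adjacent; a BUILD_BUG_ON on the field offsets, or at least a comment naming the coupling, would make that dependency visible.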
@@ -199,7 +198,8 @@
     else if ( !RING_1(regs) )
     {
         /* Return to ring 2/3: pop and restore ESP and SS. */
-        pop_from_guest_stack(&regs->esp, regs, 8);
+        if ( __copy_from_user(&regs->esp, (void __user *)regs->esp, 8) )
+            domain_crash_synchronous();
     }
 
     /* No longer in NMI context. */
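Review bot: as in the VM86 branch, `if ( __copy_from_user(&regs->esp, (void __user *)regs->esp, 8) )` is missing the `unlikely()` that the first three pops in do_iret use, and the reason there is no `regs->esp += 8;` afterwards (the frame supplies the new ESP and SS, so advancing the old ESP would clobber the value just restored) is left implicit. Extending the "Return to ring 2/3" comment to say so would make the fix self-documenting and keep the two esp-restoring pops consistent with each other.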

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
