WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-changelog

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-changelog] Use copy_from_user when accessing linear page table in s

from [Xen patchbot -unstable] [Permanent Link][Original]
To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] Use copy_from_user when accessing linear page table in shadow_fault().
From: Xen patchbot -unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 13 Apr 2006 10:26:07 +0000
Delivery-date: Thu, 13 Apr 2006 03:28:04 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx 
# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID 268f2b85f3137be92248f1e1fd0778fe5990a648
# Parent  19c55935580fda527f2d865919e51bfd6c2040e4
Use copy_from_user when accessing linear page table in shadow_fault().
This is safer, and direct access may crash hypervisor by some potential
bug. Also remove some tailing space.

Signed-off-by: Xin Li <xin.b.li@xxxxxxxxx>

diff -r 19c55935580f -r 268f2b85f313 xen/arch/x86/shadow32.c
--- a/xen/arch/x86/shadow32.c   Wed Apr 12 17:53:38 2006
+++ b/xen/arch/x86/shadow32.c   Thu Apr 13 09:10:19 2006
@@ -2886,7 +2886,7 @@
     SH_VVLOG("shadow_fault( va=%lx, code=%lu )",
              va, (unsigned long)regs->error_code);
     perfc_incrc(shadow_fault_calls);
-    
+
     check_pagetable(v, "pre-sf");
 
     /*
@@ -2917,7 +2917,16 @@
     // the mapping is in-sync, so the check of the PDE's present bit, above,
     // covers this access.
     //
-    orig_gpte = gpte = linear_pg_table[l1_linear_offset(va)];
+    if ( __copy_from_user(&gpte,
+                          &linear_pg_table[l1_linear_offset(va)],
+                          sizeof(gpte)) ) {
+        printk("%s() failed, crashing domain %d "
+               "due to a unaccessible linear page table (gpde=%" PRIpte "), 
va=%lx\n",
+               __func__, d->domain_id, l2e_get_intpte(gpde), va);
+        domain_crash_synchronous();
+    }
+    orig_gpte = gpte;
+
     if ( unlikely(!(l1e_get_flags(gpte) & _PAGE_PRESENT)) )
     {
         SH_VVLOG("shadow_fault - EXIT: gpte not present (%" PRIpte ") (gpde %" 
PRIpte ")",
@@ -2928,7 +2937,7 @@
     }
 
     /* Write fault? */
-    if ( regs->error_code & 2 )  
+    if ( regs->error_code & 2 )
     {
         int allow_writes = 0;
 
@@ -2942,7 +2951,7 @@
             else
             {
                 /* Write fault on a read-only mapping. */
-                SH_VVLOG("shadow_fault - EXIT: wr fault on RO page (%" PRIpte 
")", 
+                SH_VVLOG("shadow_fault - EXIT: wr fault on RO page (%" PRIpte 
")",
                          l1e_get_intpte(gpte));
                 perfc_incrc(shadow_fault_bail_ro_mapping);
                 goto fail;
@@ -2955,10 +2964,10 @@
         }
 
         /* User access violation in guest? */
-        if ( unlikely((regs->error_code & 4) && 
+        if ( unlikely((regs->error_code & 4) &&
                       !(l1e_get_flags(gpte) & _PAGE_USER)))
         {
-            SH_VVLOG("shadow_fault - EXIT: wr fault on super page (%" PRIpte 
")", 
+            SH_VVLOG("shadow_fault - EXIT: wr fault on super page (%" PRIpte 
")",
                     l1e_get_intpte(gpte));
             goto fail;
 
@@ -2980,7 +2989,7 @@
         /* Read-protection violation in guest? */
         if ( unlikely((regs->error_code & 1) ))
         {
-            SH_VVLOG("shadow_fault - EXIT: read fault on super page (%" PRIpte 
")", 
+            SH_VVLOG("shadow_fault - EXIT: read fault on super page (%" PRIpte 
")",
                     l1e_get_intpte(gpte));
             goto fail;
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] Use copy_from_user when accessing linear page table in shadow_fault()., Xen patchbot -unstable <=
Previous by Date:  [Xen-changelog] Reset the cached state to XenbusStateInitialising on resume -- we're connecting, Xen patchbot -unstable
Next by Date:  [Xen-changelog] Unmap shadow vtable when freeing shadow table in free_shadow_pages()., Xen patchbot -unstable
Previous by Thread:  [Xen-changelog] Reset the cached state to XenbusStateInitialising on resume -- we're connecting, Xen patchbot -unstable
Next by Thread:  [Xen-changelog] Unmap shadow vtable when freeing shadow table in free_shadow_pages()., Xen patchbot -unstable
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy