[Xen-changelog] Use copy_from_user when accessing linear page table in shadow_fault().
# HG changeset patch
# User kaf24@xxxxxxxxxxxxxxxxxxxx
# Node ID 268f2b85f3137be92248f1e1fd0778fe5990a648
# Parent 19c55935580fda527f2d865919e51bfd6c2040e4
Use copy_from_user when accessing linear page table in shadow_fault(). This is safer, and direct access may crash hypervisor by some potential bug. Also remove some tailing space.
Signed-off-by: Xin Li <xin.b.li@xxxxxxxxx>
diff -r 19c55935580f -r 268f2b85f313 xen/arch/x86/shadow32.c
--- a/xen/arch/x86/shadow32.c Wed Apr 12 17:53:38 2006
+++ b/xen/arch/x86/shadow32.c Thu Apr 13 09:10:19 2006
@@ -2886,7 +2886,7 @@
 SH_VVLOG("shadow_fault( va=%lx, code=%lu )", va, (unsigned long)regs->error_code);
 perfc_incrc(shadow_fault_calls);
-
+
 check_pagetable(v, "pre-sf");
 /*
@@ -2917,7 +2917,16 @@
 // the mapping is in-sync, so the check of the PDE's present bit, above,
 // covers this access.
 //
- orig_gpte = gpte = linear_pg_table[l1_linear_offset(va)];
+ if ( __copy_from_user(&gpte,
+ &linear_pg_table[l1_linear_offset(va)],
+ sizeof(gpte)) ) {
+ printk("%s() failed, crashing domain %d "
+ "due to a unaccessible linear page table (gpde=%" PRIpte "), va=%lx\n",
+ __func__, d->domain_id, l2e_get_intpte(gpde), va);
+ domain_crash_synchronous();
+ }
+ orig_gpte = gpte;
+
 if ( unlikely(!(l1e_get_flags(gpte) & _PAGE_PRESENT)) )
 {
 SH_VVLOG("shadow_fault - EXIT: gpte not present (%" PRIpte ") (gpde %" PRIpte ")",
@@ -2928,7 +2937,7 @@
 }
 /* Write fault? */
- if ( regs->error_code & 2 )
+ if ( regs->error_code & 2 )
 {
 int allow_writes = 0;
@@ -2942,7 +2951,7 @@
 else
 {
 /* Write fault on a read-only mapping. */
- SH_VVLOG("shadow_fault - EXIT: wr fault on RO page (%" PRIpte ")",
+ SH_VVLOG("shadow_fault - EXIT: wr fault on RO page (%" PRIpte ")",
 l1e_get_intpte(gpte));
 perfc_incrc(shadow_fault_bail_ro_mapping);
 goto fail;
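Review bot: In the `@@ -2917,7 +2917,16 @@` hunk, the context comment kept above the new `__copy_from_user()` call still says the PDE present-bit check "covers this access", which no longer matches code that now expects the read may fault. It should be reworded, for example `// The PDE check above should cover this access; read via __copy_from_user() so an unexpected fault crashes the domain, not Xen.` The failure branch calls `domain_crash_synchronous()` directly, whereas the other exits visible in these hunks use `goto fail`. shadow_fault() starts and ends outside the hunk, so it is not visible whether `fail:` releases anything taken earlier; if it does, confirm that bypassing it on this path is safe. The log text would also read better as `"due to an inaccessible linear page table (gpde=%" PRIpte "), va=%lx\n"`.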
@@ -2955,10 +2964,10 @@
 }
 /* User access violation in guest? */
- if ( unlikely((regs->error_code & 4) &&
+ if ( unlikely((regs->error_code & 4) &&
 !(l1e_get_flags(gpte) & _PAGE_USER)))
 {
- SH_VVLOG("shadow_fault - EXIT: wr fault on super page (%" PRIpte ")",
+ SH_VVLOG("shadow_fault - EXIT: wr fault on super page (%" PRIpte ")",
 l1e_get_intpte(gpte));
 goto fail;
@@ -2980,7 +2989,7 @@
 /* Read-protection violation in guest? */
 if ( unlikely((regs->error_code & 1) ))
 {
- SH_VVLOG("shadow_fault - EXIT: read fault on super page (%" PRIpte ")",
+ SH_VVLOG("shadow_fault - EXIT: read fault on super page (%" PRIpte ")",
 l1e_get_intpte(gpte));
 goto fail;
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog