
[Xen-changelog] [xen-unstable] waitqueue: Detect saved-stack overflow and crash the guest.



# HG changeset patch
# User Keir Fraser <keir@xxxxxxx>
# Date 1322149690 0
# Node ID 9b65336f688f3b6b15ae11d74cebf88cd41ad19d
# Parent  8e05b21ee6448ce56e4e56201472e87074344fa6
waitqueue: Detect saved-stack overflow and crash the guest.

Signed-off-by: Keir Fraser <keir@xxxxxxx>
---


diff -r 8e05b21ee644 -r 9b65336f688f xen/common/wait.c
--- a/xen/common/wait.c Thu Nov 24 15:45:19 2011 +0000
+++ b/xen/common/wait.c Thu Nov 24 15:48:10 2011 +0000
@@ -106,13 +106,16 @@
 static void __prepare_to_wait(struct waitqueue_vcpu *wqv)
 {
     char *cpu_info = (char *)get_cpu_info();
+
     asm volatile (
 #ifdef CONFIG_X86_64
         "push %%rax; push %%rbx; push %%rcx; push %%rdx; push %%rdi; "
         "push %%rbp; push %%r8; push %%r9; push %%r10; push %%r11; "
         "push %%r12; push %%r13; push %%r14; push %%r15; call 1f; "
         "1: mov 80(%%rsp),%%rdi; mov 96(%%rsp),%%rcx; mov %%rsp,%%rsi; "
-        "sub %%rsi,%%rcx; rep movsb; mov %%rsp,%%rsi; pop %%rax; "
+        "sub %%rsi,%%rcx; cmp %3,%%rcx; jbe 2f; "
+        "xor %%esi,%%esi; jmp 3f; "
+        "2: rep movsb; mov %%rsp,%%rsi; 3: pop %%rax; "
         "pop %%r15; pop %%r14; pop %%r13; pop %%r12; "
         "pop %%r11; pop %%r10; pop %%r9; pop %%r8; "
         "pop %%rbp; pop %%rdi; pop %%rdx; pop %%rcx; pop %%rbx; pop %%rax"
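Review bot: The overflow path is signalled out of band — `xor %%esi,%%esi; jmp 3f` leaves the "=S" output (wqv->esp, declared in the next hunk) at 0 while skipping `rep movsb` — but nothing near the asm says so, and a reader following labels 1/2/3 only sees a copy being bypassed. The preceding `mov 96(%%rsp),%%rcx; mov %%rsp,%%rsi; sub %%rsi,%%rcx` makes rcx the byte count between rsp and cpu_info, so `cmp %3,%%rcx; jbe 2f` is the right unsigned test: a wrapped count from an rsp above cpu_info also fails, and the test now runs before the copy rather than after it as the removed BUG_ON did. I would put this above `asm volatile (`, in the blank line the hunk adds: `/* Save [rsp, cpu_info) into wqv->stack. If that span exceeds PAGE_SIZE nothing is copied and wqv->esp is set to 0 (xor %esi) so the caller can crash the guest; the cmp/jbe is unsigned, so an rsp above cpu_info also fails. */`. The 32-bit block in the following hunk makes the identical change and is covered by the same comment; __prepare_to_wait continues past the end of this hunk.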
@@ -120,13 +123,20 @@
         "push %%eax; push %%ebx; push %%ecx; push %%edx; push %%edi; "
         "push %%ebp; call 1f; "
         "1: mov 8(%%esp),%%edi; mov 16(%%esp),%%ecx; mov %%esp,%%esi; "
-        "sub %%esi,%%ecx; rep movsb; mov %%esp,%%esi; pop %%eax; "
+        "sub %%esi,%%ecx; cmp %3,%%ecx; jbe 2f; "
+        "xor %%esi,%%esi; jmp 3f; "
+        "2: rep movsb; mov %%esp,%%esi; 3: pop %%eax; "
         "pop %%ebp; pop %%edi; pop %%edx; pop %%ecx; pop %%ebx; pop %%eax"
 #endif
         : "=S" (wqv->esp)
-        : "c" (cpu_info), "D" (wqv->stack)
+        : "c" (cpu_info), "D" (wqv->stack), "i" (PAGE_SIZE)
         : "memory" );
-    BUG_ON((cpu_info - (char *)wqv->esp) > PAGE_SIZE);
+
+    if ( unlikely(wqv->esp == 0) )
+    {
+        gdprintk(XENLOG_ERR, "Stack too large in %s\n", __FUNCTION__);
+        domain_crash_synchronous();
+    }
 }
 
 static void __finish_wait(struct waitqueue_vcpu *wqv)
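Review bot: The zero-esp convention that `if ( unlikely(wqv->esp == 0) )` relies on is established only inside the asm string, so the C check reads as a null test rather than as the overflow signal; a one-line comment on the check, `/* esp == 0: the asm found more than PAGE_SIZE bytes of live stack and copied nothing. */`, keeps the two halves from drifting apart if either is edited. The `jbe` bound admits a span of exactly PAGE_SIZE bytes, which presumably matches the size of wqv->stack (the removed `BUG_ON` used the same limit) — worth confirming against the buffer's declaration, which is outside this hunk. As a style point, `__func__` is the C99 spelling of `__FUNCTION__` in the gdprintk call.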
@@ -162,6 +172,7 @@
     struct vcpu *curr = current;
     struct waitqueue_vcpu *wqv = curr->waitqueue_vcpu;
 
+    ASSERT(!in_atomic());
     ASSERT(list_empty(&wqv->list));
 
     spin_lock(&wq->lock);
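Review bot: `ASSERT(!in_atomic())` only catches a wait entered from atomic context in debug builds, assuming ASSERT compiles out when debugging is disabled as elsewhere in Xen; in a release hypervisor the call would still proceed to `spin_lock(&wq->lock)` and schedule away. Since this is already the slow path, `BUG_ON(in_atomic());` would cost nothing and also catch it in production, unless the intent is to keep release builds lenient here. The enclosing function starts before this hunk.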
