[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.8] xen/arm: p2m: Don't check the return of p2m_get_root_pointer() with BUG_ON()



commit 4ffb12e4253e9b28eaa21ef367fe6b2a2185ddff
Author:     Julien Grall <julien.grall@xxxxxxx>
AuthorDate: Mon Nov 4 15:28:17 2019 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Nov 4 15:28:17 2019 +0100

    xen/arm: p2m: Don't check the return of p2m_get_root_pointer() with BUG_ON()
    
    It turns out that the BUG_ON() was actually reachable with well-crafted
    hypercalls. The BUG_ON() is here to prevent catch logical error, so
    crashing Xen is a bit over the top.
    
    While all the holes should now be fixed, it would be better to downgrade
    the BUG_ON() to something less fatal to prevent any more DoS.
    
    The BUG_ON() in p2m_get_entry() is now replaced by ASSERT_UNREACHABLE()
    to catch mistake in debug build and return INVALID_MFN for production
    build. The interface also requires to set page_order to give an idea of
    the size of "hole". So 'level' is now set so we report a hole of size of
    the an entry of the root page-table. This stays inline with what happen
    when the GFN is higher than p2m->max_mapped_gfn.
    
    The BUG_ON() in p2m_resolve_translation_fault() is now replaced by
    ASSERT_UNREACHABLE() to catch mistake in debug build and just report a
    fault for producion build.
    
    This is part of XSA-301.
    
    Reported-by: Julien Grall <Julien.Grall@xxxxxxx>
    Signed-off-by: Julien Grall <julien.grall@xxxxxxx>
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
    master commit: 31b4f4ab6634f85163656b470dffc6d974917853
    master date: 2019-10-31 16:19:14 +0100
---
 xen/arch/arm/p2m.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index a460527940..e599b79b2e 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -359,7 +359,12 @@ mfn_t p2m_get_entry(struct p2m_domain *p2m, gfn_t gfn,
      * the table should always be non-NULL because the gfn is below
      * p2m->max_mapped_gfn and the root table pages are always present.
      */
-    BUG_ON(table == NULL);
+    if ( !table )
+    {
+        ASSERT_UNREACHABLE();
+        level = P2M_ROOT_LEVEL;
+        goto out;
+    }
 
     for ( level = P2M_ROOT_LEVEL; level < 3; level++ )
     {
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.8

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.