[Xen-changelog] [xen-unstable] hvm: Inject #UD for un-emulated instructions rather than crash guest

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] hvm: Inject #UD for un-emulated instructions rather than crash guest
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 28 Nov 2007 17:20:10 -0800
Delivery-date: Wed, 28 Nov 2007 17:20:35 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1196255087 0
# Node ID c76a9aa12d2e37ed5c6c2a3562c755ec3828af8a
# Parent  bb31c9325d5f86629de342a6515c6f28b92cf782
hvm: Inject #UD for un-emulated instructions rather than crash guest

The CrashMe stress test (a process repeatedly forks child processes, and
the child processes initialize a buffer with random numbers, then treat
the buffer as code, and execute it) can crash 32-bit HVM RHEL5.1 guest
easily; this is because we haven't emulated all the instructions in
handle_mmio() yet.

The CrashMe process runs with root rights, and can access MMIO space in
an unknown way ("strace -f" shows the random codes running at CPL=3
don't call mmap(), and don't open any special files in /dev/"); the gpa
may look like 0xa**** or 0xb****, or 0xfee0****.

Signed-off-by: Dexuan Cui <dexuan.cui@xxxxxxxxx>
Signed-off-by: Keir Fraser <keir.fraser@xxxxxxxxxx>
---
 xen/arch/x86/hvm/platform.c |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diff -r bb31c9325d5f -r c76a9aa12d2e xen/arch/x86/hvm/platform.c
--- a/xen/arch/x86/hvm/platform.c       Wed Nov 28 12:50:24 2007 +0000
+++ b/xen/arch/x86/hvm/platform.c       Wed Nov 28 13:04:47 2007 +0000
@@ -1051,13 +1051,18 @@ void handle_mmio(unsigned long gpa)
     }
 
     if ( mmio_decode(address_bytes, inst, mmio_op, &ad_size,
-                     &op_size, &seg_sel) == DECODE_failure ) {
-        printk("handle_mmio: failed to decode instruction\n");
-        printk("mmio opcode: gpa 0x%lx, len %d:", gpa, inst_len);
+                     &op_size, &seg_sel) == DECODE_failure )
+    {
+        gdprintk(XENLOG_WARNING,
+                 "handle_mmio: failed to decode instruction\n");
+        gdprintk(XENLOG_WARNING,
+                 "mmio opcode: gpa 0x%lx, len %d:", gpa, inst_len);
         for ( i = 0; i < inst_len; i++ )
             printk(" %02x", inst[i] & 0xFF);
         printk("\n");
-        domain_crash_synchronous();
+
+        hvm_inject_exception(TRAP_invalid_op, HVM_DELIVER_NO_ERROR_CODE, 0);
+        return;
     }
 
     regs->eip += inst_len; /* advance %eip */
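Review bot: the decode-failure path now mixes two loggers: the two header lines go through gdprintk(XENLOG_WARNING), but the byte dump loop and its trailing newline still use plain printk(" %02x", ...) / printk("\n"), so the opcode bytes are emitted unconditionally and without the domain/vcpu prefix that gdprintk adds, and can interleave with other output. Switching the loop and the final newline to the same gdprintk level would keep the record consistent. Two further points worth a comment in the code: injecting TRAP_invalid_op here conflates "opcode the MMIO emulator does not handle" with "architecturally invalid opcode", so a guest executing a valid but un-emulated instruction will see #UD rather than the instruction's real behaviour; and since this path is now reachable repeatedly from a guest process (the CrashMe case in the description), the per-failure warning and byte dump should be rate limited to avoid flooding the hypervisor log. The early return before `regs->eip += inst_len` is correct, as #UD must report the faulting instruction's own address.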
