From patchwork Fri Apr 7 14:00:58 2017
X-Patchwork-Submitter: Andrew Cooper
X-Patchwork-Id: 9669557
From: Andrew Cooper
To: Xen-devel
Date: Fri, 7 Apr 2017 15:00:58 +0100
Message-ID: <1491573658-3243-1-git-send-email-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.1.4
Cc: Andrew Cooper, Jan Beulich
Subject: [Xen-devel] [PATCH v3 for-4.9] x86/emul: Poison the stubs with debug traps

...rather than leaving fragments of old instructions in place. This reduces the
chances of something going further-wrong (as the debug trap will be caught and
terminate the guest) in a cascade-failure where we end up executing the
instruction fragments.

Before:
(XEN) d2v0 exception 6 (ec=0000) in emulation stub (line 6239)
(XEN) d2v0 stub: c4 e1 44 77 c3 80 d0 82 ff ff ff d1 90 ec 90

After:
(XEN) d3v0 exception 6 (ec=0000) in emulation stub (line 6239)
(XEN) d3v0 stub: c4 e1 44 77 c3 cc cc cc cc cc cc cc cc cc cc

To make this work, the int3 handler needs to be extended to attempt recovery
rather than simply returning back to Xen context.

While altering do_int3(), leave an obvious sign if an embedded breakpoint has
been hit and not dealt with by debugging facilities.

(XEN) Hit embedded breakpoint at ffff82d0803d01f6 [extable.c#stub_selftest+0xda/0xee]

Extend the selftests to include int3, and add an extra printk indicating the
start of the recovery selftests, to avoid leaving otherwise-spurious faults
visible in the log.

(XEN) build-id: 55d7e6f420b4f0ce277f776be620f43d7cb8646c
(XEN) Running stub recovery selftests...
(XEN) traps.c:3466: GPF (0000): ffff82d0bffff041 [ffff82d0bffff041] -> ffff82d08035937a
(XEN) traps.c:813: Trap 12: ffff82d0bffff040 [ffff82d0bffff040] -> ffff82d08035937a
(XEN) traps.c:1215: Trap 3: ffff82d0bffff041 [ffff82d0bffff041] -> ffff82d08035937a
(XEN) ACPI sleep modes: S3

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich

v2:
 * Add selftest. Recover from int3.

v3:
 * Leave embedded int3s as non-fatal, but make them obvious.
---
 xen/arch/x86/extable.c     |  4 ++++
 xen/arch/x86/traps.c       | 18 ++++++++++++++++--
 xen/arch/x86/x86_emulate.c |  4 ++--
 3 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/xen/arch/x86/extable.c b/xen/arch/x86/extable.c index 03af2c9..6fffe05 100644 --- a/xen/arch/x86/extable.c +++ b/xen/arch/x86/extable.c @@ -140,10 +140,14 @@ static int __init stub_selftest(void) { .opc = { 0x02, 0x04, 0x04, 0xc3 }, /* add (%rsp,%rax),%al */ .rax = 0xfedcba9876543210, .res.fields.trapnr = TRAP_stack_error }, + { .opc = { 0xcc, 0xc3, 0xc3, 0xc3 }, /* int3 */ + .res.fields.trapnr = TRAP_int3 }, }; unsigned long addr = this_cpu(stubs.addr) + STUB_BUF_SIZE / 2; unsigned int i; + printk("Running stub recovery selftests...\n"); + for ( i = 0; i < ARRAY_SIZE(tests); ++i ) { uint8_t *ptr = map_domain_page(_mfn(this_cpu(stubs.mfn))) + diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 5b9bf21..d69769f 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c
@@ -1206,9 +1206,23 @@ void do_int3(struct cpu_user_regs *regs) if ( !guest_mode(regs) ) { - debugger_trap_fatal(TRAP_int3, regs); + unsigned long fixup; + + if ( (fixup = search_exception_table(regs)) != 0 ) + { + this_cpu(last_extable_addr) = regs->rip; + dprintk(XENLOG_DEBUG, "Trap %u: %p [%ps] -> %p\n", + TRAP_int3, _p(regs->rip), _p(regs->rip), _p(fixup)); + regs->rip = fixup; + return; + } + + if ( !debugger_trap_fatal(TRAP_int3, regs) ) + printk(XENLOG_DEBUG "Hit embedded breakpoint at %p [%ps]\n", + _p(regs->rip), _p(regs->rip)); + return; - } + } do_guest_trap(TRAP_int3, regs); } diff --git a/xen/arch/x86/x86_emulate.c b/xen/arch/x86/x86_emulate.c index 51df340..cc334ca 100644 --- a/xen/arch/x86/x86_emulate.c +++ b/xen/arch/x86/x86_emulate.c @@ -30,8 +30,8 @@ BUILD_BUG_ON(STUB_BUF_SIZE / 2 < MAX_INST_LEN + 1); \ ASSERT(!(stb).ptr); \ (stb).addr = this_cpu(stubs.addr) + STUB_BUF_SIZE / 2; \ - ((stb).ptr = map_domain_page(_mfn(this_cpu(stubs.mfn)))) + \ - ((stb).addr & ~PAGE_MASK); \ + memset(((stb).ptr = map_domain_page(_mfn(this_cpu(stubs.mfn)))) + \ + ((stb).addr & ~PAGE_MASK), 0xcc, STUB_BUF_SIZE / 2); \ }) #define put_stub(stb) ({ \ if ( (stb).ptr ) \
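Review bot: in the extable.c hunk the new `printk("Running stub recovery selftests...\n");` carries no XENLOG_ level, whereas the fault line it is meant to explain (the new `dprintk(XENLOG_DEBUG, "Trap %u: %p [%ps] -> %p\n", ...)` in do_int3()) and the new "Hit embedded breakpoint" message are both at XENLOG_DEBUG; at a console threshold that drops debug messages the banner is printed with nothing following it. Consider `printk(XENLOG_DEBUG "Running stub recovery selftests...\n");` so that the banner and the lines it introduces appear together or not at all.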
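Review bot: in the traps.c hunk, the "Hit embedded breakpoint at %p [%ps]" message prints regs->rip, but #BP is a trap, so the saved RIP already points at the byte after the int3; the address and symbol offset shown are those of the following instruction rather than of the breakpoint itself. Consider `_p(regs->rip - 1)` for the breakpoint opcode, or word the message as "after" the breakpoint. The same post-int3 RIP is what search_exception_table() is matched against here, which differs from the #GP/#SS paths where the saved RIP is the faulting instruction; a one-line comment on the recovery branch would make that intentional.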
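Review bot: in the x86_emulate.c hunk the assignment to (stb).ptr is now nested inside memset()'s first argument across two continuation lines, which makes get_stub() hard to read and easy to mis-edit; consider two statements, `(stb).ptr = map_domain_page(_mfn(this_cpu(stubs.mfn))) + ((stb).addr & ~PAGE_MASK);` followed by `memset((stb).ptr, 0xcc, STUB_BUF_SIZE / 2);`, and add a comment that 0xcc is int3, so that any stale tail bytes trap instead of executing as instruction fragments (the rationale from the commit message, which the macro itself does not state).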
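Added example, not part of this patch or of Xen: a user-space C model of the two mechanisms the commit message describes, the 0xcc poisoning done when a stub is handed out and the exception-table lookup that the int3 handler now performs before treating a breakpoint as embedded. Every name here (get_stub_poisoned, emit_stub, handle_int3_model, struct extable_entry, the 32-byte STUB_BUF_SIZE) is a hypothetical stand-in constructed for the example, not a Xen API or value; the addresses reused from the commit log are only sample inputs.

```c
/* Added example, not Xen code: a user-space model of stub poisoning and of
 * the int3 recovery decision. All names and sizes here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STUB_BUF_SIZE 32      /* constructed size, not Xen's real value */
#define INT3_OPC      0xcc    /* single-byte int3 */

/* Model of get_stub(): hand out the second half of the per-CPU stub buffer,
 * pre-filled with int3 so that no bytes of an earlier stub survive. */
static uint8_t *get_stub_poisoned(uint8_t *page) {
    uint8_t *stub = page + STUB_BUF_SIZE / 2;
    memset(stub, INT3_OPC, STUB_BUF_SIZE / 2);
    return stub;
}

/* Copy an instruction into the stub, append ret (0xc3), return bytes used. */
static size_t emit_stub(uint8_t *stub, const uint8_t *opc, size_t len) {
    memcpy(stub, opc, len);
    stub[len] = 0xc3;
    return len + 1;
}

/* True if every byte after the emitted instruction is still the int3 poison,
 * so a stray jump into the tail can only trap, never run stale fragments. */
static int stub_tail_is_poisoned(const uint8_t *stub, size_t used) {
    for (size_t i = used; i < STUB_BUF_SIZE / 2; i++)
        if (stub[i] != INT3_OPC)
            return 0;
    return 1;
}

/* Hypothetical exception-table entry: [start, end) maps to a fixup address. */
struct extable_entry { uint64_t start, end, fixup; };

static uint64_t search_extable_model(const struct extable_entry *tbl, size_t n,
                                     uint64_t rip) {
    for (size_t i = 0; i < n; i++)
        if (rip >= tbl[i].start && rip < tbl[i].end)
            return tbl[i].fixup;
    return 0;
}

enum int3_outcome { INT3_RECOVERED = 1, INT3_EMBEDDED_BP = 2 };

/* Model of the patched do_int3() path for a trap taken in hypervisor context.
 * #BP is a trap, so *rip on entry already points at the byte after the 0xcc. */
static enum int3_outcome handle_int3_model(const struct extable_entry *tbl,
                                           size_t n, uint64_t *rip) {
    uint64_t fixup = search_extable_model(tbl, n, *rip);
    if (fixup) {
        *rip = fixup;           /* resume at the recovery address */
        return INT3_RECOVERED;
    }
    /* No fixup: an embedded breakpoint. Report it and continue after it
     * (non-fatal, as in v3 of the patch); *rip stays where the trap put it. */
    return INT3_EMBEDDED_BP;
}

/* Scenario 1: stale page contents, then a fresh poisoned stub. Returns 1 if the
 * tail after the new instruction is all 0xcc while the first half, which was
 * never poisoned, still holds its old bytes. */
static int demo_poisoning(void) {
    static const uint8_t add_insn[] = { 0x02, 0x04, 0x04 }; /* add (%rsp,%rax),%al */
    uint8_t page[STUB_BUF_SIZE];
    uint8_t *stub;
    size_t used;
    memset(page, 0x90, sizeof page);        /* constructed "old" contents: nops */
    stub = get_stub_poisoned(page);
    used = emit_stub(stub, add_insn, sizeof add_insn);
    return used == 4 && stub_tail_is_poisoned(stub, used)
        && !stub_tail_is_poisoned(page, 0);
}

/* Scenario 2: an int3 inside the stub buffer recovers via the table; one in
 * ordinary hypervisor text is reported as embedded. Returns 1 on success. */
static int demo_recovery(void) {
    const uint64_t stub_base = 0xffff82d0bffff040ull;  /* sample from the commit log */
    const uint64_t fixup     = 0xffff82d08035937aull;  /* sample from the commit log */
    const uint64_t text_bp   = 0xffff82d0803d01f6ull;  /* sample from the commit log */
    const struct extable_entry tbl[] = {
        { stub_base, stub_base + STUB_BUF_SIZE / 2, fixup },
    };
    uint64_t rip;

    rip = stub_base + 1;    /* int3 at stub_base leaves RIP one byte past it */
    if (handle_int3_model(tbl, 1, &rip) != INT3_RECOVERED || rip != fixup)
        return 0;

    rip = text_bp;          /* logged value is already the post-int3 RIP; no entry */
    if (handle_int3_model(tbl, 1, &rip) != INT3_EMBEDDED_BP || rip != text_bp)
        return 0;
    return 1;
}
```

The model keeps the ordering of the traps.c hunk: the table is consulted first, and only a miss is treated as an embedded breakpoint. It omits the debugger_trap_fatal() call the real miss path makes before printing, and it does not execute anything; the point is that a poisoned tail and a covering table entry together turn a stray jump into a recoverable, logged trap.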