From patchwork Tue May 2 15:21:47 2017
X-Patchwork-Submitter: Razvan Cojocaru
X-Patchwork-Id: 9708245
From: Razvan Cojocaru
To: xen-devel@lists.xen.org
Cc: sstabellini@kernel.org, wei.liu2@citrix.com, Razvan Cojocaru, George.Dunlap@eu.citrix.com, andrew.cooper3@citrix.com, ian.jackson@eu.citrix.com, tim@xen.org, jbeulich@suse.com
Date: Tue, 2 May 2017 18:21:47 +0300
Message-Id: <1493738507-23431-1-git-send-email-rcojocaru@bitdefender.com>
Subject: [Xen-devel] [PATCH V2] xen/hvm: fix hypervisor crash with hvm_save_one()

hvm_save_cpu_ctxt() returns success without writing any data into hvm_domain_context_t when all VCPUs are offline. This can then crash the hypervisor (with FATAL PAGE FAULT) in hvm_save_one() via the "off < (ctxt.cur - sizeof(*desc))" for() test, where ctxt.cur remains 0, causing an underflow which leads the hypervisor to go off the end of the ctxt buffer. This has been broken since Xen 4.4 (c/s e019c606f59).
It has happened in practice with an HVM Linux VM (Debian 8) queried around shutdown:

(XEN) hvm.c:1595:d3v0 All CPUs offline -- powering off.
(XEN) ----[ Xen-4.9-rc x86_64 debug=y Not tainted ]----
(XEN) CPU: 5
(XEN) RIP: e008:[] hvm_save_one+0x145/0x1fd
(XEN) RFLAGS: 0000000000010286 CONTEXT: hypervisor (d0v2)
(XEN) rax: ffff830492cbb445 rbx: 0000000000000000 rcx: ffff83039343b400
(XEN) rdx: 00000000ff88004d rsi: fffffffffffffff8 rdi: 0000000000000000
(XEN) rbp: ffff8304103e7c88 rsp: ffff8304103e7c48 r8: 0000000000000001
(XEN) r9: deadbeefdeadf00d r10: 0000000000000000 r11: 0000000000000282
(XEN) r12: 00007f43a3b14004 r13: 00000000fffffffe r14: 0000000000000000
(XEN) r15: ffff830400c41000 cr0: 0000000080050033 cr4: 00000000001526e0
(XEN) cr3: 0000000402e13000 cr2: ffff830492cbb447
(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e010 cs: e008
(XEN) Xen code around (hvm_save_one+0x145/0x1fd):
(XEN) 00 00 48 01 c8 83 c2 08 <66> 39 58 02 75 64 eb 08 48 89 c8 ba 08 00 00 00
(XEN) Xen stack trace from rsp=ffff8304103e7c48:
(XEN) 0000041000000000 ffff83039343b400 ffff8304103e7c70 ffff8304103e7da8
(XEN) ffff830400c41000 00007f43a3b13004 ffff8304103b7000 ffffffffffffffea
(XEN) ffff8304103e7d48 ffff82d0802683d4 ffff8300d19fd000 ffff82d0802320d8
(XEN) ffff830400c41000 0000000000000000 ffff8304103e7cd8 ffff82d08026ff3d
(XEN) 0000000000000000 ffff8300d19fd000 ffff8304103e7cf8 ffff82d080232142
(XEN) 0000000000000000 ffff8300d19fd000 ffff8304103e7d28 ffff82d080207051
(XEN) ffff8304103e7d18 ffff830400c41000 0000000000000202 ffff830400c41000
(XEN) 0000000000000000 00007f43a3b13004 0000000000000000 deadbeefdeadf00d
(XEN) ffff8304103e7e68 ffff82d080206c47 0700000000000000 ffff830410375bd0
(XEN) 0000000000000296 ffff830410375c78 ffff830410375c80 0000000000000003
(XEN) ffff8304103e7e68 ffff8304103b67c0 ffff8304103b7000 ffff8304103b67c0
(XEN) 0000000d00000037 0000000000000003 0000000000000002 00007f43a3b14004
(XEN) 00007ffd5d925590 0000000000000000 0000000100000000 0000000000000000
(XEN) 00000000ea8f8000 0000000000000000 00007ffd00000000 0000000000000000
(XEN) 00007f43a276f557 0000000000000000 00000000ea8f8000 0000000000000000
(XEN) 00007ffd5d9255e0 00007f43a23280b2 00007ffd5d926058 ffff8304103e7f18
(XEN) ffff8300d19fe000 0000000000000024 ffff82d0802053e5 deadbeefdeadf00d
(XEN) ffff8304103e7f08 ffff82d080351565 010000003fffffff 00007f43a3b13004
(XEN) deadbeefdeadf00d deadbeefdeadf00d deadbeefdeadf00d deadbeefdeadf00d
(XEN) ffff8800781425c0 ffff88007ce94300 ffff8304103e7ed8 ffff82d0802719ec
(XEN) Xen call trace:
(XEN) [] hvm_save_one+0x145/0x1fd
(XEN) [] arch_do_domctl+0xa7a/0x259f
(XEN) [] do_domctl+0x1862/0x1b7b
(XEN) [] pv_hypercall+0x1ef/0x42c
(XEN) [] entry.o#test_all_events+0/0x30
(XEN)
(XEN) Pagetable walk from ffff830492cbb447:
(XEN) L4[0x106] = 00000000dbc36063 ffffffffffffffff
(XEN) L3[0x012] = 0000000000000000 ffffffffffffffff
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 5:
(XEN) FATAL PAGE FAULT
(XEN) [error_code=0000]
(XEN) Faulting linear address: ffff830492cbb447
(XEN) ****************************************

Reported-by: Razvan Cojocaru
Signed-off-by: Andrew Cooper
Signed-off-by: Razvan Cojocaru
Tested-by: Razvan Cojocaru
Reviewed-by: Jan Beulich
Acked-by: Tim Deegan

---
Changes since V1:
- Corrected patch description.
- Now checking whether the function got back any data at all, prior to entering the for() loop.
---
 xen/common/hvm/save.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xen/common/hvm/save.c b/xen/common/hvm/save.c
index 78706f5..3bdd124 100644
--- a/xen/common/hvm/save.c
+++ b/xen/common/hvm/save.c
@@ -113,6 +113,9 @@ int hvm_save_one(struct domain *d, uint16_t typecode, uint16_t instance, const struct hvm_save_descriptor *desc; rv = -ENOENT; + if ( ctxt.cur < sizeof(*desc) ) + goto out; + for ( off = 0; off < (ctxt.cur - sizeof(*desc)); off += desc->length ) { desc = (void *)(ctxt.data + off);
@@ -132,6 +135,7 @@ int hvm_save_one(struct domain *d, uint16_t typecode, uint16_t instance, } } + out: xfree(ctxt.data); return rv; }
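Review bot: in the first hunk, the new `if ( ctxt.cur < sizeof(*desc) ) goto out;` guard stops the unsigned wrap of the loop bound that the description explains, but nothing at the site records why a context smaller than one descriptor is possible, and a reader seeing `rv = -ENOENT` immediately above may not realise the early exit deliberately reports "not found" for the no-data case. Suggest a short comment above the check, along the lines of `/* A save handler may legitimately write nothing (e.g. all VCPUs offline); an empty context must not reach the loop, whose bound would underflow. */`, so the reason survives outside the commit message. The loop itself still advances by `desc->length` taken from the buffer; that is unchanged by this patch, but the new check only guarantees the first descriptor header fits, so the per-descriptor handling elided from the hunk is where any length validation has to live.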
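Review bot: in the second hunk, the added `out:` label lands directly on the unconditional `xfree(ctxt.data)`, so the early exit introduced in the first hunk frees the buffer and returns the `rv = -ENOENT` set just before the check; that is only correct if `ctxt.data` is already allocated (or NULL-safe to free) at the point of the new check, which the surrounding context implies, since the loop dereferences `ctxt.data + off` right after, but the hunk itself does not show. Worth a glance at the allocation site above the hunk when applying. The single-space label indentation matches the file's existing style; no change needed there.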
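As an added illustration of the failure described in the commit message (constructed example code, not Xen's save.c and not the author's patch): a minimal model of a descriptor walk over a save context, where `cur` is the number of bytes the save handler actually wrote. `unguarded_bound()` shows the unsigned wrap the pre-fix loop condition suffers when `cur` is 0, and `find_instance()` applies the patch's "is there at least one descriptor" check together with a walk whose bound cannot wrap and whose payload lengths are checked against the buffer. The `save_desc` and `save_ctxt` structures, `build_sample()` and the sample descriptors are assumptions made up for this example and do not mirror Xen's real `hvm_save_descriptor` layout or the exact shape of `hvm_save_one()`.

```c
/*
 * Constructed model of a save-context descriptor walk.  Not Xen code:
 * structure names, field layout and the sample data are invented here
 * to show the unsigned-underflow failure mode and a hardened walk.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed descriptor header: typecode/instance/length, payload follows. */
struct save_desc {
    uint16_t typecode;
    uint16_t instance;
    uint32_t length;      /* payload bytes following this header */
};

/* Assumed context: a buffer plus the number of bytes a handler wrote. */
struct save_ctxt {
    uint8_t *data;
    size_t   cur;
};

/* The pre-fix loop bound "cur - sizeof(desc)".  With cur == 0 (a handler
 * that wrote nothing) the size_t subtraction wraps to a huge value, so an
 * "off < bound" test stays true far past the end of the buffer. */
size_t unguarded_bound(size_t cur)
{
    return cur - sizeof(struct save_desc);
}

/* Hardened lookup.  Returns the payload offset of the matching descriptor,
 * -ENOENT when not found or when the handler produced no data, and -EINVAL
 * when a descriptor's length would run past the bytes actually written. */
long find_instance(const struct save_ctxt *ctxt, uint16_t typecode,
                   uint16_t instance)
{
    size_t off = 0;

    /* The patch's guard: an empty or too-short context never reaches
     * the loop, so the bound below cannot underflow. */
    if (ctxt->cur < sizeof(struct save_desc))
        return -ENOENT;

    /* Written as "bytes remaining >= header" so it holds for any
     * off <= cur, which the length check below maintains. */
    while (ctxt->cur - off >= sizeof(struct save_desc)) {
        struct save_desc desc;

        memcpy(&desc, ctxt->data + off, sizeof(desc));
        off += sizeof(desc);
        if (desc.length > ctxt->cur - off)
            return -EINVAL;          /* payload would overrun the buffer */
        if (desc.typecode == typecode && desc.instance == instance)
            return (long)off;        /* offset of the matching payload */
        off += desc.length;
    }
    return -ENOENT;
}

/* Constructed sample: two instances of typecode 2.  Returns bytes used
 * (22: two 8-byte headers plus 4 + 2 payload bytes), or 0 if cap is small. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    struct save_desc d0 = { .typecode = 2, .instance = 0, .length = 4 };
    struct save_desc d1 = { .typecode = 2, .instance = 1, .length = 2 };
    size_t off = 0;

    if (cap < 2 * sizeof(d0) + 6)
        return 0;
    memcpy(buf + off, &d0, sizeof(d0)); off += sizeof(d0);
    memcpy(buf + off, "aaaa", 4);       off += 4;
    memcpy(buf + off, &d1, sizeof(d1)); off += sizeof(d1);
    memcpy(buf + off, "bb", 2);         off += 2;
    return off;
}

int main(void)
{
    uint8_t buf[64];
    struct save_ctxt ctxt  = { .data = buf, .cur = build_sample(buf, sizeof(buf)) };
    struct save_ctxt empty = { .data = buf, .cur = 0 };

    printf("pre-fix bound with cur=0: %zu (wrapped)\n", unguarded_bound(0));
    printf("instance 1 payload at offset %ld\n", find_instance(&ctxt, 2, 1));
    printf("empty context -> %ld (-ENOENT is %d)\n",
           find_instance(&empty, 2, 0), -ENOENT);
    return 0;
}
```

The two checks are deliberately separate: the early `cur < sizeof(desc)` test is the patch's fix and covers any handler that wrote nothing, while the "remaining bytes" loop bound and the per-descriptor length check protect the walk from malformed or truncated contents that the first check alone cannot see.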