From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Yang, Xiaowei" Subject: [PATCH] Protect Xen against accessing NULL-pointer triggered by Xenoprof Hypercall in dom0 Date: Wed, 21 Jan 2009 12:27:34 +0800 Message-ID: <4976A436.7070704@intel.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------060503040507020105080107" Return-path: List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: "xen-devel@lists.xensource.com" List-Id: xen-devel@lists.xenproject.org This is a multi-part message in MIME format. --------------060503040507020105080107 Content-Type: text/plain; charset=iso-8859-1; format=flowed Content-Transfer-Encoding: 7bit Xenoprof Hypercall in dom0 could trigger Xen accessing NULL-pointer and results in fatal page fault. The patch prevents it. Signed-off-by: Xiaowei Yang Thanks, Xiaowei --------------060503040507020105080107 Content-Type: text/x-patch; name="xenoprof.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="xenoprof.patch"
diff -r 4f6a2bbdff3f xen/common/xenoprof.c
--- a/xen/common/xenoprof.c Tue Jan 13 15:53:47 2009 +0000
+++ b/xen/common/xenoprof.c Tue Jan 13 22:45:27 2009 +0800
@@ -681,6 +681,8 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
 {
 case XENOPROF_init:
 ret = xenoprof_op_init(arg);
+ if ( !ret )
+ xenoprof_state = XENOPROF_INITIALIZED;
 break;
 case XENOPROF_get_buffer:
@@ -693,21 +695,19 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
 break;
 case XENOPROF_reset_active_list:
- {
 reset_active_list();
 ret = 0;
 break;
- }
+
 case XENOPROF_reset_passive_list:
- {
 reset_passive_list();
 ret = 0;
 break;
- }
+
 case XENOPROF_set_active:
 {
 domid_t domid;
- if ( xenoprof_state != XENOPROF_IDLE )
+ if ( xenoprof_state != XENOPROF_INITIALIZED )
 {
 ret = -EPERM;
 break;
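Review bot: The new `xenoprof_state = XENOPROF_INITIALIZED;` after a successful xenoprof_op_init() is applied whatever the current state is, so a second XENOPROF_init issued while the state is COUNTERS_RESERVED, READY or PROFILING would move the state backwards without passing through the teardown that XENOPROF_release_counters performs in a later hunk (xenoprof_arch_release_counters(), xenoprof_arch_disable_virq(), reset_passive_list()). Unless xenoprof_op_init() itself rejects re-initialisation, which is not visible in this hunk, a guard before the call such as `if ( xenoprof_state != XENOPROF_IDLE && xenoprof_state != XENOPROF_INITIALIZED ) { ret = -EPERM; break; }` would keep the state machine monotonic. A one-line comment on the new assignment, e.g. `/* Only INITIALIZED state unlocks set_active/set_passive/reserve_counters. */`, would tie it to the checks changed below. The body of do_xenoprof_op() starts and ends outside this hunk.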
@@ -720,18 +720,18 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
 ret = add_active_list(domid);
 break;
 }
+
 case XENOPROF_set_passive:
- {
- if ( xenoprof_state != XENOPROF_IDLE )
+ if ( xenoprof_state != XENOPROF_INITIALIZED )
 {
 ret = -EPERM;
 break;
 }
 ret = add_passive_list(arg);
 break;
- }
+
 case XENOPROF_reserve_counters:
- if ( xenoprof_state != XENOPROF_IDLE )
+ if ( xenoprof_state != XENOPROF_INITIALIZED )
 {
 ret = -EPERM;
 break;
@@ -748,7 +748,6 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
 ret = -EPERM;
 break;
 }
-
 ret = xenoprof_arch_counter(arg);
 break;
@@ -766,8 +765,14 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
 case XENOPROF_enable_virq:
 {
 int i;
+
 if ( current->domain == xenoprof_primary_profiler )
 {
+ if ( xenoprof_state != XENOPROF_READY )
+ {
+ ret = -EPERM;
+ break;
+ }
 xenoprof_arch_enable_virq();
 xenoprof_reset_stat();
 for ( i = 0; i < pdomains; i++ )
@@ -835,7 +840,7 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
 if ( (xenoprof_state == XENOPROF_COUNTERS_RESERVED) ||
 (xenoprof_state == XENOPROF_READY) )
 {
- xenoprof_state = XENOPROF_IDLE;
+ xenoprof_state = XENOPROF_INITIALIZED;
 xenoprof_arch_release_counters();
 xenoprof_arch_disable_virq();
 reset_passive_list();
@@ -845,7 +850,7 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
 case XENOPROF_shutdown:
 ret = -EPERM;
- if ( xenoprof_state == XENOPROF_IDLE )
+ if ( xenoprof_state == XENOPROF_INITIALIZED )
 {
 activated = 0;
 adomains=0;
diff -r 4f6a2bbdff3f xen/include/xen/xenoprof.h
--- a/xen/include/xen/xenoprof.h Tue Jan 13 15:53:47 2009 +0000
+++ b/xen/include/xen/xenoprof.h Tue Jan 13 22:45:27 2009 +0800
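Review bot: The new `xenoprof_state != XENOPROF_READY` check in XENOPROF_enable_virq sits inside the `current->domain == xenoprof_primary_profiler` branch only; the branch taken by every other domain continues past the end of the hunk and, as far as this hunk shows, still runs with no state check at all. If that path touches per-domain xenoprof state that only exists once the primary profiler has initialised, the NULL dereference the commit message describes may still be reachable from a non-primary domain; hoisting the check above the domain test, or a comment stating why the secondary path is safe without it, would settle the question. A short comment on the check itself would also help, e.g. `/* Enabling the VIRQ is only valid once the profiler has reached XENOPROF_READY. */`.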
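Review bot: XENOPROF_shutdown now requires XENOPROF_INITIALIZED, but the assignment that would return xenoprof_state to XENOPROF_IDLE after teardown, if there is one, lies past the end of this hunk. If shutdown leaves the state at INITIALIZED, XENOPROF_set_active, XENOPROF_set_passive and XENOPROF_reserve_counters (the checks changed in the earlier hunks of this file) pass again after shutdown without a fresh XENOPROF_init, which is the ordering this patch exists to enforce; confirm the branch ends with `xenoprof_state = XENOPROF_IDLE;`. Since XENOPROF_IDLE now means "never initialised" rather than "initialised and idle", any comparison against it elsewhere in xenoprof.c that this diff does not touch should be re-checked as well.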
@@ -19,9 +19,10 @@
 #define XENOPROF_DOMAIN_PASSIVE 2
 #define XENOPROF_IDLE 0
-#define XENOPROF_COUNTERS_RESERVED 1
-#define XENOPROF_READY 2
-#define XENOPROF_PROFILING 3
+#define XENOPROF_INITIALIZED 1
+#define XENOPROF_COUNTERS_RESERVED 2
+#define XENOPROF_READY 3
+#define XENOPROF_PROFILING 4
 #ifndef CONFIG_COMPAT
 typedef struct xenoprof_buf xenoprof_buf_t;
--------------060503040507020105080107 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel --------------060503040507020105080107--
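Review bot: The XENOPROF_* state values are renumbered and a new one inserted without any comment saying what each state means or which hypercalls move between them, even though this patch changes the meaning of XENOPROF_IDLE from "usable" to "not yet initialised". A block comment above the defines would make the ordering self-explanatory: it should say that IDLE is the state before XENOPROF_init, that INITIALIZED is entered when XENOPROF_init succeeds and is the only state in which set_active, set_passive, reserve_counters and shutdown are accepted, that enable_virq requires READY, and that release_counters returns from COUNTERS_RESERVED or READY to INITIALIZED, all of which the xenoprof.c hunks establish. The renumbering is only safe if these values never reach guests or tools; the header lives under xen/include/xen rather than the public headers, which suggests they are hypervisor-internal, but that is worth confirming before the constants shift.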