* [PATCH] Protect Xen against accessing NULL-pointer triggered by Xenoprof Hypercall in dom0
From: Yang, Xiaowei @ 2009-01-21 4:27 UTC
To: xen-devel@lists.xensource.com
A Xenoprof hypercall from dom0 could trigger Xen accessing a NULL pointer and
result in a fatal page fault. The patch prevents it.
Signed-off-by: Xiaowei Yang <xiaowei.yang@intel.com>
Thanks,
Xiaowei
diff -r 4f6a2bbdff3f xen/common/xenoprof.c
--- a/xen/common/xenoprof.c Tue Jan 13 15:53:47 2009 +0000
+++ b/xen/common/xenoprof.c Tue Jan 13 22:45:27 2009 +0800
@@ -681,6 +681,8 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
{
case XENOPROF_init:
ret = xenoprof_op_init(arg);
+ if ( !ret )
+ xenoprof_state = XENOPROF_INITIALIZED;
break;
case XENOPROF_get_buffer:
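Review bot: the new `if ( !ret ) xenoprof_state = XENOPROF_INITIALIZED;` is not guarded by the current state, so a second XENOPROF_init issued while the state is XENOPROF_COUNTERS_RESERVED or later silently drops the state back to INITIALIZED with counters still reserved; consider returning -EPERM from this case unless xenoprof_state is XENOPROF_IDLE (or INITIALIZED, if re-init is meant to be allowed). The fix also relies on xenoprof_op_init() returning non-zero whenever it leaves the arch pointers unassigned, which the commit message should state.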
@@ -693,21 +695,19 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
break;
case XENOPROF_reset_active_list:
- {
reset_active_list();
ret = 0;
break;
- }
+
case XENOPROF_reset_passive_list:
- {
reset_passive_list();
ret = 0;
break;
- }
+
case XENOPROF_set_active:
{
domid_t domid;
- if ( xenoprof_state != XENOPROF_IDLE )
+ if ( xenoprof_state != XENOPROF_INITIALIZED )
{
ret = -EPERM;
break;
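Review bot: the brace removal around the XENOPROF_reset_active_list and XENOPROF_reset_passive_list cases and the added blank lines are cosmetic and unrelated to the NULL-pointer fix; split them into a separate cleanup patch so the state-machine change stays minimal. Both reset cases also remain reachable in any state, unlike XENOPROF_set_active which now requires XENOPROF_INITIALIZED; if that asymmetry is intended, a short comment would help.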
@@ -720,18 +720,18 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
ret = add_active_list(domid);
break;
}
+
case XENOPROF_set_passive:
- {
- if ( xenoprof_state != XENOPROF_IDLE )
+ if ( xenoprof_state != XENOPROF_INITIALIZED )
{
ret = -EPERM;
break;
}
ret = add_passive_list(arg);
break;
- }
+
case XENOPROF_reserve_counters:
- if ( xenoprof_state != XENOPROF_IDLE )
+ if ( xenoprof_state != XENOPROF_INITIALIZED )
{
ret = -EPERM;
break;
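Review bot: this hunk is the one that closes the reported hole, since XENOPROF_reserve_counters now returns -EPERM unless a XENOPROF_init call has succeeded; the commit message should say so explicitly rather than only "prevents it". It should also mention that XENOPROF_set_passive now requires XENOPROF_INITIALIZED instead of XENOPROF_IDLE, which is a visible behaviour change for dom0 tools that used to call it before XENOPROF_init.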
@@ -748,7 +748,6 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
ret = -EPERM;
break;
}
-
ret = xenoprof_arch_counter(arg);
break;
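Review bot: the removed blank line before `ret = xenoprof_arch_counter(arg);` is a whitespace-only change with no bearing on the fix; drop it from this patch.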
@@ -766,8 +765,14 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
case XENOPROF_enable_virq:
{
int i;
+
if ( current->domain == xenoprof_primary_profiler )
{
+ if ( xenoprof_state != XENOPROF_READY )
+ {
+ ret = -EPERM;
+ break;
+ }
xenoprof_arch_enable_virq();
xenoprof_reset_stat();
for ( i = 0; i < pdomains; i++ )
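Review bot: the new `xenoprof_state != XENOPROF_READY` check sits inside `if ( current->domain == xenoprof_primary_profiler )`, so only the primary profiler is gated; if a secondary profiler enabling its VIRQ should likewise be refused until the state is READY, move the check ahead of the domain test, and if not, say why in a comment.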
@@ -835,7 +840,7 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
if ( (xenoprof_state == XENOPROF_COUNTERS_RESERVED) ||
(xenoprof_state == XENOPROF_READY) )
{
- xenoprof_state = XENOPROF_IDLE;
+ xenoprof_state = XENOPROF_INITIALIZED;
xenoprof_arch_release_counters();
xenoprof_arch_disable_virq();
reset_passive_list();
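Review bot: the condition still covers only XENOPROF_COUNTERS_RESERVED and XENOPROF_READY, so a disable issued while in XENOPROF_PROFILING does not take this branch and would not return the state to INITIALIZED; confirm that the PROFILING case is handled elsewhere, otherwise the state machine cannot get back to INITIALIZED once profiling has started.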
@@ -845,7 +850,7 @@ int do_xenoprof_op(int op, XEN_GUEST_HAN
case XENOPROF_shutdown:
ret = -EPERM;
- if ( xenoprof_state == XENOPROF_IDLE )
+ if ( xenoprof_state == XENOPROF_INITIALIZED )
{
activated = 0;
adomains=0;
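Review bot: XENOPROF_shutdown is now accepted only from XENOPROF_INITIALIZED, so after a XENOPROF_init that failed (state still IDLE) dom0 cannot shut down at all; that is harmless only if a failed init leaves nothing to release, which is worth a sentence in the commit message. Also confirm the remainder of this case resets xenoprof_state to XENOPROF_IDLE, so that a fresh, successful XENOPROF_init is required before counters can be reserved again.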
diff -r 4f6a2bbdff3f xen/include/xen/xenoprof.h
--- a/xen/include/xen/xenoprof.h Tue Jan 13 15:53:47 2009 +0000
+++ b/xen/include/xen/xenoprof.h Tue Jan 13 22:45:27 2009 +0800
@@ -19,9 +19,10 @@
#define XENOPROF_DOMAIN_PASSIVE 2
#define XENOPROF_IDLE 0
-#define XENOPROF_COUNTERS_RESERVED 1
-#define XENOPROF_READY 2
-#define XENOPROF_PROFILING 3
+#define XENOPROF_INITIALIZED 1
+#define XENOPROF_COUNTERS_RESERVED 2
+#define XENOPROF_READY 3
+#define XENOPROF_PROFILING 4
#ifndef CONFIG_COMPAT
typedef struct xenoprof_buf xenoprof_buf_t;
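Review bot: renumbering XENOPROF_COUNTERS_RESERVED, XENOPROF_READY and XENOPROF_PROFILING changes their values; they look hypervisor-internal, but if any tool or trace consumer ever sees them numerically this is an ABI change and deserves a line in the commit message. A one-line comment next to the definitions describing the transitions (IDLE -> INITIALIZED on successful init, then COUNTERS_RESERVED -> READY -> PROFILING, and back to INITIALIZED on disable) would document what IDLE now means.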
* RE: [PATCH] Protect Xen against accessing NULL-pointer triggered by Xenoprof Hypercall in dom0
From: Santos, Jose Renato G @ 2009-01-21 16:33 UTC
To: Yang, Xiaowei, xen-devel@lists.xensource.com
Xiaowei,
Could you please clarify what the NULL pointer problem is that you want to prevent with this patch?
Thanks
Renato
> -----Original Message-----
> From: xen-devel-bounces@lists.xensource.com
> [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of
> Yang, Xiaowei
> Sent: Tuesday, January 20, 2009 8:28 PM
> To: xen-devel@lists.xensource.com
> Subject: [Xen-devel] [PATCH] Protect Xen against accessing
> NULL-pointer triggered by Xenoprof Hypercall in dom0
>
> A Xenoprof hypercall from dom0 could trigger Xen accessing a
> NULL pointer and result in a fatal page fault. The patch prevents it.
>
> Signed-off-by: Xiaowei Yang <xiaowei.yang@intel.com>
>
> Thanks,
> Xiaowei
>
>
* Re: [PATCH] Protect Xen against accessing NULL-pointer triggered by Xenoprof Hypercall in dom0
From: Yang, Xiaowei @ 2009-01-22 0:50 UTC
To: Santos, Jose Renato G; +Cc: xen-devel@lists.xensource.com
Santos, Jose Renato G wrote:
> Xiaowei,
>
> Could you please clarify what the NULL pointer problem is that you want to prevent with this patch?
> Thanks
>
Oh, let me give more details. For late-coming CPUs that Xenoprof doesn't
support yet, the pointers cpu_type and model could be unassigned at init
time and remain NULL. However, almost all Xenoprof internal functions
don't check them before use. If the hypercall handler doesn't take care
of it, dom0 could exploit it (e.g. XENOPROF_reserve_counters) to trigger a
Xen NULL-pointer access.
Thanks,
Xiaowei
> Renato
>
>> -----Original Message-----
>> From: xen-devel-bounces@lists.xensource.com
>> [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of
>> Yang, Xiaowei
>> Sent: Tuesday, January 20, 2009 8:28 PM
>> To: xen-devel@lists.xensource.com
>> Subject: [Xen-devel] [PATCH] Protect Xen against accessing
>> NULL-pointer triggered by Xenoprof Hypercall in dom0
>>
>> A Xenoprof hypercall from dom0 could trigger Xen accessing a
>> NULL pointer and result in a fatal page fault. The patch prevents it.
>>
>> Signed-off-by: Xiaowei Yang <xiaowei.yang@intel.com>
>>
>> Thanks,
>> Xiaowei
>>
>>
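The gating Xiaowei describes, as an added example that is not Xen's code and not part of this thread: a reduced C model of do_xenoprof_op() in which an unsupported CPU leaves `model` NULL and XENOPROF_reserve_counters is refused with -EPERM until a successful XENOPROF_init has moved the state to XENOPROF_INITIALIZED. The op numbers, `struct op_model` and the arch stand-ins are constructed assumptions.

```c
/* Added example, not Xen's code: a reduced model of the state gating the patch
 * adds to do_xenoprof_op(). Op numbers and the arch stand-ins are constructed. */
#include <errno.h>
#include <stddef.h>

#define XENOPROF_IDLE              0
#define XENOPROF_INITIALIZED       1
#define XENOPROF_COUNTERS_RESERVED 2
enum { XENOPROF_init, XENOPROF_reserve_counters };

struct op_model { int num_counters; };
static const struct op_model supported_model = { 4 };
static const struct op_model *model;      /* left NULL for CPUs Xenoprof lacks */
static int xenoprof_state = XENOPROF_IDLE;

/* Stand-in for xenoprof_op_init(): arg 1 = supported CPU, 0 = unsupported. */
static int xenoprof_op_init(int cpu_supported)
{
    model = cpu_supported ? &supported_model : NULL;
    return model ? 0 : -ENODEV;
}
/* Like the real arch helpers, trusts 'model' with no NULL check of its own. */
static int xenoprof_arch_reserve_counters(void)
{
    return model->num_counters > 0 ? 0 : -EINVAL;
}

int do_xenoprof_op(int op, int arg)
{
    int ret = -ENOSYS;
    switch ( op )
    {
    case XENOPROF_init:
        ret = xenoprof_op_init(arg);
        if ( !ret )                    /* only a successful init unlocks later ops */
            xenoprof_state = XENOPROF_INITIALIZED;
        break;
    case XENOPROF_reserve_counters:
        if ( xenoprof_state != XENOPROF_INITIALIZED )
        {
            ret = -EPERM;              /* refused before 'model' is dereferenced */
            break;
        }
        ret = xenoprof_arch_reserve_counters();
        if ( !ret )
            xenoprof_state = XENOPROF_COUNTERS_RESERVED;
        break;
    }
    return ret;
}
int xenoprof_current_state(void) { return xenoprof_state; }
```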
* RE: [PATCH] Protect Xen against accessing NULL-pointer triggered by Xenoprof Hypercall in dom0
From: Santos, Jose Renato G @ 2009-01-22 18:22 UTC
To: Yang, Xiaowei; +Cc: xen-devel@lists.xensource.com
Thanks, Xiaowei.
Yes, that makes sense.
I guess it is good to prevent dom0 misbehavior from crashing the system.
The patch looks good to me.
Thanks
Renato
> -----Original Message-----
> From: Yang, Xiaowei [mailto:xiaowei.yang@intel.com]
> Sent: Wednesday, January 21, 2009 4:50 PM
> To: Santos, Jose Renato G
> Cc: xen-devel@lists.xensource.com
> Subject: Re: [Xen-devel] [PATCH] Protect Xen against
> accessing NULL-pointer triggered by Xenoprof Hypercall in dom0
>
> Santos, Jose Renato G wrote:
> > Xiaowei,
> >
> > Could you please clarify what the NULL pointer problem is
> > that you want to prevent with this patch?
> > Thanks
> >
> Oh, let me give more details. For late-coming CPUs that
> Xenoprof doesn't support yet, the pointers cpu_type and model
> could be unassigned at init time and remain NULL. However,
> almost all Xenoprof internal functions don't check them
> before use. If the hypercall handler doesn't take care of
> it, dom0 could exploit it (e.g. XENOPROF_reserve_counters) to
> trigger a Xen NULL-pointer access.
>
> Thanks,
> Xiaowei
>
> > Renato
> >
> >> -----Original Message-----
> >> From: xen-devel-bounces@lists.xensource.com
> >> [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Yang,
> >> Xiaowei
> >> Sent: Tuesday, January 20, 2009 8:28 PM
> >> To: xen-devel@lists.xensource.com
> >> Subject: [Xen-devel] [PATCH] Protect Xen against accessing
> >> NULL-pointer triggered by Xenoprof Hypercall in dom0
> >>
> >> A Xenoprof hypercall from dom0 could trigger Xen accessing a
> >> NULL pointer and result in a fatal page fault. The patch prevents it.
> >>
> >> Signed-off-by: Xiaowei Yang <xiaowei.yang@intel.com>
> >>
> >> Thanks,
> >> Xiaowei
> >>
> >>
>
>