From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jason Andryuk <andryuk@aero.org>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Ian Campbell <ian.campbell@citrix.com>,
xen-devel@lists.xen.org
Subject: Re: [PATCH] libxc: Protect xc_domain_resume from clobbering domain registers
Date: Tue, 20 May 2014 10:53:50 +0100 [thread overview]
Message-ID: <537B262E.20600@citrix.com> (raw)
In-Reply-To: <1400524672-6141-1-git-send-email-andryuk@aero.org>
On 19/05/14 19:37, Jason Andryuk wrote:
> xc_domain_resume() expects the guest to be in state SHUTDOWN_suspend.
> However, nothing verifies the state before modify_returncode() modifies
> the domain's registers. This will crash guest processes or the kernel
> itself.
>
> This can be demonstrated with `LIBXL_SAVE_HELPER=/bin/false xl migrate`.
>
> Signed-off-by: Jason Andryuk <andryuk@aero.org>
> ---
> Changes since RFC:
> - Return -1 from modify_returncode
> - Set errno to EINVAL
> ---
> tools/libxc/xc_resume.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/tools/libxc/xc_resume.c b/tools/libxc/xc_resume.c
> index 18b4818..2163ad9 100644
> --- a/tools/libxc/xc_resume.c
> +++ b/tools/libxc/xc_resume.c
> @@ -39,6 +39,13 @@ static int modify_returncode(xc_interface *xch, uint32_t domid)
> return -1;
> }
Having looked at this more closely, there is also a bug in the hunk above.
xc_domain_getinfo() being the 'special' function that it is doesn't
always return the domain specified. If the given domid doesn't exist in
the system, you will get back the first domain with a higher domid.
The only safe way to use it is
if ( xc_domain_getinfo(xch, domid, 1, &info) != 1 ||
info.domid != domid )
{
error...
}
>
> + if ( !info.shutdown || (info.shutdown_reason != SHUTDOWN_suspend) )
> + {
> + ERROR("Domain not in suspended state");
ERROR("Dom %d not suspended: (shutdown %d, reason %d)", domid,
info.shutdown, info.shutdown_reason));
This way, someone unexpectedly finding this error message gets slightly
more information than "something wasn't how I expected it to be".
~Andrew
> + errno = EINVAL;
> + return -1;
> + }
> +
> if ( info.hvm )
> {
> /* HVM guests without PV drivers have no return code to modify. */
next prev parent reply other threads:[~2014-05-20 9:53 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-19 18:37 [PATCH] libxc: Protect xc_domain_resume from clobbering domain registers Jason Andryuk
2014-05-20 9:53 ` Andrew Cooper [this message]
2014-05-20 12:51 ` Jason Andryuk
2014-05-20 13:16 ` Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=537B262E.20600@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=andryuk@aero.org \
--cc=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=stefano.stabellini@eu.citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.