From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Stefan Bader <stefan.bader@canonical.com>,
	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	"xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
	Kees Cook <keescook@chromium.org>,
	David Vrabel <david.vrabel@citrix.com>
Subject: Re: [Xen-devel] [PATCH] Solved the Xen PV/KASLR riddle
Date: Thu, 28 Aug 2014 23:42:13 +0100	[thread overview]
Message-ID: <53FFB045.9010809@citrix.com> (raw)
In-Reply-To: <1409248903-19625-1-git-send-email-stefan.bader@canonical.com>

On 28/08/2014 19:01, Stefan Bader wrote:
>>> So not much further... but then I think I know what I do next. Probably should
>>> have done before. I'll replace the WARN_ON in vmalloc that triggers by a panic
>>> and at least get a crash dump of that situation when it occurs. Then I can dig
>>> in there with crash (really should have thought of that before)...
>> <nods> I dug a bit in the code (arch/x86/xen/mmu.c) but there is nothing there
>> that screams at me, so I fear I will have to wait until you get the crash
>> and get some clues from that.
> Ok, what a journey. So after long hours of painful staring at the code...
> (and btw, if someone could tell me how the heck one can do a mfn_to_pfn
> in crash, I really would appreciate :-P)

The M2P map lives in the Xen reserved virtual address space in each PV
guest, and forms part of the PV ABI.  It is mapped read-only, in the
native width of the guest.

32bit PV (PAE) at 0xF5800000
64bit PV at 0xFFFF800000000000

This is represented by the MACH2PHYS_VIRT_START symbol from the Xen
public header files.  You should be able to blindly construct a pointer
to it (if you have nothing better to hand), as it will be hooked into
the guest's pagetables before execution starts.  Therefore,
"MACH2PHYS_VIRT_START[(unsigned long)pfn]" ought to do in a pinch.

~Andrew
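Added illustration (not part of Andrew's mail or of the Xen or Linux sources): a small C model of the M2P lookup described above. The two fixed base addresses are the ones quoted in the mail; `m2p_entry_vaddr` turns an mfn into the virtual address of its entry, which is what you would feed to a debugger's memory read when poking at a PV guest dump. The tables `m2p`/`p2m`, the sizes `NR_MFNS`/`NR_PFNS` and the helper `mfn_to_pfn_checked` are constructed for this example; the round-trip check they show (an M2P answer only counts if the guest's own P2M maps that pfn back to the same mfn) is the caveat a debugger user should keep in mind, because the M2P is a system-wide table and an entry for a frame the guest does not own can be stale or belong to another domain.

```c
#include <stdint.h>
#include <stdio.h>

/* Fixed M2P base addresses quoted in the mail (MACH2PHYS_VIRT_START in the
 * Xen public headers). Entries are native width: 4 bytes in a 32-bit PAE
 * PV guest, 8 bytes in a 64-bit PV guest. */
#define M2P_BASE_PV32 0xF5800000ULL
#define M2P_BASE_PV64 0xFFFF800000000000ULL

/* Virtual address of the M2P entry for a given mfn, i.e. the address to
 * read (with the matching width) from a PV guest's address space. */
uint64_t m2p_entry_vaddr(int is_64bit, uint64_t mfn)
{
    uint64_t base  = is_64bit ? M2P_BASE_PV64 : M2P_BASE_PV32;
    uint64_t width = is_64bit ? 8 : 4;
    return base + mfn * width;
}

/* Constructed stand-in for a guest (assumption for this example): a tiny
 * M2P (machine -> pseudo-physical) and the guest's own P2M (pseudo-physical
 * -> machine). In a real PV guest the M2P is the read-only table Xen maps
 * at the address above and the P2M is maintained by the guest kernel. */
#define NR_MFNS 8
#define NR_PFNS 4
#define INVALID_FRAME (~(uint64_t)0)

static uint64_t m2p[NR_MFNS];
static uint64_t p2m[NR_PFNS];

void setup_tables(void)
{
    /* The guest owns mfns 2, 5, 7, 1 as pfns 0..3. mfn 3 belongs to some
     * other domain, but the M2P still carries a pfn value (2) for it, so a
     * bare M2P lookup would return a pfn that is not ours. */
    const uint64_t owned[NR_PFNS] = {2, 5, 7, 1};
    for (int i = 0; i < NR_MFNS; i++)
        m2p[i] = INVALID_FRAME;
    for (int i = 0; i < NR_PFNS; i++) {
        p2m[i] = owned[i];
        m2p[owned[i]] = (uint64_t)i;
    }
    m2p[3] = 2; /* entry for a frame owned by another guest */
}

/* mfn -> pfn with a round-trip check: the result is only accepted when the
 * guest's P2M maps that pfn back to the same mfn. Returns INVALID_FRAME for
 * out-of-range, unmapped, or foreign frames. */
uint64_t mfn_to_pfn_checked(uint64_t mfn)
{
    if (mfn >= NR_MFNS)
        return INVALID_FRAME;
    uint64_t pfn = m2p[mfn];
    if (pfn >= NR_PFNS)
        return INVALID_FRAME;
    if (p2m[pfn] != mfn)
        return INVALID_FRAME;
    return pfn;
}

int main(void)
{
    setup_tables();
    printf("64-bit PV: M2P entry for mfn 5 is at 0x%llx\n",
           (unsigned long long)m2p_entry_vaddr(1, 5));
    printf("32-bit PV: M2P entry for mfn 5 is at 0x%llx\n",
           (unsigned long long)m2p_entry_vaddr(0, 5));
    printf("mfn 5 -> pfn %llu\n", (unsigned long long)mfn_to_pfn_checked(5));
    printf("mfn 3 -> 0x%llx (foreign frame, rejected)\n",
           (unsigned long long)mfn_to_pfn_checked(3));
    return 0;
}
```

For a dump of a 64-bit guest, the address printed by `m2p_entry_vaddr(1, mfn)` is the one to read as an 8-byte value; for a 32-bit PAE guest, read 4 bytes at `m2p_entry_vaddr(0, mfn)`. Whatever value comes back, cross-check it against the guest's P2M before trusting it.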
