From: Stefan Bader <stefan.bader@canonical.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
Kees Cook <keescook@chromium.org>,
David Vrabel <david.vrabel@citrix.com>
Subject: Re: [Xen-devel] [PATCH] Solved the Xen PV/KASLR riddle
Date: Fri, 29 Aug 2014 16:32:37 +0200
Message-ID: <54008F05.9090403@canonical.com>
In-Reply-To: <54008BF2.5050905@citrix.com>
On 29.08.2014 16:19, Andrew Cooper wrote:
> On 29/08/14 09:37, Stefan Bader wrote:
>> On 29.08.2014 00:42, Andrew Cooper wrote:
>>> On 28/08/2014 19:01, Stefan Bader wrote:
>>>>>> So not much further... but then I think I know what I do next. Probably should
>>>>>> have done before. I'll replace the WARN_ON in vmalloc that triggers by a panic
>>>>>> and at least get a crash dump of that situation when it occurs. Then I can dig
>>>>>> in there with crash (really should have thought of that before)...
>>>>> <nods> I dug a bit in the code (arch/x86/xen/mmu.c) but there is nothing there
>>>>> that screams at me, so I fear I will have to wait until you get the crash
>>>>> and get some clues from that.
>>>> Ok, what a journey. So after long hours of painful staring at the code...
>>>> (and btw, if someone could tell me how the heck one can do a mfn_to_pfn
>>>> in crash, I really would appreciate :-P)
>>> The M2P map lives in the Xen reserved virtual address space in each PV
>>> guest, and forms part of the PV ABI. It is mapped read-only, in the
>>> native width of the guest.
>>>
>>> 32bit PV (PAE) at 0xF5800000
>>> 64bit PV at 0xFFFF800000000000
>>>
>>> This is represented by the MACH2PHYS_VIRT_START symbol from the Xen
>>> public header files. You should be able to blindly construct a pointer
>>> to it (if you have nothing better to hand), as it will be hooked into
>>> the guest's pagetables before execution starts. Therefore,
>>> "MACH2PHYS_VIRT_START[(unsigned long)pfn]" ought to do in a pinch.
>> machine_to_phys_mapping is set to that address but it's not mapped inside the
>> crash dump. Somehow vtop in crash handles translations. I need to have a look at
>> their code, I guess.
>>
>> Thanks,
>> Stefan
>
> What context is the crash dump? If it is a Xen+dom0 kexec()d to native
> linux, then the m2p should still be accessible given dom0's cr3. If it
> is some state copied off-host then you will need to adjust the copy to
> include that virtual range.
No, it's a domU dump of a PV guest taken with "xl dump-core" (or actually the
result of an on-crash trigger).
>
> ~Andrew
>
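The M2P layout Andrew describes above (a read-only array of native-width entries at MACH2PHYS_VIRT_START, indexed by machine frame number) can be modelled offline for a dump that has had that virtual range copied in. This is an added example, not code from the thread or from Xen/Linux; the region struct, the constructed four-entry table and the little-endian assumption are mine.

```c
/* Offline helpers for reading a PV guest's machine-to-physical (M2P) table
 * out of a memory region copied from a crash dump. Added example; the
 * `region` type and the sample table below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Base of the M2P in the guest's virtual address space, as given in the thread. */
#define M2P_VIRT_START_64 0xFFFF800000000000ULL   /* 64-bit PV */
#define M2P_VIRT_START_32 0xF5800000ULL           /* 32-bit PAE PV */

/* Guest virtual address of the M2P entry for `mfn`; `width` is the guest's
 * native word size in bytes (8 for 64-bit PV, 4 for 32-bit PAE PV). */
uint64_t m2p_entry_vaddr(uint64_t mfn, unsigned width)
{
    uint64_t base = (width == 8) ? M2P_VIRT_START_64 : M2P_VIRT_START_32;
    return base + mfn * width;
}

/* A range copied out of a dump: `len` bytes that began at guest vaddr `vstart`.
 * If the dump never included the M2P range, the lookup below fails cleanly. */
struct region { uint64_t vstart; const uint8_t *data; size_t len; };

/* Translate mfn -> pfn from the copied region. Returns 0 and sets *pfn on
 * success, -1 if the entry lies outside what was copied. */
int mfn_to_pfn_from_region(const struct region *r, unsigned width,
                           uint64_t mfn, uint64_t *pfn)
{
    uint64_t va = m2p_entry_vaddr(mfn, width);
    if (va < r->vstart || va - r->vstart + width > r->len)
        return -1;
    uint64_t v = 0;
    memcpy(&v, r->data + (va - r->vstart), width);  /* assumes little-endian host */
    *pfn = v;
    return 0;
}

/* Constructed sample: a 64-bit M2P with four entries, as if copied from a dump. */
static const uint64_t sample_m2p[4] = { 0x0, 0x1, 0x10, 0x11 };

/* Look up `mfn` in the sample; UINT64_MAX means the entry was not in the copy. */
uint64_t sample_lookup(uint64_t mfn)
{
    struct region r = { M2P_VIRT_START_64, (const uint8_t *)sample_m2p, sizeof sample_m2p };
    uint64_t pfn;
    return mfn_to_pfn_from_region(&r, 8, mfn, &pfn) == 0 ? pfn : UINT64_MAX;
}

int main(void)
{
    printf("mfn 2 -> pfn %#llx\n", (unsigned long long)sample_lookup(2));
    printf("entry vaddr for mfn 0x1234 (64-bit): %#llx\n",
           (unsigned long long)m2p_entry_vaddr(0x1234, 8));
    return 0;
}
```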