Re: [PATCH] x86/hvm: Fix use-after-free introduced by c/s 428607a

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Corneliu ZUZU <czuzu@bitdefender.com>,
	Xen-devel <xen-devel@lists.xen.org>
Cc: Jan Beulich <JBeulich@suse.com>
Subject: Re: [PATCH] x86/hvm: Fix use-after-free introduced by c/s 428607a
Date: Tue, 2 Feb 2016 10:04:22 +0000	[thread overview]
Message-ID: <56B07F26.3030204@citrix.com> (raw)
In-Reply-To: <56B06214.2060306@bitdefender.com>

On 02/02/16 08:00, Corneliu ZUZU wrote:
> On 2/1/2016 7:56 PM, Andrew Cooper wrote:
>> c/s 428607a "x86: shrink 'struct domain', was already PAGE_SIZE"
>> introduced a
>> use-after-free error during domain destruction, because of the order
>> in which
>> timers are torn down.
>>
>>    (XEN) Xen call trace:
>>    (XEN)    [<ffff82d08013344e>] spinlock.c#check_lock+0x1e/0x40
>>    (XEN)    [<ffff82d08013349b>] _spin_lock+0x11/0x52
>>    (XEN)    [<ffff82d0801e8076>] vpt.c#pt_lock+0x24/0x40
>>    (XEN)    [<ffff82d0801e88f4>] destroy_periodic_time+0x18/0x81
>>    (XEN)    [<ffff82d0801e1089>] rtc_deinit+0x53/0x78
>>    (XEN)    [<ffff82d0801d1e5a>] hvm_domain_destroy+0x52/0x69
>>    (XEN)    [<ffff82d08016a758>] arch_domain_destroy+0x1a/0x98
>>    (XEN)    [<ffff82d080107cd5>]
>> domain.c#complete_domain_destroy+0x6f/0x182
>>    (XEN)    [<ffff82d080126a19>]
>> rcupdate.c#rcu_process_callbacks+0x144/0x1a6
>>    (XEN)    [<ffff82d080132c52>] softirq.c#__do_softirq+0x82/0x8d
>>    (XEN)    [<ffff82d080132caa>] do_softirq+0x13/0x15
>>    (XEN)    [<ffff82d080248ae1>] entry.o#process_softirqs+0x21/0x30
>>    (XEN)
>>    (XEN)
>>    (XEN) ****************************************
>>    (XEN) Panic on CPU 3:
>>    (XEN) GENERAL PROTECTION FAULT
>>    (XEN) [error_code=0000]
>>    (XEN) ****************************************
>>
>> Defer the freeing of d->arch.hvm_domain.pl_time until all timers have
>> been
>> destroyed.
>>
>> For safety, NULL out the pointers after freeing them, in an attempt
>> to make
>> mistakes more obvious in the future.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> ---
>> CC: Jan Beulich <JBeulich@suse.com>
>> CC: Corneliu ZUZU <czuzu@bitdefender.com>
>> ---
>>   xen/arch/x86/hvm/hvm.c | 7 ++++++-
>>   1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
>> index f24400d..38c65b3 100644
>> --- a/xen/arch/x86/hvm/hvm.c
>> +++ b/xen/arch/x86/hvm/hvm.c
>> @@ -1674,8 +1674,10 @@ void hvm_domain_relinquish_resources(struct
>> domain *d)
>>   void hvm_domain_destroy(struct domain *d)
>>   {
>>       xfree(d->arch.hvm_domain.io_handler);
>> +    d->arch.hvm_domain.io_handler = NULL;
>> +
>>       xfree(d->arch.hvm_domain.params);
>> -    xfree(d->arch.hvm_domain.pl_time);
>> +    d->arch.hvm_domain.params = NULL;
>>         hvm_destroy_cacheattr_region_list(d);
>>   @@ -1686,6 +1688,9 @@ void hvm_domain_destroy(struct domain *d)
>>       rtc_deinit(d);
>>       stdvga_deinit(d);
>>       vioapic_deinit(d);
>> +
>> +    xfree(d->arch.hvm_domain.pl_time);
>> +    d->arch.hvm_domain.pl_time = NULL;
>>   }
>>     static int hvm_save_tsc_adjust(struct domain *d,
>> hvm_domain_context_t *h)
>
> Ups, really sorry, ashamed to say I've done the mistake of not
> actually testing this on a machine (working on ARM here). Won't happen
> again, if I'm to send another patch I'll be sure to actually setup an
> X86 Dom0 & at least do some basic tests.

At least a boot test would certainly be nice.  In this case however, the
build passed all but a single one of the XenServer sanity tests, and
even the failure here was just chance that the region got reused in a
way which would be noticed.

This is, after all, precisely the reason why development branches are
not generally known to be stable.

> Regarding the "set to NULL after free" practice, wouldn't it be wise
> to define an xfreeandnull(void**) macro and use the "unsafe" xfree
> only when it makes sense to (proly most of the time it won't)?

This idea has been suggested in the past.  I can't remember what became
of it.

~Andrew

next prev parent reply	other threads:[~2016-02-02 10:04 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-01 17:56 [PATCH] x86/hvm: Fix use-after-free introduced by c/s 428607a Andrew Cooper
2016-02-02  8:00 ` Corneliu ZUZU
2016-02-02 10:04   ` Andrew Cooper [this message]
2016-02-02 10:43 ` Jan Beulich
2016-02-02 10:48   ` Andrew Cooper
2016-02-02 10:52     ` Jan Beulich
2016-02-02 10:57       ` Andrew Cooper
2016-02-02 11:39       ` Corneliu ZUZU
2016-02-02 11:44         ` Jan Beulich
2016-02-02 12:05         ` Andrew Cooper
2016-02-02 12:51           ` Corneliu ZUZU

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56B07F26.3030204@citrix.com \
    --to=andrew.cooper3@citrix.com \
    --cc=JBeulich@suse.com \
    --cc=czuzu@bitdefender.com \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.