ia64/xen-unstable

changeset 15886:487df63c4ae9

[IA64] Check slot for itr.d and itr.i and generate interrupt in case of error.

This avoids a buffer overflow in Xen.

Signed-off-by: Tristan Gingold <tgingold@free.fr>
author Alex Williamson <alex.williamson@hp.com>
date Mon Sep 17 10:59:27 2007 -0600 (2007-09-17)
parents b5488dee14af
children 0f16d41ebb0b
files xen/arch/ia64/vmx/vmmu.c xen/arch/ia64/vmx/vmx_virt.c
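--- a/xen/arch/ia64/vmx/vmmu.c
+++ b/xen/arch/ia64/vmx/vmmu.c
@@ -403,6 +403,12 @@ IA64FAULT vmx_vcpu_itr_i(VCPU *vcpu, u64
     }
     thash_purge_entries(vcpu, va, ps);
 #endif
+
+    if (slot >= NITRS) {
+        panic_domain(NULL, "bad itr.i slot (%ld)", slot);
+        return IA64_FAULT;
+    }
+        
     pte &= ~PAGE_FLAGS_RV_MASK;
     vcpu_get_rr(vcpu, va, &rid);
     rid = rid& RR_RID_MASK;
@@ -431,6 +437,12 @@ IA64FAULT vmx_vcpu_itr_d(VCPU *vcpu, u64
         return IA64_FAULT;
     }
 #endif   
+
+    if (slot >= NDTRS) {
+        panic_domain(NULL, "bad itr.d slot (%ld)", slot);
+        return IA64_FAULT;
+    }
+
     pte &= ~PAGE_FLAGS_RV_MASK;
 
     /* This is a bad workaround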
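Review bot: The conversion in the new panic_domain() calls does not match the type of `slot`: the hunk headers show the parameter after `vcpu` declared as `u64`, which on ia64 is `unsigned long`, so `%ld` reinterprets it as signed and `%lu` is the matching specifier — the same applies to the `bad itr.d slot (%ld)` message in the second hunk. In vmx_vcpu_itr_i the check is also placed after `thash_purge_entries(vcpu, va, ps)`, so an out-of-range slot still purges guest hash entries before the domain is panicked; the `if (slot >= NITRS)` block belongs above that call (the conditional block it sits in starts outside the hunk, so the exact placement needs the surrounding code). The added line following the closing brace of the first check carries only trailing whitespace. Both vmx_vcpu_itr_i and vmx_vcpu_itr_d begin outside their hunks.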
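--- a/xen/arch/ia64/vmx/vmx_virt.c
+++ b/xen/arch/ia64/vmx/vmx_virt.c
@@ -567,65 +567,8 @@ static IA64FAULT vmx_emul_tak(VCPU *vcpu
 static IA64FAULT vmx_emul_itr_d(VCPU *vcpu, INST64 inst)
 {
     u64 itir, ifa, pte, slot;
-#ifdef  VMAL_NO_FAULT_CHECK
-    IA64_PSR  vpsr;
-    vpsr.val=vmx_vcpu_get_psr(vcpu);
-    if ( vpsr.ic ) {
-        set_illegal_op_isr(vcpu);
-        illegal_op(vcpu);
-        return IA64_FAULT;
-    }
     ISR isr;
-    if ( vpsr.cpl != 0) {
-        /* Inject Privileged Operation fault into guest */
-        set_privileged_operation_isr (vcpu, 0);
-        privilege_op (vcpu);
-        return IA64_FAULT;
-    }
-#endif // VMAL_NO_FAULT_CHECK
-    if(vcpu_get_gr_nat(vcpu,inst.M45.r3,&slot)||vcpu_get_gr_nat(vcpu,inst.M45.r2,&pte)){
-#ifdef  VMAL_NO_FAULT_CHECK
-        set_isr_reg_nat_consumption(vcpu,0,0);
-        rnat_comsumption(vcpu);
-        return IA64_FAULT;
-#endif // VMAL_NO_FAULT_CHECK
-    }
 #ifdef  VMAL_NO_FAULT_CHECK
-    if(is_reserved_rr_register(vcpu, slot)){
-        set_illegal_op_isr(vcpu);
-        illegal_op(vcpu);
-        return IA64_FAULT;
-    }
-#endif // VMAL_NO_FAULT_CHECK
-
-    if (vcpu_get_itir(vcpu,&itir)){
-        return(IA64_FAULT);
-    }
-    if (vcpu_get_ifa(vcpu,&ifa)){
-        return(IA64_FAULT);
-    }
-#ifdef  VMAL_NO_FAULT_CHECK
-    if (is_reserved_itir_field(vcpu, itir)) {
-    	// TODO
-    	return IA64_FAULT;
-    }
-    if (unimplemented_gva(vcpu,ifa) ) {
-        isr.val = set_isr_ei_ni(vcpu);
-        isr.code = IA64_RESERVED_REG_FAULT;
-        vcpu_set_isr(vcpu, isr.val);
-        unimpl_daddr(vcpu);
-        return IA64_FAULT;
-   }
-#endif // VMAL_NO_FAULT_CHECK
-
-    return (vmx_vcpu_itr_d(vcpu,slot,pte,itir,ifa));
-}
-
-static IA64FAULT vmx_emul_itr_i(VCPU *vcpu, INST64 inst)
-{
-    u64 itir, ifa, pte, slot;
-#ifdef  VMAL_NO_FAULT_CHECK
-    ISR isr;
     IA64_PSR  vpsr;
     vpsr.val=vmx_vcpu_get_psr(vcpu);
     if ( vpsr.ic ) {
@@ -675,6 +618,79 @@ static IA64FAULT vmx_emul_itr_i(VCPU *vc
    }
 #endif // VMAL_NO_FAULT_CHECK
 
+    if (slot >= NDTRS) {
+        isr.val = set_isr_ei_ni(vcpu);
+        isr.code = IA64_RESERVED_REG_FAULT;
+        vcpu_set_isr(vcpu, isr.val);
+        rsv_reg_field(vcpu);
+        return IA64_FAULT;
+    }
+
+    return (vmx_vcpu_itr_d(vcpu,slot,pte,itir,ifa));
+}
+
+static IA64FAULT vmx_emul_itr_i(VCPU *vcpu, INST64 inst)
+{
+    u64 itir, ifa, pte, slot;
+    ISR isr;
+#ifdef  VMAL_NO_FAULT_CHECK
+    IA64_PSR  vpsr;
+    vpsr.val=vmx_vcpu_get_psr(vcpu);
+    if ( vpsr.ic ) {
+        set_illegal_op_isr(vcpu);
+        illegal_op(vcpu);
+        return IA64_FAULT;
+    }
+    if ( vpsr.cpl != 0) {
+        /* Inject Privileged Operation fault into guest */
+        set_privileged_operation_isr (vcpu, 0);
+        privilege_op (vcpu);
+        return IA64_FAULT;
+    }
+#endif // VMAL_NO_FAULT_CHECK
+    if(vcpu_get_gr_nat(vcpu,inst.M45.r3,&slot)||vcpu_get_gr_nat(vcpu,inst.M45.r2,&pte)){
+#ifdef  VMAL_NO_FAULT_CHECK
+        set_isr_reg_nat_consumption(vcpu,0,0);
+        rnat_comsumption(vcpu);
+        return IA64_FAULT;
+#endif // VMAL_NO_FAULT_CHECK
+    }
+#ifdef  VMAL_NO_FAULT_CHECK
+    if(is_reserved_rr_register(vcpu, slot)){
+        set_illegal_op_isr(vcpu);
+        illegal_op(vcpu);
+        return IA64_FAULT;
+    }
+#endif // VMAL_NO_FAULT_CHECK
+
+    if (vcpu_get_itir(vcpu,&itir)){
+        return(IA64_FAULT);
+    }
+    if (vcpu_get_ifa(vcpu,&ifa)){
+        return(IA64_FAULT);
+    }
+#ifdef  VMAL_NO_FAULT_CHECK
+    if (is_reserved_itir_field(vcpu, itir)) {
+    	// TODO
+    	return IA64_FAULT;
+    }
+    if (unimplemented_gva(vcpu,ifa) ) {
+        isr.val = set_isr_ei_ni(vcpu);
+        isr.code = IA64_RESERVED_REG_FAULT;
+        vcpu_set_isr(vcpu, isr.val);
+        unimpl_daddr(vcpu);
+        return IA64_FAULT;
+   }
+#endif // VMAL_NO_FAULT_CHECK
+
+    if (slot >= NITRS) {
+        isr.val = set_isr_ei_ni(vcpu);
+        isr.code = IA64_RESERVED_REG_FAULT;
+        vcpu_set_isr(vcpu, isr.val);
+        rsv_reg_field(vcpu);
+        return IA64_FAULT;
+    }
+ 
    return (vmx_vcpu_itr_i(vcpu,slot,pte,itir,ifa));
 }
 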
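Review bot: The new `if (slot >= NDTRS)` and `if (slot >= NITRS)` checks can run on an indeterminate value: when VMAL_NO_FAULT_CHECK is not defined the body of `if(vcpu_get_gr_nat(vcpu,inst.M45.r3,&slot)||vcpu_get_gr_nat(vcpu,inst.M45.r2,&pte))` is empty, so a failing register read falls through with `slot` and `pte` unassigned (assuming vcpu_get_gr_nat does not store through its out-pointer on failure, which the hunk does not show), and the bounds check then guards only by luck. Moving `return IA64_FAULT;` below the `#endif // VMAL_NO_FAULT_CHECK` inside that `if`, so only the NaT-consumption injection stays conditional, makes the check always see a guest-supplied slot. The two fault-injection blocks differ only in the NDTRS/NITRS limit and read better as one static helper, sketched below. The second hunk opens inside vmx_emul_itr_d, whose definition begins in the first hunk.
```c
/* Inject a Reserved Register/Field fault for an out-of-range TR slot. */
static IA64FAULT vmx_itr_bad_slot(VCPU *vcpu)
{
    ISR isr;
    isr.val = set_isr_ei_ni(vcpu);
    isr.code = IA64_RESERVED_REG_FAULT;
    vcpu_set_isr(vcpu, isr.val);
    rsv_reg_field(vcpu);
    return IA64_FAULT;
}
// … unchanged: vmx_emul_itr_d up to its last #endif // VMAL_NO_FAULT_CHECK …
    if (slot >= NDTRS)
        return vmx_itr_bad_slot(vcpu);
// … unchanged: vmx_emul_itr_i up to its last #endif // VMAL_NO_FAULT_CHECK …
    if (slot >= NITRS)
        return vmx_itr_bad_slot(vcpu);
```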