ia64/xen-unstable

changeset 16494:c76a9aa12d2e

hvm: Inject #UD for un-emulated instructions rather than crash guest

The CrashMe stress test (a process repeatedly forks child processes, and
the child processes initialize a buffer with random numbers, then treat
the buffer as code, and execute it) can crash 32-bit HVM RHEL5.1 guest
easily; this is because we haven't emulated all the instructions in
handle_mmio() yet.

The CrashMe process runs with root rights, and can access MMIO space in
an unknown way ("strace -f" shows the random code running at CPL=3
doesn't call mmap(), and doesn't open any special files in /dev/"); the gpa
may look like 0xa**** or 0xb****, or 0xfee0****.

Signed-off-by: Dexuan Cui <dexuan.cui@intel.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Nov 28 13:04:47 2007 +0000 (2007-11-28)
parents bb31c9325d5f
children c00f31f27de6
files xen/arch/x86/hvm/platform.c
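--- a/xen/arch/x86/hvm/platform.c	Wed Nov 28 12:50:24 2007 +0000
+++ b/xen/arch/x86/hvm/platform.c	Wed Nov 28 13:04:47 2007 +0000
@@ -1051,13 +1051,18 @@ void handle_mmio(unsigned long gpa)
     }
 
     if ( mmio_decode(address_bytes, inst, mmio_op, &ad_size,
-                     &op_size, &seg_sel) == DECODE_failure ) {
-        printk("handle_mmio: failed to decode instruction\n");
-        printk("mmio opcode: gpa 0x%lx, len %d:", gpa, inst_len);
+                     &op_size, &seg_sel) == DECODE_failure )
+    {
+        gdprintk(XENLOG_WARNING,
+                 "handle_mmio: failed to decode instruction\n");
+        gdprintk(XENLOG_WARNING,
+                 "mmio opcode: gpa 0x%lx, len %d:", gpa, inst_len);
         for ( i = 0; i < inst_len; i++ )
             printk(" %02x", inst[i] & 0xFF);
         printk("\n");
-        domain_crash_synchronous();
+
+        hvm_inject_exception(TRAP_invalid_op, HVM_DELIVER_NO_ERROR_CODE, 0);
+        return;
     }
 
     regs->eip += inst_len; /* advance %eip */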
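Review bot: The hex dump in the `for ( i = 0; i < inst_len; i++ )` loop and the trailing `printk("\n")` are still emitted with bare `printk`, while the two header lines were moved to `gdprintk(XENLOG_WARNING, …)`; the bytes therefore carry neither the guest log level nor the guest prefix, so they are filtered (and, if the console driver throttles guest-level output, throttled) differently from the `mmio opcode:` line they complete and can surface as orphaned bytes or be dropped inconsistently. Since the commit message shows this path is reachable from unprivileged guest code at CPL 3, it is also a guest-triggerable write to the hypervisor console on every undecoded fetch, so the dump should not bypass whatever gating applies to guest messages. Format the bytes into a bounded local buffer and emit them in the same `gdprintk` call as the `mmio opcode:` header, or at least give the loop the same level, e.g. `printk(XENLOG_GUEST XENLOG_WARNING " %02x", inst[i] & 0xFF);` if fragments with a level prefix are accepted by the console code. The upper bound of `inst_len` and the declaration of `inst` are not visible in this hunk, so size any such buffer from that declaration; handle_mmio itself begins and continues outside the hunk.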