Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Xen>
  3. Changelog
Fix a crash in gdbserver-xen where it references unmapped memory if
patchbot-unstable at lists
May 19, 2006, 8:40 AM
Post #1 of 1 (28 views)
Permalink
# HG changeset patch
# User kaf24@firebug.cl.cam.ac.uk
# Node ID 1855124935e2810ebb1e8c577dadacc079f6487e
# Parent aa17b7173325ca8a86c14f4111383d041290cd03
Fix a crash in gdbserver-xen where it references unmapped memory if
the page directory / page table pages are not present (for example
through dereferencing NULL in the gdb session). Changes:

- map_domain_va_32 has been rewritten to match map_domain_va_pae and
map_domain_va_64.

- All three functions have been extended to handle multiple vCPUs,
(untested, but shuld work), and check for _PAGE_PRESENT.

- Keir's workaround for the compile error in map_domain_va_64 has been
removed and hopefully fixed.

Signed-Off-By: Simon Kagstrom <simon.kagstrom@bth.se>
---
tools/libxc/xc_ptrace.c | 140 +++++++++++++++++++++---------------------------
1 files changed, 64 insertions(+), 76 deletions(-)

diff -r aa17b7173325 -r 1855124935e2 tools/libxc/xc_ptrace.c
--- a/tools/libxc/xc_ptrace.c Thu May 18 21:41:56 2006 +0100
+++ b/tools/libxc/xc_ptrace.c Fri May 19 15:22:11 2006 +0100
@@ -185,61 +185,34 @@ map_domain_va_32(
void *guest_va,
int perm)
{
- unsigned long pde, page;
- unsigned long va = (unsigned long)guest_va;
-
- static unsigned long cr3_phys[MAX_VIRT_CPUS];
- static uint32_t *cr3_virt[MAX_VIRT_CPUS];
- static unsigned long pde_phys[MAX_VIRT_CPUS];
- static uint32_t *pde_virt[MAX_VIRT_CPUS];
- static unsigned long page_phys[MAX_VIRT_CPUS];
- static uint32_t *page_virt[MAX_VIRT_CPUS];
- static int prev_perm[MAX_VIRT_CPUS];
-
- if (ctxt[cpu].ctrlreg[3] == 0)
- return NULL;
- if ( ctxt[cpu].ctrlreg[3] != cr3_phys[cpu] )
- {
- cr3_phys[cpu] = ctxt[cpu].ctrlreg[3];
- if ( cr3_virt[cpu] )
- munmap(cr3_virt[cpu], PAGE_SIZE);
- cr3_virt[cpu] = xc_map_foreign_range(
- xc_handle, current_domid, PAGE_SIZE, PROT_READ,
- cr3_phys[cpu] >> PAGE_SHIFT);
- if ( cr3_virt[cpu] == NULL )
- return NULL;
- }
- pde = to_ma(cpu, cr3_virt[cpu][vtopdi(va)]);
- if ( pde != pde_phys[cpu] )
- {
- pde_phys[cpu] = pde;
- if ( pde_virt[cpu] )
- munmap(pde_virt[cpu], PAGE_SIZE);
- pde_virt[cpu] = xc_map_foreign_range(
- xc_handle, current_domid, PAGE_SIZE, PROT_READ,
- pde_phys[cpu] >> PAGE_SHIFT);
- if ( pde_virt[cpu] == NULL )
- return NULL;
- }
- page = to_ma(cpu, pde_virt[cpu][vtopti(va)]);
-
- if ( (page != page_phys[cpu]) || (perm != prev_perm[cpu]) )
- {
- page_phys[cpu] = page;
- if ( page_virt[cpu] )
- munmap(page_virt[cpu], PAGE_SIZE);
- page_virt[cpu] = xc_map_foreign_range(
- xc_handle, current_domid, PAGE_SIZE, perm,
- page_phys[cpu] >> PAGE_SHIFT);
- if ( page_virt[cpu] == NULL )
- {
- page_phys[cpu] = 0;
- return NULL;
- }
- prev_perm[cpu] = perm;
- }
-
- return (void *)(((unsigned long)page_virt[cpu]) | (va & BSD_PAGE_MASK));
+ unsigned long l1p, p, va = (unsigned long)guest_va;
+ uint32_t *l2, *l1;
+ static void *v[MAX_VIRT_CPUS];
+
+ l2 = xc_map_foreign_range(
+ xc_handle, current_domid, PAGE_SIZE, PROT_READ, ctxt[cpu].ctrlreg[3] >> PAGE_SHIFT);
+ if ( l2 == NULL )
+ return NULL;
+
+ l1p = to_ma(cpu, l2[l2_table_offset(va)]);
+ munmap(l2, PAGE_SIZE);
+ if ( !(l1p & _PAGE_PRESENT) )
+ return NULL;
+ l1 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, PROT_READ, l1p >> PAGE_SHIFT);
+ if ( l1 == NULL )
+ return NULL;
+
+ p = to_ma(cpu, l1[l1_table_offset(va)]);
+ munmap(l1, PAGE_SIZE);
+ if ( !(p & _PAGE_PRESENT) )
+ return NULL;
+ if ( v[cpu] != NULL )
+ munmap(v[cpu], PAGE_SIZE);
+ v[cpu] = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, perm, p >> PAGE_SHIFT);
+ if ( v[cpu] == NULL )
+ return NULL;
+
+ return (void *)((unsigned long)v[cpu] | (va & (PAGE_SIZE - 1)));
}


@@ -252,7 +225,7 @@ map_domain_va_pae(
{
unsigned long l2p, l1p, p, va = (unsigned long)guest_va;
uint64_t *l3, *l2, *l1;
- static void *v;
+ static void *v[MAX_VIRT_CPUS];

l3 = xc_map_foreign_range(
xc_handle, current_domid, PAGE_SIZE, PROT_READ, ctxt[cpu].ctrlreg[3] >> PAGE_SHIFT);
@@ -260,26 +233,32 @@ map_domain_va_pae(
return NULL;

l2p = to_ma(cpu, l3[l3_table_offset_pae(va)]);
+ munmap(l3, PAGE_SIZE);
+ if ( !(l2p & _PAGE_PRESENT) )
+ return NULL;
l2 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, PROT_READ, l2p >> PAGE_SHIFT);
- munmap(l3, PAGE_SIZE);
if ( l2 == NULL )
return NULL;

l1p = to_ma(cpu, l2[l2_table_offset_pae(va)]);
+ munmap(l2, PAGE_SIZE);
+ if ( !(l1p & _PAGE_PRESENT) )
+ return NULL;
l1 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, perm, l1p >> PAGE_SHIFT);
- munmap(l2, PAGE_SIZE);
if ( l1 == NULL )
return NULL;

p = to_ma(cpu, l1[l1_table_offset_pae(va)]);
- if ( v != NULL )
- munmap(v, PAGE_SIZE);
- v = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, perm, p >> PAGE_SHIFT);
munmap(l1, PAGE_SIZE);
- if ( v == NULL )
- return NULL;
-
- return (void *)((unsigned long)v | (va & (PAGE_SIZE - 1)));
+ if ( !(p & _PAGE_PRESENT) )
+ return NULL;
+ if ( v[cpu] != NULL )
+ munmap(v[cpu], PAGE_SIZE);
+ v[cpu] = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, perm, p >> PAGE_SHIFT);
+ if ( v[cpu] == NULL )
+ return NULL;
+
+ return (void *)((unsigned long)v[cpu] | (va & (PAGE_SIZE - 1)));
}

#ifdef __x86_64__
@@ -292,7 +271,7 @@ map_domain_va_64(
{
unsigned long l3p, l2p, l1p, l1e, p, va = (unsigned long)guest_va;
uint64_t *l4, *l3, *l2, *l1;
- static void *v;
+ static void *v[MAX_VIRT_CPUS];

if ((ctxt[cpu].ctrlreg[4] & 0x20) == 0 ) /* legacy ia32 mode */
return map_domain_va_32(xc_handle, cpu, guest_va, perm);
@@ -303,24 +282,33 @@ map_domain_va_64(
return NULL;

l3p = to_ma(cpu, l4[l4_table_offset(va)]);
+ munmap(l4, PAGE_SIZE);
+ if ( !(l3p & _PAGE_PRESENT) )
+ return NULL;
l3 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, PROT_READ, l3p >> PAGE_SHIFT);
- munmap(l4, PAGE_SIZE);
if ( l3 == NULL )
return NULL;

l2p = to_ma(cpu, l3[l3_table_offset(va)]);
+ munmap(l3, PAGE_SIZE);
+ if ( !(l2p & _PAGE_PRESENT) )
+ return NULL;
l2 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, PROT_READ, l2p >> PAGE_SHIFT);
- munmap(l3, PAGE_SIZE);
if ( l2 == NULL )
return NULL;

l1 = NULL;
l1e = to_ma(cpu, l2[l2_table_offset(va)]);
+ if ( !(l1e & _PAGE_PRESENT) )
+ {
+ munmap(l2, PAGE_SIZE);
+ return NULL;
+ }
l1p = l1e >> PAGE_SHIFT;
if (l1e & 0x80) { /* 2M pages */
p = to_ma(cpu, (l1p + l1_table_offset(va)) << PAGE_SHIFT);
} else { /* 4K pages */
- //l1p = to_ma(cpu, l1e[l1_table_offset(va)]);
+ l1p = to_ma(cpu, l1p);
l1 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, perm, l1p >> PAGE_SHIFT);
munmap(l2, PAGE_SIZE);
if ( l1 == NULL )
@@ -328,15 +316,15 @@ map_domain_va_64(

p = to_ma(cpu, l1[l1_table_offset(va)]);
}
- if ( v != NULL )
- munmap(v, PAGE_SIZE);
- v = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, perm, p >> PAGE_SHIFT);
+ if ( v[cpu] != NULL )
+ munmap(v[cpu], PAGE_SIZE);
+ v[cpu] = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE, perm, p >> PAGE_SHIFT);
if (l1)
munmap(l1, PAGE_SIZE);
- if ( v == NULL )
- return NULL;
-
- return (void *)((unsigned long)v | (va & (PAGE_SIZE - 1)));
+ if ( v[cpu] == NULL )
+ return NULL;
+
+ return (void *)((unsigned long)v[cpu] | (va & (PAGE_SIZE - 1)));
}
#endif


_______________________________________________
Xen-changelog mailing list
Xen-changelog@lists.xensource.com
http://lists.xensource.com/xen-changelog

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal