thr3ads.net - Xen devel - [Xen-devel] RE: [Xen-changelog] Fix a crash in gdbserver-xen where it referencesunmapped memory if [May 2006]

If this information is useful, please help other people find it:
Share via:
Kamble, Nitin A
2006-May-20 01:27 UTC
[Xen-devel] RE: [Xen-changelog] Fix a crash in gdbserver-xen where it referencesunmapped memory if

Hi Simon, Keir,
  With this patch I am seeing the gdbserver is broken for HVM guests. I
am bit busy now, will look into it once I get time.

Thanks & Regards,
Nitin
------------------------------------------------------------------------
-----------
Open Source Technology Center, Intel Corp
>-----Original Message-----
>From: xen-changelog-bounces@lists.xensource.com [mailto:xen-changelog-
>bounces@lists.xensource.com] On Behalf Of Xen patchbot-unstable
>Sent: Friday, May 19, 2006 8:40 AM
>To: xen-changelog@lists.xensource.com
>Subject: [Xen-changelog] Fix a crash in gdbserver-xen where it
>referencesunmapped memory if
>
># HG changeset patch
># User kaf24@firebug.cl.cam.ac.uk
># Node ID 1855124935e2810ebb1e8c577dadacc079f6487e
># Parent  aa17b7173325ca8a86c14f4111383d041290cd03
>Fix a crash in gdbserver-xen where it references unmapped memory if
>the page directory / page table pages are not present (for example
>through dereferencing NULL in the gdb session). Changes:
>
>- map_domain_va_32 has been rewritten to match map_domain_va_pae and
>  map_domain_va_64.
>
>- All three functions have been extended to handle multiple vCPUs,
>  (untested, but shuld work), and check for _PAGE_PRESENT.
>
>- Keir''s workaround for the compile error in map_domain_va_64 has
been
>  removed and hopefully fixed.
>
>Signed-Off-By: Simon Kagstrom <simon.kagstrom@bth.se>
>---
> tools/libxc/xc_ptrace.c |  140
+++++++++++++++++++++---------------------->-----
> 1 files changed, 64 insertions(+), 76 deletions(-)
>
>diff -r aa17b7173325 -r 1855124935e2 tools/libxc/xc_ptrace.c
>--- a/tools/libxc/xc_ptrace.c	Thu May 18 21:41:56 2006 +0100
>+++ b/tools/libxc/xc_ptrace.c	Fri May 19 15:22:11 2006 +0100
>@@ -185,61 +185,34 @@ map_domain_va_32(
>     void *guest_va,
>     int perm)
> {
>-    unsigned long pde, page;
>-    unsigned long va = (unsigned long)guest_va;
>-
>-    static unsigned long  cr3_phys[MAX_VIRT_CPUS];
>-    static uint32_t *cr3_virt[MAX_VIRT_CPUS];
>-    static unsigned long  pde_phys[MAX_VIRT_CPUS];
>-    static uint32_t *pde_virt[MAX_VIRT_CPUS];
>-    static unsigned long  page_phys[MAX_VIRT_CPUS];
>-    static uint32_t *page_virt[MAX_VIRT_CPUS];
>-    static int            prev_perm[MAX_VIRT_CPUS];
>-
>-   if (ctxt[cpu].ctrlreg[3] == 0)
>-       return NULL;
>-   if ( ctxt[cpu].ctrlreg[3] != cr3_phys[cpu] )
>-    {
>-        cr3_phys[cpu] = ctxt[cpu].ctrlreg[3];
>-        if ( cr3_virt[cpu] )
>-            munmap(cr3_virt[cpu], PAGE_SIZE);
>-        cr3_virt[cpu] = xc_map_foreign_range(
>-            xc_handle, current_domid, PAGE_SIZE, PROT_READ,
>-            cr3_phys[cpu] >> PAGE_SHIFT);
>-        if ( cr3_virt[cpu] == NULL )
>-            return NULL;
>-    }
>-    pde = to_ma(cpu, cr3_virt[cpu][vtopdi(va)]);
>-    if ( pde != pde_phys[cpu] )
>-    {
>-        pde_phys[cpu] = pde;
>-        if ( pde_virt[cpu] )
>-            munmap(pde_virt[cpu], PAGE_SIZE);
>-        pde_virt[cpu] = xc_map_foreign_range(
>-            xc_handle, current_domid, PAGE_SIZE, PROT_READ,
>-            pde_phys[cpu] >> PAGE_SHIFT);
>-        if ( pde_virt[cpu] == NULL )
>-            return NULL;
>-    }
>-    page = to_ma(cpu, pde_virt[cpu][vtopti(va)]);
>-
>-    if ( (page != page_phys[cpu]) || (perm != prev_perm[cpu]) )
>-    {
>-        page_phys[cpu] = page;
>-        if ( page_virt[cpu] )
>-            munmap(page_virt[cpu], PAGE_SIZE);
>-        page_virt[cpu] = xc_map_foreign_range(
>-            xc_handle, current_domid, PAGE_SIZE, perm,
>-            page_phys[cpu] >> PAGE_SHIFT);
>-        if ( page_virt[cpu] == NULL )
>-        {
>-            page_phys[cpu] = 0;
>-            return NULL;
>-        }
>-        prev_perm[cpu] = perm;
>-    }
>-
>-    return (void *)(((unsigned long)page_virt[cpu]) | (va &
>BSD_PAGE_MASK));
>+    unsigned long l1p, p, va = (unsigned long)guest_va;
>+    uint32_t *l2, *l1;
>+    static void *v[MAX_VIRT_CPUS];
>+
>+    l2 = xc_map_foreign_range(
>+         xc_handle, current_domid, PAGE_SIZE, PROT_READ,
>ctxt[cpu].ctrlreg[3] >> PAGE_SHIFT);
>+    if ( l2 == NULL )
>+        return NULL;
>+
>+    l1p = to_ma(cpu, l2[l2_table_offset(va)]);
>+    munmap(l2, PAGE_SIZE);
>+    if ( !(l1p & _PAGE_PRESENT) )
>+        return NULL;
>+    l1 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
>PROT_READ, l1p >> PAGE_SHIFT);
>+    if ( l1 == NULL )
>+        return NULL;
>+
>+    p = to_ma(cpu, l1[l1_table_offset(va)]);
>+    munmap(l1, PAGE_SIZE);
>+    if ( !(p & _PAGE_PRESENT) )
>+        return NULL;
>+    if ( v[cpu] != NULL )
>+        munmap(v[cpu], PAGE_SIZE);
>+    v[cpu] = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
>perm, p >> PAGE_SHIFT);
>+    if ( v[cpu] == NULL )
>+        return NULL;
>+
>+    return (void *)((unsigned long)v[cpu] | (va & (PAGE_SIZE - 1)));
> }
>
>
>@@ -252,7 +225,7 @@ map_domain_va_pae(
> {
>     unsigned long l2p, l1p, p, va = (unsigned long)guest_va;
>     uint64_t *l3, *l2, *l1;
>-    static void *v;
>+    static void *v[MAX_VIRT_CPUS];
>
>     l3 = xc_map_foreign_range(
>         xc_handle, current_domid, PAGE_SIZE, PROT_READ,
>ctxt[cpu].ctrlreg[3] >> PAGE_SHIFT);
>@@ -260,26 +233,32 @@ map_domain_va_pae(
>         return NULL;
>
>     l2p = to_ma(cpu, l3[l3_table_offset_pae(va)]);
>+    munmap(l3, PAGE_SIZE);
>+    if ( !(l2p & _PAGE_PRESENT) )
>+        return NULL;
>     l2 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
>PROT_READ, l2p >> PAGE_SHIFT);
>-    munmap(l3, PAGE_SIZE);
>     if ( l2 == NULL )
>         return NULL;
>
>     l1p = to_ma(cpu, l2[l2_table_offset_pae(va)]);
>+    munmap(l2, PAGE_SIZE);
>+    if ( !(l1p & _PAGE_PRESENT) )
>+        return NULL;
>     l1 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
perm,>l1p >> PAGE_SHIFT);
>-    munmap(l2, PAGE_SIZE);
>     if ( l1 == NULL )
>         return NULL;
>
>     p = to_ma(cpu, l1[l1_table_offset_pae(va)]);
>-    if ( v != NULL )
>-        munmap(v, PAGE_SIZE);
>-    v = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
perm, p>>> PAGE_SHIFT);
>     munmap(l1, PAGE_SIZE);
>-    if ( v == NULL )
>-        return NULL;
>-
>-    return (void *)((unsigned long)v | (va & (PAGE_SIZE - 1)));
>+    if ( !(p & _PAGE_PRESENT) )
>+        return NULL;
>+    if ( v[cpu] != NULL )
>+        munmap(v[cpu], PAGE_SIZE);
>+    v[cpu] = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
>perm, p >> PAGE_SHIFT);
>+    if ( v[cpu] == NULL )
>+        return NULL;
>+
>+    return (void *)((unsigned long)v[cpu] | (va & (PAGE_SIZE - 1)));
> }
>
> #ifdef __x86_64__
>@@ -292,7 +271,7 @@ map_domain_va_64(
> {
>     unsigned long l3p, l2p, l1p, l1e, p, va = (unsigned long)guest_va;
>     uint64_t *l4, *l3, *l2, *l1;
>-    static void *v;
>+    static void *v[MAX_VIRT_CPUS];
>
>     if ((ctxt[cpu].ctrlreg[4] & 0x20) == 0 ) /* legacy ia32 mode */
>         return map_domain_va_32(xc_handle, cpu, guest_va, perm);
>@@ -303,24 +282,33 @@ map_domain_va_64(
>         return NULL;
>
>     l3p = to_ma(cpu, l4[l4_table_offset(va)]);
>+    munmap(l4, PAGE_SIZE);
>+    if ( !(l3p & _PAGE_PRESENT) )
>+        return NULL;
>     l3 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
>PROT_READ, l3p >> PAGE_SHIFT);
>-    munmap(l4, PAGE_SIZE);
>     if ( l3 == NULL )
>         return NULL;
>
>     l2p = to_ma(cpu, l3[l3_table_offset(va)]);
>+    munmap(l3, PAGE_SIZE);
>+    if ( !(l2p & _PAGE_PRESENT) )
>+        return NULL;
>     l2 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
>PROT_READ, l2p >> PAGE_SHIFT);
>-    munmap(l3, PAGE_SIZE);
>     if ( l2 == NULL )
>         return NULL;
>
>     l1 = NULL;
>     l1e = to_ma(cpu, l2[l2_table_offset(va)]);
>+    if ( !(l1e & _PAGE_PRESENT) )
>+    {
>+        munmap(l2, PAGE_SIZE);
>+        return NULL;
>+    }
>     l1p = l1e >> PAGE_SHIFT;
>     if (l1e & 0x80)  { /* 2M pages */
>         p = to_ma(cpu, (l1p + l1_table_offset(va)) << PAGE_SHIFT);
>     } else { /* 4K pages */
>-        //l1p = to_ma(cpu, l1e[l1_table_offset(va)]);
>+        l1p = to_ma(cpu, l1p);
>         l1 = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
>perm, l1p >> PAGE_SHIFT);
>         munmap(l2, PAGE_SIZE);
>         if ( l1 == NULL )
>@@ -328,15 +316,15 @@ map_domain_va_64(
>
>         p = to_ma(cpu, l1[l1_table_offset(va)]);
>     }
>-    if ( v != NULL )
>-        munmap(v, PAGE_SIZE);
>-    v = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
perm, p>>> PAGE_SHIFT);
>+    if ( v[cpu] != NULL )
>+        munmap(v[cpu], PAGE_SIZE);
>+    v[cpu] = xc_map_foreign_range(xc_handle, current_domid, PAGE_SIZE,
>perm, p >> PAGE_SHIFT);
>     if (l1)
>         munmap(l1, PAGE_SIZE);
>-    if ( v == NULL )
>-        return NULL;
>-
>-    return (void *)((unsigned long)v | (va & (PAGE_SIZE - 1)));
>+    if ( v[cpu] == NULL )
>+        return NULL;
>+
>+    return (void *)((unsigned long)v[cpu] | (va & (PAGE_SIZE - 1)));
> }
> #endif
>
>
>_______________________________________________
>Xen-changelog mailing list
>Xen-changelog@lists.xensource.com
>http://lists.xensource.com/xen-changelog
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Xen devel - May 2006 - RE: [Xen-changelog] Fix a crash in gdbserver-xen where it referencesunmapped memory if

[Xen-devel] RE: [Xen-changelog] Fix a crash in gdbserver-xen where it referencesunmapped memory if
