Hi,
Based on CVE-2015-7814 and commit 1ef01396fdff, ' arm: handle races between
relinquish_memory and free_domheap_pages'..
relinquish_memory() [xen/arch/arm/domain.c, arm code],
when couldn't get a reference -- someone is freeing this page and has already
committed to doing so, so no more to do here, continue.
But in relinquish_memory()[xen/arch/x86/domain.c, __x86__ code], when couldn't
get a reference -- someone is freeing this page,
Why adding this page to d->arch.relmem_list again.
Is it a CVE to double free page, then hit the ''" alloc_heap_pages() :
BUG_ON(pg[i].count_info != PGC_state_free)"" in creating guests later..
[1] CVE-2015-7814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7814
[2] commit 1ef01396fdff
commit 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
Author: Ian Campbell
Date: Thu Oct 29 13:34:17 2015 +0100
arm: handle races between relinquish_memory and free_domheap_pages
Primarily this means XENMEM_decrease_reservation from a toolstack
domain.
Unlike x86 we have no requirement right now to queue such pages onto
a separate list, if we hit this race then the other code has already
fully accepted responsibility for freeing this page and therefore
there is no more for relinquish_memory to do.
This is CVE-2015-7814 / XSA-147.
Signed-off-by: Ian Campbell
Reviewed-by: Julien Grall
Reviewed-by: Jan Beulich
diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index 683e769..880d0a6 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -772,8 +772,15 @@ static int relinquish_memory(struct domain *d, struct
page_list_head *list)
{
/* Grab a reference to the page so it won't disappear from under us. */
if ( unlikely(!get_page(page, d)) )
-/* Couldn't get a reference -- someone is freeing this page. */
-BUG();
+/*
+ * Couldn't get a reference -- someone is freeing this page and
+ * has already committed to doing so, so no more to do here.
+ *
+ * Note that the page must be left on the list, a list_del
+ * here will clash with the list_del done by the other
+ * party in the race and corrupt the list head.
+ */
+continue;
if ( test_and_clear_bit(_PGC_allocated, >count_info) )
put_page(page);
~
Quan
___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel