Re: [Xen-devel] [PATCH v3 1/2] x86/traps: guard top-of-stack reads
On 23/09/2019 16:12, Jan Beulich wrote: > On 23.09.2019 16:20, Andrew Cooper wrote: >> On 15/07/2019 16:00, Jan Beulich wrote: >>> Nothing guarantees that the original frame's stack pointer points at >>> readable memory. Avoid a (likely nested) crash by attaching exception >>> recovery to the read (making it a single read at the same time). Don't >>> even invoke _show_trace() in case of a non-readable top slot. >>> >>> Signed-off-by: Jan Beulich >>> Reviewed-by: Andrew Cooper > With this, ... > >> Reviewed-by: Andrew Cooper > ... was this perhaps meant for patch 2 of this short series? No. I didn't spot my R-b tag and only had enough free time to read the first email. ~Andrew ___ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
Re: [Xen-devel] [PATCH v3 1/2] x86/traps: guard top-of-stack reads
On 23.09.2019 16:20, Andrew Cooper wrote: > On 15/07/2019 16:00, Jan Beulich wrote: >> Nothing guarantees that the original frame's stack pointer points at >> readable memory. Avoid a (likely nested) crash by attaching exception >> recovery to the read (making it a single read at the same time). Don't >> even invoke _show_trace() in case of a non-readable top slot. >> >> Signed-off-by: Jan Beulich >> Reviewed-by: Andrew Cooper With this, ... > Reviewed-by: Andrew Cooper ... was this perhaps meant for patch 2 of this short series? Jan ___ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
Re: [Xen-devel] [PATCH v3 1/2] x86/traps: guard top-of-stack reads
On 15/07/2019 16:00, Jan Beulich wrote: > Nothing guarantees that the original frame's stack pointer points at > readable memory. Avoid a (likely nested) crash by attaching exception > recovery to the read (making it a single read at the same time). Don't > even invoke _show_trace() in case of a non-readable top slot. > > Signed-off-by: Jan Beulich > Reviewed-by: Andrew Cooper Reviewed-by: Andrew Cooper ___ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
[Xen-devel] [PATCH v3 1/2] x86/traps: guard top-of-stack reads
Nothing guarantees that the original frame's stack pointer points at readable memory. Avoid a (likely nested) crash by attaching exception recovery to the read (making it a single read at the same time). Don't even invoke _show_trace() in case of a non-readable top slot. Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- v2: Name asm() arguments. Use explicit "fault" variable. --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -486,17 +486,31 @@ static void _show_trace(unsigned long sp static void show_trace(const struct cpu_user_regs *regs) { -unsigned long *sp = ESP_BEFORE_EXCEPTION(regs); +unsigned long *sp = ESP_BEFORE_EXCEPTION(regs), tos = 0; +bool fault = false; printk("Xen call trace:\n"); +/* Guarded read of the stack top. */ +asm ( "1: mov %[data], %[tos]; 2:\n" + ".pushsection .fixup,\"ax\"\n" + "3: movb $1, %[fault]; jmp 2b\n" + ".popsection\n" + _ASM_EXTABLE(1b, 3b) + : [tos] "+r" (tos), [fault] "+qm" (fault) : [data] "m" (*sp) ); + /* * If RIP looks sensible, or the top of the stack doesn't, print RIP at * the top of the stack trace. */ if ( is_active_kernel_text(regs->rip) || - !is_active_kernel_text(*sp) ) + !is_active_kernel_text(tos) ) printk(" [<%p>] %pS\n", _p(regs->rip), _p(regs->rip)); +else if ( fault ) +{ +printk(" [Fault on access]\n"); +return; +} /* * Else RIP looks bad but the top of the stack looks good. Perhaps we * followed a wild function pointer? Lets assume the top of the stack is a @@ -505,7 +519,7 @@ static void show_trace(const struct cpu_ */ else { -printk(" [<%p>] %pS\n", _p(*sp), _p(*sp)); +printk(" [<%p>] %pS\n", _p(tos), _p(tos)); sp++; } ___ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel