From: =?gb18030?B?UnJvYWNo?= <2284696125@qq.com>
To: =?gb18030?B?eGVuLWRldmVs?= <xen-devel@lists.xenproject.org>
Subject: Re: A possible pointer_overflow in xen-4.13
Date: Wed, 7 Jul 2021 10:32:11 +0800 [thread overview]
Message-ID: <tencent_40EF4EF7C31E752FD2BCB7D5963C44459006@qq.com> (raw)
In-Reply-To: <fbd1eb89-695c-5c23-da07-ae16fd567010@citrix.com>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="gb18030", Size: 4590 bytes --]
After patching it, this works fine and UBSAN dose not have any error report about it.
------------------ Original ------------------
From: "Andrew Cooper";<andrew.cooper3@citrix.com>;
Send time: Saturday, Jun 26, 2021 9:50 PM
To: "Rroach"<2284696125@qq.com>; "xen-devel"<xen-devel@lists.xenproject.org>;
Subject: Re: A possible pointer_overflow in xen-4.13
On 26/06/2021 14:29, Rroach wrote:
Hi, I compile Xen-4.13 with CONFIG_UBSAN, and try test it. However, during testing, xl dmesg got the output as shown below.
It seems that there is a potential pointer overflow within arch/x86/pv/emul-priv-op.c:131 where xen try to execute instruction ''' APPEND_CALL(save_guest_gprs) '''£¬where APPEND_CALL try to add an offset on *p without proper checking.
I compiled xen-4.13 by clang-9, with following instructions: ''' export CONFIG_UBSAN=y ''' && ''' make clang=y debug=y ''' . Do you have any idea what going on here?
You say Xen 4.13, but APPEND_CALL() doesn't exist there. I added it in 4.14 when I rewrote this mess to be compatible with CET by not using a ROP gadget. Your backtrace says 4.15 unstable which means its an old staging build (not that that is going to have any effect on this specific issue).
The fact that it continued executing correctly means the calculation did the right thing, whether or not UBSAN was happy. The displacement will end up negative as the stub we're writing is numerically higher than {load,save}_guest_gprs(), which I guess means that f - stub_va will underflow.
I'm very confused as to why UBSAN reports against save_guest_gprs() considering that load_guest_gprs() when through the exact same logic a few instructions earlier.
Either way, does this make the problem go away?
diff --git a/xen/arch/x86/pv/emul-priv-op.c b/xen/arch/x86/pv/emul-priv-op.c
index 11467a1e3a..be41bced76 100644
--- a/xen/arch/x86/pv/emul-priv-op.c
+++ b/xen/arch/x86/pv/emul-priv-op.c
@@ -98,7 +98,7 @@ static io_emul_stub_t *io_emul_stub_setup(struct priv_op_ctxt *ctxt, u8 opcode,
#define APPEND_BUFF(b) ({ memcpy(p, b, sizeof(b)); p += sizeof(b); })
#define APPEND_CALL(f) \
({ \
- long disp = (long)(f) - (stub_va + p - ctxt->io_emul_stub + 5); \
+ long disp = (long)(f) - (long)(stub_va + p - ctxt->io_emul_stub + 5); \
BUG_ON((int32_t)disp != disp); \
*p++ = 0xe8; \
*(int32_t *)p = disp; p += 4; \
~Andrew
[-- Attachment #2: Type: text/html, Size: 5222 bytes --]
next prev parent reply other threads:[~2021-07-07 2:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <tencent_A17CA7BA63F6E47B3FE7B1AC54E55B2A3609@qq.com>
2021-06-26 13:50 ` A possible pointer_overflow in xen-4.13 Andrew Cooper
2021-07-07 2:32 ` =?gb18030?B?UnJvYWNo?= [this message]
2021-07-07 7:55 ` Jan Beulich
2021-07-07 15:54 =?gb18030?B?UnJvYWNo?=
2021-07-07 15:59 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tencent_40EF4EF7C31E752FD2BCB7D5963C44459006@qq.com \
--to=2284696125@qq.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.