xen-devel.lists.xenproject.org archive mirror
From: "Jan Beulich" <JBeulich@suse.com>
To: andrew.cooper3@citrix.com, Kevin.Mayer@gdata.de
Cc: xen-devel@lists.xen.org
Subject: Re: Xen 4.6.1 crash with altp2m enabledbydefault
Date: Thu, 22 Sep 2016 04:13:08 -0600
Message-ID: <57E3CAD4020000780011186F@prv-mh.provo.novell.com>
In-Reply-To: <5C9C3B9BEF1B354596EAE3D6800D876B2DCF6BF5@e3.gdata.de>

>>> On 21.09.16 at 16:18, <Kevin.Mayer@gdata.de> wrote:
> I have found the problem (after hours and hours of gruesome
> debugging with the almighty print) and it seems that this could potentially
> have quite a bit of impact if altp2m is enabled for a guest domain (even if
> the functionality is never actively used), since destroying any vcpu of this
> guest could lead to a hypervisor panic.
> So a malicious user could simply destroy and restart his VM(s) in order to
> DoS the VMs of other users by killing the hypervisor.
> Granted, this is not very effective, but, depending on the environment, it
> is extremely easy to implement.

So this is not a security problem because altp2m isn't a supported
feature yet, albeit the features page doesn't explicitly state this one
way or the other. The correct way to report a suspected security
issue would, however, have been to contact security@xenproject.org 
(see also https://www.xenproject.org/security-policy.html).

> The bug persists in Xen 4.7 and I do not think that it was fixed in the
> current master branch.
> 
> The following happens.
> The call
> void hvm_vcpu_destroy(struct vcpu *v)
> {
>     hvm_all_ioreq_servers_remove_vcpu(v->domain, v);
>     if ( hvm_altp2m_supported() )
>         altp2m_vcpu_destroy(v);
> 
> at some time reaches vmx_vcpu_update_eptp which ends with a
> vmx_vmcs_exit(v);.

I don't see how this can be a problem - it is properly paired with
a vmx_vmcs_enter().

> For the next function in hvm_vcpu_destroy, the nestedhvm_vcpu_destroy(v) the
> missing vmcs is no problem (at least in our use case), but the
> free_compat_arg_xlat crashes.
> The callstack is as follows:
> hvm_vcpu_destroy
> free_compat_arg_xlat
> destroy_perdomain_mapping
> map_domain_page
> (probably inlined) mapcache_current_vcpu
> sync_local_execstate

For you to get here, you must be running on the idle vCPU, yet
proof of this is not visible from the partial call stack you provide.
And anyway, things breaking here suggest something going wrong
earlier, or else - afaict - we'd run into this problem also without use
of altp2m (basically whenever map_domain_page() would get used
on the guest cleanup path, which - as you see from the call tree -
happens always). So I'm afraid the patch you've put together is
papering over a problem rather than fixing it, and the actual bug
remains non-understood.

Perhaps a relevant aspect is you saying "some time reaches
vmx_vcpu_update_eptp": Why only sometimes? Afaics
altp2m_vcpu_destroy() unconditionally calls
altp2m_vcpu_update_p2m(), which is just a wrapper around
vmx_vcpu_update_eptp().

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


Thread overview: 20+ messages
2016-07-29  7:33 Xen 4.6.1 crash with altp2m enabled by default Kevin.Mayer
2016-07-29  9:57 ` Dario Faggioli
2016-07-29 10:05 ` Andrew Cooper
2016-08-02 11:45   ` Kevin.Mayer
2016-08-02 12:34     ` Jan Beulich
2016-08-03 13:24       ` Kevin.Mayer
2016-08-03 13:54         ` Jan Beulich
2016-08-04 15:08           ` Kevin.Mayer
2016-08-04 15:35             ` Jan Beulich
2016-08-05 12:51               ` Xen 4.6.1 crash with altp2m enabled bydefault Kevin.Mayer
2016-08-05 14:48                 ` Jan Beulich
2016-08-08  9:48                   ` Xen 4.6.1 crash with altp2m enabledbydefault Kevin.Mayer
2016-08-08 10:29                     ` Jan Beulich
2016-08-19 10:01                       ` Kevin.Mayer
2016-08-22 11:58                         ` Andrew Cooper
2016-08-22 12:22                           ` Kevin.Mayer
2016-09-07  8:35                           ` Kevin.Mayer
2016-09-21 14:18                           ` Kevin.Mayer
2016-09-22 10:13                             ` Jan Beulich [this message]
     [not found]                               ` <5C9C3B9BEF1B354596EAE3D6800D876B2DCF7138@e3.gdata.de>
     [not found]                                 ` <57E405970200007800111B26@prv-mh.provo.novell.com>
     [not found]                                   ` <5C9C3B9BEF1B354596EAE3D6800D876B2DCF7254@e3.gdata.de>
2016-09-26  9:20                                     ` Xen 4.6.1 crash with altp2menabledbydefault Jan Beulich
