xen/26370-libxc-x86-initial-mapping-fit.patch

# HG changeset patch
# User Ian Campbell <Ian.Campbell@citrix.com>
# Date 1357906947 0
# Node ID ba2d73234d73fc0faa027cd9bdfd3ac90642733c
# Parent  84d87ca765be81c215ef3b67d2ed71acfba73553
libxc: x86: ensure that the initial mapping fits into the guest's memory

In particular we need to check that adding 512KB of slack and
rounding up to a 4MB boundary do not overflow the guest's memory
allocation. Otherwise we run off the end of the p2m when building the
guest's initial page tables and populate them with garbage.

Wei noticed this when build tiny (2MB) mini-os domains.

Reported-by: Wei Liu <Wei.Liu2@citrix.com>
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>

--- a/tools/libxc/xc_dom_core.c
+++ b/tools/libxc/xc_dom_core.c
@@ -871,7 +871,8 @@ int xc_dom_build_image(struct xc_dom_ima
         goto err;
     if ( dom->arch_hooks->count_pgtables )
     {
-        dom->arch_hooks->count_pgtables(dom);
+        if ( dom->arch_hooks->count_pgtables(dom) != 0 )
+            goto err;
         if ( (dom->pgtables > 0) &&
              (xc_dom_alloc_segment(dom, &dom->pgtables_seg, "page tables", 0,
                                    dom->pgtables * page_size) != 0) )
--- a/tools/libxc/xc_dom_x86.c
+++ b/tools/libxc/xc_dom_x86.c
@@ -82,6 +82,7 @@ static int count_pgtables(struct xc_dom_
 {
     int pages, extra_pages;
     xen_vaddr_t try_virt_end;
+    xen_pfn_t try_pfn_end;
 
     extra_pages = dom->alloc_bootstack ? 1 : 0;
     extra_pages += dom->extra_pages;
@@ -91,6 +92,17 @@ static int count_pgtables(struct xc_dom_
     {
         try_virt_end = round_up(dom->virt_alloc_end + pages * PAGE_SIZE_X86,
                                 bits_to_mask(22)); /* 4MB alignment */
+
+        try_pfn_end = (try_virt_end - dom->parms.virt_base) >> PAGE_SHIFT_X86;
+
+        if ( try_pfn_end > dom->total_pages )
+        {
+            xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
+                         "%s: not enough memory for initial mapping (%#"PRIpfn" > %#"PRIpfn")",
+                         __FUNCTION__, try_pfn_end, dom->total_pages);
+            return -ENOMEM;
+        }
+
         dom->pg_l4 =
             nr_page_tables(dom, dom->parms.virt_base, try_virt_end, l4_bits);
         dom->pg_l3 =
- Add upstream patch to fix vfb/vkb initialization in libxl 26369-libxl-devid.patch - fate##313584: pass bios information to XEN HVM guest 26554-hvm-firmware-passthrough.patch 26555-hvm-firmware-passthrough.patch 26556-hvm-firmware-passthrough.patch - Upstream patches from Jan 26516-ACPI-parse-table-retval.patch (Replaces CVE-2013-0153-xsa36.patch) 26517-AMD-IOMMU-clear-irtes.patch (Replaces CVE-2013-0153-xsa36.patch) 26518-AMD-IOMMU-disable-if-SATA-combined-mode.patch (Replaces CVE-2013-0153-xsa36.patch) 26519-AMD-IOMMU-perdev-intremap-default.patch (Replaces CVE-2013-0153-xsa36.patch) 26526-pvdrv-no-devinit.patch 26529-gcc48-build-fix.patch 26531-AMD-IOMMU-IVHD-special-missing.patch (Replaces CVE-2013-0153-xsa36.patch) 26532-AMD-IOMMU-phantom-MSI.patch 26536-xenoprof-div-by-0.patch 26576-x86-APICV-migration.patch 26577-x86-APICV-x2APIC.patch 26578-AMD-IOMMU-replace-BUG_ON.patch - bnc#797014 - no way to control live migrations 26547-tools-xc_fix_logic_error_in_stdiostream_progress.patch 26548-tools-xc_handle_tty_output_differently_in_stdiostream_progress.patch 26549-tools-xc_turn_XCFLAGS_*_into_shifts.patch 26550-tools-xc_restore_logging_in_xc_save.patch 26551-tools-xc_log_pid_in_xc_save-xc_restore_output.patch - PVonHVM: __devinit was removed in linux-3.8 OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=229 2013-02-22 21:42:01 +00:00			`# HG changeset patch`
			`# User Ian Campbell <Ian.Campbell@citrix.com>`
			`# Date 1357906947 0`
			`# Node ID ba2d73234d73fc0faa027cd9bdfd3ac90642733c`
			`# Parent 84d87ca765be81c215ef3b67d2ed71acfba73553`
			`libxc: x86: ensure that the initial mapping fits into the guest's memory`

			`In particular we need to check that adding 512KB of slack and`
			`rounding up to a 4MB boundary do not overflow the guest's memory`
			`allocation. Otherwise we run off the end of the p2m when building the`
			`guest's initial page tables and populate them with garbage.`

			`Wei noticed this when build tiny (2MB) mini-os domains.`

			`Reported-by: Wei Liu <Wei.Liu2@citrix.com>`
			`Signed-off-by: Ian Campbell <ian.campbell@citrix.com>`
			`Acked-by: Jan Beulich <jbeulich@suse.com>`
			`Committed-by: Ian Campbell <ian.campbell@citrix.com>`

			`--- a/tools/libxc/xc_dom_core.c`
			`+++ b/tools/libxc/xc_dom_core.c`
			`@@ -871,7 +871,8 @@ int xc_dom_build_image(struct xc_dom_ima`
			`goto err;`
			`if ( dom->arch_hooks->count_pgtables )`
			`{`
			`- dom->arch_hooks->count_pgtables(dom);`
			`+ if ( dom->arch_hooks->count_pgtables(dom) != 0 )`
			`+ goto err;`
			`if ( (dom->pgtables > 0) &&`
			`(xc_dom_alloc_segment(dom, &dom->pgtables_seg, "page tables", 0,`
			`dom->pgtables * page_size) != 0) )`
			`--- a/tools/libxc/xc_dom_x86.c`
			`+++ b/tools/libxc/xc_dom_x86.c`
			`@@ -82,6 +82,7 @@ static int count_pgtables(struct xc_dom_`
			`{`
			`int pages, extra_pages;`
			`xen_vaddr_t try_virt_end;`
			`+ xen_pfn_t try_pfn_end;`

			`extra_pages = dom->alloc_bootstack ? 1 : 0;`
			`extra_pages += dom->extra_pages;`
			`@@ -91,6 +92,17 @@ static int count_pgtables(struct xc_dom_`
			`{`
			`try_virt_end = round_up(dom->virt_alloc_end + pages * PAGE_SIZE_X86,`
			`bits_to_mask(22)); /* 4MB alignment */`
			`+`
			`+ try_pfn_end = (try_virt_end - dom->parms.virt_base) >> PAGE_SHIFT_X86;`
			`+`
			`+ if ( try_pfn_end > dom->total_pages )`
			`+ {`
			`+ xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,`
			`+ "%s: not enough memory for initial mapping (%#"PRIpfn" > %#"PRIpfn")",`
			`+ __FUNCTION__, try_pfn_end, dom->total_pages);`
			`+ return -ENOMEM;`
			`+ }`
			`+`
			`dom->pg_l4 =`
			`nr_page_tables(dom, dom->parms.virt_base, try_virt_end, l4_bits);`
			`dom->pg_l3 =`