Port-xen archive


xen: easy DoS... tiring



An issue I found some time ago: xen_failsafe_handler panics, but the
interrupt it is called from can be triggered by userland.

For example, userland can make iretq fault by changing the %eip of a traced
32-bit process and making it point to > VM_MAXUSER_ADDRESS32. Xen then
jumps into failsafe_callback, which calls xen_failsafe_handler. See [1]:

	$ gcc -m32 -o child32 child32.c
	$ gcc -o ptrace ptrace.c
	$ ./child32 &
	$ ./ptrace pid_of_child32
	-> panic

I tried to fix it by returning into the original context, but in resume_iret,
which would reconstruct the frame and call trap with T_PROTFLT. But I remember
that it produced some bizarre behavior that I didn't understand, and it was
too tiring to reverse engineer the undocumented xen code.

I'm posting this here with the hope someone interested enough can fix it...

Maxime

[1] http://m00nbsd.net/garbage/xen/
