FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 06-22-2011, 12:34 PM
Stefan Bader
 
Default UBUNTU: xen: Fix memory corruption caused by double free

The Xen patches missed to exclude a section in pgd_dtor which causes
pgds which are freed on a quicklist trim to be unlinked from the
pgd_list for a second time. This causes memory coruption in struct pages
which possible are not even related to pgds.

Beside of this, a possible NULL pointer access and potential unbalanced
function call to xen_destroy_region get fixed.

BugLink: http://bugs.launchpad.net/bugs/705562

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
...n-Check-for-NULL-pointer-before-using-pgd.patch | 37 +++++++++++++++++
...xen_destroy_contiguous_region-only-needed.patch | 37 +++++++++++++++++
...Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch | 43 ++++++++++++++++++++
3 files changed, 117 insertions(+), 0 deletions(-)
create mode 100644 debian/binary-custom.d/xen/patchset/022-UBUNTU-xen-Check-for-NULL-pointer-before-using-pgd.patch
create mode 100644 debian/binary-custom.d/xen/patchset/023-UBUNTU-xen-xen_destroy_contiguous_region-only-needed.patch
create mode 100644 debian/binary-custom.d/xen/patchset/024-UBUNTU-xen-Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch

diff --git a/debian/binary-custom.d/xen/patchset/022-UBUNTU-xen-Check-for-NULL-pointer-before-using-pgd.patch b/debian/binary-custom.d/xen/patchset/022-UBUNTU-xen-Check-for-NULL-pointer-before-using-pgd.patch
new file mode 100644
index 0000000..5faf99a
--- /dev/null
+++ b/debian/binary-custom.d/xen/patchset/022-UBUNTU-xen-Check-for-NULL-pointer-before-using-pgd.patch
@@ -0,0 +1,37 @@
+From 310f9650b26f889008ae5210ed7cadb9dcb5e39f Mon Sep 17 00:00:00 2001
+From: Stefan Bader <stefan.bader@canonical.com>
+Date: Tue, 21 Jun 2011 09:48:56 +0200
+Subject: [PATCH 21/23] UBUNTU: xen: Check for NULL pointer before using pgd
+
+In pgd_alloc(), the test for the new pgd being NULL is done
+after it has already been used for test_and_unpin(). Do that
+check before.
+
+BugLink: http://bugs.launchpad.net/bugs/705562
+
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+---
+ arch/x86/mm/pgtable_32-xen.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/arch/x86/mm/pgtable_32-xen.c b/arch/x86/mm/pgtable_32-xen.c
+index 74a2e57..48242aa 100644
+--- a/arch/x86/mm/pgtable_32-xen.c
++++ b/arch/x86/mm/pgtable_32-xen.c
+@@ -345,9 +345,12 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ pmd_t **pmds = NULL;
+ unsigned long flags;
+
++ if (!pgd)
++ return NULL;
++
+ pgd_test_and_unpin(pgd);
+
+- if (PTRS_PER_PMD == 1 || !pgd)
++ if (PTRS_PER_PMD == 1)
+ return pgd;
+
+ #ifdef CONFIG_XEN
+--
+1.7.4.1
+
diff --git a/debian/binary-custom.d/xen/patchset/023-UBUNTU-xen-xen_destroy_contiguous_region-only-needed.patch b/debian/binary-custom.d/xen/patchset/023-UBUNTU-xen-xen_destroy_contiguous_region-only-needed.patch
new file mode 100644
index 0000000..bb3670a
--- /dev/null
+++ b/debian/binary-custom.d/xen/patchset/023-UBUNTU-xen-xen_destroy_contiguous_region-only-needed.patch
@@ -0,0 +1,37 @@
+From 6a622c376c715a04d245bb3ca1f7910680b8165c Mon Sep 17 00:00:00 2001
+From: Stefan Bader <stefan.bader@canonical.com>
+Date: Wed, 22 Jun 2011 12:06:51 +0200
+Subject: [PATCH 22/23] UBUNTU: xen: xen_destroy_contiguous_region only needed in unshared case
+
+The call to create is only done for !SHARED_KERNEL_PMD, so only destroy
+in that case (also this is only useful when CONFIG_XEN is set.
+
+BugLink: http://bugs.launchpad.net/bugs/705562
+
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+---
+ arch/x86/mm/pgtable_32-xen.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/mm/pgtable_32-xen.c b/arch/x86/mm/pgtable_32-xen.c
+index 48242aa..49e28e7 100644
+--- a/arch/x86/mm/pgtable_32-xen.c
++++ b/arch/x86/mm/pgtable_32-xen.c
+@@ -473,8 +473,12 @@ void pgd_free(pgd_t *pgd)
+ pmd_cache_free(pmd, i);
+ }
+
+- if (!xen_feature(XENFEAT_pae_pgdir_above_4gb))
+- xen_destroy_contiguous_region((unsigned long)pgd, 0);
++#ifdef CONFIG_XEN
++ if (!SHARED_KERNEL_PMD)
++ if (!xen_feature(XENFEAT_pae_pgdir_above_4gb))
++ xen_destroy_contiguous_region(
++ (unsigned long)pgd, 0);
++#endif
+ }
+
+ /* in the non-PAE case, free_pgtables() clears user pgd entries */
+--
+1.7.4.1
+
diff --git a/debian/binary-custom.d/xen/patchset/024-UBUNTU-xen-Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch b/debian/binary-custom.d/xen/patchset/024-UBUNTU-xen-Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch
new file mode 100644
index 0000000..0c65d36
--- /dev/null
+++ b/debian/binary-custom.d/xen/patchset/024-UBUNTU-xen-Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch
@@ -0,0 +1,43 @@
+From b70dad384c6b97b30a11838989364bb5946922cf Mon Sep 17 00:00:00 2001
+From: Stefan Bader <stefan.bader@canonical.com>
+Date: Wed, 22 Jun 2011 12:16:10 +0200
+Subject: [PATCH 23/23] UBUNTU: xen: Do not call pgd_list_del in pgd_dtor for Xen
+
+The Xen modifications add code to remove the pgd from the list as soon
+as it is freed in pgd_free.
+
+BugLink: http://bugs.launchpad.net/bugs/705562
+
+Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
+---
+ arch/x86/mm/pgtable_32-xen.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/arch/x86/mm/pgtable_32-xen.c b/arch/x86/mm/pgtable_32-xen.c
+index 49e28e7..d8bc211 100644
+--- a/arch/x86/mm/pgtable_32-xen.c
++++ b/arch/x86/mm/pgtable_32-xen.c
+@@ -290,15 +290,20 @@ static void pgd_ctor(void *pgd)
+
+ static void pgd_dtor(void *pgd)
+ {
++#ifndef CONFIG_XEN
+ unsigned long flags; /* can be called from interrupt context */
++#endif
+
+ if (SHARED_KERNEL_PMD)
+ return;
+
++#ifndef CONFIG_XEN
++ /* This is done in pgd_free in the Xen case. */
+ paravirt_release_pd(__pa(pgd) >> PAGE_SHIFT);
+ spin_lock_irqsave(&pgd_lock, flags);
+ pgd_list_del(pgd);
+ spin_unlock_irqrestore(&pgd_lock, flags);
++#endif
+
+ pgd_test_and_unpin(pgd);
+ }
+--
+1.7.4.1
+
--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 04:42 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org