Hi, I compiled Xen 4.13 with CONFIG_UBSAN and tried to test it. However, during
testing, xl dmesg produced the output shown below.


It seems that there is a potential pointer overflow within
arch/x86/pv/emul-priv-op.c:131, where Xen executes APPEND_CALL(save_guest_gprs);
APPEND_CALL adds an offset to *p without proper checking.


I compiled xen-4.13 with clang-9, using the following commands:
export CONFIG_UBSAN=y && make clang=y debug=y
Do you have any idea what is going on here?


(XEN) pointer operation underflowed ffff8200400170d3 to ffff04d0c0014193
(XEN) ----[ Xen-4.15-unstable  x86_64  debug=y   Not tainted ]----
(XEN) CPU:    1
(XEN) RIP:    e008:[<ffff82d0402d694a>] common/ubsan/ubsan.c#ubsan_epilogue+0xa/0x90
(XEN) RFLAGS: 0000000000010082   CONTEXT: hypervisor (d0v0)
(XEN) rax: 0000000000000000   rbx: ffff83007c36f870   rcx: 0000000000000010
(XEN) rdx: 0000000000010000   rsi: ffff83007c370000   rdi: ffff83007c36f870
(XEN) rbp: ffff83007c36f858   rsp: ffff83007c36f848   r8:  ffff82d040853f70
(XEN) r9:  0000000000000001   r10: ffff82d040854400   r11: ffff82d0408543d0
(XEN) r12: ffff83007c36f870   r13: ffff8200400170d0   r14: ffff04d0c0014193
(XEN) r15: ffff8200400170d3   cr0: 0000000080050033   cr4: 0000000000000660
(XEN) cr3: 000000007640c000   cr2: ffffc900003ff000
(XEN) fsb: 0000000000000000   gsb: ffff888073600000   gss: 0000000000000000
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: 0000   cs: e008
(XEN) Xen code around <ffff82d0402d694a> (common/ubsan/ubsan.c#ubsan_epilogue+0xa/0x90):
(XEN)  89 e5 41 56 53 48 89 fb <0f> 0b 48 8d 3d 17 83 3c 00 31 c0 e8 76 29 00 00
(XEN) Xen stack trace from rsp=ffff83007c36f848:
(XEN)    ffff82d040a5b9b0 ffff04d0c0014193 ffff83007c36f898 ffff82d0402d7bde
(XEN)    0000000000003000 0000000000000286 ffff04d0c0014193 ffff83007c36fe58
(XEN)    ffff82d07fffd0c0 ffff8200400170d3 ffff83007c36f8f8 ffff82d040493d7b
(XEN)    ffff83007c36f8c8 00000001000003da ffff83007f85aa50 000000ec7f85ce01
(XEN)    ffff83007c36fe00 ffff83007c36fe18 00000000000003da ffff83007c36fe00
(XEN)    0000000000000000 0000000000000001 ffff83007c36f938 ffff82d040490eb5
(XEN)    ffff83007c36fce8 00000000000003da 0000000000000000 ffff82d0406c0358
(XEN)    ffff82d0406c03c0 0000000000000000 ffff83007c36fda8 ffff82d040531a73
(XEN)    ffff82d04058d851 0000000000000046 0000000000000046 ffff82d04027061d
(XEN)    0000000000077f07 ffff83007f85f2b8 0000000000000000 aaaaaaaaaaaaaaaa
(XEN)    aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa
(XEN)    aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa ffff82d040270980
(XEN)    0000000000000017 ffff82d0402364f4 0000000000000246 ffff82d04028f4e9
(XEN)    0000000100000220 ffff83007c378004 000000000000022f 000000000000000f
(XEN)    0000000000000001 0000000000000246 0000000000000246 ffff82d04028f4e9
(XEN)    00000001000000a0 ffff83007c378004 00000000000000a3 0000000000000003
(XEN)    ffff83007c36fe2c 0000000000000001 ffff83007c36fa78 ffff82d040270a07
(XEN)    ffff83007c36fef8 ffff82d040c68058 ffff83007c36fa98 ffff82d040270980
(XEN)    ffff83007ff48ea8 00000000000000b0 ffff83007c36faf8 ffff82d04028ded1
(XEN)    ffff83007ff48ea8 ffff83007ff48eb0 ffff83007c379868 00000000000000a0
(XEN) Xen call trace:
(XEN)    [<ffff82d0402d694a>] R common/ubsan/ubsan.c#ubsan_epilogue+0xa/0x90
(XEN)    [<ffff82d0402d7bde>] F __ubsan_handle_pointer_overflow+0x6e/0xa0
(XEN)    [<ffff82d040493d7b>] F arch/x86/pv/emul-priv-op.c#io_emul_stub_setup+0x44b/0x6a0
(XEN)    [<ffff82d040490eb5>] F arch/x86/pv/emul-priv-op.c#read_io+0xd5/0x1c0
(XEN)    [<ffff82d040531a73>] F x86_emulate+0x94f3/0x2e170
(XEN)    [<ffff82d040565eb1>] F x86_emulate_wrapper+0x71/0x210
(XEN)    [<ffff82d04048f5f2>] F pv_emulate_privileged_op+0x392/0x6a0
(XEN)    [<ffff82d040522d3a>] F do_general_protection+0x41a/0x520
(XEN)    [<ffff82d04058da3a>] F x86_64/entry.S#handle_exception_saved+0x65/0x91
(XEN)
(XEN) ================================================================================
(XEN) d0: Forcing read-only access to MFN fed00
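The report above comes from an emulation stub builder emitting a rel32 `call`, which is exactly the kind of displacement arithmetic -fsanitize=pointer-overflow instruments when it is done on the pointer itself. The following is an added example, not Xen's APPEND_CALL and not the poster's code: it shows the range check such an emitter needs, and does the displacement math on uintptr_t so UBSAN has no pointer operation to flag. The function names, the split between the writable buffer and the stub's execution address, and all addresses except the underflowed one quoted in the report are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define CALL_REL32_LEN 5   /* 0xe8 + 4-byte displacement */

/* Emit `call rel32` into `buf`.  `exec_va` is the address the stub will
 * execute from (assumed separate from the write pointer); the displacement
 * is computed purely on integers, so there is no pointer +/- integer step
 * for UBSAN's pointer-overflow check to catch.  Returns 5, or 0 when the
 * target is out of rel32 range and the call cannot be encoded. */
size_t emit_call_rel32(uint8_t *buf, uintptr_t exec_va, uintptr_t target)
{
    /* rel32 is relative to the first byte after the 5-byte instruction. */
    int64_t disp = (int64_t)(target - (exec_va + CALL_REL32_LEN));
    if (disp < INT32_MIN || disp > INT32_MAX)   /* the missing range check */
        return 0;
    uint32_t d32 = (uint32_t)(int32_t)disp;
    buf[0] = 0xe8;
    for (int i = 0; i < 4; i++)                 /* explicit little-endian */
        buf[1 + i] = (uint8_t)(d32 >> (8 * i));
    return CALL_REL32_LEN;
}

/* Decode the target of a call emitted at `exec_va`, to cross-check the encoder. */
uintptr_t decode_call_rel32(const uint8_t *buf, uintptr_t exec_va)
{
    uint32_t d32 = 0;
    for (int i = 0; i < 4; i++)
        d32 |= (uint32_t)buf[1 + i] << (8 * i);
    return exec_va + CALL_REL32_LEN + (uintptr_t)(int64_t)(int32_t)d32;
}

int main(void)
{
    uint8_t stub[8] = {0};
    /* Constructed addresses: stub in the hypervisor's upper half, target
     * slightly below it, i.e. a backwards call well within rel32 range. */
    uintptr_t exec_va = 0xffff82d040010000ull;
    uintptr_t target  = 0xffff82d04000c000ull;
    size_t n = emit_call_rel32(stub, exec_va, target);
    printf("emitted %zu bytes, decodes to %#llx\n", n,
           (unsigned long long)decode_call_rel32(stub, exec_va));
    /* The underflowed address from the report is ~128 TiB away: rejected. */
    printf("far target: %zu bytes emitted\n",
           emit_call_rel32(stub, exec_va, 0xffff04d0c0014193ull));
    return 0;
}
```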
