From 137e278117d2c8b884077e1507c8d5f634c98441 Mon Sep 17 00:00:00 2001
From: Keir Fraser
Date: Wed, 21 Jan 2009 11:58:01 +0000
Subject: [PATCH] xenoprof: dom0 hypercall could trigger Xen NULL-pointer access

Signed-off-by: Xiaowei Yang
---
 xen/common/xenoprof.c | 29 +++++++++++++++++------------
 xen/include/xen/xenoprof.h | 7 ++++---
 2 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
index 116a4622db..a7960313ef 100644
--- a/xen/common/xenoprof.c
+++ b/xen/common/xenoprof.c
@@ -681,6 +681,8 @@ int do_xenoprof_op(int op, XEN_GUEST_HANDLE(void) arg)
     {
     case XENOPROF_init:
         ret = xenoprof_op_init(arg);
+        if ( !ret )
+            xenoprof_state = XENOPROF_INITIALIZED;
         break;
 
     case XENOPROF_get_buffer:
@@ -693,21 +695,19 @@ int do_xenoprof_op(int op, XEN_GUEST_HANDLE(void) arg)
         break;
 
     case XENOPROF_reset_active_list:
-    {
         reset_active_list();
         ret = 0;
         break;
-    }
+
     case XENOPROF_reset_passive_list:
-    {
         reset_passive_list();
         ret = 0;
         break;
-    }
+
     case XENOPROF_set_active:
     {
         domid_t domid;
-        if ( xenoprof_state != XENOPROF_IDLE )
+        if ( xenoprof_state != XENOPROF_INITIALIZED )
         {
             ret = -EPERM;
             break;
@@ -720,18 +720,18 @@ int do_xenoprof_op(int op, XEN_GUEST_HANDLE(void) arg)
         ret = add_active_list(domid);
         break;
     }
+
     case XENOPROF_set_passive:
-    {
-        if ( xenoprof_state != XENOPROF_IDLE )
+        if ( xenoprof_state != XENOPROF_INITIALIZED )
         {
             ret = -EPERM;
             break;
         }
         ret = add_passive_list(arg);
         break;
-    }
+
     case XENOPROF_reserve_counters:
-        if ( xenoprof_state != XENOPROF_IDLE )
+        if ( xenoprof_state != XENOPROF_INITIALIZED )
         {
             ret = -EPERM;
             break;
@@ -748,7 +748,6 @@ int do_xenoprof_op(int op, XEN_GUEST_HANDLE(void) arg)
             ret = -EPERM;
             break;
         }
-
         ret = xenoprof_arch_counter(arg);
         break;
 
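Review bot: The new `xenoprof_state = XENOPROF_INITIALIZED` after a successful XENOPROF_init in the first hunk is not gated on the caller being the primary profiler, although the XENOPROF_enable_virq hunk in this same patch does distinguish `current->domain == xenoprof_primary_profiler`. If xenoprof_op_init (not shown here) can succeed for a domain other than the primary profiler, that domain's init call moves the global state machine to INITIALIZED, and a repeated init while the state is COUNTERS_RESERVED, READY or PROFILING drops it back to INITIALIZED without the counters ever being released. Suggest `if ( !ret && (current->domain == xenoprof_primary_profiler) )` and, unless xenoprof_op_init itself rejects calls in the later states, only making the transition when the state is XENOPROF_IDLE. do_xenoprof_op starts before and ends after this hunk.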
@@ -766,8 +765,14 @@ int do_xenoprof_op(int op, XEN_GUEST_HANDLE(void) arg)
     case XENOPROF_enable_virq:
     {
         int i;
+
         if ( current->domain == xenoprof_primary_profiler )
         {
+            if ( xenoprof_state != XENOPROF_READY )
+            {
+                ret = -EPERM;
+                break;
+            }
             xenoprof_arch_enable_virq();
             xenoprof_reset_stat();
             for ( i = 0; i < pdomains; i++ )
@@ -835,7 +840,7 @@ int do_xenoprof_op(int op, XEN_GUEST_HANDLE(void) arg)
         if ( (xenoprof_state == XENOPROF_COUNTERS_RESERVED) ||
              (xenoprof_state == XENOPROF_READY) )
         {
-            xenoprof_state = XENOPROF_IDLE;
+            xenoprof_state = XENOPROF_INITIALIZED;
             xenoprof_arch_release_counters();
             xenoprof_arch_disable_virq();
             reset_passive_list();
@@ -845,7 +850,7 @@ int do_xenoprof_op(int op, XEN_GUEST_HANDLE(void) arg)
 
     case XENOPROF_shutdown:
         ret = -EPERM;
-        if ( xenoprof_state == XENOPROF_IDLE )
+        if ( xenoprof_state == XENOPROF_INITIALIZED )
         {
             activated = 0;
             adomains=0;
diff --git a/xen/include/xen/xenoprof.h b/xen/include/xen/xenoprof.h
index 5616d0867f..525dbdedfa 100644
--- a/xen/include/xen/xenoprof.h
+++ b/xen/include/xen/xenoprof.h
@@ -19,9 +19,10 @@
 #define XENOPROF_DOMAIN_PASSIVE 2
 
 #define XENOPROF_IDLE 0
-#define XENOPROF_COUNTERS_RESERVED 1
-#define XENOPROF_READY 2
-#define XENOPROF_PROFILING 3
+#define XENOPROF_INITIALIZED 1
+#define XENOPROF_COUNTERS_RESERVED 2
+#define XENOPROF_READY 3
+#define XENOPROF_PROFILING 4
 
 #ifndef CONFIG_COMPAT
 typedef struct xenoprof_buf xenoprof_buf_t;
-- 
2.30.2
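Review bot: The XENOPROF_shutdown branch now requires XENOPROF_INITIALIZED, but the lines after `adomains=0;` are outside the hunk, so it is not visible whether shutdown returns `xenoprof_state` to XENOPROF_IDLE. If it does not, the state stays INITIALIZED after the profiler has gone away, and the INITIALIZED checks this patch adds to set_active, set_passive and reserve_counters would pass for a later caller that never issued a fresh XENOPROF_init — the same uninitialised-state window the patch is closing. Suggest `xenoprof_state = XENOPROF_IDLE;` next to `activated = 0;` if it is not already there. do_xenoprof_op continues past the end of this hunk.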
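Review bot: The xenoprof.h hunk introduces XENOPROF_INITIALIZED and renumbers the other states without any comment on what the lifecycle is, so the meaning of the new state can only be recovered by reading the xenoprof.c hunks. Suggest a comment above `#define XENOPROF_IDLE 0` along the lines of `/* Profiler state machine: XENOPROF_init moves IDLE to INITIALIZED; set_active, set_passive and reserve_counters require INITIALIZED; enable_virq (primary profiler) requires READY; release_counters drops COUNTERS_RESERVED/READY back to INITIALIZED; shutdown requires INITIALIZED. */`, which records exactly the transitions this patch relies on. The commit message could also note that the numeric values of the existing states change, in case anything outside this header compares them.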