bitkeeper revision 1.1159.1.303 (41821734F7OlWCgL8OAaRtEc5i-iEA)

Scrub memory on reboot. Security paranoia.

diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index f635caac2539d9666b91851e57865b35b5e6ebb0..eaea07f51cfbb902c87278d62973753ca4839483 100644 (file)
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -698,6 +698,9 @@ int construct_dom0(struct domain *p,
         return -EINVAL;
     }
 
+    /* Paranoia: scrub DOM0's memory allocation. */
+    memset((void *)alloc_start, 0, alloc_end - alloc_start);
+
     /* Construct a frame-allocation list for the initial domain. */
     for ( mfn = (alloc_start>>PAGE_SHIFT); 
           mfn < (alloc_end>>PAGE_SHIFT); 

diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index c2ecc32c3eec83e65b86ed3adb2223ce38a2d165..79bb14324a9efc51b6f9d240445a103e3d6f2e8f 100644 (file)
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -344,6 +344,8 @@ void cmain(multiboot_info_t *mbi)
     init_domheap_pages(__pa(frame_table) + frame_table_size,
                        dom0_memory_start);
 
+    scrub_heap_pages();
+
     init_trace_bufs();
 
     domain_unpause_by_systemcontroller(current);

diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
index 72e13ec9d3dd4734dddfcec0fd63cc2ba1a7896c..5792e4a4e59449b0f4dee26ba97d1edac4a9d6c0 100644 (file)
--- a/xen/common/page_alloc.c
+++ b/xen/common/page_alloc.c
@@ -37,6 +37,7 @@ extern char opt_badpage[];
  *  One bit per page of memory. Bit set => page is allocated.
  */
 
+static unsigned long  bitmap_size; /* in bytes */
 static unsigned long *alloc_bitmap;
 #define PAGES_PER_MAPWORD (sizeof(unsigned long) * 8)
 
@@ -139,7 +140,7 @@ unsigned long init_heap_allocator(
     unsigned long bitmap_start, unsigned long max_pages)
 {
     int i, j;
-    unsigned long bitmap_size, bad_pfn;
+    unsigned long bad_pfn;
     char *p;
 
     memset(avail, 0, sizeof(avail));
@@ -285,6 +286,37 @@ void free_heap_pages(int zone, struct pfn_info *pg, int order)
 }
 
 
+/*
+ * Scrub all unallocated pages in all heap zones. This function is more
+ * convoluted than appears necessary because we do not want to continuously
+ * hold the lock or disable interrupts while scrubbing very large memory areas.
+ */
+void scrub_heap_pages(void)
+{
+    void *p;
+    unsigned long pfn, flags;
+
+    for ( pfn = 0; pfn < (bitmap_size * 8); pfn++ )
+    {
+        /* Quick lock-free check. */
+        if ( allocated_in_map(pfn) )
+            continue;
+        
+        spin_lock_irqsave(&heap_lock, flags);
+        
+        /* Re-check page status with lock held. */
+        if ( !allocated_in_map(pfn) )
+        {
+            p = map_domain_mem(pfn << PAGE_SHIFT);
+            clear_page(p);
+            unmap_domain_mem(p);
+        }
+        
+        spin_unlock_irqrestore(&heap_lock, flags);
+    }
+}
+
+
 
 /*************************
  * XEN-HEAP SUB-ALLOCATOR

diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h
index 859db7c9f1851332f157af0b98376bc7c8a5d00b..ac126568b25bebfcfd1ee91f98c49e78ca2f487c 100644 (file)
--- a/xen/include/xen/mm.h
+++ b/xen/include/xen/mm.h
@@ -11,6 +11,7 @@ unsigned long init_heap_allocator(
 void init_heap_pages(int zone, struct pfn_info *pg, unsigned long nr_pages);
 struct pfn_info *alloc_heap_pages(int zone, int order);
 void free_heap_pages(int zone, struct pfn_info *pg, int order);
+void scrub_heap_pages(void);
 
 /* Xen suballocator */
 void init_xenheap_pages(unsigned long ps, unsigned long pe);