From patchwork Wed Nov 9 12:01:52 2016
X-Patchwork-Submitter: "Xuquan (Euler)"
X-Patchwork-Id: 9419091
From: "Xuquan (Quan Xu)"
To: "xen-devel@lists.xen.org"
Cc: "Tian, Kevin", "Liuxiaojian (alex)", "George.Dunlap@eu.citrix.com", Andrew Cooper, Tim Deegan, "Xuquan (Quan Xu)", "JBeulich@suse.com", "dgdegra@tycho.nsa.gov"
Date: Wed, 9 Nov 2016 12:01:52 +0000
Subject: [Xen-devel] question: is it a CVE in relinquish_memory()[xen/arch/x86/domain.c]

Hi,

Based on CVE-2015-7814 and commit 1ef01396fdff, 'arm: handle races between relinquish_memory and free_domheap_pages':

In relinquish_memory() [xen/arch/arm/domain.c, arm code], when it couldn't get a reference -- someone is freeing this page and has already committed to doing so, so there is no more to do here -- it continues.

But in relinquish_memory() [xen/arch/x86/domain.c, x86 code], when it couldn't get a reference -- someone is freeing this page -- why is this page added to d->arch.relmem_list again? Is it a CVE to double-free the page, and then hit the "alloc_heap_pages(): BUG_ON(pg[i].count_info != PGC_state_free)" when creating guests later?

~ Quan

========
[1] CVE-2015-7814 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7814
[2] commit 1ef01396fdff

commit 1ef01396fdff88b1c3331a09ca5c69619b90f4ea
Author: Ian Campbell
Date: Thu Oct 29 13:34:17 2015 +0100

arm: handle races between relinquish_memory and free_domheap_pages

Primarily this means XENMEM_decrease_reservation from a toolstack domain.
Unlike x86 we have no requirement right now to queue such pages onto a separate list, if we hit this race then the other code has already fully accepted responsibility for freeing this page and therefore there is no more for relinquish_memory to do. This is CVE-2015-7814 / XSA-147. Signed-off-by: Ian Campbell Reviewed-by: Julien Grall Reviewed-by: Jan Beulich diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index 683e769..880d0a6 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -772,8 +772,15 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) { /* Grab a reference to the page so it won't disappear from under us. */ if ( unlikely(!get_page(page, d)) ) - /* Couldn't get a reference -- someone is freeing this page. */ - BUG(); + /* + * Couldn't get a reference -- someone is freeing this page and + * has already committed to doing so, so no more to do here. + * + * Note that the page must be left on the list, a list_del + * here will clash with the list_del done by the other + * party in the race and corrupt the list head. + */ + continue; if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) put_page(page);
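Review bot: the `continue` that replaces `BUG()` in the `!get_page(page, d)` branch relies on the loop being able to step past a page that is deliberately left on the list for the racing freer to unlink; the loop header is outside this hunk, and the new comment explains why a `list_del` here must be avoided but not what keeps the iteration's next pointer valid while the other party's `list_del` is still pending. Suggest stating that invariant in the comment itself, e.g. after `* party in the race and corrupt the list head.` add a line saying what protects the walk (the lock held across it, the safe-iterator form of the loop, or both), so a later reader does not reintroduce a plain `page_list_del` or a non-safe iterator at this point. The skipped `test_and_clear_bit(_PGC_allocated, ...)` / `put_page(page)` pair is consistent with the comment's reasoning, since the other party already owns that reference.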
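The race discussed in this thread, replayed as a small C model. This is an added example, not Xen code and not the patch under discussion. The `count_info` bit layout, the singly linked page list, the `POLICY_*` names and the sequential two-step replay of the race are this example's own simplifications (assumptions), and the double-free check inside `free_domheap_page()` stands in for the `BUG_ON(pg[i].count_info != PGC_state_free)` that the real allocator would only hit later, on reallocation. `POLICY_BUG` replays the pre-XSA-147 ARM behaviour, `POLICY_CONTINUE` the fix from commit 1ef01396fdff, and `POLICY_FREE_ANYWAY` is a deliberately wrong policy included only to show what the double free Quan asks about would look like in this model; it is not a statement about what the x86 code does.

```c
/*
 * Toy model of the relinquish_memory() vs. free_domheap_pages() race.
 * Names and bit layout are this example's own simplifications of Xen's
 * (hypothetical; not Xen code). One domain, no SMP: the "race" is replayed
 * as two sequential steps, the freer committing first and finishing last.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PGC_allocated  (1u << 31)        /* the domain's allocation reference */
#define PGC_state_free (1u << 30)        /* page is back on the heap */
#define PGC_count_mask ((1u << 30) - 1)  /* reference count */

enum outcome { OK = 0, WOULD_BUG = 1, DOUBLE_FREE = 2 };
enum policy  { POLICY_BUG, POLICY_CONTINUE, POLICY_FREE_ANYWAY };

struct domain { int id; };
struct page_info {
    uint32_t count_info;
    struct domain *owner;
    struct page_info *next;   /* the domain's page list */
    int frees;                /* instrumentation: times handed to the heap */
};

static bool get_page(struct page_info *pg, struct domain *d)
{
    /* As in Xen: no references left, or wrong owner, means someone is freeing it. */
    if ( (pg->count_info & PGC_count_mask) == 0 || pg->owner != d )
        return false;
    pg->count_info++;
    return true;
}

static int free_domheap_page(struct page_info **list, struct page_info *pg)
{
    /* Stand-in for alloc_heap_pages()' later BUG_ON(count_info != PGC_state_free):
     * a second free of the same page is caught here instead of on reallocation. */
    if ( pg->count_info & PGC_state_free )
        return DOUBLE_FREE;
    for ( struct page_info **pp = list; *pp; pp = &(*pp)->next )
        if ( *pp == pg ) { *pp = pg->next; break; }   /* the list_del */
    pg->count_info = PGC_state_free;
    pg->owner = NULL;
    pg->frees++;
    return OK;
}

static int put_page(struct page_info **list, struct page_info *pg)
{
    uint32_t refs = (pg->count_info & PGC_count_mask) - 1;
    pg->count_info = (pg->count_info & ~PGC_count_mask) | refs;
    return refs == 0 ? free_domheap_page(list, pg) : OK;
}

/* The racing party (e.g. XENMEM_decrease_reservation) drops the allocation
 * reference. The count reaches zero, so it is committed to freeing, but its
 * list_del and the free itself still wait for the page_alloc_lock. */
static void racing_free_begin(struct page_info *pg)
{
    pg->count_info &= ~PGC_allocated;
    pg->count_info = (pg->count_info & ~PGC_count_mask) |
                     ((pg->count_info & PGC_count_mask) - 1);
}

static int relinquish_memory(struct domain *d, struct page_info **list,
                             enum policy how)
{
    struct page_info *pg, *tmp;
    for ( pg = *list; pg; pg = tmp )
    {
        tmp = pg->next;                      /* safe iterator: next saved first */
        if ( !get_page(pg, d) )
        {
            if ( how == POLICY_BUG )         /* pre-XSA-147 ARM behaviour */
                return WOULD_BUG;
            if ( how == POLICY_FREE_ANYWAY ) /* deliberately wrong, see lead-in */
            {
                int rc = free_domheap_page(list, pg);
                if ( rc != OK ) return rc;
            }
            continue;                        /* the fix: leave it to the freer */
        }
        if ( pg->count_info & PGC_allocated )
        {
            pg->count_info &= ~PGC_allocated;
            put_page(list, pg);              /* drop the allocation reference */
        }
        int rc = put_page(list, pg);         /* drop our reference; last one frees */
        if ( rc != OK ) return rc;
    }
    return OK;
}

/* Domain owns p0 and p1; a freer has committed to p1 when relinquish runs and
 * gets the lock afterwards. Reports how often p1 was freed via *p1_frees. */
static int run_race(enum policy how, int *p1_frees)
{
    struct domain d = { .id = 1 };
    struct page_info p0 = { .count_info = PGC_allocated | 1, .owner = &d };
    struct page_info p1 = { .count_info = PGC_allocated | 1, .owner = &d };
    struct page_info *list = &p0;
    p0.next = &p1;

    racing_free_begin(&p1);
    int rc = relinquish_memory(&d, &list, how);
    if ( rc == OK )
        rc = free_domheap_page(&list, &p1);  /* the freer finishes its free */
    if ( p1_frees ) *p1_frees = p1.frees;
    return rc;
}

static int p1_frees_after(enum policy how)
{
    int f = 0;
    run_race(how, &f);
    return f;
}

int main(void)
{
    static const char *names[] = { "BUG()", "continue", "free anyway" };
    for ( int i = 0; i < 3; i++ )
        printf("%-12s outcome=%d  racing page freed %d time(s)\n",
               names[i], run_race((enum policy)i, NULL), p1_frees_after((enum policy)i));
    return 0;
}
```

Run stand-alone it prints the three outcomes. Only the `continue` policy both survives and frees the racing page exactly once; the pre-fix path reaches the `BUG()`, and freeing the page from relinquish_memory as well as from the freer is the double free that the model's stand-in check reports.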