| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Coverity-ID: 1055816
Coverity-ID: 1055817
Coverity-ID: 1055818
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
| |
|
|
|
|
|
|
|
| |
The only current user that passes a non-NULL _nodename limits it to 64
bytes anyway.
Coverity-ID: 1054993
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
| |
|
|
|
|
|
|
|
|
| |
This patch cleans up instances of char array allocation where string
lengths were manually counted to use strlen() instead. There are no
functional changes in this patch.
Signed-off-by: Matt Wilson <msw@amazon.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-By: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The char arrays used to hold xenbus paths have historically been
allocated by manually counting the length longest string constants
included in constructing the path. This has led to improperly sized
buffers, both too large (with little consequence) and too small (which
obviously causes problems). This patch corrects the instances where
the length was incorrectly calculated by using strlen() on the longest
string constant used in building a xenbus path.
A follow-on clean-up patch will change all instances to use strlen().
Signed-off-by: Ben Cressey <bcressey@amazon.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-By: Samuel Thibault <samuel.thibault@ens-lyon.org>
[msw: split this patch from a larger patch from Ben, reworked to use
strlen()]
Signed-off-by: Matt Wilson <msw@amazon.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Matthew Daley has observed that the PV console protocol places sensitive host
state into a guest writeable xenstore locations, this includes:
- The pty used to communicate between the console backend daemon and its
client, allowing the guest administrator to read and write arbitrary host
files.
- The output file, allowing the guest administrator to write arbitrary host
files or to target arbitrary qemu chardevs which include sockets, udp, ptr,
pipes etc (see -chardev in qemu(1) for a more complete list).
- The maximum buffer size, allowing the guest administrator to consume more
resources than the host administrator has configured.
- The backend to use (qemu vs xenconsoled), potentially allowing the guest
administrator to confuse host software.
So we arrange to make the sensitive keys in the xenstore frontend directory
read only for the guest. This is safe since the xenstore permissions model,
unlike POSIX directory permissions, does not allow the guest to remove and
recreate a node if it has write access to the containing directory.
There are a few associated wrinkles:
- The primary PV console is "special". It's xenstore node is not under the
usual /devices/ subtree and it does not use the customary xenstore state
machine protocol. Unfortunately its directory is used for other things,
including the vnc-port node, which we do not want the guest to be able to
write to. Rather than trying to track down all the possible secondary uses
of this directory just make it r/o to the guest. All newly created
subdirectories inherit these permissions and so are now safe by default.
- The other serial consoles do use the customary xenstore state machine and
therefore need write access to at least the "protocol" and "state" nodes,
however they may also want to use arbitrary "feature-foo" nodes (although
I'm not aware of any) and therefore we cannot simply lock down the entire
frontend directory. Instead we add support to libxl__device_generic_add for
frontend keys which are explicitly read only and use that to lock down the
sensitive keys.
- Minios' console frontend wants to write the "type" node, which it has no
business doing since this is a host/toolstack level decision. This fails
now that the node has become read only to the PV guest. Since the toolstack
already writes this node just remove the attempt to set it.
This is a security issue, XSA-57.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
|
| |
|
|
|
|
|
|
|
|
| |
In exactly the same style as app_main() in kernel.c, create a weak
reference console_input() function for applications to override to
quickly gain access to the console.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Committed-by: Keir Fraser <keir@xen.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds compile-time logic to disable certain frontends in mini-os:
- pcifront is disabled by default, enabled for ioemu
- blkfront, netfront, fbfront, kbdfront, consfront are enabled by default
- xenbus is required for any frontend, and is enabled by default
If all frontends and xenbus are disabled, mini-os will run without
needing to communicate with xenstore, making it suitable to run the
xenstore daemon. The console frontend is not required for the initial
console, only consoles opened via openpt or ptmx.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
| |
|
|
|
|
|
| |
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
| |
gcc (GCC) 4.6.2 20111027 (Red Hat 4.6.2-1) complains about unused variables
in mini-os drivers
Signed-off-by: John McDermott <john.mcdermott@nrl.navy.mil>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add two "special" PV consoles to stubdoms that are going to be used
to send and receive the qemu-xen save files on save/restore.
Use the second PV console to send the qemu-xen save file and the third
PV console to receive the qemu-xen save file on restore.
Fix the console shutdown function free_consfront that is called when the
qemu save file is closed.
Stubdom save/restore is still broken with xend.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
| |
Signed-off-by: Yu Zhiguo <yuzg@cn.fujitsu.com>
|
| |
|
|
|
|
|
|
|
| |
The return value of Xenbus routines xenbus_transaction_start(),
xenbus_printf(), xenbus_transaction_end(), etc. is a pointer of error
message. This pointer should be passed to free() to release the
allocated memory when it is no longer needed.
Signed-off-by: Yu Zhiguo <yuzg@cn.fujitsu.com>
|
| |
|
|
|
|
|
|
|
|
| |
In a lot of places in MiniOS frontends, xenbus_watch_path_token is
used instead of xenbus_watch_path to get more precise wake ups. To
free those, xenbus_unwatch_path_token has to be used instead of
xenbus_unwatch_path, else the unwatch operation will fail. This fixes
spurious watch events left by pv-grub.
Signed-Off-By: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
| |
|
|
|
|
| |
Change the end of line produced by minios' console from \n\r to \r\n.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
| |
|
|
|
|
|
|
| |
MiniOS' console_print tries to expand '\n' into "\n\r" in place,
causing page faults if the string resides in text.
Use a duplicate of the string instead.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
| |
As part of making stubdom usable on NetBSD, it is necessary to
restructure the minios headers to avoid conflicts with NetBSD's
crossbuild toolchain.
Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Acked-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
| |
|
|
| |
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
| |
|
|
| |
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
|
| |
|
|
| |
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
evtchn_bind_interdomain used to clear any already pending event before
binding a handler, because else the handler may be called before it is
ready. That however leads to missed events, which I had to workaround
for the HVM case.
This changes the semantics of bind_evtchn, and thus of all the
event channel binding functions (bind_virq, evtchn_alloc_unbound,
evtchn_bind_interdomain) into not unmasking the event itself, hence
letting the caller initialize properly before unmasking the port (e.g.
record the port number in an appropriate place).
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
|
| |
|
|
| |
Signed-off-by: Samuel Thibault <samuel.thibault@eu.citrix.com>
|
| |
|
|
|
| |
Signed-off-by: Anil Madhavapeddy <anil@xensource.com>
|
| |
|
|
|
| |
Signed-off-by: John D. Ramsdell <ramsdell@mitre.org>
Signed-off-by: Steven Smith <sos22@cam.ac.uk>
|
| |
|
|
|
|
|
| |
void* pointer to handlers.
Signed-off-by: Steven Smith <sos22@cam.ac.uk>
Signed-off-by: Grzegorz Milos <gm281@cam.ac.uk>
|
| |
|
|
|
| |
Signed-off-by: Grzegorz Milos <gm281@cam.ac.uk>
|
| |
|
|
|
|
|
|
|
|
| |
a) 64-bit switch_to scheduler macro (by Aravindh Puthiyaparambil)
b) implements 64-bit hypervisor_callback
c) fixes thread creation issues (thread_starter used to perform
initialisation)
Signed-off-by: Grzegorz Milos <gm281@cam.ac.uk>
|
| |
|
|
|
|
|
| |
From: Grzegorz Milos <gm281@cam.ac.uk>
Signed-off-by: Keir Fraser <keir@xensource.com>
|
|
|
a) in initialising new page table frames
b) in initialising idle thread.
Signed-off-by: Grzegorz Milos <gm281@cam.ac.uk>
|
