From: Matthew Barnes
To: Xen-devel
Cc: Matthew Barnes, Anthony PERARD, Andrew Cooper
Subject: [XEN PATCH] tools/misc: xen-hvmcrash: Inject #DF instead of overwriting RIP
Date: Mon, 3 Jun 2024 15:59:18 +0100
Message-Id: <27f4397093d92b53f89d625d682bd4b7145b65d8.1717426439.git.matthew.barnes@cloud.com>

xen-hvmcrash would previously save records, overwrite the instruction pointer with a bogus value, and then restore them to crash a domain just enough to cause the guest OS to memdump.

This approach is found to be unreliable when tested on a guest running Windows 10 x64, with some executions doing nothing at all.

Another approach would be to trigger NMIs. This approach is found to be unreliable when tested on Linux (Ubuntu 22.04), as Linux will ignore NMIs if it is not configured to handle such.

Injecting a double fault abort to all vCPUs is found to be more reliable at crashing and invoking memdumps from Windows and Linux domains.

This patch modifies the xen-hvmcrash tool to inject #DF to all vCPUs belonging to the specified domain, instead of overwriting RIP.

Signed-off-by: Matthew Barnes
---
 tools/misc/xen-hvmcrash.c | 77 +++++++--------------------------------
 1 file changed, 13 insertions(+), 64 deletions(-)

diff --git a/tools/misc/xen-hvmcrash.c b/tools/misc/xen-hvmcrash.c
index 1d058fa40a47..8ef1beb388f8 100644
--- a/tools/misc/xen-hvmcrash.c
+++ b/tools/misc/xen-hvmcrash.c
@@ -38,22 +38,21 @@ #include #include =20 +#define XC_WANT_COMPAT_DEVICEMODEL_API #include #include #include #include =20 +#define X86_ABORT_DF 8 + int main(int argc, char **argv) { int domid; xc_interface *xch; xc_domaininfo_t dominfo; - int ret; - uint32_t len; - uint8_t *buf; - uint32_t off; - struct hvm_save_descriptor *descriptor; + int vcpu_id, ret; =20 if (argc !=3D 2 || !argv[1] || (domid =3D atoi(argv[1])) < 0) { fprintf(stderr, "usage: %s \n", argv[0]); 
@@ -77,66 +76,16 @@ main(int argc, char **argv) exit(1); } =20 - ret =3D xc_domain_pause(xch, domid); - if (ret < 0) { - perror("xc_domain_pause"); - exit(-1); - } - - /* - * Calling with zero buffer length should return the buffer length - * required. - */ - ret =3D xc_domain_hvm_getcontext(xch, domid, 0, 0); - if (ret < 0) { - perror("xc_domain_hvm_getcontext"); - exit(1); - } - =20 - len =3D ret; - buf =3D malloc(len); - if (buf =3D=3D NULL) { - perror("malloc"); - exit(1); - } - - ret =3D xc_domain_hvm_getcontext(xch, domid, buf, len); - if (ret < 0) { - perror("xc_domain_hvm_getcontext"); - exit(1); - } - - off =3D 0; - - while (off < len) { - descriptor =3D (struct hvm_save_descriptor *)(buf + off); - - off +=3D sizeof (struct hvm_save_descriptor); - - if (descriptor->typecode =3D=3D HVM_SAVE_CODE(CPU)) { - HVM_SAVE_TYPE(CPU) *cpu; - - /* Overwrite EIP/RIP with some recognisable but bogus value */ - cpu =3D (HVM_SAVE_TYPE(CPU) *)(buf + off); - printf("CPU[%d]: RIP =3D %" PRIx64 "\n", descriptor->instance,= cpu->rip); - cpu->rip =3D 0xf001; - } else if (descriptor->typecode =3D=3D HVM_SAVE_CODE(END)) { - break; + for (vcpu_id =3D 0; vcpu_id <=3D dominfo.max_vcpu_id; vcpu_id++) { + printf("Injecting #DF to vcpu ID #%d...\n", vcpu_id); + ret =3D xc_hvm_inject_trap(xch, domid, vcpu_id, + X86_ABORT_DF, + XEN_DMOP_EVENT_hw_exc, 0, + NULL, NULL); + if (ret < 0) { + fprintf(stderr, "Could not inject #DF to vcpu ID #%d\n", vcpu_= id); + perror("xc_hvm_inject_trap"); } - - off +=3D descriptor->length; - } - - ret =3D xc_domain_hvm_setcontext(xch, domid, buf, len); - if (ret < 0) { - perror("xc_domain_hvm_setcontext"); - exit(1); - } - - ret =3D xc_domain_unpause(xch, domid); - if (ret < 0) { - perror("xc_domain_unpause"); - exit(1); } =20 return 0; --=20 2.34.1
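Review bot: In the first hunk, the `+#define XC_WANT_COMPAT_DEVICEMODEL_API` line opts into the legacy compat layer solely to reach xc_hvm_inject_trap(), and nothing in the patch says why; libxendevicemodel's xendevicemodel_inject_event() takes the same vector/type/error-code/insn-len/cr2 arguments and would avoid the shim, so either call that directly or add a one-line comment explaining why the compat path is preferred. The bare `+#define X86_ABORT_DF 8` is also easy to misread by someone unfamiliar with the vector table: a comment stating that 8 is the x86 #DF vector would help, or reuse an existing definition if one is visible to the tools build.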
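Review bot: In the second hunk, the injection loop reports a failed xc_hvm_inject_trap() for a vCPU but then falls through to the unconditional `return 0;`, whereas the code being removed called `exit(1)` on any failure; a script driving xen-hvmcrash can no longer distinguish partial or total failure from success, so record a failure flag inside the loop and return non-zero after it. The hunk also drops the `xc_domain_pause` / `xc_domain_unpause` pair, so injection now happens against a running guest one vCPU at a time: the first vCPU injected may already be executing the guest's crash handler before the later ones receive their #DF. If simultaneous delivery is part of what makes this approach reliable, keep the pause/unpause around the loop. Minor: `perror("xc_hvm_inject_trap")` is called after `fprintf(stderr, ...)`, which may disturb errno; save errno before the fprintf or call perror first.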