annotate tools/misc/xen-hvmcrash.c @ 22848:6341fe0f4e5a

Added tag 4.1.0-rc2 for changeset 9dca60d88c63
author Keir Fraser <keir@xen.org>
date Tue Jan 25 14:06:55 2011 +0000 (2011-01-25)
parents 754877be695b
children
paul@21939 1 /*
paul@21939 2 * xen-hvmcrash.c
paul@21939 3 *
paul@21939 4 * Attempt to crash an HVM guest by overwriting RIP/EIP with a bogus value
paul@21939 5 *
paul@21939 6 * Copyright (c) 2010 Citrix Systems, Inc.
paul@21939 7 *
paul@21939 8 * Permission is hereby granted, free of charge, to any person obtaining a copy
paul@21939 9 * of this software and associated documentation files (the "Software"), to
paul@21939 10 * deal in the Software without restriction, including without limitation the
paul@21939 11 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
paul@21939 12 * sell copies of the Software, and to permit persons to whom the Software is
paul@21939 13 * furnished to do so, subject to the following conditions:
paul@21939 14 *
paul@21939 15 * The above copyright notice and this permission notice shall be included in
paul@21939 16 * all copies or substantial portions of the Software.
paul@21939 17 *
paul@21939 18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
paul@21939 19 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
paul@21939 20 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
paul@21939 21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
paul@21939 22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
paul@21939 23 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
paul@21939 24 * DEALINGS IN THE SOFTWARE.
paul@21939 25 */
paul@21939 26
paul@21939 27 #include <inttypes.h>
paul@21939 28 #include <stdio.h>
paul@21939 29 #include <stdlib.h>
paul@21939 30 #include <stddef.h>
paul@21939 31 #include <stdint.h>
paul@21939 32 #include <unistd.h>
paul@21939 33 #include <string.h>
paul@21939 34 #include <errno.h>
paul@21939 35 #include <limits.h>
paul@21939 36
paul@21939 37 #include <sys/types.h>
paul@21939 38 #include <sys/stat.h>
paul@21939 39 #include <arpa/inet.h>
paul@21939 40
paul@21939 41 #include <xenctrl.h>
paul@21939 42 #include <xen/xen.h>
paul@21939 43 #include <xen/domctl.h>
paul@21939 44 #include <xen/hvm/save.h>
paul@21939 45
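/*
 * Parse a domain id from a command-line argument.
 *
 * atoi() maps any non-numeric argument to 0, i.e. dom0, and gives no way to
 * tell "0" from garbage; use strtol() and insist on a full, in-range parse.
 *
 * @param s  NUL-terminated argument text.
 * @return   The domid (>= 0) on success, -1 if the text is not a
 *           non-negative decimal integer that fits in an int.
 */
static int
parse_domid(const char *s)
{
    char *end;
    long val;

    if (s == NULL) {
        return -1;
    }

    errno = 0;
    val = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE ||
        val < 0 || val > INT_MAX) {
        return -1;
    }

    return (int)val;
}

/*
 * Pause the HVM domain named on the command line, fetch its HVM save
 * context, overwrite every VCPU's RIP with a recognisable bogus value,
 * write the context back and resume the domain.
 *
 * Exit status is 0 on success and 1 on any failure. Once the domain has
 * been paused it is unpaused again on every exit path, so a failed run
 * does not leave the guest stopped; the context is only written back
 * after the whole save stream has been walked without error.
 */
int
main(int argc, char **argv)
{
    int domid;
    xc_interface *xch;
    xc_dominfo_t dominfo;
    int ret;
    int rc = 1;          /* exit status; set to 0 only after setcontext */
    int paused = 0;      /* non-zero once xc_domain_pause() has succeeded */
    uint32_t len;
    uint8_t *buf = NULL;
    uint32_t off;
    struct hvm_save_descriptor *descriptor;

    if (argc != 2 || (domid = parse_domid(argv[1])) < 0) {
        fprintf(stderr, "usage: %s <domid>\n", argv[0]);
        exit(1);
    }

    xch = xc_interface_open(0, 0, 0);
    if (!xch) {
        fprintf(stderr, "error: can't open libxc handle\n");
        exit(1);
    }

    /*
     * xc_domain_getinfo() enumerates up to 'max_doms' domains starting at
     * 'domid' and returns how many it found: if 'domid' does not exist the
     * entry describes the next existing domain. Check the count and the
     * returned domid before trusting the HVM flag.
     */
    ret = xc_domain_getinfo(xch, domid, 1, &dominfo);
    if (ret < 0) {
        perror("xc_domain_getinfo");
        goto out;
    }
    if (ret != 1 || dominfo.domid != (uint32_t)domid) {
        fprintf(stderr, "domain %d does not exist\n", domid);
        goto out;
    }

    if (!dominfo.hvm) {
        fprintf(stderr, "domain %d is not HVM\n", domid);
        goto out;
    }

    ret = xc_domain_pause(xch, domid);
    if (ret < 0) {
        perror("xc_domain_pause");
        goto out;
    }
    paused = 1;

    /*
     * Calling with zero buffer length should return the buffer length
     * required.
     */
    ret = xc_domain_hvm_getcontext(xch, domid, 0, 0);
    if (ret < 0) {
        perror("xc_domain_hvm_getcontext");
        goto out;
    }

    len = ret;
    buf = malloc(len);
    if (buf == NULL) {
        perror("malloc");
        goto out;
    }

    ret = xc_domain_hvm_getcontext(xch, domid, buf, len);
    if (ret < 0) {
        perror("xc_domain_hvm_getcontext");
        goto out;
    }

    /*
     * Walk the save records. Each descriptor, and the record body whose
     * size it announces, must lie inside the buffer; a malformed stream
     * aborts the walk before anything is written back to the domain.
     */
    off = 0;

    while (off < len) {
        if (len - off < sizeof (struct hvm_save_descriptor)) {
            fprintf(stderr, "truncated save descriptor at offset %" PRIu32 "\n",
                    off);
            goto out;
        }

        descriptor = (struct hvm_save_descriptor *)(buf + off);

        off += sizeof (struct hvm_save_descriptor);

        if (descriptor->length > len - off) {
            fprintf(stderr, "save record at offset %" PRIu32 " overruns buffer\n",
                    off);
            goto out;
        }

        if (descriptor->typecode == HVM_SAVE_CODE(CPU)) {
            HVM_SAVE_TYPE(CPU) *cpu;

            /* The record must be large enough to hold the CPU state we touch */
            if (descriptor->length < sizeof (*cpu)) {
                fprintf(stderr, "CPU record too short (%" PRIu32 " bytes)\n",
                        descriptor->length);
                goto out;
            }

            /* Overwrite EIP/RIP with some recognisable but bogus value */
            cpu = (HVM_SAVE_TYPE(CPU) *)(buf + off);
            printf("CPU[%d]: RIP = %" PRIx64 "\n", descriptor->instance, cpu->rip);
            cpu->rip = 0xf001;
        } else if (descriptor->typecode == HVM_SAVE_CODE(END)) {
            break;
        }

        off += descriptor->length;
    }

    ret = xc_domain_hvm_setcontext(xch, domid, buf, len);
    if (ret < 0) {
        perror("xc_domain_hvm_setcontext");
        goto out;
    }

    rc = 0;

out:
    free(buf);

    /* Resume the guest whether or not the context was written back */
    if (paused) {
        ret = xc_domain_unpause(xch, domid);
        if (ret < 0) {
            perror("xc_domain_unpause");
            rc = 1;
        }
    }

    xc_interface_close(xch);

    return rc;
}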