[Xen-changelog] [xen master] xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking
commit bf70db7cea3794cf2f3c8d714b460bba86b04791
Author: Ian Campbell <ian.campbell@xxxxxxxxxx>
AuthorDate: Wed Apr 23 16:32:45 2014 +0100
Commit: Ian Campbell <ian.campbell@xxxxxxxxxx>
CommitDate: Wed Apr 23 16:32:45 2014 +0100
xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking
The function vgic_irq_rank may return NULL if the IRQ is not in the range
handled by the guest. This will result in dereferencing a NULL pointer,
which will crash Xen.
I've checked the rest of the emulation and this is the only place where the
lock is taken before the rank is checked.
This is CVE-2014-2986 / XSA-94.
Signed-off-by: Julien Grall <julien.grall@xxxxxxxxxx>
Reported-by: Thomas Leonard <talex5@xxxxxxxxx>
Reviewed-by: Jan Beulich <JBeulich@xxxxxxxx>
Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
---
xen/arch/arm/vgic.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
index 4a7f8c0..e4e3923 100644
--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -592,8 +592,8 @@ static int vgic_distr_mmio_write(struct vcpu *v,
mmio_info_t *info)
case GICD_ICFGR + 2 ... GICD_ICFGRN: /* SPIs */
if ( dabt.size != 2 ) goto bad_width;
rank = vgic_irq_rank(v, 2, gicd_reg - GICD_ICFGR);
- vgic_lock_rank(v, rank);
if ( rank == NULL) goto write_ignore;
+ vgic_lock_rank(v, rank);
rank->icfg[REG_RANK_INDEX(2, gicd_reg - GICD_ICFGR)] = *r;
vgic_unlock_rank(v, rank);
return 1;
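Review bot: The safety of this case still rests only on `if ( rank == NULL) goto write_ignore;` sitting one line above `vgic_lock_rank(v, rank);`, so the same reordering can slip back in here or in a sibling case without anything catching it. Since the rank comes from `vgic_irq_rank(v, 2, gicd_reg - GICD_ICFGR)` in the MMIO write path and can be NULL for an IRQ outside the guest's range, consider a small helper that performs the lookup and returns the rank already locked (or NULL), or an assertion at the lock site, so the check cannot be separated from the lock. Minor style point on the same context line: `NULL)` lacks the space before the closing parenthesis that the neighbouring `if ( dabt.size != 2 )` uses.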
--
generated by git-patchbot for /home/xen/git/xen.git#master