
[Xen-changelog] [xen stable-4.4] xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking



commit 139a62e98161051e7687d6c356d9a9b92a8801a3
Author:     Ian Campbell <ian.campbell@xxxxxxxxxx>
AuthorDate: Wed Apr 23 16:32:45 2014 +0100
Commit:     Ian Campbell <ian.campbell@xxxxxxxxxx>
CommitDate: Wed Apr 23 16:33:38 2014 +0100

    xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking
    
    The function vgic_irq_rank may return NULL if the IRQ is not in the range
    handled by the guest. This will result in dereferencing a NULL pointer, which
    will crash Xen.
    
    I've checked the rest of the emulation and this is the only place where the
    lock is taken before the rank is checked.
    
    This is CVE-2014-2986 / XSA-94.
    
    Signed-off-by: Julien Grall <julien.grall@xxxxxxxxxx>
    Reported-by: Thomas Leonard <talex5@xxxxxxxxx>
    Reviewed-by: Jan Beulich <JBeulich@xxxxxxxx>
    Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
---
 xen/arch/arm/vgic.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
index 553411d..ef6976b 100644
--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -583,8 +583,8 @@ static int vgic_distr_mmio_write(struct vcpu *v, 
mmio_info_t *info)
     case GICD_ICFGR + 2 ... GICD_ICFGRN: /* SPIs */
         if ( dabt.size != 2 ) goto bad_width;
         rank = vgic_irq_rank(v, 2, gicd_reg - GICD_ICFGR);
-        vgic_lock_rank(v, rank);
         if ( rank == NULL) goto write_ignore;
+        vgic_lock_rank(v, rank);
         rank->icfg[REG_RANK_INDEX(2, gicd_reg - GICD_ICFGR)] = *r;
         vgic_unlock_rank(v, rank);
         return 1;
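
Review bot: The order of `if ( rank == NULL) goto write_ignore;` and `vgic_lock_rank(v, rank);` in the `GICD_ICFGR + 2 ... GICD_ICFGRN` case is still enforced only by how this one call site is written, so the same mistake can return in any new register case. Given that the commit message says `vgic_irq_rank` can return NULL for an IRQ outside the guest's range, consider documenting that contract where the function is declared, and having the lock helper assert a non-NULL rank so a debug build catches a misordered caller instead of crashing on a guest-triggered write. Minor style point on the same context line: `( rank == NULL)` is missing the space before the closing parenthesis that `if ( dabt.size != 2 )` two lines above uses; it would be cheap to tidy while touching the adjacent line.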
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.4

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 

