|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] xen/arm: vgic-v2: Don't crash the hypervisor if the SGI target mode is invalid
commit 97c4e77538f24786dc7521cdffb2b4d6e3dad7ed
Author: Julien Grall <julien.grall@xxxxxxxxxx>
AuthorDate: Fri Jan 23 14:15:07 2015 +0000
Commit: Ian Campbell <ian.campbell@xxxxxxxxxx>
CommitDate: Wed Feb 18 10:26:13 2015 +0000
xen/arm: vgic-v2: Don't crash the hypervisor if the SGI target mode is
invalid
The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter.
Even if it's an invalid value, a malicious guest could write this value
and threfore crash the hypervisor.
Replace the BUG() by logging the error and inject a data abort to the guest.
This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7
"xen/arm: split vgic driver into generic and vgic-v2 driver".
This is CVE-2015-0268 / XSA-117.
Signed-off-by: Julien Grall <julien.grall@xxxxxxxxxx>
Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
---
xen/arch/arm/vgic-v2.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
index 515faf7..3b87f54 100644
--- a/xen/arch/arm/vgic-v2.c
+++ b/xen/arch/arm/vgic-v2.c
@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir)
sgi_mode = SGI_TARGET_SELF;
break;
default:
- BUG();
+ printk(XENLOG_G_DEBUG
+ "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with
wrong mode\n",
+ v, sgir);
+ return 0;
}
return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask);
--
generated by git-patchbot for /home/xen/git/xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |