[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging] hypercall_xlat_continuation: Replace BUG_ON with domain_crash

commit 9926e692c4afc40bcd66f8416ff6a1e93ce402f6
Author:     Bjoern Doebel <doebel@xxxxxxxxx>
AuthorDate: Wed Mar 27 17:31:38 2024 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Apr 9 12:49:40 2024 +0100

    hypercall_xlat_continuation: Replace BUG_ON with domain_crash
    
    Instead of crashing the host in case of unexpected hypercall parameters,
    resort to only crashing the calling domain.
    
    This is part of XSA-454 / CVE-2023-46842.
    
    Fixes: b8a7efe8528a ("Enable compatibility mode operation for 
HYPERVISOR_memory_op")
    Reported-by: Manuel Andreas <manuel.andreas@xxxxxx>
    Signed-off-by: Bjoern Doebel <doebel@xxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
 xen/arch/x86/hypercall.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/xen/arch/x86/hypercall.c b/xen/arch/x86/hypercall.c
index 133e9f221c..d292376b19 100644
--- a/xen/arch/x86/hypercall.c
+++ b/xen/arch/x86/hypercall.c
@@ -142,8 +142,10 @@ int hypercall_xlat_continuation(unsigned int *id, unsigned 
int nr,
                 cval = va_arg(args, unsigned int);
                 if ( cval == nval )
                     mask &= ~1U;
-                else
-                    BUG_ON(nval == (unsigned int)nval);
+                else if ( nval == (unsigned int)nval )
+                    domain_crash(current->domain,
+                                 "multicall (op %lu) bogus continuation arg%u 
(%#lx)\n",
+                                 mcs->call.op, i, nval);
             }
             else if ( id && *id == i )
             {
@@ -155,8 +157,10 @@ int hypercall_xlat_continuation(unsigned int *id, unsigned 
int nr,
                 mcs->call.args[i] = cval;
                 ++rc;
             }
-            else
-                BUG_ON(mcs->call.args[i] != (unsigned int)mcs->call.args[i]);
+            else if ( mcs->call.args[i] != (unsigned int)mcs->call.args[i] )
+                domain_crash(current->domain,
+                             "multicall (op %lu) bad continuation arg%u 
(%#lx)\n",
+                             mcs->call.op, i, mcs->call.args[i]);
         }
     }
     else
@@ -182,8 +186,10 @@ int hypercall_xlat_continuation(unsigned int *id, unsigned 
int nr,
                 cval = va_arg(args, unsigned int);
                 if ( cval == nval )
                     mask &= ~1U;
-                else
-                    BUG_ON(nval == (unsigned int)nval);
+                else if ( nval == (unsigned int)nval )
+                    domain_crash(current->domain,
+                                 "hypercall (op %u) bogus continuation arg%u 
(%#lx)\n",
+                                 regs->eax, i, nval);
             }
             else if ( id && *id == i )
             {
@@ -195,8 +201,10 @@ int hypercall_xlat_continuation(unsigned int *id, unsigned 
int nr,
                 *reg = cval;
                 ++rc;
             }
-            else
-                BUG_ON(*reg != (unsigned int)*reg);
+            else if ( *reg != (unsigned int)*reg )
+                domain_crash(current->domain,
+                             "hypercall (op %u) bad continuation arg%u 
(%#lx)\n",
+                             regs->eax, i, *reg);
         }
     }
 
--
generated by git-patchbot for /home/xen/git/xen.git#staging

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.