From: Julien Grall
Date: Fri, 23 Jan 2015 14:15:07 +0000 (+0000)
Subject: xen/arm: vgic-v2: Don't crash the hypervisor if the SGI target mode is invalid
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~3758
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22%22/%22http:/www.example.com/cgi/%22https:/%22%22?a=commitdiff_plain;h=97c4e77538f24786dc7521cdffb2b4d6e3dad7ed;p=xen.git

xen/arm: vgic-v2: Don't crash the hypervisor if the SGI target mode is invalid

The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter. Even if it's an invalid value, a malicious guest could write this value and therefore crash the hypervisor.

Replace the BUG() by logging the error and injecting a data abort to the guest.

This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7 "xen/arm: split vgic driver into generic and vgic-v2 driver".

This is CVE-2015-0268 / XSA-117.

Signed-off-by: Julien Grall
Acked-by: Ian Campbell
---
diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c index 515faf77da..3b87f54012 100644 --- a/xen/arch/arm/vgic-v2.c +++ b/xen/arch/arm/vgic-v2.c @@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir) sgi_mode = SGI_TARGET_SELF; break; default: - BUG(); + printk(XENLOG_G_DEBUG + "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n", + v, sgir); + return 0; } return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask);
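Review bot: the `return 0;` added in the `default:` case is what the commit message calls "inject a data abort to the guest", but nothing in the hunk says so; the data-abort injection happens in the caller of vgic_v2_to_sgi, which is outside the diff, so a one-line comment above `return 0;` (e.g. "Unhandled: caller injects a data abort into the guest") would make the intent readable at the site of the change and keep a future refactor of the caller from silently turning this back into a missed guest-triggerable error path. Logging at XENLOG_G_DEBUG is the right level for a message that an untrusted guest can trigger at will on every GICD_SGIR write, since a guest-reachable message at a higher level would let it flood the hypervisor log.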