The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter.
Even if it's an invalid value, a malicious guest could write this value
and therefore crash the hypervisor.
Replace the BUG() by logging the error and injecting a data abort to the guest.
This was introduced by commit
ea37fd21110b6fbcf9257f814076a243d3873cb7
"xen/arm: split vgic driver into generic and vgic-v2 driver".
This is CVE-2015-0268 / XSA-117.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
sgi_mode = SGI_TARGET_SELF;
break;
default:
- BUG();
+ printk(XENLOG_G_DEBUG
+ "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n",
+ v, sgir);
+ return 0;
}
return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask);
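Review bot: In the default: branch, the bare `return 0;` carries the whole guest-facing behaviour of this fix, but nothing in the hunk says what 0 means to the caller. The commit message states that a data abort is injected to the guest, so a short comment above `return 0;` noting that the reserved TargetListFilter value 0b11 is rejected and the write is reported as failed would tie the code to that description. The printk also logs the full sgir with the text "with wrong mode"; wording it as a reserved TargetListFilter value, or printing the decoded field next to the raw register, would make the log line easier to act on. Using a XENLOG_G_* level is the right choice for a path the guest can trigger at will, since the removed BUG() shows this branch is reachable from a guest write.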