xen: arm: Handle traps from 32-bit userspace on 64-bit kernel as undef

We are not setup to handle these properly. This turns a host crash
into a trap to the guest kernel which will likely result in killing
the offending process.

This is part of CVE-2014-5147 / XSA-102.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Julien Grall <julien.grall@linaro.org>

diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index 7f34f1d78697a6f20ce0e4b6d797601c103a6fb1..ae594caea72d0bda315d0043cb612d16ac0698a2 100644 (file)
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -1841,6 +1841,17 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
 
     enter_hypervisor_head(regs);
 
+    /*
+     * We currently do not handle 32-bit userspace on 64-bit kernels
+     * correctly (See XSA-102). Until that is resolved we treat any
+     * trap from 32-bit userspace on 64-bit kernel as undefined.
+     */
+    if ( is_64bit_domain(current->domain) && psr_mode_is_32bit(regs->cpsr) )
+    {
+        inject_undef_exception(regs, hsr.len);
+        return;
+    }
+
     switch (hsr.ec) {
     case HSR_EC_WFI_WFE:
         if ( !check_conditional_instr(regs, hsr) )