From: Ian Campbell
Date: Wed, 23 Apr 2014 15:32:45 +0000 (+0100)
Subject: xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~5154
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=bf70db7cea3794cf2f3c8d714b460bba86b04791;p=xen.git

xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking

The function vgic_irq_rank may return NULL if the IRQ is not in the range handled by the guest. This will result in dereferencing a NULL pointer, which will crash Xen.

I've checked the rest of the emulation and this is the only place where the lock is taken before the rank is checked.

This is CVE-2014-2986 / XSA-94.

Signed-off-by: Julien Grall
Reported-by: Thomas Leonard
Reviewed-by: Jan Beulich
Acked-by: Ian Campbell
---
diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c index 4a7f8c0fe4..e4e39231c2 100644 --- a/xen/arch/arm/vgic.c +++ b/xen/arch/arm/vgic.c @@ -592,8 +592,8 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info) case GICD_ICFGR + 2 ... GICD_ICFGRN: /* SPIs */ if ( dabt.size != 2 ) goto bad_width; rank = vgic_irq_rank(v, 2, gicd_reg - GICD_ICFGR); - vgic_lock_rank(v, rank); if ( rank == NULL) goto write_ignore; + vgic_lock_rank(v, rank); rank->icfg[REG_RANK_INDEX(2, gicd_reg - GICD_ICFGR)] = *r; vgic_unlock_rank(v, rank); return 1;
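Review bot: moving vgic_lock_rank(v, rank) below the `if ( rank == NULL) goto write_ignore;` test is the correct and minimal fix for the GICD_ICFGR SPI write case at vgic.c:592: in the removed ordering a guest write to a GICD_ICFGR offset whose IRQ lies outside the ranks the guest owns reached the lock with rank == NULL, which is the NULL dereference the message describes (a guest-triggerable hypervisor crash, hence the XSA), and with the check first the write_ignore path no longer touches the lock while the store to rank->icfg[...] stays bracketed by the lock/unlock pair. Two points for follow-up: the unchanged context line `if ( rank == NULL)` lacks the closing space that the neighbouring `if ( dabt.size != 2 )` and the rest of Xen's `if ( ... )` style use, so `if ( rank == NULL )` would be consistent if this line is ever touched again; and the message's claim that this is the only lock-before-check site is not something this single-hunk diff can show, so the matching GICD_ICFGR read handler and the other vgic_irq_rank() users should be checked independently rather than taken from the message.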