From: Julien Grall <julien.grall@linaro.org>
Date: Mon, 14 Apr 2014 19:46:43 +0000 (+0100)
Subject: xen/arm: Upgrade DCISW into DCCISW
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~5181
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=cda12fa0cee7023878598ff8ced3613b57576ce3;p=xen.git

xen/arm: Upgrade DCISW into DCCISW

A guest is allowed to use invalidate cache by set/way instruction (i.e DCISW)
without any restriction. As the cache is shared with Xen, the guest invalidate
an address being in used by Xen. This may lead a Xen crash because the memory
state is invalid.
Set the bit HCR.SWIO to upgrade invalidate cache by set/way instruction to an
invalidate and clean.

This is CVE-2014-2915 / XSA-93.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Reported-by: Thomas Leonard <tal36@cam.ac.uk>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
---

diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c
index 97ab28667e..17ac8d87de 100644
--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -82,7 +82,7 @@ void __cpuinit init_traps(void)
 
     /* Setup hypervisor traps */
     WRITE_SYSREG(HCR_PTW|HCR_BSU_INNER|HCR_AMO|HCR_IMO|HCR_VM|HCR_TWI|HCR_TSC|
-                 HCR_TAC, HCR_EL2);
+                 HCR_TAC|HCR_SWIO, HCR_EL2);
     isb();
 }