From: Ian Campbell Date: Tue, 12 Aug 2014 13:38:01 +0000 (+0200) Subject: xen: arm: Correctly handle do_sysreg exception injection from 64-bit userspace X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~4530 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=f2ae8bfa498831ee6343d672066b898d3cd73892;p=xen.git xen: arm: Correctly handle do_sysreg exception injection from 64-bit userspace The do_sysreg case was missing a return, so it would increment PC and inject the trap to the second instruction of the handler. This is CVE-2014-5148 / XSA-103. Signed-off-by: Ian Campbell Signed-off-by: Ian Jackson Acked-by: Julien Grall --- diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index ae594caea7..683b4400f9 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -1704,6 +1704,7 @@ static void do_sysreg(struct cpu_user_regs *regs, hsr.bits & HSR_SYSREG_REGS_MASK); #endif inject_undef_exception(regs, sysreg.len); + return; } }
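Review bot: The `return;` added after `inject_undef_exception(regs, sysreg.len);` at the end of the do_sysreg hunk has no comment explaining why it must be there, and nothing in the code stops a later edit from dropping it again. The commit message gives the reason: without the return, the PC is incremented after injection and the guest enters its handler at the second instruction. A one-line comment above the return would record that in the code, for example "the PC now points at the guest's exception vector, so it must not be advanced". The message describes do_sysreg as the case that was missing the return, so it is worth confirming in the same pass that every other inject_undef_exception() call site in xen/arch/arm/traps.c is also followed by a return, and stating the result in the commit message, so the CVE-2014-5148 / XSA-103 fix is known to cover the whole pattern and not just this one handler.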