XSA-117

CVE-2015-0268


Problem description

http://xenbits.xen.org/xsa/advisory-117.html

arm: vgic-v2: GICD_SGIR is not properly emulated

When decoding a guest write to a specific register in the virtual interrupt controller Xen would treat an invalid value as a critical error and crash the host.

Exception handling using BUG() causes DoS

Spurious BUG(): the invalid value is guest-controlled, not a hypervisor invariant violation


Patch description

http://xenbits.xen.org/xsa/xsa117.patch

The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter.

Even if it's an invalid value, a malicious guest could write this value and therefore crash the hypervisor.

Replace the BUG() by logging the error and inject a data abort to the guest.

--- a/xen/arch/arm/vgic-v2.c
+++ b/xen/arch/arm/vgic-v2.c
@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir)
         sgi_mode = SGI_TARGET_SELF;
         break;
     default:
-        BUG();
+        printk(XENLOG_G_DEBUG
+               "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n",
+               v, sgir);
+        return 0;
     }
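Review bot: the `default:` arm only logs and returns 0, while the commit message promises that a data abort is injected into the guest; nothing in this hunk performs that injection, so the behaviour depends on the caller of vgic_v2_to_sgi treating a 0 return as "access not handled, inject abort". That contract is not visible here and deserves a one-line comment above `return 0;` (or an explicit check in the caller) so a future refactor of the return convention does not silently turn the reserved encoding into a swallowed write. Using the guest-level `XENLOG_G_DEBUG` rather than a host-level log priority is the right choice, since the message is guest-triggerable and the `XENLOG_G_*` levels are the ones subject to per-guest rate limiting.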

Consequence

By writing an invalid value to the GICD.SGIR register a guest can crash the host, resulting in a Denial of Service attack.

DoS