XSA-94

CVE-2014-2986


Problem description

http://xenbits.xen.org/xsa/advisory-94.html

ARM hypervisor crash on guest interrupt controller access

When handling a guest access to the virtual GIC distributor (interrupt controller), Xen could dereference a pointer before checking it for validity, leading to a hypervisor crash and host Denial of Service.

lack of check (invalid pointer)


Patch description

http://xenbits.xen.org/xsa/xsa94.patch

--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -602,8 +602,8 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
     case GICD_ICFGR + 2 ... GICD_ICFGRN: /* SPIs */
         if ( dabt.size != 2 ) goto bad_width;
         rank = vgic_irq_rank(v, 2, gicd_reg - GICD_ICFGR);
-        vgic_lock_rank(v, rank);
         if ( rank == NULL) goto write_ignore;
+        vgic_lock_rank(v, rank);
         rank->icfg[REG_RANK_INDEX(2, gicd_reg - GICD_ICFGR)] = *r;
         vgic_unlock_rank(v, rank);
         return 1;
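
Review bot: in the `GICD_ICFGR + 2 ... GICD_ICFGRN` case the ordering of `if ( rank == NULL) goto write_ignore;` and `vgic_lock_rank(v, rank);` is the whole fix, yet nothing in the code records why the order matters. A one-line comment above the check, saying that `vgic_irq_rank()` can return NULL and that the rank must not be locked before it is tested, would keep a later cleanup from swapping the lines back. Please also confirm that every other case in `vgic_distr_mmio_write` that obtains a rank from `vgic_irq_rank()` tests it before locking, since this hunk covers only the SPI ICFGR registers. Minor style point: `if ( rank == NULL)` lacks the space before the closing parenthesis that `if ( dabt.size != 2 )` two lines above uses.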

Consequence

A buggy or malicious guest can crash the host.

DoS