Flaws in handling traps from 32-bit userspace on 64-bit ARM

When handling a trap from guest mode on ARM, Xen asserts that the current guest mode must match the domain address width. This assertion is false when a guest takes a trap from a 32-bit userspace running on a 64-bit kernel in a 64-bit domain.

在Xen里面有一个false assertion:

guest mode must match the domain address width

但是如果一个32-bit的userspace process在64-bit的kernel发生了一个trap,这个assertion就不对了,造成DoS。

false assertion



We are not setup to handle these properly. This turns a host crash into a trap to the guest kernel which will likely result in killing the offending process.

--- a/xen/arch/arm/traps.c
+++ b/xen/arch/arm/traps.c
@@ -1812,6 +1812,17 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
     union hsr hsr = { .bits = READ_SYSREG32(ESR_EL2) };
+    /*
+     * We currently do not handle 32-bit userspace on 64-bit kernels
+     * correctly (See XSA-102). Until that is resolved we treat any
+     * trap from 32-bit userspace on 64-bit kernel as undefined.
+     */
+    if ( is_pv64_domain(current->domain) && psr_mode_is_32bit(regs->cpsr) )
+    {
+        inject_undef_exception(regs, hsr.len);
+        return;
+    }



Any user in a guest which is running a 64-bit kernel who is able to spawn a 32-bit process can crash the host. I.e. an unprivileged guest user can cause host-wide denial of service.