author | Natanael Copa <ncopa@alpinelinux.org> | 2015-05-15 11:20:29 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-05-15 11:20:29 +0000 |
commit | a824d445bbe2abb22ca2362898b7e72054639120 (patch) | |
tree | a617cd635d915c4d623e19eb4851329b62f8b8cb /main/xen/xsa117.patch | |
parent | 0b34e934c5ee509c197b159a51b14e9424f24470 (diff) | |
main/xen: upgrade to 4.5
Diffstat (limited to 'main/xen/xsa117.patch')
-rw-r--r-- | main/xen/xsa117.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/main/xen/xsa117.patch b/main/xen/xsa117.patch
new file mode 100644
index 000000000..aa04fe45c
--- /dev/null
+++ b/main/xen/xsa117.patch
@@ -0,0 +1,42 @@
+From 472dc9e627c8f1b9d7138b142a5b0838550a2072 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall@linaro.org>
+Date: Fri, 23 Jan 2015 14:15:07 +0000
+Subject: [PATCH] xen/arm: vgic-v2: Don't crash the hypervisor if the SGI
+ target mode is invalid
+
+The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter.
+
+Even if it's an invalid value, a malicious guest could write this value
+and threfore crash the hypervisor.
+
+Replace the BUG() by logging the error and inject a data abort to the guest.
+
+This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7
+"xen/arm: split vgic driver into generic and vgic-v2 driver".
+
+This is CVE-2015-0268 / XSA-117.
+
+Signed-off-by: Julien Grall <julien.grall@linaro.org>
+---
+ xen/arch/arm/vgic-v2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
+index 598bf06..9dc9a20 100644
+--- a/xen/arch/arm/vgic-v2.c
++++ b/xen/arch/arm/vgic-v2.c
+@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir)
+ sgi_mode = SGI_TARGET_SELF;
+ break;
+ default:
+- BUG();
++ printk(XENLOG_G_DEBUG
++ "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n",
++ v, sgir);
++ return 0;
+ }
+
+ return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask);
+--
+2.1.4
+ |
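Review bot: The new `return 0;` in the `default:` case of vgic_v2_to_sgi relies on a convention that is not visible in the hunk. The patch description says the guest receives a data abort, which presumably means the caller treats 0 as "write not handled". A one-line comment would make that explicit, e.g. `/* 0 = access not handled; the caller is expected to inject a data abort into the guest */`. The message is logged at `XENLOG_G_DEBUG`, so with a default guest log level a guest writing the reserved TargetListFilter value may leave no trace; hosts that want to detect such attempts need guest debug logging enabled, or the level could be raised to `XENLOG_G_WARNING`. vgic_v2_to_sgi starts and ends outside the hunk.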