List: oss-security
Subject: [oss-security] Xen Security Advisory 94 (CVE-2014-2986) - ARM hypervisor crash on guest interrupt co
From: Xen.org security team <security () xen ! org>
Date: 2014-04-23 15:13:02
Message-ID: E1Wcyr8-0001eE-Nk () xenbits ! xen ! org
Xen Security Advisory CVE-2014-2986 / XSA-94
version 2
ARM hypervisor crash on guest interrupt controller access
UPDATES IN VERSION 2
====================
This issue has been assigned CVE-2014-2986.
ISSUE DESCRIPTION
=================
When handling a guest access to the virtual GIC distributor (interrupt
controller) Xen could dereference a pointer before checking it for
validity leading to a hypervisor crash and host Denial of Service.
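The check-before-lock ordering behind this issue, as an added example that is not Xen's code and not part of the advisory: a simplified C model in which a lookup returns NULL for an out-of-range register and the write handler validates that result before taking the lock. All names (lookup_rank, lock_rank, write_icfg, struct rank) and sizes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; every name here is hypothetical, not Xen's code. */
#define NR_RANKS      2   /* ranks backing the IRQs this guest owns */
#define REGS_PER_RANK 2   /* config registers per rank in this model */

enum result { WRITE_DONE, WRITE_IGNORED };

struct rank {
    int locked;                     /* stand-in for a spinlock */
    uint32_t icfg[REGS_PER_RANK];
};

static struct rank ranks[NR_RANKS];

/* Returns NULL when the guest-chosen register is outside the owned range. */
static struct rank *lookup_rank(unsigned int reg)
{
    unsigned int idx = reg / REGS_PER_RANK;
    return idx < NR_RANKS ? &ranks[idx] : NULL;
}

static void lock_rank(struct rank *r)   { r->locked = 1; }  /* dereferences r */
static void unlock_rank(struct rank *r) { r->locked = 0; }

/* Ordering before the fix, shown for comparison and never called here:
 *     r = lookup_rank(reg);
 *     lock_rank(r);                  <- faults when r is NULL
 *     if (r == NULL) return WRITE_IGNORED;
 */

/* Ordering after the fix: validate the lookup result, then lock. */
static enum result write_icfg(unsigned int reg, uint32_t val)
{
    struct rank *r = lookup_rank(reg);

    if (r == NULL)
        return WRITE_IGNORED;       /* nothing locked, nothing to unlock */
    lock_rank(r);
    r->icfg[reg % REGS_PER_RANK] = val;
    unlock_rank(r);
    return WRITE_DONE;
}

int main(void)
{
    printf("in range: %d, out of range: %d\n",
           (int)write_icfg(1, 0xaa), (int)write_icfg(100, 0xbb));
    return 0;
}
```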
IMPACT
======
A buggy or malicious guest can crash the host.
VULNERABLE SYSTEMS
==================
Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.
x86 systems are not vulnerable.
MITIGATION
==========
None.
NOTE REGARDING LACK OF EMBARGO
==============================
This bug was publicly reported on xen-devel, before it was appreciated
that there was a security problem.
CREDITS
=======
The initial bug was discovered by Thomas Leonard and the security
aspect was diagnosed by Julien Grall.
RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.
xsa94.patch xen-unstable, Xen 4.4.x
$ sha256sum xsa94*.patch
ad0f20577400756a1786daeafef86fa870727ec35b48f71f565e4a30dcbda58d xsa94.patch
$
["xsa94.patch" (application/octet-stream)]
xen/arm: vgic: Check rank in GICD_ICFGR* emulation before locking
The function vgic_irq_rank may return NULL if the IRQ is not in range handled
by the guest. This will result in dereferencing a NULL pointer which will crash
Xen.
I've checked the rest of the emulation and this is the only place where the lock is
taken before the rank is checked.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
Reported-by: Thomas Leonard <talex5@gmail.com>
Reviewed-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
diff --git a/xen/arch/arm/vgic.c b/xen/arch/arm/vgic.c
index 1b95003..4cf6470 100644
--- a/xen/arch/arm/vgic.c
+++ b/xen/arch/arm/vgic.c
@@ -602,8 +602,8 @@ static int vgic_distr_mmio_write(struct vcpu *v, mmio_info_t *info)
case GICD_ICFGR + 2 ... GICD_ICFGRN: /* SPIs */
if ( dabt.size != 2 ) goto bad_width;
rank = vgic_irq_rank(v, 2, gicd_reg - GICD_ICFGR);
- vgic_lock_rank(v, rank);
if ( rank == NULL) goto write_ignore;
+ vgic_lock_rank(v, rank);
rank->icfg[REG_RANK_INDEX(2, gicd_reg - GICD_ICFGR)] = *r;
vgic_unlock_rank(v, rank);
return 1;
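Review bot: In the GICD_ICFGR SPI case, the check `if ( rank == NULL) goto write_ignore;` lacks the space before the closing parenthesis that `if ( dabt.size != 2 )` two lines above it has; tidy it to `if ( rank == NULL ) goto write_ignore;` while the adjacent line is being moved. The reordering itself is right: the write_ignore exit is now taken before vgic_lock_rank, so the lock is never acquired on a NULL rank and no unlock is skipped on that path. A one-line comment at the check, noting that vgic_irq_rank can return NULL for an IRQ outside the guest's range, would help keep the check ahead of the lock in later edits.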