[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] ARM/vgic: Fix out-of-bounds accesses in vgic_mmio_write_sgir()


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Date: Thu, 27 Mar 2025 00:56:26 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=zg4ZfL+EzvDZDtyMQp4FFCGm0LoESOqGM+3TIfe4Ftk=; b=Vv5/eGsQEM6qPDZjKDQ0p97MdrbB6s/bBUAD2CXFANK/xvkqPHRWKlOIQ+O2JrMmaBinU5xxKNTCrCBbD/oWGmuYz9YVl2+mbY+CR21WfWYu/bDH0RT2M9bs+qI5a9Q7bb5sDUXrPsV4CWaPUYGn+qAOdt0/nbZ1AmtPSzgd6JM5S6B+OrVytYwQuECL2Yhk0nINaxyfrtbvYT7SYXDiYSMNz3FBVKrfjPkWNY2qSBqkSWuGl5qnOGqCoAkqULbLNhmSkSjDR4R2CGQq+HjBpayoLTPatJU8Pwh3sH/x3OP703Zrm/X9+feW7Qs3da8bxpJZY5/Ph2zU232/nX/T5Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=GX/uM/78kuIYuPCIx7vifOxCmXOicx0IYfjQJ8jzhvjmgznKbPfK+uWuykYF38LanQ9pXMw1knmNMXi1ZQpUQZ3mggofHr0xFxTj3o2SGDX6jb9/UKolMujL0d+fkxj8/AZf7rhNkvXitZix133M0i2eYGABXoJFUURThk6oIgpDR/833dd0G2s6PVTf8SkUGcPjJFb8VZOklfLmdKxRVnbUNmFb8OygwMGxuaDC4kESXvSIJ861rk3rnznQnk7ceDQRXDGBw09CIlBB6ieI9OKSNp679dYCK2yyOfr5X/PVXTwSz0CRe0NumMruHKDPZGRXe3zqRkyEaJzTyOA2ow==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Thu, 27 Mar 2025 00:56:35 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHbnmbv4CnAg2LcQ06L+X8rg+2+kg==
  • Thread-topic: [PATCH] ARM/vgic: Fix out-of-bounds accesses in vgic_mmio_write_sgir()

Hi Andrew,

Andrew Cooper <andrew.cooper3@xxxxxxxxxx> writes:

> The switch() statement is over bits 24:25 (unshifted) of the guest provided
> value.  This makes case 0x3: dead, and not an implementation of the 4th
> possible state.
>
> A guest which writes (3<<24)|(ff<<16) to this register will skip the early
> exit, then enter bitmap_for_each() with targets not bound by nr_vcpus.
>
> If the guest has fewer than 8 vCPUs, bitmap_for_each() will read off the end
> of d->vcpu[] and use the resulting vcpu pointer to ultimately derive irq, and
> perform an out-of-bounds write.
>
> Fix this by changing case 0x3 to default.
>
> Fixes: 08c688ca6422 ("ARM: new VGIC: Add SGIR register handler")
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>

> ---
> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
> CC: Julien Grall <julien@xxxxxxx>
> CC: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
> CC: Bertrand Marquis <bertrand.marquis@xxxxxxx>
> CC: Michal Orzel <michal.orzel@xxxxxxx>
>
> This vgic driver is explicity not security supported, hence no XSA.
> ---
>  xen/arch/arm/vgic/vgic-mmio-v2.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/xen/arch/arm/vgic/vgic-mmio-v2.c 
> b/xen/arch/arm/vgic/vgic-mmio-v2.c
> index 670b335db2c3..7d1391ac9b48 100644
> --- a/xen/arch/arm/vgic/vgic-mmio-v2.c
> +++ b/xen/arch/arm/vgic/vgic-mmio-v2.c
> @@ -104,7 +104,8 @@ static void vgic_mmio_write_sgir(struct vcpu *source_vcpu,
>      case GICD_SGI_TARGET_SELF:                    /* this very vCPU only */
>          targets = (1U << source_vcpu->vcpu_id);
>          break;
> -    case 0x3:                                     /* reserved */
> +
> +    default:
>          return;
>      }

-- 
WBR, Volodymyr


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.