Xen project Mailing List

Re: [PATCH] ARM/vgic: Fix out-of-bounds accesses in vgic_mmio_write_sgir()

To: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

From: Stefano Stabellini <sstabellini@xxxxxxxxxx>

Date: Wed, 26 Mar 2025 18:34:21 -0700 (PDT)

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>

Delivery-date: Thu, 27 Mar 2025 01:34:39 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, 27 Mar 2025, Volodymyr Babchuk wrote: > Hi Andrew, > > Andrew Cooper <andrew.cooper3@xxxxxxxxxx> writes: > > > The switch() statement is over bits 24:25 (unshifted) of the guest provided > > value. This makes case 0x3: dead, and not an implementation of the 4th > > possible state. > > > > A guest which writes (3<<24)|(ff<<16) to this register will skip the early > > exit, then enter bitmap_for_each() with targets not bound by nr_vcpus. > > > > If the guest has fewer than 8 vCPUs, bitmap_for_each() will read off the end > > of d->vcpu[] and use the resulting vcpu pointer to ultimately derive irq, > > and > > perform an out-of-bounds write. > > > > Fix this by changing case 0x3 to default. > > > > Fixes: 08c688ca6422 ("ARM: new VGIC: Add SGIR register handler") > > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > > Reviewed-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx> Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx> > > --- > > CC: Stefano Stabellini <sstabellini@xxxxxxxxxx> > > CC: Julien Grall <julien@xxxxxxx> > > CC: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx> > > CC: Bertrand Marquis <bertrand.marquis@xxxxxxx> > > CC: Michal Orzel <michal.orzel@xxxxxxx> > > > > This vgic driver is explicity not security supported, hence no XSA. > > --- > > xen/arch/arm/vgic/vgic-mmio-v2.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/xen/arch/arm/vgic/vgic-mmio-v2.c > > b/xen/arch/arm/vgic/vgic-mmio-v2.c > > index 670b335db2c3..7d1391ac9b48 100644 > > --- a/xen/arch/arm/vgic/vgic-mmio-v2.c > > +++ b/xen/arch/arm/vgic/vgic-mmio-v2.c > > @@ -104,7 +104,8 @@ static void vgic_mmio_write_sgir(struct vcpu > > *source_vcpu, > > case GICD_SGI_TARGET_SELF: /* this very vCPU only */ > > targets = (1U << source_vcpu->vcpu_id); > > break; > > - case 0x3: /* reserved */ > > + > > + default: > > return; > > } > > -- > WBR, Volodymyr

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.