| Message ID | 20250326155121.364658-1-andrew.cooper3@citrix.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | ARM/vgic: Fix out-of-bounds accesses in vgic_mmio_write_sgir() | expand |
Hi Andrew, Andrew Cooper <andrew.cooper3@citrix.com> writes: > The switch() statement is over bits 24:25 (unshifted) of the guest provided > value. This makes case 0x3: dead, and not an implementation of the 4th > possible state. > > A guest which writes (3<<24)|(ff<<16) to this register will skip the early > exit, then enter bitmap_for_each() with targets not bound by nr_vcpus. > > If the guest has fewer than 8 vCPUs, bitmap_for_each() will read off the end > of d->vcpu[] and use the resulting vcpu pointer to ultimately derive irq, and > perform an out-of-bounds write. > > Fix this by changing case 0x3 to default. > > Fixes: 08c688ca6422 ("ARM: new VGIC: Add SGIR register handler") > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com> > --- > CC: Stefano Stabellini <sstabellini@kernel.org> > CC: Julien Grall <julien@xen.org> > CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com> > CC: Bertrand Marquis <bertrand.marquis@arm.com> > CC: Michal Orzel <michal.orzel@amd.com> > > This vgic driver is explicity not security supported, hence no XSA. > --- > xen/arch/arm/vgic/vgic-mmio-v2.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/xen/arch/arm/vgic/vgic-mmio-v2.c b/xen/arch/arm/vgic/vgic-mmio-v2.c > index 670b335db2c3..7d1391ac9b48 100644 > --- a/xen/arch/arm/vgic/vgic-mmio-v2.c > +++ b/xen/arch/arm/vgic/vgic-mmio-v2.c > @@ -104,7 +104,8 @@ static void vgic_mmio_write_sgir(struct vcpu *source_vcpu, > case GICD_SGI_TARGET_SELF: /* this very vCPU only */ > targets = (1U << source_vcpu->vcpu_id); > break; > - case 0x3: /* reserved */ > + > + default: > return; > }
On Thu, 27 Mar 2025, Volodymyr Babchuk wrote: > Hi Andrew, > > Andrew Cooper <andrew.cooper3@citrix.com> writes: > > > The switch() statement is over bits 24:25 (unshifted) of the guest provided > > value. This makes case 0x3: dead, and not an implementation of the 4th > > possible state. > > > > A guest which writes (3<<24)|(ff<<16) to this register will skip the early > > exit, then enter bitmap_for_each() with targets not bound by nr_vcpus. > > > > If the guest has fewer than 8 vCPUs, bitmap_for_each() will read off the end > > of d->vcpu[] and use the resulting vcpu pointer to ultimately derive irq, and > > perform an out-of-bounds write. > > > > Fix this by changing case 0x3 to default. > > > > Fixes: 08c688ca6422 ("ARM: new VGIC: Add SGIR register handler") > > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> > > Reviewed-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com> Reviewed-by: Stefano Stabellini <sstabellini@kernel.org> > > --- > > CC: Stefano Stabellini <sstabellini@kernel.org> > > CC: Julien Grall <julien@xen.org> > > CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com> > > CC: Bertrand Marquis <bertrand.marquis@arm.com> > > CC: Michal Orzel <michal.orzel@amd.com> > > > > This vgic driver is explicity not security supported, hence no XSA. > > --- > > xen/arch/arm/vgic/vgic-mmio-v2.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/xen/arch/arm/vgic/vgic-mmio-v2.c b/xen/arch/arm/vgic/vgic-mmio-v2.c > > index 670b335db2c3..7d1391ac9b48 100644 > > --- a/xen/arch/arm/vgic/vgic-mmio-v2.c > > +++ b/xen/arch/arm/vgic/vgic-mmio-v2.c > > @@ -104,7 +104,8 @@ static void vgic_mmio_write_sgir(struct vcpu *source_vcpu, > > case GICD_SGI_TARGET_SELF: /* this very vCPU only */ > > targets = (1U << source_vcpu->vcpu_id); > > break; > > - case 0x3: /* reserved */ > > + > > + default: > > return; > > } > > -- > WBR, Volodymyr
diff --git a/xen/arch/arm/vgic/vgic-mmio-v2.c b/xen/arch/arm/vgic/vgic-mmio-v2.c index 670b335db2c3..7d1391ac9b48 100644 --- a/xen/arch/arm/vgic/vgic-mmio-v2.c +++ b/xen/arch/arm/vgic/vgic-mmio-v2.c @@ -104,7 +104,8 @@ static void vgic_mmio_write_sgir(struct vcpu *source_vcpu, case GICD_SGI_TARGET_SELF: /* this very vCPU only */ targets = (1U << source_vcpu->vcpu_id); break; - case 0x3: /* reserved */ + + default: return; }
The switch() statement is over bits 24:25 (unshifted) of the guest provided value. This makes case 0x3: dead, and not an implementation of the 4th possible state. A guest which writes (3<<24)|(ff<<16) to this register will skip the early exit, then enter bitmap_for_each() with targets not bound by nr_vcpus. If the guest has fewer than 8 vCPUs, bitmap_for_each() will read off the end of d->vcpu[] and use the resulting vcpu pointer to ultimately derive irq, and perform an out-of-bounds write. Fix this by changing case 0x3 to default. Fixes: 08c688ca6422 ("ARM: new VGIC: Add SGIR register handler") Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> --- CC: Stefano Stabellini <sstabellini@kernel.org> CC: Julien Grall <julien@xen.org> CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com> CC: Bertrand Marquis <bertrand.marquis@arm.com> CC: Michal Orzel <michal.orzel@amd.com> This vgic driver is explicity not security supported, hence no XSA. --- xen/arch/arm/vgic/vgic-mmio-v2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)