author | Mario Preksavec <mario@slackware.hr> | 2016-12-17 12:07:20 +0100 |
---|---|---|
committer | Willy Sudiarto Raharjo <willysr@slackbuilds.org> | 2016-12-24 07:34:16 +0700 |
commit | b674aee736e631d8f7d4ec0ed949f71726ba3462 (patch) | |
tree | 0fce21c2a4dce8fca56280b6ee86dce68f4dfd71 /system/xen/xsa/xsa201-1.patch | |
parent | 8e2ace85aac7ba510e31434cd838a1d7d2c5d198 (diff) |
system/xen: XSA 199-201 update.
Signed-off-by: Mario Preksavec <mario@slackware.hr>
Diffstat (limited to 'system/xen/xsa/xsa201-1.patch')
-rw-r--r-- | system/xen/xsa/xsa201-1.patch | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa201-1.patch b/system/xen/xsa/xsa201-1.patch
new file mode 100644
index 0000000000..50983b852f
--- /dev/null
+++ b/system/xen/xsa/xsa201-1.patch
@@ -0,0 +1,87 @@
+From: Wei Chen <Wei.Chen@arm.com>
+Subject: arm64: handle guest-generated EL1 asynchronous abort
+
+In current code, when the hypervisor receives an asynchronous abort
+from a guest, the hypervisor will do panic, the host will be down.
+We have to prevent such security issue, so, in this patch we crash
+the guest, when the hypervisor receives an asynchronous abort from
+the guest.
+
+This is CVE-2016-9815, part of XSA-201.
+
+Signed-off-by: Wei Chen <Wei.Chen@arm.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Steve Capper <steve.capper@arm.com>
+Reviewed-by: Julien Grall <Julien.Grall@arm.com>
+
+--- a/xen/arch/arm/arm64/entry.S
++++ b/xen/arch/arm/arm64/entry.S
+@@ -204,9 +204,12 @@ guest_fiq_invalid:
+ entry hyp=0, compat=0
+ invalid BAD_FIQ
+
+-guest_error_invalid:
++guest_error:
+ entry hyp=0, compat=0
+- invalid BAD_ERROR
++ msr daifclr, #2
++ mov x0, sp
++ bl do_trap_guest_error
++ exit hyp=0, compat=0
+
+ guest_sync_compat:
+ entry hyp=0, compat=1
+@@ -225,9 +228,12 @@ guest_fiq_invalid_compat:
+ entry hyp=0, compat=1
+ invalid BAD_FIQ
+
+-guest_error_invalid_compat:
++guest_error_compat:
+ entry hyp=0, compat=1
+- invalid BAD_ERROR
++ msr daifclr, #2
++ mov x0, sp
++ bl do_trap_guest_error
++ exit hyp=0, compat=1
+
+ ENTRY(return_to_new_vcpu32)
+ exit hyp=0, compat=1
+@@ -286,12 +292,12 @@ ENTRY(hyp_traps_vector)
+ ventry guest_sync // Synchronous 64-bit EL0/EL1
+ ventry guest_irq // IRQ 64-bit EL0/EL1
+ ventry guest_fiq_invalid // FIQ 64-bit EL0/EL1
+- ventry guest_error_invalid // Error 64-bit EL0/EL1
++ ventry guest_error // Error 64-bit EL0/EL1
+
+ ventry guest_sync_compat // Synchronous 32-bit EL0/EL1
+ ventry guest_irq_compat // IRQ 32-bit EL0/EL1
+ ventry guest_fiq_invalid_compat // FIQ 32-bit EL0/EL1
+- ventry guest_error_invalid_compat // Error 32-bit EL0/EL1
++ ventry guest_error_compat // Error 32-bit EL0/EL1
+
+ /*
+ * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next)
+--- a/xen/arch/arm/traps.c
++++ b/xen/arch/arm/traps.c
+@@ -2723,6 +2723,21 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
+ }
+ }
+
++asmlinkage void do_trap_guest_error(struct cpu_user_regs *regs)
++{
++ enter_hypervisor_head(regs);
++
++ /*
++ * Currently, to ensure hypervisor safety, when we received a
++ * guest-generated vSerror/vAbort, we just crash the guest to protect
++ * the hypervisor. In future we can better handle this by injecting
++ * a vSerror/vAbort to the guest.
++ */
++ gdprintk(XENLOG_WARNING, "Guest(Dom-%u) will be crashed by vSError\n",
++ current->domain->domain_id);
++ domain_crash_synchronous();
++}
++
+ asmlinkage void do_trap_irq(struct cpu_user_regs *regs)
+ {
+ enter_hypervisor_head(regs); |
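Review bot: Applying xsa201-1.patch alone should not be read as closing XSA-201: the patch text says CVE-2016-9815 is only "part of XSA-201", its subject is limited to arm64 guest-generated aborts, and the `-1` suffix suggests further parts. The diffstat shown here is restricted to this one file, so confirm that the build script applies every xsa201 part in order before the package is treated as fixed. As a vendored security patch, the file should also be compared byte-for-byte with the copy published with the upstream advisory rather than edited locally. On the code itself, `do_trap_guest_error` crashes `current->domain`, and because the abort is asynchronous the domain that is current when it is taken is presumably not guaranteed to be the one that raised it; the only trace of the cause is a `gdprintk`, which as far as I know is compiled out of non-debug builds. If that matters operationally it is a point to raise upstream, for example asking for `gprintk(XENLOG_WARNING, ...)` on that line.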