Diffstat (limited to 'system/xen/xsa/xsa201-3-4.7.patch')
-rw-r--r--system/xen/xsa/xsa201-3-4.7.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/system/xen/xsa/xsa201-3-4.7.patch b/system/xen/xsa/xsa201-3-4.7.patch
new file mode 100644
index 0000000000000..af7fc3703e0d2
--- /dev/null
+++ b/system/xen/xsa/xsa201-3-4.7.patch
@@ -0,0 +1,47 @@
+From: Wei Chen <Wei.Chen@arm.com>
+Subject: arm: crash the guest when it traps on external abort
+
+If we spot a data or prefetch abort bearing the ESR_EL2.EA bit set, we
+know that this is an external abort, and that should crash the guest.
+
+This is CVE-2016-9817, part of XSA-201.
+
+Signed-off-by: Wei Chen <Wei.Chen@arm.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Steve Capper <steve.capper@arm.com>
+Reviewed-by: Julien Grall <Julien.Grall@arm.com>
+
+--- a/xen/arch/arm/traps.c
++++ b/xen/arch/arm/traps.c
+@@ -2383,6 +2383,15 @@ static void do_trap_instr_abort_guest(struct cpu_user_regs *regs,
+ int rc;
+ register_t gva = READ_SYSREG(FAR_EL2);
+
++ /*
++ * If this bit has been set, it means that this instruction abort is caused
++ * by a guest external abort. Currently we crash the guest to protect the
++ * hypervisor. In future one can better handle this by injecting a virtual
++ * abort to the guest.
++ */
++ if ( hsr.iabt.eat )
++ domain_crash_synchronous();
++
+ switch ( hsr.iabt.ifsc & 0x3f )
+ {
+ case FSC_FLT_PERM ... FSC_FLT_PERM + 3:
+@@ -2437,6 +2446,15 @@ static void do_trap_data_abort_guest(struct cpu_user_regs *regs,
+ return;
+ }
+
++ /*
++ * If this bit has been set, it means that this data abort is caused
++ * by a guest external abort. Currently we crash the guest to protect the
++ * hypervisor. In future one can better handle this by injecting a virtual
++ * abort to the guest.
++ */
++ if ( dabt.eat )
++ domain_crash_synchronous();
++
+ info.dabt = dabt;
+ #ifdef CONFIG_ARM_32
+ info.gva = READ_CP32(HDFAR);
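Review bot: The two comments added in the embedded traps.c hunks say "this bit" without naming it, while the commit message calls it ESR_EL2.EA and the code tests `hsr.iabt.eat` and `dabt.eat`; naming it, e.g. `/* HSR.EA (ESR_EL2.EA) set: the abort is an external abort taken from the guest. */`, would let a reader match the check to the architecture manual. The comment should also state that `domain_crash_synchronous()` does not return, because the unbraced `if` otherwise reads as if execution could continue into the `switch` or the `info.dabt` assignment. In the data-abort hunk the new check sits after an earlier `return;` whose condition is not visible here, so it is worth confirming that this earlier exit is meant to skip the external-abort check. Both function bodies start and end outside the hunks shown, and the file name suggests this is one part of a multi-patch series, so the build script presumably needs to apply the remaining XSA-201 parts for the 4.7 tree as well.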