[xen] arm: vgic-v2: GICD_SGIR is not properly emulated, gcc5 build fixes

myoung myoung at fedoraproject.org
Sun Feb 15 13:30:48 UTC 2015


commit 3913e55263237295cae460b0c299de2e4aaf4ad6
Author: Michael Young <m.a.young at durham.ac.uk>
Date:   Sun Feb 15 13:30:07 2015 +0000

    arm: vgic-v2: GICD_SGIR is not properly emulated,
    gcc5 build fixes

 xen.gcc5.fix.patch |   21 +++++++++++++++++++++
 xen.spec           |   14 +++++++++++---
 xsa117.patch       |   42 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 3 deletions(-)
---
diff --git a/xen.gcc5.fix.patch b/xen.gcc5.fix.patch
new file mode 100644
index 0000000..d8e0bcd
--- /dev/null
+++ b/xen.gcc5.fix.patch
@@ -0,0 +1,21 @@
+gcc5 gives array-bounds warning on xen/common/symbols.c
+     also maybe-uninitialized warning on xen/xsm/flask/ss/policydb.c
+
+--- xen-4.5.0/xen/common/Makefile.orig	2015-01-12 16:53:24.000000000 +0000
++++ xen-4.5.0/xen/common/Makefile	2015-02-14 15:40:29.722759007 +0000
+@@ -72,3 +72,5 @@
+ 
+ subdir-y += libelf
+ subdir-$(HAS_DEVICE_TREE) += libfdt
++
++CFLAGS += -Wno-error=array-bounds
+--- xen-4.5.0/xen/xsm/flask/Makefile.orig	2015-01-12 16:53:24.000000000 +0000
++++ xen-4.5.0/xen/xsm/flask/Makefile	2015-02-14 16:49:54.376183206 +0000
+@@ -5,6 +5,7 @@
+ subdir-y += ss
+ 
+ CFLAGS += -I./include
++CFLAGS += -Wno-error=maybe-uninitialized
+ 
+ AWK = awk
+ 
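Review bot: The two added `CFLAGS += -Wno-error=...` lines downgrade the diagnostic for every object built under xen/common and xen/xsm/flask, not just the symbols.c and policydb.c named in the patch header, so any future array-bounds or maybe-uninitialized finding in those directories — including the FLASK policy parser — will no longer fail the build. If the Xen build system offers a per-object flag variable, scope each override to the single object it is needed for; otherwise record in the patch header the exact gcc 5 message each line silences so the override can be dropped once the code is fixed. An array-bounds warning on symbols.c may also be a genuine out-of-bounds read rather than a false positive, so it is worth confirming the upstream analysis before shipping with the error suppressed rather than only noting it as a build fix.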
diff --git a/xen.spec b/xen.spec
index 1a37221..eddde91 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.5.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -86,6 +86,8 @@ Patch17: xen.ocaml.uint.fix.patch
 Patch18: xen.ocaml.selinux.fix.patch
 Patch19: xsa118-4.5-unstable-1.patch
 Patch20: xsa118-4.5-unstable-2.patch
+Patch21: xsa117.patch
+Patch22: xen.gcc5.fix.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
@@ -271,6 +273,8 @@ manage Xen virtual machines.
 %patch18 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
+%patch22 -p1
 
 # stubdom sources
 cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -775,6 +779,10 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Sat Feb 14 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-2
+- arm: vgic-v2: GICD_SGIR is not properly emulated [XSA-117, CVE-2015-0268]
+- allow certain warnings with gcc5 that would otherwise be treated as errors
+
 * Thu Jan 29 2015 Michael Young <m.a.young at durham.ac.uk> - 4.5.0-1
 - update to 4.5.0
   xend has gone, so remove references to xend in spec file, sources and patches
@@ -792,8 +800,8 @@ rm -rf %{buildroot}
   re-number patches
 - enable building pngs from fig files which is working again
 - fix oxenstored.service preset preuninstall script
-- arm: vgic: incorrect rate limiting of guest triggered logging [XSA-118]
-	(#1187153)
+- arm: vgic: incorrect rate limiting of guest triggered logging [XSA-118,
+	CVE-2015-1563] (#1187153)
 
 * Tue Jan 06 2015 Michael Young <m.a.young at durham.ac.uk> - 4.4.1-12
 - xen crash due to use after free on hvm guest teardown [XSA-116,
diff --git a/xsa117.patch b/xsa117.patch
new file mode 100644
index 0000000..aa04fe4
--- /dev/null
+++ b/xsa117.patch
@@ -0,0 +1,42 @@
+From 472dc9e627c8f1b9d7138b142a5b0838550a2072 Mon Sep 17 00:00:00 2001
+From: Julien Grall <julien.grall at linaro.org>
+Date: Fri, 23 Jan 2015 14:15:07 +0000
+Subject: [PATCH] xen/arm: vgic-v2: Don't crash the hypervisor if the SGI
+ target mode is invalid
+
+The GICv2 spec reserved the value 0b11 for GICD_SGIR.TargetListFilter.
+
+Even if it's an invalid value, a malicious guest could write this value
+and threfore crash the hypervisor.
+
+Replace the BUG() by logging the error and inject a data abort to the guest.
+
+This was introduced by commit ea37fd21110b6fbcf9257f814076a243d3873cb7
+"xen/arm: split vgic driver into generic and vgic-v2 driver".
+
+This is CVE-2015-0268 / XSA-117.
+
+Signed-off-by: Julien Grall <julien.grall at linaro.org>
+---
+ xen/arch/arm/vgic-v2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/xen/arch/arm/vgic-v2.c b/xen/arch/arm/vgic-v2.c
+index 598bf06..9dc9a20 100644
+--- a/xen/arch/arm/vgic-v2.c
++++ b/xen/arch/arm/vgic-v2.c
+@@ -257,7 +257,10 @@ static int vgic_v2_to_sgi(struct vcpu *v, register_t sgir)
+         sgi_mode = SGI_TARGET_SELF;
+         break;
+     default:
+-        BUG();
++        printk(XENLOG_G_DEBUG
++               "%pv: vGICD: unhandled GICD_SGIR write %"PRIregister" with wrong mode\n",
++               v, sgir);
++        return 0;
+     }
+ 
+     return vgic_to_sgi(v, sgir, sgi_mode, virq, vcpu_mask);
+-- 
+2.1.4
+
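Review bot: The new default branch returns 0 without itself injecting the data abort that the commit message promises; if, as the MMIO dispatcher calling this function presumably does, a zero return makes the caller inject the abort, that contract deserves a comment at the `return 0`, e.g. `/* Reserved TargetListFilter value (0b11): fail the write so the caller injects a data abort into the guest. */`. The printk is reachable by any guest writing GICD_SGIR, so it must stay at a rate-limited guest log level — XENLOG_G_DEBUG satisfies that, and a short comment stating the level is deliberate would keep a later edit from switching it to plain XENLOG_DEBUG and reopening the guest-triggered logging flood this package already patches as XSA-118. vgic_v2_to_sgi's body starts and ends outside the hunk.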

