
[xen stable-4.15] hypercall_xlat_continuation: Replace BUG_ON with domain_crash
commit 65eb8f32b6b82e0268a9d66b49da354bc6698e87
Author: Bjoern Doebel <doebel@amazon.de>
AuthorDate: Wed Mar 27 18:30:55 2024 +0000
Commit: Andrew Cooper <andrew.cooper3@citrix.com>
CommitDate: Fri Apr 5 15:44:25 2024 +0100

hypercall_xlat_continuation: Replace BUG_ON with domain_crash

Instead of crashing the host in case of unexpected hypercall parameters,
resort to only crashing the calling domain.

This is part of XSA-454 / CVE-2023-46842.

Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op")
Reported-by: Manuel Andreas <manuel.andreas@tum.de>
Signed-off-by: Bjoern Doebel <doebel@amazon.de>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
(cherry picked from commit 9926e692c4afc40bcd66f8416ff6a1e93ce402f6)
---
xen/arch/x86/hypercall.c | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/xen/arch/x86/hypercall.c b/xen/arch/x86/hypercall.c
index 791b4c7585..7889729717 100644
--- a/xen/arch/x86/hypercall.c
+++ b/xen/arch/x86/hypercall.c
@@ -202,8 +202,13 @@ int hypercall_xlat_continuation(unsigned int *id, unsigned int nr,
cval = va_arg(args, unsigned int);
if ( cval == nval )
mask &= ~1U;
- else
- BUG_ON(nval == (unsigned int)nval);
+ else if ( nval == (unsigned int)nval )
+ {
+ printk(XENLOG_G_ERR
+ "multicall (op %lu) bogus continuation arg%u (%#lx)\n",
+ mcs->call.op, i, nval);
+ domain_crash(current->domain);
+ }
}
else if ( id && *id == i )
{
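Review bot: The new test `else if ( nval == (unsigned int)nval )` reads as inverted next to the `!=` test used for the untranslated-argument case in the next hunk, and nothing in the code says why a value that fits in 32 bits is the error here. A short comment above it would stop a later cleanup from "correcting" the operator, for example `/* cval != nval here, so nval is expected to be a native value that does not fit in 32 bits; one that does fit cannot be told apart from a compat value. */`. That wording is inferred from the two visible conditions and should be confirmed against the caller contract. The same test appears in the third hunk on the non-multicall path; the enclosing loop starts and ends outside the hunk.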
@@ -215,8 +220,13 @@ int hypercall_xlat_continuation(unsigned int *id, unsigned int nr,
mcs->call.args[i] = cval;
++rc;
}
- else
- BUG_ON(mcs->call.args[i] != (unsigned int)mcs->call.args[i]);
+ else if ( mcs->call.args[i] != (unsigned int)mcs->call.args[i] )
+ {
+ printk(XENLOG_G_ERR
+ "multicall (op %lu) bad continuation arg%u (%#lx)\n",
+ mcs->call.op, i, mcs->call.args[i]);
+ domain_crash(current->domain);
+ }
}
}
else
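Review bot: Execution falls through after `domain_crash(current->domain)` in this branch, so the loop presumably goes on to the remaining arguments and the function returns its usual count, yet nothing in the new code says this is deliberate. If it is, a comment such as `/* domain_crash() returns; carry on, the result is irrelevant for a crashed domain. */` would make that explicit for the next reader. It also means a single malformed continuation can produce one log line per offending argument, which is worth knowing when triaging these messages. The same pattern is in the other three hunks. The loop tail and the return are outside the hunk, so the behaviour past this point is inferred.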
@@ -242,8 +252,13 @@ int hypercall_xlat_continuation(unsigned int *id, unsigned int nr,
cval = va_arg(args, unsigned int);
if ( cval == nval )
mask &= ~1U;
- else
- BUG_ON(nval == (unsigned int)nval);
+ else if ( nval == (unsigned int)nval )
+ {
+ printk(XENLOG_G_ERR
+ "hypercall (op %u) bogus continuation arg%u (%#lx)\n",
+ regs->eax, i, nval);
+ domain_crash(current->domain);
+ }
}
else if ( id && *id == i )
{
@@ -255,8 +270,13 @@ int hypercall_xlat_continuation(unsigned int *id, unsigned int nr,
*reg = cval;
++rc;
}
- else
- BUG_ON(*reg != (unsigned int)*reg);
+ else if ( *reg != (unsigned int)*reg )
+ {
+ printk(XENLOG_G_ERR
+ "hypercall (op %u) bad continuation arg%u (%#lx)\n",
+ regs->eax, i, *reg);
+ domain_crash(current->domain);
+ }
}
}

--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.15