From: Andrew Cooper
To: Xen-devel
Cc: Andrew Cooper, Stefano Stabellini, Julien Grall, Volodymyr Babchuk, Bertrand Marquis, Michal Orzel
Subject: [PATCH] ARM/vgic: Fix out-of-bounds accesses in vgic_mmio_write_sgir()
Date: Wed, 26 Mar 2025 15:51:21 +0000
Message-Id: <20250326155121.364658-1-andrew.cooper3@citrix.com>

The switch() statement is over bits 24:25 (unshifted) of the guest-provided
value.  This makes case 0x3: dead, and not an implementation of the 4th
possible state.

A guest which writes (3<<24)|(ff<<16) to this register will skip the early
exit, then enter bitmap_for_each() with targets not bound by nr_vcpus.

If the guest has fewer than 8 vCPUs, bitmap_for_each() will read off the end
of d->vcpu[] and use the resulting vcpu pointer to ultimately derive irq, and
perform an out-of-bounds write.

Fix this by changing case 0x3 to default.

Fixes: 08c688ca6422 ("ARM: new VGIC: Add SGIR register handler")
Signed-off-by: Andrew Cooper
Reviewed-by: Stefano Stabellini
Reviewed-by: Volodymyr Babchuk
---
CC: Stefano Stabellini
CC: Julien Grall
CC: Volodymyr Babchuk
CC: Bertrand Marquis
CC: Michal Orzel

This vgic driver is explicitly not security supported, hence no XSA.
---
 xen/arch/arm/vgic/vgic-mmio-v2.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/arm/vgic/vgic-mmio-v2.c b/xen/arch/arm/vgic/vgic-mmio-v2.c
index 670b335db2c3..7d1391ac9b48 100644
--- a/xen/arch/arm/vgic/vgic-mmio-v2.c
+++ b/xen/arch/arm/vgic/vgic-mmio-v2.c
@@ -104,7 +104,8 @@ static void vgic_mmio_write_sgir(struct vcpu *source_vcpu,
 	case GICD_SGI_TARGET_SELF:		/* this very vCPU only */
 		targets = (1U << source_vcpu->vcpu_id);
 		break;
-	case 0x3:				/* reserved */
+
+	default:
 		return;
 	}
 
-- 
2.39.5
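Review bot: the new `default:` label drops the `/* reserved */` comment that the removed `case 0x3:` carried, so the early return now reads as a generic catch-all rather than the deliberate handling of the reserved TargetListFilter encoding; keep a short comment on the label (e.g. `default:	/* reserved encoding, 0x3 << 24 in this unshifted switch */`) so the next reader knows why the write is ignored and why the old constant never matched. Separately, the commit message identifies `targets` reaching `bitmap_for_each()` unbounded by `nr_vcpus` as the actual cause of the out-of-bounds access through `d->vcpu[]`; masking `targets` against the domain's vCPU count immediately before that loop would make the handler robust to any encoding that slips past the switch in future, and is worth a follow-up even though this fix closes the reachable path.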
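To make the mechanism in the commit message concrete, here is a constructed C model of the SGIR target-decoding switch, written for this page and not taken from Xen's vgic code. It uses its own macro names (SGIR_FILTER_LIST, SGIR_FILTER_OTHERS, SGIR_FILTER_SELF, SGIR_FILTER_MASK, SGIR_LIST_MASK), compares the unshifted filter field exactly as the commit message describes, and lets a `fixed` flag switch between the pre-patch behaviour (the reserved encoding falls out of the switch with an unbounded target list) and the post-patch `default: return`. The bounding of the TARGET_LIST path by `nr_vcpus` is an assumption of the model, as are `targets_in_bounds()` and `highest_target()`, which stand in for the bitmap walk that the commit message says indexes `d->vcpu[]`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the GICv2 GICD_SGIR write path described in the patch.
 * Field positions follow the GICv2 architecture (TargetListFilter in bits
 * 25:24, CPUTargetList in bits 23:16); the macro names are this example's own,
 * not Xen's. The switch compares the *unshifted* filter field, which is the
 * property the commit message calls out.
 */
#define SGIR_FILTER_MASK   (0x3U << 24)
#define SGIR_LIST_MASK     (0xffU << 16)
#define SGIR_FILTER_LIST   (0x0U << 24)   /* send to CPUTargetList */
#define SGIR_FILTER_OTHERS (0x1U << 24)   /* all vCPUs but the writer */
#define SGIR_FILTER_SELF   (0x2U << 24)   /* the writer only */
/* (0x3U << 24) is the reserved encoding. */

/*
 * Decode the target bitmap for a guest write of `val` from vCPU `source` in a
 * domain with `nr_vcpus` vCPUs. Returns 0 when no SGI should be sent.
 *
 * fixed == false models the pre-patch code: "case 0x3:" never matched (the
 * switch value would be 0x3 << 24), so the reserved encoding fell out of the
 * switch with `targets` still holding the raw 8-bit CPUTargetList.
 * fixed == true models the patch: any unmatched encoding returns early.
 */
static uint32_t sgir_targets(uint32_t val, unsigned source, unsigned nr_vcpus, bool fixed)
{
    uint32_t valid   = (1U << nr_vcpus) - 1;          /* bits of existing vCPUs */
    uint32_t targets = (val & SGIR_LIST_MASK) >> 16;  /* raw CPUTargetList */

    switch (val & SGIR_FILTER_MASK) {
    case SGIR_FILTER_LIST:
        targets &= valid;          /* assumed: the list path is bounded by nr_vcpus */
        break;
    case SGIR_FILTER_OTHERS:
        targets = valid & ~(1U << source);
        break;
    case SGIR_FILTER_SELF:
        targets = 1U << source;
        break;
    default:                       /* reserved TargetListFilter encoding */
        if (fixed)
            return 0;              /* patched: early exit */
        break;                     /* pre-patch: targets left unbounded */
    }
    return targets;
}

/* True when every set bit names an existing vCPU, i.e. d->vcpu[bit] is in range. */
static bool targets_in_bounds(uint32_t targets, unsigned nr_vcpus)
{
    return (targets & ~((1U << nr_vcpus) - 1)) == 0;
}

/* Highest vCPU index a bitmap walk would dereference, or -1 for an empty map. */
static int highest_target(uint32_t targets)
{
    int idx = -1;
    for (int bit = 0; bit < 8; bit++)
        if (targets & (1U << bit))
            idx = bit;
    return idx;
}

int main(void)
{
    /* The write from the commit message: filter 3, CPUTargetList 0xff, on a 2-vCPU domain. */
    const uint32_t val = (3U << 24) | (0xffU << 16);
    const unsigned nr_vcpus = 2;

    uint32_t before = sgir_targets(val, 0, nr_vcpus, false);
    uint32_t after  = sgir_targets(val, 0, nr_vcpus, true);

    printf("pre-patch : targets=0x%02x highest index=%d in bounds=%s\n",
           before, highest_target(before),
           targets_in_bounds(before, nr_vcpus) ? "yes" : "no");
    printf("post-patch: targets=0x%02x highest index=%d in bounds=%s\n",
           after, highest_target(after),
           targets_in_bounds(after, nr_vcpus) ? "yes" : "no");
    return 0;
}
```

Run as-is, the pre-patch line reports a target map of 0xff whose highest index is 7 on a domain that only has vCPUs 0 and 1, which is the out-of-range `d->vcpu[]` read the commit message describes; the post-patch line reports an empty map. The `targets_in_bounds()` check is the kind of invariant a regression test for this handler should assert for every filter encoding, not only the reserved one.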