arm: vgic: Out-of-bound access when sending SGIs

2017-06-20T11:58:00
ID XSA-225
Type xen
Reporter Xen Project
Modified 2017-06-20T11:58:00

Description

ISSUE DESCRIPTION

ARM guests can send SGIs (Software Generated Interrupts, i.e. IPIs) to a list of target vCPUs using the MMIO register GICD_SGIR (GICv2) or the System Register ICC_SGI1R (GICv3). However, the emulation code does not sanitize the list and indexes an array directly, without checking whether the array index is within bounds.
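The missing check described above, as an added illustration that is neither Xen's code nor the XSA-225 patch: a simplified C model showing the unchecked indexing pattern beside a bounds-checked one. The struct layouts, the 8-bit target list width and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define TARGET_LIST_BITS 8      /* width of the guest-supplied list in this model */

struct vcpu   { int online; unsigned int pending_sgi; };
struct domain { unsigned int max_vcpus; struct vcpu **vcpu; };  /* hypothetical layout */

/* Unchecked pattern: each set bit is used directly as an array index. */
int send_sgi_unchecked(struct domain *d, uint8_t targets, unsigned int sgi)
{
    int sent = 0;
    for (unsigned int i = 0; i < TARGET_LIST_BITS; i++) {
        if (!(targets & (1u << i)))
            continue;
        d->vcpu[i]->pending_sgi |= 1u << sgi;   /* i may be >= max_vcpus */
        sent++;
    }
    return sent;
}

/* Checked pattern: reject bad SGI numbers, skip targets outside the domain. */
int send_sgi_checked(struct domain *d, uint8_t targets, unsigned int sgi)
{
    int sent = 0;
    if (sgi > 15)                       /* SGIs are interrupt IDs 0-15 */
        return -1;
    for (unsigned int i = 0; i < TARGET_LIST_BITS; i++) {
        if (!(targets & (1u << i)))
            continue;
        if (i >= d->max_vcpus || d->vcpu[i] == NULL || !d->vcpu[i]->online)
            continue;                   /* index not backed by a usable vCPU */
        d->vcpu[i]->pending_sgi |= 1u << sgi;
        sent++;
    }
    return sent;
}

/* Constructed sample: a 2-vCPU domain, both online; returns vCPUs signalled. */
int demo_checked(uint8_t targets, unsigned int sgi)
{
    struct vcpu v0 = { 1, 0 }, v1 = { 1, 0 };
    struct vcpu *slots[2] = { &v0, &v1 };
    struct domain d = { 2, slots };
    return send_sgi_checked(&d, targets, sgi);
}

int main(void) { return demo_checked(0xFF, 1) == 2 ? 0 : 1; }
```

With a target list naming all eight positions, the checked variant signals only the two vCPUs that exist in the constructed domain and ignores the rest.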

IMPACT

A guest may cause a hypervisor crash, resulting in a Denial of Service (DoS).

VULNERABLE SYSTEMS

Xen versions 4.6 and onwards are affected. Xen versions 4.5 and earlier are not affected. Only ARM systems are affected. x86 systems are not affected.