1 files changed, 87 insertions, 0 deletions

diff --git a/system/xen/xsa/xsa201-1.patch b/system/xen/xsa/xsa201-1.patch
new file mode 100644
index 0000000000..50983b852f
--- /dev/null
+++ b/system/xen/xsa/xsa201-1.patch
@@ -0,0 +1,87 @@
+From: Wei Chen <Wei.Chen@arm.com>
+Subject: arm64: handle guest-generated EL1 asynchronous abort
+
+In current code, when the hypervisor receives an asynchronous abort
+from a guest, the hypervisor will do panic, the host will be down.
+We have to prevent such security issue, so, in this patch we crash
+the guest, when the hypervisor receives an asynchronous abort from
+the guest.
+
+This is CVE-2016-9815, part of XSA-201.
+
+Signed-off-by: Wei Chen <Wei.Chen@arm.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Reviewed-by: Steve Capper <steve.capper@arm.com>
+Reviewed-by: Julien Grall <Julien.Grall@arm.com>
+
+--- a/xen/arch/arm/arm64/entry.S
++++ b/xen/arch/arm/arm64/entry.S
+@@ -204,9 +204,12 @@ guest_fiq_invalid:
+         entry   hyp=0, compat=0
+         invalid BAD_FIQ
+
+-guest_error_invalid:
++guest_error:
+         entry   hyp=0, compat=0
+-        invalid BAD_ERROR
++        msr     daifclr, #2
++        mov     x0, sp
++        bl      do_trap_guest_error
++        exit    hyp=0, compat=0
+
+ guest_sync_compat:
+         entry   hyp=0, compat=1
+@@ -225,9 +228,12 @@ guest_fiq_invalid_compat:
+         entry   hyp=0, compat=1
+         invalid BAD_FIQ
+
+-guest_error_invalid_compat:
++guest_error_compat:
+         entry   hyp=0, compat=1
+-        invalid BAD_ERROR
++        msr     daifclr, #2
++        mov     x0, sp
++        bl      do_trap_guest_error
++        exit    hyp=0, compat=1
+
+ ENTRY(return_to_new_vcpu32)
+         exit    hyp=0, compat=1
+@@ -286,12 +292,12 @@ ENTRY(hyp_traps_vector)
+         ventry  guest_sync                      // Synchronous 64-bit EL0/EL1
+         ventry  guest_irq                       // IRQ 64-bit EL0/EL1
+         ventry  guest_fiq_invalid               // FIQ 64-bit EL0/EL1
+-        ventry  guest_error_invalid             // Error 64-bit EL0/EL1
++        ventry  guest_error                     // Error 64-bit EL0/EL1
+
+         ventry  guest_sync_compat               // Synchronous 32-bit EL0/EL1
+         ventry  guest_irq_compat                // IRQ 32-bit EL0/EL1
+         ventry  guest_fiq_invalid_compat        // FIQ 32-bit EL0/EL1
+-        ventry  guest_error_invalid_compat      // Error 32-bit EL0/EL1
++        ventry  guest_error_compat              // Error 32-bit EL0/EL1
+
+ /*
+  * struct vcpu *__context_switch(struct vcpu *prev, struct vcpu *next)
+--- a/xen/arch/arm/traps.c
++++ b/xen/arch/arm/traps.c
+@@ -2723,6 +2723,21 @@ asmlinkage void do_trap_hypervisor(struct cpu_user_regs *regs)
+     }
+ }
+
++asmlinkage void do_trap_guest_error(struct cpu_user_regs *regs)
++{
++    enter_hypervisor_head(regs);
++
++    /*
++     * Currently, to ensure hypervisor safety, when we received a
++     * guest-generated vSerror/vAbort, we just crash the guest to protect
++     * the hypervisor. In future we can better handle this by injecting
++     * a vSerror/vAbort to the guest.
++     */
++    gdprintk(XENLOG_WARNING, "Guest(Dom-%u) will be crashed by vSError\n",
++             current->domain->domain_id);
++    domain_crash_synchronous();
++}
++
+ asmlinkage void do_trap_irq(struct cpu_user_regs *regs)
+ {
+     enter_hypervisor_head(regs);