Vigil@nce - Xen: denial of service via GICD_SGIR
February 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker in a guest system can set the GICD_SGIR register on
Xen, in order to trigger a denial of service.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 13/02/2015
DESCRIPTION OF THE VULNERABILITY
The Xen product emulates the ARM GICv2 (Generic Interrupt
Controller) component.
The GICD_SGIR.TargetListFilter register can contain 3 values:
– 0 : GICD_SGI_TARGET_LIST_VAL
– 1 : GICD_SGI_TARGET_OTHERS_VAL
– 2 : GICD_SGI_TARGET_SELF_VAL
– 3 : reserved
However, if a local attacker uses the value 3, the
vgic_v2_to_sgi() function calls the macro BUG(), which stops the
host system.
An attacker in a guest system can therefore set the GICD_SGIR
register on Xen, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Xen-denial-of-service-via-GICD-SGIR-16188