# Commit 9926e692c4afc40bcd66f8416ff6a1e93ce402f6
# Date 2024-04-09 12:49:40 +0100
# Author Bjoern Doebel <doebel@amazon.de>
# Committer Andrew Cooper <andrew.cooper3@citrix.com>
hypercall_xlat_continuation: Replace BUG_ON with domain_crash

Instead of crashing the host in case of unexpected hypercall parameters,
resort to only crashing the calling domain.

This is part of XSA-454 / CVE-2023-46842.

Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op")
Reported-by: Manuel Andreas <manuel.andreas@tum.de>
Signed-off-by: Bjoern Doebel <doebel@amazon.de>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

--- a/xen/arch/x86/hypercall.c
+++ b/xen/arch/x86/hypercall.c
@@ -198,8 +198,13 @@ int hypercall_xlat_continuation(unsigned
                 cval = va_arg(args, unsigned int);
                 if ( cval == nval )
                     mask &= ~1U;
-                else
-                    BUG_ON(nval == (unsigned int)nval);
+                else if ( nval == (unsigned int)nval )
+                {
+                    printk(XENLOG_G_ERR
+                           "multicall (op %lu) bogus continuation arg%u (%#lx)\n",
+                           mcs->call.op, i, nval);
+                    domain_crash(current->domain);
+                }
             }
             else if ( id && *id == i )
             {
@@ -211,8 +216,13 @@ int hypercall_xlat_continuation(unsigned
                 mcs->call.args[i] = cval;
                 ++rc;
             }
-            else
-                BUG_ON(mcs->call.args[i] != (unsigned int)mcs->call.args[i]);
+            else if ( mcs->call.args[i] != (unsigned int)mcs->call.args[i] )
+            {
+                printk(XENLOG_G_ERR
+                       "multicall (op %lu) bad continuation arg%u (%#lx)\n",
+                       mcs->call.op, i, mcs->call.args[i]);
+                domain_crash(current->domain);
+            }
         }
     }
     else
@@ -238,8 +248,13 @@ int hypercall_xlat_continuation(unsigned
                 cval = va_arg(args, unsigned int);
                 if ( cval == nval )
                     mask &= ~1U;
-                else
-                    BUG_ON(nval == (unsigned int)nval);
+                else if ( nval == (unsigned int)nval )
+                {
+                    printk(XENLOG_G_ERR
+                           "hypercall (op %u) bogus continuation arg%u (%#lx)\n",
+                           regs->eax, i, nval);
+                    domain_crash(current->domain);
+                }
             }
             else if ( id && *id == i )
             {
@@ -251,8 +266,13 @@ int hypercall_xlat_continuation(unsigned
                 *reg = cval;
                 ++rc;
             }
-            else
-                BUG_ON(*reg != (unsigned int)*reg);
+            else if ( *reg != (unsigned int)*reg )
+            {
+                printk(XENLOG_G_ERR
+                       "hypercall (op %u) bad continuation arg%u (%#lx)\n",
+                       regs->eax, i, *reg);
+                domain_crash(current->domain);
+            }
         }
     }