There is a Write-What-Where vulnerability exposed to the guest kernel through SMC calls, which may lead to code execution in EL2. The function psci_reg() is reachable from the smccall() handler at [1] (core/smccall.c).

At [2] (core/psci.c), the variable target_core is set to an attacker-controlled value if the call comes from a guest kernel. At [3] there is a range check, but it always passes: target_core is unsigned, and the combined check is ordered so that its second part is never evaluated here. This leads to a Write-What-Where at [4], where target_core is used to index into memory and another attacker-controlled value, a2, is written to that address.
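To make the failure mode concrete, the following is an added illustration, not the hypervisor's own code: the names NUM_CORES, core_regs, psci_reg_flawed_check, psci_reg_fixed_check, psci_reg_write and psci_reg_read are all constructed here, and the flawed check is a hypothetical shape that reproduces the property the report describes (an unsigned index whose "negative" clause can never fire, combined with && so that the real upper bound is never consulted). The fixed check shows the single unsigned comparison a reviewer would expect before the index is used.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed table size and per-core slots standing in for the memory that
 * the report says target_core indexes into. */
#define NUM_CORES 4
static uint64_t core_regs[NUM_CORES];

/* Hypothetical flawed check. target_core is unsigned (uint32_t), so the cast
 * to int64_t can never be negative; because the two clauses are joined with
 * &&, the upper-bound clause is never evaluated and every index is accepted.
 * Returns 0 (accept) or -1 (reject). */
int psci_reg_flawed_check(uint32_t target_core)
{
    if ((int64_t)target_core < 0 && target_core >= NUM_CORES)
        return -1; /* unreachable: the first clause is always false */
    return 0;
}

/* Corrected check: one unsigned comparison rejects every out-of-range value,
 * since an unsigned index cannot be below zero. */
int psci_reg_fixed_check(uint32_t target_core)
{
    if (target_core >= NUM_CORES)
        return -1;
    return 0;
}

/* Store a2 into the per-core slot only after the corrected bounds check.
 * Returns 0 on success, -1 if the index was rejected (memory untouched). */
int psci_reg_write(uint32_t target_core, uint64_t a2)
{
    if (psci_reg_fixed_check(target_core) != 0)
        return -1;
    core_regs[target_core] = a2;
    return 0;
}

/* Read back a slot; returns 0 for a rejected index so callers can observe
 * that no out-of-range write ever happened. */
uint64_t psci_reg_read(uint32_t target_core)
{
    if (psci_reg_fixed_check(target_core) != 0)
        return 0;
    return core_regs[target_core];
}
```

A unit test that feeds the maximum uint32_t value into both checks is the quickest regression guard: the flawed variant accepts it, the fixed variant rejects it, and psci_reg_write refuses to touch memory.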
Due to the ease of exploitation, the degree of privilege escalation (Guest to
EL2) and the convenience of the vulnerability, I rate this bug as critical.