fix(bl31): harden check in delegate_async_ea

Following hardening done around ESR_EL3 register usage
 - Panic if exception is anyting other than SError
 - AET bit is only valid if DFSC is 0x11, move DFSC check before AET.

Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
Change-Id: Ib15159920f6cad964332fd40f88943aee2bc73b4

diff --git a/bl31/aarch64/ea_delegate.S b/bl31/aarch64/ea_delegate.S
index 5e53ab4b69cb6fd008725dbab9ae3ec55fde183d..dbb32344dfe35745f05122c46718b7a855783f20 100644 (file)
--- a/bl31/aarch64/ea_delegate.S
+++ b/bl31/aarch64/ea_delegate.S
@@ -195,23 +195,30 @@ endfunc delegate_sync_ea
  */
 func delegate_async_ea
 #if RAS_EXTENSION
+       /* Check Exception Class to ensure SError, as this function should
+        * only be invoked for SError. If that is not the case, which implies
+        * either an HW error or programming error, panic.
+        */
+       ubfx    x2, x1, #ESR_EC_SHIFT, #ESR_EC_LENGTH
+       cmp     x2, EC_SERROR
+       b.ne    do_panic
        /*
         * Check for Implementation Defined Syndrome. If so, skip checking
         * Uncontainable error type from the syndrome as the format is unknown.
         */
        tbnz    x1, #SERROR_IDS_BIT, 1f
 
+       /* AET only valid when DFSC is 0x11 */
+       ubfx    x2, x1, #EABORT_DFSC_SHIFT, #EABORT_DFSC_WIDTH
+       cmp     x2, #DFSC_SERROR
+       b.ne    1f
+
        /*
         * Check for Uncontainable error type. If so, route to the platform
         * fatal error handler rather than the generic EA one.
         */
-       ubfx    x2, x1, #EABORT_AET_SHIFT, #EABORT_AET_WIDTH
-       cmp     x2, #ERROR_STATUS_UET_UC
-       b.ne    1f
-
-       /* Check DFSC for SError type */
-       ubfx    x3, x1, #EABORT_DFSC_SHIFT, #EABORT_DFSC_WIDTH
-       cmp     x3, #DFSC_SERROR
+       ubfx    x3, x1, #EABORT_AET_SHIFT, #EABORT_AET_WIDTH
+       cmp     x3, #ERROR_STATUS_UET_UC
        b.ne    1f
 
        no_ret  plat_handle_uncontainable_ea