docs/xtf/xsa-196_2main_8c_source.html

#include <xtf.h>


const char test_title[] = "XSA-196 PoC";


bool test_needs_fep = true;


void custom_doublefault_handler(void);

asm(".align 16;"

    "custom_doublefault_handler:"

    /* Fake up "return EXINFO_SYM(DF, 0);" */

    "mov $(1 << 31 | " STR(X86_EXC_DF) " << 16), %eax;"

    "iretq;"

    );


static const struct xtf_idte idte = {

    .addr = _u(custom_doublefault_handler),

    .cs   = __KERN_CS,

};


static unsigned long __user_text compat_userspace(void)

{

    exinfo_t fault = 0;


    asm volatile (/* Drop into a 32bit compat code segment. */

                  "push $%c[cs32];"

                  "push $1f;"

                  "lretq; 1:"


                  /* Force `int $8` through the emulator. */

                  ".code32;"

                  "start_32bit:;"

                  _ASM_XEN_FEP

                  "1: int $%c[df]; 2:"

                  _ASM_EXTABLE_HANDLER(1b, 2b, %P[rec])


                  /* Return to 64bit. */

                  "ljmpl $%c[cs], $1f;"

                  "end_32bit:;"


                  ".code64; 1:"

                  : "+a" (fault)

                  : [df]   "i" (X86_EXC_DF),

                    [cs32] "i" (__USER_CS32),

                    [cs]   "i" (__USER_CS),

                    [rec] "p" (ex_record_fault_eax));


    return fault;

}


void test_main(void)

{

    /*

     * Sanity check the preconditions for this PoC working.  These settings

     * are very common.

     */

    ASSERT(idt[X86_EXC_OF].dpl == 3);

    ASSERT(idt[X86_EXC_DF].dpl == 0);


    /* Hook the custom doublefault handler. */

    xtf_set_idte(X86_EXC_DF, &idte);


    exinfo_t fault = exec_user(compat_userspace);


    switch ( fault )

    {

    case EXINFO_SYM(GP, EXC_EC_SYM(DF, IDT)):

        xtf_success("Success: #DF DPL was checked correctly\n");

        break;


    case EXINFO_SYM(DF, 0):

        xtf_failure("Fail: Userspace managed to invoke #DF\n");

        break;


    default:

        xtf_error("Error: Unexpected fault %#x\n", fault);

        break;

    }

}


/*

 * Local variables:

 * mode: C

 * c-file-style: "BSD"

 * c-basic-offset: 4

 * tab-width: 4

 * indent-tabs-mode: nil

 * End:

 */

_ASM_XEN_FEP
#define _ASM_XEN_FEP
Xen Forced Emulation Prefix.
Definition: xen.h:150

ex_record_fault_eax
bool ex_record_fault_eax(struct cpu_regs *regs, const struct extable_entry *ex)
Record the current fault in %eax.
Definition: extable.c:8

__user_text
#define __user_text
Definition: compiler.h:33

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110

test_title
const char test_title[]
The title of the test.
Definition: main.c:24

EXINFO_SYM
#define EXINFO_SYM(exc, ec)
Definition: exinfo.h:29

exinfo_t
unsigned int exinfo_t
Packed exception and error code information.
Definition: exinfo.h:19

xtf_set_idte
int xtf_set_idte(unsigned int vector, const struct xtf_idte *idte)
Set up an IDT Entry, in a guest agnostic way.
Definition: traps.c:73

_ASM_EXTABLE_HANDLER
#define _ASM_EXTABLE_HANDLER(fault, fixup, handler)
Create an exception table entry with custom handler.
Definition: extable.h:38

ASSERT
#define ASSERT(cond)
Definition: lib.h:14

exec_user
static unsigned long exec_user(unsigned long(*fn)(void))
Definition: lib.h:62

STR
#define STR(x)
Stringise an expression, expanding preprocessor tokens.
Definition: macro_magic.h:17

GP
#define GP

_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53

X86_EXC_OF
#define X86_EXC_OF
Definition: processor.h:106

X86_EXC_DF
#define X86_EXC_DF
Definition: processor.h:110

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

xtf_idte
A guest agnostic represention of IDT information.
Definition: idt.h:27

xtf_idte::dpl
unsigned int dpl
Definition: idt.h:29

xtf_idte::cs
unsigned int cs
Definition: idt.h:29

xtf_idte::addr
unsigned long addr
Definition: idt.h:28

EXC_EC_SYM
#define EXC_EC_SYM(exc,...)
Create an exception selector based error code using mnemonics, with implicit X86_EC_IDT.
Definition: symbolic-const.h:96

test_needs_fep
bool test_needs_fep
Boolean indicating whether the test is entirely predicated on the available of the Force Emulation Pr...
Definition: main.c:34

compat_userspace
static unsigned long compat_userspace(void)
Definition: main.c:44

idte
static const struct xtf_idte idte
Definition: main.c:39

custom_doublefault_handler
void custom_doublefault_handler(void)