docs/xtf/xsa-339_2main_8c_source.html

#include <xtf.h>


const char test_title[] = "XSA-339 PoC";


void entry_GP(void);


static unsigned long __user_text sysenter_nt(void)

{

    exinfo_t fault = 0;


    /* Use the SYSEXIT ABI.  Return %rsp in %rcx, %rip in %rdx. */

    asm volatile ("mov %%"_ASM_SP", %%"_ASM_CX";"

#ifdef __x86_64__

                  "lea 3f(%%rip), %%rdx;"

#else

                  "call 1f;"

                  "1: pop %%edx;"

                  "add $3f - 1b, %%edx;"

#endif

                  "pushf;"

                  "orl $"STR(X86_EFLAGS_NT)", (%%"_ASM_SP");"

                  "popf;"

                  "2: sysenter;"

                  "3:"

                  _ASM_EXTABLE_HANDLER(2b, 3b, %P[rec])

                  : "+a" (fault)

                  : [rec] "p" (ex_record_fault_eax)

                  : "ecx", "edx");


    return fault;

}


static void fixup_sysenter_state(struct cpu_regs *regs)

{

    regs->cs = __USER_CS;

    regs->ip = regs->dx;

    regs->eflags &= ~X86_EFLAGS_NT;

    regs->_ss = __USER_DS;

    regs->_sp = regs->cx;

}


void do_sysenter(struct cpu_regs *regs)

{

    fixup_sysenter_state(regs);

}


bool do_unhandled_exception(struct cpu_regs *regs)

{

    exinfo_t ex = EXINFO(regs->entry_vector, regs->error_code);


    /*

     * First buggy #GP, and the subject of XSA-339.  Points at the #GP handler

     * in kernel mode.

     */

    if ( ex == EXINFO_SYM(GP, 0) && regs->ip == _u(entry_GP) &&

         (regs->cs & X86_SEL_RPL_MASK) == IS_DEFINED(CONFIG_32BIT) )

    {

        regs->ax = EXINFO_AVAIL0;

        return true;

    }


    /*

     * Second buggy #GP, not a security issue.  Invoked with SYSENTER

     * semantics, so all calling state discarded.  Don't clobber EXINFO_AVAIL0

     * in the fault information if we're unwnding the XSA case.

     */

    if ( ex == EXINFO_SYM(GP, 0) && regs->ip == 0 &&

         (regs->cs & X86_SEL_RPL_MASK) == 3 )

    {

        if ( regs->ax != EXINFO_AVAIL0 )

            regs->ax = ex;


        fixup_sysenter_state(regs);

        return true;

    }


    return false;

}


void test_main(void)

{

    exinfo_t fault = exec_user(sysenter_nt);


    switch ( fault )

    {

    case EXINFO_AVAIL0:

        return xtf_failure("Fail: Vulnerable to XSA-399\n");


    case 0:

    case EXINFO_SYM(UD, 0):

    case EXINFO_SYM(GP, 0):

        return xtf_success("Success: Not vulnerable to XSA-339\n");


    default:

        return xtf_error("Unexpected fault %#x, %pe\n", fault, _p(fault));

    }

}


/*

 * Local variables:

 * mode: C

 * c-file-style: "BSD"

 * c-basic-offset: 4

 * tab-width: 4

 * indent-tabs-mode: nil

 * End:

 */

ex_record_fault_eax
bool ex_record_fault_eax(struct cpu_regs *regs, const struct extable_entry *ex)
Record the current fault in %eax.
Definition: extable.c:8

_ASM_SP
#define _ASM_SP
Definition: asm_macros.h:37

_ASM_CX
#define _ASM_CX
Definition: asm_macros.h:34

__user_text
#define __user_text
Definition: compiler.h:33

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110

test_title
const char test_title[]
The title of the test.
Definition: main.c:24

EXINFO
#define EXINFO(vec, ec)
Definition: exinfo.h:26

EXINFO_SYM
#define EXINFO_SYM(exc, ec)
Definition: exinfo.h:29

EXINFO_AVAIL0
#define EXINFO_AVAIL0
Definition: exinfo.h:24

exinfo_t
unsigned int exinfo_t
Packed exception and error code information.
Definition: exinfo.h:19

_ASM_EXTABLE_HANDLER
#define _ASM_EXTABLE_HANDLER(fault, fixup, handler)
Create an exception table entry with custom handler.
Definition: extable.h:38

exec_user
static unsigned long exec_user(unsigned long(*fn)(void))
Definition: lib.h:62

STR
#define STR(x)
Stringise an expression, expanding preprocessor tokens.
Definition: macro_magic.h:17

IS_DEFINED
#define IS_DEFINED(x)
Evalute whether the CONFIG_ token x is defined.
Definition: macro_magic.h:67

GP
#define GP

do_unhandled_exception
bool do_unhandled_exception(struct cpu_regs *regs)
May be implemented by a guest to provide custom exception handling.
Definition: main.c:93

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53

X86_SEL_RPL_MASK
#define X86_SEL_RPL_MASK
Definition: processor.h:189

X86_EFLAGS_NT
#define X86_EFLAGS_NT
Definition: processor.h:18

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

fixup_sysenter_state
static void fixup_sysenter_state(struct cpu_regs *regs)
Definition: main.c:65

sysenter_nt
static unsigned long sysenter_nt(void)
Definition: main.c:39

entry_GP
void entry_GP(void)

do_sysenter
void do_sysenter(struct cpu_regs *regs)
May be implemented by a guest to handle SYSENTER invocations.
Definition: main.c:74