docs/xtf/xsa-204_2main_8c_source.html

#include <xtf.h>


const char test_title[] = "XSA-204 PoC";

bool test_needs_fep = true;


void entry_SYSCALL_64(void);

asm(".align 8;"

    "entry_SYSCALL_64:"

    "1: and $~" STR(X86_EFLAGS_TF) ", %r11;"

    "sysretq;"

    _ASM_EXTABLE_HANDLER(1b, 1b, ex_record_fault_eax)

    );


static unsigned long __user_text user_force_syscall(void)

{

    unsigned long fault = 0;


    asm volatile ("pushf;"

                  "orl $%c[TF], (%%rsp);"

                  "popf;"

                  _ASM_XEN_FEP "syscall;"

                  : "+a" (fault)

                  : [TF] "i" (X86_EFLAGS_TF)

                  : "rcx", "r11");


    return fault;

}


void test_main(void)

{

    if ( !cpu_has_syscall )

        return xtf_skip("Skip: SYSCALL not suported\n");


    /* Enable SYSCALL/SYSRET. */

    wrmsr(MSR_EFER, rdmsr(MSR_EFER) | EFER_SCE);


    /* Lay out the GDT suitably for SYSCALL/SYSRET. */

    gdt[GDTE_AVAIL0] = gdt[__KERN_CS >> 3]; /* SYSCALL %cs/%ss selectors */

    gdt[GDTE_AVAIL1] = gdt[GDTE_DS32_DPL0];


    gdt[GDTE_AVAIL2] = gdt[GDTE_CS32_DPL3]; /* SYSRET  %cs/%ss selectors */

    gdt[GDTE_AVAIL3] = gdt[GDTE_DS32_DPL3];

    gdt[GDTE_AVAIL4] = gdt[GDTE_CS64_DPL3];


    /* Set up the MSRs. */

    wrmsr(MSR_STAR, ((((uint64_t)GDTE_AVAIL0 * 8 + 0) << 32) |

                     (((uint64_t)GDTE_AVAIL2 * 8 + 3) << 48)));

    wrmsr(MSR_LSTAR, _u(entry_SYSCALL_64));

    wrmsr(MSR_FMASK, X86_EFLAGS_TF);


    exinfo_t ex = exec_user(user_force_syscall);

    switch ( ex )

    {

    case 0:

        return xtf_success("Success: Not vulnerable to XSA-204\n");


    case EXINFO_SYM(DB, 0):

        return xtf_failure("Fail: Got #DB - vulnerable to XSA-204\n");


    default:

        return xtf_error("Error: Expected nothing, got %pe\n", _p(ex));

    }

}


/*

 * Local variables:

 * mode: C

 * c-file-style: "BSD"

 * c-basic-offset: 4

 * tab-width: 4

 * indent-tabs-mode: nil

 * End:

 */

_ASM_XEN_FEP
#define _ASM_XEN_FEP
Xen Forced Emulation Prefix.
Definition: xen.h:150

ex_record_fault_eax
bool ex_record_fault_eax(struct cpu_regs *regs, const struct extable_entry *ex)
Record the current fault in %eax.
Definition: extable.c:8

cpu_has_syscall
#define cpu_has_syscall
Definition: cpuid.h:85

__user_text
#define __user_text
Definition: compiler.h:33

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110

test_title
const char test_title[]
The title of the test.
Definition: main.c:24

gdt
user_desc gdt[NR_GDT_ENTRIES]

EXINFO_SYM
#define EXINFO_SYM(exc, ec)
Definition: exinfo.h:29

exinfo_t
unsigned int exinfo_t
Packed exception and error code information.
Definition: exinfo.h:19

_ASM_EXTABLE_HANDLER
#define _ASM_EXTABLE_HANDLER(fault, fixup, handler)
Create an exception table entry with custom handler.
Definition: extable.h:38

exec_user
static unsigned long exec_user(unsigned long(*fn)(void))
Definition: lib.h:62

STR
#define STR(x)
Stringise an expression, expanding preprocessor tokens.
Definition: macro_magic.h:17

MSR_FMASK
#define MSR_FMASK
Definition: msr-index.h:62

MSR_EFER
#define MSR_EFER
Definition: msr-index.h:49

EFER_SCE
#define EFER_SCE
Definition: msr-index.h:50

MSR_STAR
#define MSR_STAR
Definition: msr-index.h:59

MSR_LSTAR
#define MSR_LSTAR
Definition: msr-index.h:60

rdmsr
static uint64_t rdmsr(uint32_t idx)
Thin wrapper around an rdmsr instruction.
Definition: msr.h:19

wrmsr
static void wrmsr(uint32_t idx, uint64_t val)
Thin wrapper around an wrmsr instruction.
Definition: msr.h:55

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53

X86_EFLAGS_TF
#define X86_EFLAGS_TF
Definition: processor.h:13

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

xtf_skip
void xtf_skip(const char *fmt,...)
Report a test skip.
Definition: report.c:66

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

GDTE_DS32_DPL0
#define GDTE_DS32_DPL0
Definition: segment.h:29

GDTE_AVAIL0
#define GDTE_AVAIL0
Definition: segment.h:37

GDTE_AVAIL4
#define GDTE_AVAIL4
Definition: segment.h:41

GDTE_AVAIL2
#define GDTE_AVAIL2
Definition: segment.h:39

GDTE_CS32_DPL3
#define GDTE_CS32_DPL3
Definition: segment.h:31

GDTE_DS32_DPL3
#define GDTE_DS32_DPL3
Definition: segment.h:32

GDTE_AVAIL3
#define GDTE_AVAIL3
Definition: segment.h:40

GDTE_AVAIL1
#define GDTE_AVAIL1
Definition: segment.h:38

GDTE_CS64_DPL3
#define GDTE_CS64_DPL3
Definition: segment.h:30

uint64_t
__UINT64_TYPE__ uint64_t
Definition: stdint.h:17

test_needs_fep
bool test_needs_fep
Boolean indicating whether the test is entirely predicated on the available of the Force Emulation Pr...
Definition: main.c:34

entry_SYSCALL_64
void entry_SYSCALL_64(void)

user_force_syscall
static unsigned long user_force_syscall(void)
Definition: main.c:35