Xen Test Framework
XSA-122

Advisory: XSA-122

Before XSA-122, Xen would fill a fixed-size stack array with a NUL-terminated string and copy the entire array back to guest space. This leaks hypervisor stack rubble to the guest.

This PoC makes the affected hypercalls, and checks for non-zero bytes in the trailing space after the NUL terminator.

The PoC is unable to distinguish between a fixed Xen and zeroes happening to be leaked from the stack. In particular, it can incorrectly report success if it is the first vcpu to run on a "fresh" pcpu after host reboot. For added reliability, pin the PoC to a specific pcpu and run it twice.
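The following user-space model is an added example, not code from XTF or Xen. It shows the copy-out pattern described above next to a zero-first variant, and why the trailing-byte check cannot tell a fixed build from a leak of zeroes. The names `copy_out`, `trailing_nonzero`, `check`, the buffer size, the `0xA5` fill and the sample string are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 16 /* constructed size for the example, not Xen's */

/* Model of the copy-out path. 'stale' stands in for whatever the stack
 * held before the call; 'zero_first' selects the hardened variant. */
static void copy_out(char *guest, const char *str, unsigned char stale, int zero_first)
{
    char tmp[BUF_SZ];
    size_t len = strlen(str);
    if (len >= BUF_SZ)
        len = BUF_SZ - 1;
    memset(tmp, stale, sizeof(tmp));      /* simulate prior stack contents */
    if (zero_first)
        memset(tmp, 0, sizeof(tmp));      /* hardened: clear before filling */
    memcpy(tmp, str, len);
    tmp[len] = '\0';
    memcpy(guest, tmp, sizeof(tmp));      /* whole array goes to the guest */
}

/* Count non-zero bytes after the first NUL; -1 if no terminator at all. */
int trailing_nonzero(const char *buf, size_t sz)
{
    const char *nul = memchr(buf, 0, sz);
    int n = 0;
    if (!nul)
        return -1;
    for (const char *p = nul + 1; p < buf + sz; p++)
        if (*p)
            n++;
    return n;
}

/* Run one simulated call and apply the check to the guest-visible buffer. */
int check(unsigned char stale, int zero_first)
{
    char guest[BUF_SZ];
    copy_out(guest, "4.5.0", stale, zero_first); /* constructed string */
    return trailing_nonzero(guest, sizeof(guest));
}

int main(void)
{
    printf("leaky, dirty stack:  %d\n", check(0xA5, 0));
    printf("leaky, zeroed stack: %d\n", check(0x00, 0));
    printf("fixed, dirty stack:  %d\n", check(0xA5, 1));
    return 0;
}
```

The second case is the false "success" described above: the leaky path still copies the whole array, but the stale bytes happen to be zero, so the check sees nothing.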

See also
tests/xsa-122/main.c