Xen Test Framework

Advisory: XSA-173

This vulnerability only affects guests running with shadow paging. Xen truncated the shadowed gfn into a 32bit variable, causing issues later when the superpage is unshadowed.

This test constructs such a shadow and attempts to use it. A fixed Xen should raise a #PF indicated that reserved bits were set, while a vulnerable Xen will create the shadow and allow it to be used. Furthermore, it will crash when the domain shuts down. This test is unable to distinguish between a test misconfiguration (using hap) and a fixed shadow paging implementation, but can identify a buggy shadow paging implementation.

See also