XSA-193 PoC
authorAndrew Cooper <andrew.cooper3@citrix.com>
Tue, 25 Oct 2016 11:00:45 +0000 (12:00 +0100)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Wed, 30 Nov 2016 19:18:11 +0000 (19:18 +0000)
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
docs/all-tests.dox
tests/xsa-193/Makefile [new file with mode: 0644]
tests/xsa-193/main.c [new file with mode: 0644]

index 64c95a457b8e0c7a4c81b3c9fd979af062eb8df9..b6e586ba68e9c852cab3a306d38ec3ab96385a04 100644 (file)
@@ -68,6 +68,9 @@ XSA-190 - See @ref test-fpu-exception-emulation.
 
 @subpage test-xsa-192 - x86: Task switch to VM86 mode mis-handled.
 
+@subpage test-xsa-193 - x86: Segment base write emulation lacking canonical
+address checks.
+
 
 @section index-utility Utilities
 
diff --git a/tests/xsa-193/Makefile b/tests/xsa-193/Makefile
new file mode 100644 (file)
index 0000000..1004ba1
--- /dev/null
@@ -0,0 +1,9 @@
+include $(ROOT)/build/common.mk
+
+NAME      := xsa-193
+CATEGORY  := xsa
+TEST-ENVS := pv64
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-193/main.c b/tests/xsa-193/main.c
new file mode 100644 (file)
index 0000000..c36c7bf
--- /dev/null
@@ -0,0 +1,48 @@
+/**
+ * @file tests/xsa-193/main.c
+ * @ref test-xsa-193
+ *
+ * @page test-xsa-193 XSA-193
+ *
+ * Advisory: [XSA-193](http://xenbits.xen.org/xsa/advisory-xsa-193.html)
+ *
+ * Xen change [c42494acb2](http://xenbits.xen.org/gitweb/
+ * ?p=xen.git;a=commitdiff;h=c42494acb2f7f31e561d38f06c59a50ee4198f36)
+ * switched wrmsr_safe() for wr{f,g}sbase(), neglecting to consider that they
+ * internally may use plain wrmsr() or the `wr{f,g}sbase` instructions, both
+ * of which will suffer a @#GP fault in this case for non-canonical addresses.
+ *
+ * Check that Xen properly bounces the @#GP faults back to us, rather than
+ * dying itself.
+ *
+ * @see tests/xsa-193/main.c
+ */
+#include <xtf.h>
+
+#include <arch/x86/msr-index.h>
+
+const char test_title[] = "XSA-193 PoC";
+
+void test_main(void)
+{
+    if ( !wrmsr_safe(MSR_FS_BASE, 0x8000000000000000ull) )
+        xtf_failure("Fail: MSR_FS_BASE didn't fault for non-canonical value\n");
+
+    if ( !wrmsr_safe(MSR_GS_BASE, 0x8000000000000000ull) )
+        xtf_failure("Fail: MSR_GS_BASE didn't fault for non-canonical value\n");
+
+    if ( !wrmsr_safe(MSR_SHADOW_GS_BASE, 0x8000000000000000ull) )
+        xtf_failure("Fail: MSR_SHADOW_GS_BASE didn't fault for non-canonical value\n");
+
+    xtf_success("Success: not vulnerable to XSA-193\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
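Review bot: The closing `xtf_success("Success: not vulnerable to XSA-193\n");` in test_main() runs unconditionally, so if one of the three wrmsr_safe() checks has already reported a failure, the console will presumably still show a "not vulnerable" line after the "Fail:" line (assuming xtf_failure() returns to the caller, as the fall-through to the next check suggests). Someone triaging results by searching the log for that string could read an unexpected outcome as a pass. Either add a `return;` after each xtf_failure() call, with braces around the branch, or print the success message only when no check failed. The literal `0x8000000000000000ull` is also repeated three times; a single named constant with a comment such as `/* bit 63 set, bits 62:0 clear: not a canonical address */` would document the intent at each call site.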