From: Igor Druzhinin
Date: Tue, 7 Apr 2020 20:18:56 +0000 (+0100)
Subject: XSA-316 PoC
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=a9128a19f498fae8982c27488d545c16c135f870;p=people%2Fandrewcoop%2Fxen-test-framework.git
XSA-316 PoC
Signed-off-by: Igor Druzhinin
Reviewed-by: Andrew Cooper
---
diff --git a/docs/all-tests.dox b/docs/all-tests.dox
index a725248..15eeccd 100644
--- a/docs/all-tests.dox
+++ b/docs/all-tests.dox
@@ -148,6 +148,8 @@ emulation.
 @subpage test-xsa-308 - VMX: VMentry failure with debug exceptions and blocked states.
+@subpage test-xsa-316 - Bad error path in GNTTABOP_map_grant.
+
 @section index-utility Utilities
diff --git a/tests/xsa-316/Makefile b/tests/xsa-316/Makefile
new file mode 100644
index 0000000..af983ae
--- /dev/null
+++ b/tests/xsa-316/Makefile
@@ -0,0 +1,9 @@
+include $(ROOT)/build/common.mk
+
+NAME := xsa-316
+CATEGORY := xsa
+TEST-ENVS := pv64
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-316/main.c b/tests/xsa-316/main.c
new file mode 100644
index 0000000..0f3d0ab
--- /dev/null
+++ b/tests/xsa-316/main.c
@@ -0,0 +1,71 @@
+/**
+ * @file tests/xsa-316/main.c
+ * @ref test-xsa-316
+ *
+ * @page test-xsa-316 XSA-316
+ *
+ * Advisory: [XSA-316](https://xenbits.xen.org/xsa/advisory-316.html)
+ *
+ * XSA-316 describes an issue with error handling in GNTTABOP_map_grant
+ * operation code.
+ *
+ * Grant table operations are expected to return 0 for success, and a negative
+ * number for errors. Some misplaced brackets cause one error path to return 1
+ * instead of a negative value.
+ *
+ * @see tests/xsa-316/main.c
+ */
+#include
+
+const char test_title[] = "XSA-316 PoC";
+
+static uint8_t frame[PAGE_SIZE] __page_aligned_bss;
+
+void test_main(void)
+{
+ int rc = xtf_init_grant_table(1);
+
+ if ( rc )
+ return xtf_error("Error initialising grant table: %d\n", rc);
+
+ int domid = xtf_get_domid();
+
+ if ( domid < 0 )
+ return xtf_error("Error getting domid\n");
+
+ /*
+ * Construct gref 8 to allow frame[] to be mapped by ourselves..
+ */
+ gnttab_v1[8].domid = domid;
+ gnttab_v1[8].frame = virt_to_gfn(frame);
+ smp_wmb();
+ gnttab_v1[8].flags = GTF_permit_access;
+
+ struct gnttab_map_grant_ref map = {
+ .host_addr = KB(4),
+ .flags = GNTMAP_host_map,
+ .ref = 8,
+ .dom = 0, /* .. but provide incorrect domain id to map operation. */
+ };
+
+ /*
+ * Attempt to map gref to exercise the faulty error path.
+ */
+ rc = hypercall_grant_table_op(GNTTABOP_map_grant_ref, &map, 1);
+ if ( map.status > 0 )
+ return xtf_failure("Fail: Vulnerable to XSA-316\n");
+ else if ( !rc && map.status == GNTST_general_error )
+ return xtf_success("Success: Not vulnerable to XSA-316\n");
+ else
+ return xtf_error("Error: Unexpected result: %d/%d\n", rc, map.status);
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
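Review bot: The verdict at the end of test_main() hinges on `map.status > 0`, which is only meaningful because the file header says the faulty path yields 1 rather than a GNTST_* code; a why-comment on that line, `/* A positive status means the misplaced-bracket error path fired (expected: negative GNTST_*). */`, lets a reader follow the check without scrolling up. The fixed-case branch additionally requires `!rc` while the vulnerable-case branch ignores `rc`; that asymmetry looks deliberate (a hypercall that fails outright falls through to xtf_error), but it merits a one-line comment so it is not "fixed" later. The same goes for the two bare constants: `8` (used both as `gnttab_v1[8]` and `.ref = 8`) would read better as a named constant such as `enum { TEST_GREF = 8 };`, and nothing in the hunk explains why `KB(4)` is a usable host_addr in the pv64 environment — a hedged note like `/* host_addr: assumed unused 4K VA in the pv64 layout — confirm */` would help. The `#include` line carries no header name as rendered on this page, which is presumably an artifact of the rendering rather than the commit itself.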