From: Andrew Cooper Date: Tue, 25 Oct 2016 11:00:45 +0000 (+0100) Subject: XSA-193 PoC X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=ff3582de3fce3478cd70da25caaaad7c63dcc29d;p=people%2Fandrewcoop%2Fxen-test-framework.git XSA-193 PoC Signed-off-by: Andrew Cooper --- diff --git a/docs/all-tests.dox b/docs/all-tests.dox index 64c95a4..b6e586b 100644 --- a/docs/all-tests.dox +++ b/docs/all-tests.dox @@ -68,6 +68,9 @@ XSA-190 - See @ref test-fpu-exception-emulation. @subpage test-xsa-192 - x86: Task switch to VM86 mode mis-handled. +@subpage test-xsa-193 - x86: Segment base write emulation lacking canonical +address checks. + @section index-utility Utilities diff --git a/tests/xsa-193/Makefile b/tests/xsa-193/Makefile new file mode 100644 index 0000000..1004ba1 --- /dev/null +++ b/tests/xsa-193/Makefile @@ -0,0 +1,9 @@ +include $(ROOT)/build/common.mk + +NAME := xsa-193 +CATEGORY := xsa +TEST-ENVS := pv64 + +obj-perenv += main.o + +include $(ROOT)/build/gen.mk diff --git a/tests/xsa-193/main.c b/tests/xsa-193/main.c new file mode 100644 index 0000000..c36c7bf --- /dev/null +++ b/tests/xsa-193/main.c 
@@ -0,0 +1,48 @@
+/**
+ * @file tests/xsa-193/main.c
+ * @ref test-xsa-193
+ *
+ * @page test-xsa-193 XSA-193
+ *
+ * Advisory: [XSA-193](http://xenbits.xen.org/xsa/advisory-xsa-193.html)
+ *
+ * Xen change [c42494acb2](http://xenbits.xen.org/gitweb/
+ * ?p=xen.git;a=commitdiff;h=c42494acb2f7f31e561d38f06c59a50ee4198f36)
+ * switched wrmsr_safe() for wr{f,g}sbase(), neglecting to consider that they
+ * internally may use plain wrmsr() or the `wr{f,g}sbase` instructions, both
+ * of which will suffer a @#GP fault in this case for non-canonical addresses.
+ *
+ * Check that Xen properly bounces the @#GP faults back to us, rather than
+ * dying itself.
+ *
+ * @see tests/xsa-193/main.c
+ */
+#include
+
+#include
+
+const char test_title[] = "XSA-193 PoC";
+
+void test_main(void)
+{
+ if ( !wrmsr_safe(MSR_FS_BASE, 0x8000000000000000ull) )
+ xtf_failure("Fail: MSR_FS_BASE didn't fault for non-canonical value\n");
+
+ if ( !wrmsr_safe(MSR_GS_BASE, 0x8000000000000000ull) )
+ xtf_failure("Fail: MSR_GS_BASE didn't fault for non-canonical value\n");
+
+ if ( !wrmsr_safe(MSR_SHADOW_GS_BASE, 0x8000000000000000ull) )
+ xtf_failure("Fail: MSR_SHADOW_GS_BASE didn't fault for non-canonical value\n");
+
+ xtf_success("Success: not vulnerable to XSA-193\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
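Review bot: In test_main() the closing `xtf_success("Success: not vulnerable to XSA-193\n")` is reached even after one of the three `xtf_failure()` branches has fired, so a single log can carry both a "Fail:" line and "not vulnerable"; which status wins depends on the framework's reporting code, which this hunk does not show. Ending each failing branch with a return, e.g. `{ xtf_failure("Fail: MSR_FS_BASE didn't fault for non-canonical value\n"); return; }`, keeps the verdict unambiguous. The header comment says Xen should bounce the #GP "rather than dying itself", which implies that on an unfixed hypervisor no "Fail:" line is printed at all, so it is worth stating there that a harness must count a lost host or a timeout as the vulnerable result. The value `0x8000000000000000ull` is repeated three times and would read better as one named constant with a comment that bit 63 set with bits 62:47 clear makes it non-canonical.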