From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xen.org>
Cc: George Dunlap <george.dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>,
Wei Liu <wei.liu2@citrix.com>, Jan Beulich <JBeulich@suse.com>
Subject: [PATCH 08/10] tools/insn-fuzz: Fix assertion failures in x86_emulate_wrapper()
Date: Mon, 27 Mar 2017 10:56:36 +0100 [thread overview]
Message-ID: <1490608598-11197-9-git-send-email-andrew.cooper3@citrix.com> (raw)
In-Reply-To: <1490608598-11197-1-git-send-email-andrew.cooper3@citrix.com>
c/s 92cf67888 "x86/emul: Hold x86_emulate() to strict X86EMUL_EXCEPTION
requirements" was appropriate for the hypervisor, but the fuzzer stubs didn't
conform to the stricter requirements. AFL is very quick to discover this.
Extend the fuzzing harness exception logic to raise exceptions appropriately.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: George Dunlap <george.dunlap@eu.citrix.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
---
tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 27 ++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index ca902f6..1906186 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -86,10 +86,15 @@ static int maybe_fail(struct x86_emulate_ctxt *ctxt,
printf("maybe_fail %s: %d\n", why, rc);
+ if ( rc == X86EMUL_EXCEPTION )
+ /* Fake up a pagefault. */
+ x86_emul_pagefault(0, 0, ctxt);
+
return rc;
}
static int data_read(struct x86_emulate_ctxt *ctxt,
+ enum x86_segment seg,
const char *why, void *dst, unsigned int bytes)
{
struct fuzz_state *s = ctxt->data;
@@ -98,7 +103,17 @@ static int data_read(struct x86_emulate_ctxt *ctxt,
int rc;
if ( s->data_index + bytes > s->data_num )
+ {
+ /*
+ * Fake up a segment limit violation. System segment limit volations
+ * are reported by X86EMUL_EXCEPTION alone, so the emulator can fill
+ * in the correct context.
+ */
+ if ( !is_x86_system_segment(seg) )
+ x86_emul_hw_exception(13, 0, ctxt);
+
rc = X86EMUL_EXCEPTION;
+ }
else
rc = maybe_fail(ctxt, why, true);
@@ -125,7 +140,7 @@ static int fuzz_read(
{
assert((unsigned int)seg < x86_seg_none);
- return data_read(ctxt, "read", p_data, bytes);
+ return data_read(ctxt, seg, "read", p_data, bytes);
}
static int fuzz_read_io(
@@ -134,7 +149,7 @@ static int fuzz_read_io(
unsigned long *val,
struct x86_emulate_ctxt *ctxt)
{
- return data_read(ctxt, "read_io", val, bytes);
+ return data_read(ctxt, x86_seg_none, "read_io", val, bytes);
}
static int fuzz_insn_fetch(
@@ -146,7 +161,7 @@ static int fuzz_insn_fetch(
{
assert(seg == x86_seg_cs);
- return data_read(ctxt, "insn_fetch", p_data, bytes);
+ return data_read(ctxt, seg, "insn_fetch", p_data, bytes);
}
static int _fuzz_rep_read(struct x86_emulate_ctxt *ctxt,
@@ -155,7 +170,7 @@ static int _fuzz_rep_read(struct x86_emulate_ctxt *ctxt,
int rc;
unsigned long bytes_read = 0;
- rc = data_read(ctxt, why, &bytes_read, sizeof(bytes_read));
+ rc = data_read(ctxt, x86_seg_none, why, &bytes_read, sizeof(bytes_read));
if ( bytes_read <= *reps )
*reps = bytes_read;
@@ -419,7 +434,7 @@ static int fuzz_read_msr(
* should preferably return consistent values, but returning
* random values is fine in fuzzer.
*/
- return data_read(ctxt, "read_msr", val, sizeof(*val));
+ return data_read(ctxt, x86_seg_none, "read_msr", val, sizeof(*val));
case MSR_EFER:
*val = c->msr[MSRI_EFER];
*val &= ~EFER_LMA;
@@ -441,6 +456,7 @@ static int fuzz_read_msr(
}
}
+ x86_emul_hw_exception(13, 0, ctxt);
return X86EMUL_EXCEPTION;
}
@@ -474,6 +490,7 @@ static int fuzz_write_msr(
}
}
+ x86_emul_hw_exception(13, 0, ctxt);
return X86EMUL_EXCEPTION;
}
--
2.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-03-27 9:56 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-27 9:56 [PATCH 00/10] x86 emulation bugfixes and fuzzer improvements Andrew Cooper
2017-03-27 9:56 ` [PATCH 01/10] x86/emul: Correct the decoding of vlddqu Andrew Cooper
2017-03-27 11:24 ` Jan Beulich
2017-03-27 12:10 ` Andrew Cooper
2017-03-27 12:30 ` Jan Beulich
2017-03-27 9:56 ` [PATCH 02/10] x86/emul: Add feature check for clzero Andrew Cooper
2017-03-27 11:25 ` Jan Beulich
2017-03-27 11:28 ` Jan Beulich
2017-03-27 12:13 ` Andrew Cooper
2017-03-27 12:31 ` Jan Beulich
2017-03-27 13:40 ` Andrew Cooper
2017-03-27 9:56 ` [PATCH 03/10] tools/insn-fuzz: Don't use memcpy() for zero-length reads Andrew Cooper
2017-03-27 11:02 ` George Dunlap
2017-03-27 11:05 ` Andrew Cooper
2017-03-27 11:32 ` Jan Beulich
2017-03-27 12:22 ` Andrew Cooper
2017-03-27 12:35 ` Jan Beulich
2017-03-27 11:36 ` Jan Beulich
2017-03-27 12:14 ` Andrew Cooper
2017-03-27 9:56 ` [PATCH 04/10] tools/insn-fuzz: Avoid making use of static data Andrew Cooper
2017-03-27 11:39 ` Jan Beulich
2017-03-27 9:56 ` [PATCH 05/10] tools/insn-fuzz: Fix a stability bug in afl-clang-fast mode Andrew Cooper
2017-03-27 11:41 ` Jan Beulich
2017-03-27 9:56 ` [PATCH 06/10] tools/insn-fuzz: Correct hook prototypes, and assert() appropriate segments Andrew Cooper
2017-03-27 11:48 ` Jan Beulich
2017-03-27 12:49 ` Andrew Cooper
2017-03-27 9:56 ` [PATCH 07/10] tools/insn-fuzz: Provide IA32_DEBUGCTL consistently to the emulator Andrew Cooper
2017-03-27 11:53 ` Jan Beulich
2017-03-27 12:53 ` Andrew Cooper
2017-03-27 9:56 ` Andrew Cooper [this message]
2017-03-27 12:01 ` [PATCH 08/10] tools/insn-fuzz: Fix assertion failures in x86_emulate_wrapper() Jan Beulich
2017-03-27 9:56 ` [PATCH 09/10] tools/x86emul: Advertise more CPUID features for testing purposes Andrew Cooper
2017-03-27 11:20 ` George Dunlap
2017-03-27 12:13 ` Jan Beulich
2017-03-27 12:56 ` George Dunlap
2017-03-27 13:03 ` Andrew Cooper
2017-03-27 13:08 ` George Dunlap
2017-03-27 13:42 ` Jan Beulich
2017-03-27 13:49 ` Andrew Cooper
2017-03-27 13:37 ` Andrew Cooper
2017-03-27 13:45 ` Jan Beulich
2017-03-27 12:09 ` Jan Beulich
2017-03-27 13:01 ` Andrew Cooper
2017-03-27 13:40 ` Jan Beulich
2017-03-27 9:56 ` [PATCH 10/10] tools/insn-fuzz: Always use x86_swint_emulate_all Andrew Cooper
2017-03-27 11:00 ` George Dunlap
2017-03-27 13:09 ` Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1490608598-11197-9-git-send-email-andrew.cooper3@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=george.dunlap@eu.citrix.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).