From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xen.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>,
Wei Liu <wei.liu2@citrix.com>, Jan Beulich <JBeulich@suse.com>
Subject: [PATCH v2 for-4.9 2/7] tools/insn-fuzz: Don't hit memcpy() for zero-length reads
Date: Wed, 5 Apr 2017 18:53:28 +0100 [thread overview]
Message-ID: <1491414813-30003-3-git-send-email-andrew.cooper3@citrix.com> (raw)
In-Reply-To: <1491414813-30003-1-git-send-email-andrew.cooper3@citrix.com>
For control-flow changes, the emulator needs to perform a zero-length
instruction fetch at the target offset. It also passes NULL for the
destination buffer, as there is no instruction stream to collect.
This trips up UBSAN when passed to memcpy(), as passing NULL is undefined
behaviour per the C spec (irrespective of passing a size of 0).
Special case these fetches in fuzz_insn_fetch() before reaching data_read().
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
v2:
* Rework in terms of special casing zero-length fetches only.
---
tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index 65c5a3b..64b7fb2 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -117,6 +117,16 @@ static int fuzz_insn_fetch(
unsigned int bytes,
struct x86_emulate_ctxt *ctxt)
{
+ /*
+ * Zero-length instruction fetches are made at the destination of jumps,
+ * to perform segmentation checks. No data needs returning.
+ */
+ if ( bytes == 0 )
+ {
+ assert(p_data == NULL);
+ return maybe_fail("insn_fetch", true);
+ }
+
return data_read("insn_fetch", p_data, bytes);
}
--
2.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-04-05 17:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-05 17:53 [PATCH v2 for-4.9 0/7] x86/emul: Userspace fuzzing harness fixes Andrew Cooper
2017-04-05 17:53 ` [PATCH v2 for-4.9 1/7] MAINTAINERS: Move the x86 instruction emulator under x86 maintainership Andrew Cooper
2017-04-06 9:13 ` Wei Liu
2017-04-06 11:00 ` Ian Jackson
2017-04-05 17:53 ` Andrew Cooper [this message]
2017-04-06 9:22 ` [PATCH v2 for-4.9 2/7] tools/insn-fuzz: Don't hit memcpy() for zero-length reads Jan Beulich
2017-04-05 17:53 ` [PATCH v2 for-4.9 3/7] tools/insn-fuzz: Avoid making use of static data Andrew Cooper
2017-04-05 17:53 ` [PATCH v2 for-4.9 4/7] tools/insn-fuzz: Fix a stability bug in afl-clang-fast mode Andrew Cooper
2017-04-05 17:53 ` [PATCH v2 for-4.9 5/7] tools/insn-fuzz: Correct hook prototypes, and assert() appropriate segments Andrew Cooper
2017-04-06 9:28 ` Jan Beulich
2017-04-05 17:53 ` [PATCH v2 for-4.9 6/7] tools/insn-fuzz: Provide IA32_DEBUGCTL consistently to the emulator Andrew Cooper
2017-04-05 17:53 ` [PATCH v2 for-4.9 7/7] tools/insn-fuzz: Fix assertion failures in x86_emulate_wrapper() Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1491414813-30003-3-git-send-email-andrew.cooper3@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).