* [PATCH v2 00/12] fuzz: update x86emul fuzzer
@ 2017-01-31 11:07 Wei Liu
2017-01-31 11:07 ` [PATCH v2 01/12] fuzz: don't buffer stdout in afl stubs Wei Liu
` (11 more replies)
0 siblings, 12 replies; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:07 UTC (permalink / raw)
To: Xen-devel; +Cc: George Dunlap, Ian Jackson, Wei Liu, Jan Beulich, Andrew Cooper
The first few patches refactor x86emul code so that more code can be shared
between xen and userspace tools.
I have run XTF suite (tests subject to availability on the testbox I use, and
xsa-195 was skipped because qemu segfault -- a known issue) against this
series, no issue is found.
Wei.
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
Wei Liu (12):
fuzz: don't buffer stdout in afl stubs
x86: extract macros to x86-defns.h
x86: extract vendor numeric id to x86-vendors.h
x86emul/test: use x86-vendors.h
x86emul: use eflags definitions in x86-defns.h
x86emul: use msr definitions in msr-index.h
x86: add UMIP CR4 bit
x86emul: use CR definitions in x86-defns.h
x86emul: use TRAP definitions in x86-defns.h
fuzz/x86emul: update fuzzer
fuzz/x86emul: print out minimal input size
fuzz: update README.afl example
tools/fuzz/README.afl | 5 +-
tools/fuzz/libelf/afl-libelf-fuzzer.c | 2 +
.../afl-x86-insn-emulator-fuzzer.c | 10 +
.../x86-insn-emulator-fuzzer.c | 665 ++++++++++++++++++--
tools/tests/x86_emulator/test_x86_emulator.c | 9 -
tools/tests/x86_emulator/x86_emulate.c | 3 -
tools/tests/x86_emulator/x86_emulate.h | 9 +-
xen/arch/x86/x86_emulate/x86_emulate.c | 700 ++++++++++-----------
xen/include/asm-x86/processor.h | 105 +---
xen/include/asm-x86/x86-defns.h | 101 +++
10 files changed, 1045 insertions(+), 564 deletions(-)
create mode 100644 xen/include/asm-x86/x86-defns.h
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* [PATCH v2 01/12] fuzz: don't buffer stdout in afl stubs
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
@ 2017-01-31 11:07 ` Wei Liu
2017-01-31 12:44 ` Jan Beulich
2017-01-31 11:07 ` [PATCH v2 02/12] x86: extract macros to x86-defns.h Wei Liu
` (10 subsequent siblings)
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:07 UTC (permalink / raw)
To: Xen-devel; +Cc: George Dunlap, Ian Jackson, Wei Liu, Jan Beulich, Andrew Cooper
... to avoid obscuring output.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
---
tools/fuzz/libelf/afl-libelf-fuzzer.c | 2 ++
tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/tools/fuzz/libelf/afl-libelf-fuzzer.c b/tools/fuzz/libelf/afl-libelf-fuzzer.c
index 02cbfb0e2c..115c98e22e 100644
--- a/tools/fuzz/libelf/afl-libelf-fuzzer.c
+++ b/tools/fuzz/libelf/afl-libelf-fuzzer.c
@@ -13,6 +13,8 @@ int main(int argc, char **argv)
size_t size;
FILE *fp;
+ setbuf(stdout, NULL);
+
if ( argc != 2 )
{
printf("Expecting only one argument\n");
diff --git a/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
index b5668c11e7..494c23ba2e 100644
--- a/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
@@ -13,6 +13,8 @@ int main(int argc, char **argv)
size_t size;
FILE *fp;
+ setbuf(stdout, NULL);
+
if ( argc != 2 )
{
printf("Expecting only one argument\n");
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 02/12] x86: extract macros to x86-defns.h
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
2017-01-31 11:07 ` [PATCH v2 01/12] fuzz: don't buffer stdout in afl stubs Wei Liu
@ 2017-01-31 11:07 ` Wei Liu
2017-01-31 12:45 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 03/12] x86: extract vendor numeric id to x86-vendors.h Wei Liu
` (9 subsequent siblings)
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:07 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Jan Beulich
... so that they can be used by userspace x86 instruction emulator test
program and fuzzer as well.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
xen/include/asm-x86/processor.h | 97 +-------------------------------------
xen/include/asm-x86/x86-defns.h | 100 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 102 insertions(+), 95 deletions(-)
create mode 100644 xen/include/asm-x86/x86-defns.h
diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
index 4da9c193e0..ff0e51f3d5 100644
--- a/xen/include/asm-x86/processor.h
+++ b/xen/include/asm-x86/processor.h
@@ -16,6 +16,8 @@
#include <asm/desc.h>
#endif
+#include "x86-defns.h"
+
/*
* CPU vendor IDs
*/
@@ -25,101 +27,6 @@
#define X86_VENDOR_NUM 3
#define X86_VENDOR_UNKNOWN 0xff
-/*
- * EFLAGS bits
- */
-#define X86_EFLAGS_CF 0x00000001 /* Carry Flag */
-#define X86_EFLAGS_MBS 0x00000002 /* Resvd bit */
-#define X86_EFLAGS_PF 0x00000004 /* Parity Flag */
-#define X86_EFLAGS_AF 0x00000010 /* Auxillary carry Flag */
-#define X86_EFLAGS_ZF 0x00000040 /* Zero Flag */
-#define X86_EFLAGS_SF 0x00000080 /* Sign Flag */
-#define X86_EFLAGS_TF 0x00000100 /* Trap Flag */
-#define X86_EFLAGS_IF 0x00000200 /* Interrupt Flag */
-#define X86_EFLAGS_DF 0x00000400 /* Direction Flag */
-#define X86_EFLAGS_OF 0x00000800 /* Overflow Flag */
-#define X86_EFLAGS_IOPL 0x00003000 /* IOPL mask */
-#define X86_EFLAGS_NT 0x00004000 /* Nested Task */
-#define X86_EFLAGS_RF 0x00010000 /* Resume Flag */
-#define X86_EFLAGS_VM 0x00020000 /* Virtual Mode */
-#define X86_EFLAGS_AC 0x00040000 /* Alignment Check */
-#define X86_EFLAGS_VIF 0x00080000 /* Virtual Interrupt Flag */
-#define X86_EFLAGS_VIP 0x00100000 /* Virtual Interrupt Pending */
-#define X86_EFLAGS_ID 0x00200000 /* CPUID detection flag */
-
-#define X86_EFLAGS_ARITH_MASK \
- (X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | \
- X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF)
-
-/*
- * Intel CPU flags in CR0
- */
-#define X86_CR0_PE 0x00000001 /* Enable Protected Mode (RW) */
-#define X86_CR0_MP 0x00000002 /* Monitor Coprocessor (RW) */
-#define X86_CR0_EM 0x00000004 /* Require FPU Emulation (RO) */
-#define X86_CR0_TS 0x00000008 /* Task Switched (RW) */
-#define X86_CR0_ET 0x00000010 /* Extension type (RO) */
-#define X86_CR0_NE 0x00000020 /* Numeric Error Reporting (RW) */
-#define X86_CR0_WP 0x00010000 /* Supervisor Write Protect (RW) */
-#define X86_CR0_AM 0x00040000 /* Alignment Checking (RW) */
-#define X86_CR0_NW 0x20000000 /* Not Write-Through (RW) */
-#define X86_CR0_CD 0x40000000 /* Cache Disable (RW) */
-#define X86_CR0_PG 0x80000000 /* Paging (RW) */
-
-/*
- * Intel CPU features in CR4
- */
-#define X86_CR4_VME 0x00000001 /* enable vm86 extensions */
-#define X86_CR4_PVI 0x00000002 /* virtual interrupts flag enable */
-#define X86_CR4_TSD 0x00000004 /* disable time stamp at ipl 3 */
-#define X86_CR4_DE 0x00000008 /* enable debugging extensions */
-#define X86_CR4_PSE 0x00000010 /* enable page size extensions */
-#define X86_CR4_PAE 0x00000020 /* enable physical address extensions */
-#define X86_CR4_MCE 0x00000040 /* Machine check enable */
-#define X86_CR4_PGE 0x00000080 /* enable global pages */
-#define X86_CR4_PCE 0x00000100 /* enable performance counters at ipl 3 */
-#define X86_CR4_OSFXSR 0x00000200 /* enable fast FPU save and restore */
-#define X86_CR4_OSXMMEXCPT 0x00000400 /* enable unmasked SSE exceptions */
-#define X86_CR4_VMXE 0x00002000 /* enable VMX */
-#define X86_CR4_SMXE 0x00004000 /* enable SMX */
-#define X86_CR4_FSGSBASE 0x00010000 /* enable {rd,wr}{fs,gs}base */
-#define X86_CR4_PCIDE 0x00020000 /* enable PCID */
-#define X86_CR4_OSXSAVE 0x00040000 /* enable XSAVE/XRSTOR */
-#define X86_CR4_SMEP 0x00100000 /* enable SMEP */
-#define X86_CR4_SMAP 0x00200000 /* enable SMAP */
-#define X86_CR4_PKE 0x00400000 /* enable PKE */
-
-/*
- * Trap/fault mnemonics.
- */
-#define TRAP_divide_error 0
-#define TRAP_debug 1
-#define TRAP_nmi 2
-#define TRAP_int3 3
-#define TRAP_overflow 4
-#define TRAP_bounds 5
-#define TRAP_invalid_op 6
-#define TRAP_no_device 7
-#define TRAP_double_fault 8
-#define TRAP_copro_seg 9
-#define TRAP_invalid_tss 10
-#define TRAP_no_segment 11
-#define TRAP_stack_error 12
-#define TRAP_gp_fault 13
-#define TRAP_page_fault 14
-#define TRAP_spurious_int 15
-#define TRAP_copro_error 16
-#define TRAP_alignment_check 17
-#define TRAP_machine_check 18
-#define TRAP_simd_error 19
-#define TRAP_virtualisation 20
-#define TRAP_nr 32
-
-#define TRAP_HAVE_EC \
- ((1u << TRAP_double_fault) | (1u << TRAP_invalid_tss) | \
- (1u << TRAP_no_segment) | (1u << TRAP_stack_error) | \
- (1u << TRAP_gp_fault) | (1u << TRAP_page_fault) | \
- (1u << TRAP_alignment_check))
/* Set for entry via SYSCALL. Informs return code to use SYSRETQ not IRETQ. */
/* NB. Same as VGCF_in_syscall. No bits in common with any other TRAP_ defn. */
diff --git a/xen/include/asm-x86/x86-defns.h b/xen/include/asm-x86/x86-defns.h
new file mode 100644
index 0000000000..762938f222
--- /dev/null
+++ b/xen/include/asm-x86/x86-defns.h
@@ -0,0 +1,100 @@
+#ifndef __XEN_X86_DEFNS_H__
+#define __XEN_X86_DEFNS_H__
+
+/*
+ * EFLAGS bits
+ */
+#define X86_EFLAGS_CF 0x00000001 /* Carry Flag */
+#define X86_EFLAGS_MBS 0x00000002 /* Resvd bit */
+#define X86_EFLAGS_PF 0x00000004 /* Parity Flag */
+#define X86_EFLAGS_AF 0x00000010 /* Auxillary carry Flag */
+#define X86_EFLAGS_ZF 0x00000040 /* Zero Flag */
+#define X86_EFLAGS_SF 0x00000080 /* Sign Flag */
+#define X86_EFLAGS_TF 0x00000100 /* Trap Flag */
+#define X86_EFLAGS_IF 0x00000200 /* Interrupt Flag */
+#define X86_EFLAGS_DF 0x00000400 /* Direction Flag */
+#define X86_EFLAGS_OF 0x00000800 /* Overflow Flag */
+#define X86_EFLAGS_IOPL 0x00003000 /* IOPL mask */
+#define X86_EFLAGS_NT 0x00004000 /* Nested Task */
+#define X86_EFLAGS_RF 0x00010000 /* Resume Flag */
+#define X86_EFLAGS_VM 0x00020000 /* Virtual Mode */
+#define X86_EFLAGS_AC 0x00040000 /* Alignment Check */
+#define X86_EFLAGS_VIF 0x00080000 /* Virtual Interrupt Flag */
+#define X86_EFLAGS_VIP 0x00100000 /* Virtual Interrupt Pending */
+#define X86_EFLAGS_ID 0x00200000 /* CPUID detection flag */
+
+#define X86_EFLAGS_ARITH_MASK \
+ (X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | \
+ X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF)
+
+/*
+ * Intel CPU flags in CR0
+ */
+#define X86_CR0_PE 0x00000001 /* Enable Protected Mode (RW) */
+#define X86_CR0_MP 0x00000002 /* Monitor Coprocessor (RW) */
+#define X86_CR0_EM 0x00000004 /* Require FPU Emulation (RO) */
+#define X86_CR0_TS 0x00000008 /* Task Switched (RW) */
+#define X86_CR0_ET 0x00000010 /* Extension type (RO) */
+#define X86_CR0_NE 0x00000020 /* Numeric Error Reporting (RW) */
+#define X86_CR0_WP 0x00010000 /* Supervisor Write Protect (RW) */
+#define X86_CR0_AM 0x00040000 /* Alignment Checking (RW) */
+#define X86_CR0_NW 0x20000000 /* Not Write-Through (RW) */
+#define X86_CR0_CD 0x40000000 /* Cache Disable (RW) */
+#define X86_CR0_PG 0x80000000 /* Paging (RW) */
+
+/*
+ * Intel CPU features in CR4
+ */
+#define X86_CR4_VME 0x00000001 /* enable vm86 extensions */
+#define X86_CR4_PVI 0x00000002 /* virtual interrupts flag enable */
+#define X86_CR4_TSD 0x00000004 /* disable time stamp at ipl 3 */
+#define X86_CR4_DE 0x00000008 /* enable debugging extensions */
+#define X86_CR4_PSE 0x00000010 /* enable page size extensions */
+#define X86_CR4_PAE 0x00000020 /* enable physical address extensions */
+#define X86_CR4_MCE 0x00000040 /* Machine check enable */
+#define X86_CR4_PGE 0x00000080 /* enable global pages */
+#define X86_CR4_PCE 0x00000100 /* enable performance counters at ipl 3 */
+#define X86_CR4_OSFXSR 0x00000200 /* enable fast FPU save and restore */
+#define X86_CR4_OSXMMEXCPT 0x00000400 /* enable unmasked SSE exceptions */
+#define X86_CR4_VMXE 0x00002000 /* enable VMX */
+#define X86_CR4_SMXE 0x00004000 /* enable SMX */
+#define X86_CR4_FSGSBASE 0x00010000 /* enable {rd,wr}{fs,gs}base */
+#define X86_CR4_PCIDE 0x00020000 /* enable PCID */
+#define X86_CR4_OSXSAVE 0x00040000 /* enable XSAVE/XRSTOR */
+#define X86_CR4_SMEP 0x00100000 /* enable SMEP */
+#define X86_CR4_SMAP 0x00200000 /* enable SMAP */
+#define X86_CR4_PKE 0x00400000 /* enable PKE */
+
+/*
+ * Trap/fault mnemonics.
+ */
+#define TRAP_divide_error 0
+#define TRAP_debug 1
+#define TRAP_nmi 2
+#define TRAP_int3 3
+#define TRAP_overflow 4
+#define TRAP_bounds 5
+#define TRAP_invalid_op 6
+#define TRAP_no_device 7
+#define TRAP_double_fault 8
+#define TRAP_copro_seg 9
+#define TRAP_invalid_tss 10
+#define TRAP_no_segment 11
+#define TRAP_stack_error 12
+#define TRAP_gp_fault 13
+#define TRAP_page_fault 14
+#define TRAP_spurious_int 15
+#define TRAP_copro_error 16
+#define TRAP_alignment_check 17
+#define TRAP_machine_check 18
+#define TRAP_simd_error 19
+#define TRAP_virtualisation 20
+#define TRAP_nr 32
+
+#define TRAP_HAVE_EC \
+ ((1u << TRAP_double_fault) | (1u << TRAP_invalid_tss) | \
+ (1u << TRAP_no_segment) | (1u << TRAP_stack_error) | \
+ (1u << TRAP_gp_fault) | (1u << TRAP_page_fault) | \
+ (1u << TRAP_alignment_check))
+
+#endif /* __XEN_X86_DEFNS_H__ */
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 03/12] x86: extract vendor numeric id to x86-vendors.h
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
2017-01-31 11:07 ` [PATCH v2 01/12] fuzz: don't buffer stdout in afl stubs Wei Liu
2017-01-31 11:07 ` [PATCH v2 02/12] x86: extract macros to x86-defns.h Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 12:48 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 04/12] x86emul/test: use x86-vendors.h Wei Liu
` (8 subsequent siblings)
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Jan Beulich
They will be shared between xen and userspace programs.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
xen/include/asm-x86/processor.h | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
index ff0e51f3d5..be2ff71c72 100644
--- a/xen/include/asm-x86/processor.h
+++ b/xen/include/asm-x86/processor.h
@@ -17,15 +17,7 @@
#endif
#include "x86-defns.h"
-
-/*
- * CPU vendor IDs
- */
-#define X86_VENDOR_INTEL 0
-#define X86_VENDOR_AMD 1
-#define X86_VENDOR_CENTAUR 2
-#define X86_VENDOR_NUM 3
-#define X86_VENDOR_UNKNOWN 0xff
+#include "x86-vendors.h"
/* Set for entry via SYSCALL. Informs return code to use SYSRETQ not IRETQ. */
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 04/12] x86emul/test: use x86-vendors.h
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
` (2 preceding siblings ...)
2017-01-31 11:08 ` [PATCH v2 03/12] x86: extract vendor numeric id to x86-vendors.h Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 12:50 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 05/12] x86emul: use eflags definitions in x86-defns.h Wei Liu
` (7 subsequent siblings)
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Jan Beulich
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
tools/tests/x86_emulator/x86_emulate.h | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/tools/tests/x86_emulator/x86_emulate.h b/tools/tests/x86_emulator/x86_emulate.h
index 3a6badee46..2267602ce9 100644
--- a/tools/tests/x86_emulator/x86_emulate.h
+++ b/tools/tests/x86_emulator/x86_emulate.h
@@ -6,6 +6,8 @@
#include <string.h>
#include <xen/xen.h>
+#include "../../../xen/include/asm-x86/x86-vendors.h"
+
#define BUG() abort()
#define ASSERT assert
#define ASSERT_UNREACHABLE() assert(!__LINE__)
@@ -38,11 +40,6 @@
#define is_canonical_address(x) (((int64_t)(x) >> 47) == ((int64_t)(x) >> 63))
-/* There's no strict need for these to be in sync with processor.h. */
-#define X86_VENDOR_INTEL 0
-#define X86_VENDOR_AMD 2
-#define X86_VENDOR_UNKNOWN 0xff
-
#define MMAP_SZ 16384
bool emul_test_make_stack_executable(void);
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 05/12] x86emul: use eflags definitions in x86-defns.h
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
` (3 preceding siblings ...)
2017-01-31 11:08 ` [PATCH v2 04/12] x86emul/test: use x86-vendors.h Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 12:56 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 06/12] x86emul: use msr definitions in msr-index.h Wei Liu
` (6 subsequent siblings)
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Jan Beulich
Basically this patch does 's/EFLG_/X86_EFLAGS_/g' and with indentation
fixed up. And remove the duplicates in x86_emualte.c. This in turn
requires userspace test harness to include x86-defns.h. Also remove a
few duplicates in userspace harness program.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
tools/tests/x86_emulator/test_x86_emulator.c | 9 -
tools/tests/x86_emulator/x86_emulate.h | 1 +
xen/arch/x86/x86_emulate/x86_emulate.c | 321 +++++++++++++--------------
3 files changed, 156 insertions(+), 175 deletions(-)
diff --git a/tools/tests/x86_emulator/test_x86_emulator.c b/tools/tests/x86_emulator/test_x86_emulator.c
index 924fd36f18..27200e0283 100644
--- a/tools/tests/x86_emulator/test_x86_emulator.c
+++ b/tools/tests/x86_emulator/test_x86_emulator.c
@@ -23,15 +23,6 @@ static const struct {
#endif
};
-/* EFLAGS bit definitions. */
-#define EFLG_OF (1<<11)
-#define EFLG_DF (1<<10)
-#define EFLG_SF (1<<7)
-#define EFLG_ZF (1<<6)
-#define EFLG_AF (1<<4)
-#define EFLG_PF (1<<2)
-#define EFLG_CF (1<<0)
-
static unsigned int bytes_read;
static int read(
diff --git a/tools/tests/x86_emulator/x86_emulate.h b/tools/tests/x86_emulator/x86_emulate.h
index 2267602ce9..0046514220 100644
--- a/tools/tests/x86_emulator/x86_emulate.h
+++ b/tools/tests/x86_emulator/x86_emulate.h
@@ -6,6 +6,7 @@
#include <string.h>
#include <xen/xen.h>
+#include "../../../xen/include/asm-x86/x86-defns.h"
#include "../../../xen/include/asm-x86/x86-vendors.h"
#define BUG() abort()
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index 21dd98cebc..1d2d019cc7 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -447,26 +447,6 @@ typedef union {
#define CR4_FSGSBASE (1<<16)
#define CR4_OSXSAVE (1<<18)
-/* EFLAGS bit definitions. */
-#define EFLG_ID (1<<21)
-#define EFLG_VIP (1<<20)
-#define EFLG_VIF (1<<19)
-#define EFLG_AC (1<<18)
-#define EFLG_VM (1<<17)
-#define EFLG_RF (1<<16)
-#define EFLG_NT (1<<14)
-#define EFLG_IOPL (3<<12)
-#define EFLG_OF (1<<11)
-#define EFLG_DF (1<<10)
-#define EFLG_IF (1<<9)
-#define EFLG_TF (1<<8)
-#define EFLG_SF (1<<7)
-#define EFLG_ZF (1<<6)
-#define EFLG_AF (1<<4)
-#define EFLG_PF (1<<2)
-#define EFLG_MBS (1<<1)
-#define EFLG_CF (1<<0)
-
/* Floating point status word definitions. */
#define FSW_ES (1U << 7)
@@ -521,14 +501,16 @@ typedef union {
* These EFLAGS bits are restored from saved value during emulation, and
* any changes are written back to the saved value after emulation.
*/
-#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
+#define EFLAGS_MASK (X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_AF| \
+ X86_EFLAGS_PF|X86_EFLAGS_CF)
/*
* These EFLAGS bits are modifiable (by POPF and IRET), possibly subject
* to further CPL and IOPL constraints.
*/
-#define EFLAGS_MODIFIABLE (EFLG_ID|EFLG_AC|EFLG_RF|EFLG_NT|EFLG_IOPL| \
- EFLG_DF|EFLG_IF|EFLG_TF|EFLAGS_MASK)
+#define EFLAGS_MODIFIABLE (X86_EFLAGS_ID|X86_EFLAGS_AC|X86_EFLAGS_RF| \
+ X86_EFLAGS_NT|X86_EFLAGS_IOPL|X86_EFLAGS_DF| \
+ X86_EFLAGS_IF|X86_EFLAGS_TF|EFLAGS_MASK)
/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp) \
@@ -761,7 +743,8 @@ do { \
} while (0)
#define register_address_adjust(reg, adj) \
_register_address_increment(reg, \
- _regs._eflags & EFLG_DF ? -(adj) : (adj), \
+ _regs._eflags & X86_EFLAGS_DF ? \
+ -(adj) : (adj), \
ad_bytes)
#define sp_pre_dec(dec) ({ \
@@ -784,7 +767,7 @@ do { \
rc = ops->insn_fetch(x86_seg_cs, ip, NULL, 0, ctxt); \
if ( rc ) goto done; \
_regs.r(ip) = ip; \
- singlestep = _regs._eflags & EFLG_TF; \
+ singlestep = _regs._eflags & X86_EFLAGS_TF; \
} while (0)
#define validate_far_branch(cs, ip) ({ \
@@ -801,7 +784,7 @@ do { \
#define commit_far_branch(cs, newip) ({ \
validate_far_branch(cs, newip); \
_regs.r(ip) = (newip); \
- singlestep = _regs._eflags & EFLG_TF; \
+ singlestep = _regs._eflags & X86_EFLAGS_TF; \
ops->write_segment(x86_seg_cs, cs, ctxt); \
})
@@ -854,7 +837,7 @@ static int _get_fpu(
if ( type >= X86EMUL_FPU_ymm )
{
/* Should be unreachable if VEX decoding is working correctly. */
- ASSERT((cr0 & CR0_PE) && !(ctxt->regs->_eflags & EFLG_VM));
+ ASSERT((cr0 & CR0_PE) && !(ctxt->regs->_eflags & X86_EFLAGS_VM));
}
if ( cr0 & CR0_EM )
{
@@ -946,7 +929,8 @@ do { \
: [eflags] "+g" (_regs._eflags), \
[tmp] "=&r" (tmp_), "+m" (fic) \
: [func] "rm" (stub.func), \
- [mask] "i" (EFLG_ZF|EFLG_PF|EFLG_CF) ); \
+ [mask] "i" (X86_EFLAGS_ZF|X86_EFLAGS_PF| \
+ X86_EFLAGS_CF) ); \
put_stub(stub); \
} while (0)
@@ -988,7 +972,7 @@ static inline void put_loop_count(
} \
goto complete_insn; \
} \
- if ( max_reps > 1 && (_regs._eflags & EFLG_TF) && \
+ if ( max_reps > 1 && (_regs._eflags & X86_EFLAGS_TF) && \
!is_branch_step(ctxt, ops) ) \
max_reps = 1; \
max_reps; \
@@ -1022,7 +1006,7 @@ static void __put_rep_prefix(
/* Clip maximum repetitions so that the index register at most just wraps. */
#define truncate_ea_and_reps(ea, reps, bytes_per_rep) ({ \
unsigned long todo__, ea__ = truncate_word(ea, ad_bytes); \
- if ( !(_regs._eflags & EFLG_DF) ) \
+ if ( !(_regs._eflags & X86_EFLAGS_DF) ) \
todo__ = truncate_word(-(ea), ad_bytes) / (bytes_per_rep); \
else if ( truncate_word((ea) + (bytes_per_rep) - 1, ad_bytes) < ea__ )\
todo__ = 1; \
@@ -1143,28 +1127,28 @@ test_cc(
switch ( (condition & 15) >> 1 )
{
case 0: /* o */
- rc |= (flags & EFLG_OF);
+ rc |= (flags & X86_EFLAGS_OF);
break;
case 1: /* b/c/nae */
- rc |= (flags & EFLG_CF);
+ rc |= (flags & X86_EFLAGS_CF);
break;
case 2: /* z/e */
- rc |= (flags & EFLG_ZF);
+ rc |= (flags & X86_EFLAGS_ZF);
break;
case 3: /* be/na */
- rc |= (flags & (EFLG_CF|EFLG_ZF));
+ rc |= (flags & (X86_EFLAGS_CF|X86_EFLAGS_ZF));
break;
case 4: /* s */
- rc |= (flags & EFLG_SF);
+ rc |= (flags & X86_EFLAGS_SF);
break;
case 5: /* p/pe */
- rc |= (flags & EFLG_PF);
+ rc |= (flags & X86_EFLAGS_PF);
break;
case 7: /* le/ng */
- rc |= (flags & EFLG_ZF);
+ rc |= (flags & X86_EFLAGS_ZF);
/* fall through */
case 6: /* l/nge */
- rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
+ rc |= (!(flags & X86_EFLAGS_SF) != !(flags & X86_EFLAGS_OF));
break;
}
@@ -1179,7 +1163,7 @@ get_cpl(
{
struct segment_register reg;
- if ( ctxt->regs->_eflags & EFLG_VM )
+ if ( ctxt->regs->_eflags & X86_EFLAGS_VM )
return 3;
if ( (ops->read_segment == NULL) ||
@@ -1197,7 +1181,7 @@ _mode_iopl(
int cpl = get_cpl(ctxt, ops);
if ( cpl == -1 )
return -1;
- return cpl <= MASK_EXTR(ctxt->regs->_eflags, EFLG_IOPL);
+ return cpl <= MASK_EXTR(ctxt->regs->_eflags, X86_EFLAGS_IOPL);
}
#define mode_ring0() ({ \
@@ -1217,7 +1201,7 @@ _mode_iopl(
rc = ops->read_cr(4, &cr4, ctxt); \
if ( rc != X86EMUL_OKAY ) goto done; \
} \
- !!(cr4 & (_regs._eflags & EFLG_VM ? CR4_VME : CR4_PVI)); \
+ !!(cr4 & (_regs._eflags & X86_EFLAGS_VM ? CR4_VME : CR4_PVI)); \
})
static int ioport_access_check(
@@ -1230,7 +1214,7 @@ static int ioport_access_check(
struct segment_register tr;
int rc = X86EMUL_OKAY;
- if ( !(ctxt->regs->_eflags & EFLG_VM) && mode_iopl() )
+ if ( !(ctxt->regs->_eflags & X86_EFLAGS_VM) && mode_iopl() )
return X86EMUL_OKAY;
fail_if(ops->read_segment == NULL);
@@ -1299,7 +1283,7 @@ in_protmode(
struct x86_emulate_ctxt *ctxt,
const struct x86_emulate_ops *ops)
{
- return !(in_realmode(ctxt, ops) || (ctxt->regs->_eflags & EFLG_VM));
+ return !(in_realmode(ctxt, ops) || (ctxt->regs->_eflags & X86_EFLAGS_VM));
}
#define EAX 0
@@ -1822,8 +1806,8 @@ static int inject_swint(enum x86_swint_type type,
* a 32bit OS. Someone with many TUITs can see about reading the
* TSS Software Interrupt Redirection bitmap.
*/
- if ( (ctxt->regs->_eflags & EFLG_VM) &&
- ((ctxt->regs->_eflags & EFLG_IOPL) != EFLG_IOPL) )
+ if ( (ctxt->regs->_eflags & X86_EFLAGS_VM) &&
+ ((ctxt->regs->_eflags & X86_EFLAGS_IOPL) != X86_EFLAGS_IOPL) )
goto raise_exn;
/*
@@ -2313,7 +2297,7 @@ x86_decode(
default:
BUG(); /* Shouldn't be possible. */
case 2:
- if ( state->regs->_eflags & EFLG_VM )
+ if ( state->regs->_eflags & X86_EFLAGS_VM )
break;
/* fall through */
case 4:
@@ -2676,7 +2660,8 @@ x86_emulate(
struct x86_emulate_state state;
int rc;
uint8_t b, d;
- bool singlestep = (_regs._eflags & EFLG_TF) && !is_branch_step(ctxt, ops);
+ bool singlestep = (_regs._eflags & X86_EFLAGS_TF) &&
+ !is_branch_step(ctxt, ops);
struct operand src = { .reg = PTR_POISON };
struct operand dst = { .reg = PTR_POISON };
enum x86_swint_type swint_type;
@@ -2954,33 +2939,34 @@ x86_emulate(
uint8_t al = _regs.al;
unsigned int eflags = _regs._eflags;
- _regs._eflags &= ~(EFLG_CF|EFLG_AF|EFLG_SF|EFLG_ZF|EFLG_PF);
- if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
+ _regs._eflags &= ~(X86_EFLAGS_CF|X86_EFLAGS_AF|X86_EFLAGS_SF|
+ X86_EFLAGS_ZF|X86_EFLAGS_PF);
+ if ( ((al & 0x0f) > 9) || (eflags & X86_EFLAGS_AF) )
{
- _regs._eflags |= EFLG_AF;
- if ( b == 0x2f && (al < 6 || (eflags & EFLG_CF)) )
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_AF;
+ if ( b == 0x2f && (al < 6 || (eflags & X86_EFLAGS_CF)) )
+ _regs._eflags |= X86_EFLAGS_CF;
_regs.al += (b == 0x27) ? 6 : -6;
}
- if ( (al > 0x99) || (eflags & EFLG_CF) )
+ if ( (al > 0x99) || (eflags & X86_EFLAGS_CF) )
{
_regs.al += (b == 0x27) ? 0x60 : -0x60;
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
}
- _regs._eflags |= !_regs.al ? EFLG_ZF : 0;
- _regs._eflags |= ((int8_t)_regs.al < 0) ? EFLG_SF : 0;
- _regs._eflags |= even_parity(_regs.al) ? EFLG_PF : 0;
+ _regs._eflags |= !_regs.al ? X86_EFLAGS_ZF : 0;
+ _regs._eflags |= ((int8_t)_regs.al < 0) ? X86_EFLAGS_SF : 0;
+ _regs._eflags |= even_parity(_regs.al) ? X86_EFLAGS_PF : 0;
break;
}
case 0x37: /* aaa */
case 0x3f: /* aas */
- _regs._eflags &= ~EFLG_CF;
- if ( (_regs.al > 9) || (_regs._eflags & EFLG_AF) )
+ _regs._eflags &= ~X86_EFLAGS_CF;
+ if ( (_regs.al > 9) || (_regs._eflags & X86_EFLAGS_AF) )
{
_regs.al += (b == 0x37) ? 6 : -6;
_regs.ah += (b == 0x37) ? 1 : -1;
- _regs._eflags |= EFLG_CF | EFLG_AF;
+ _regs._eflags |= X86_EFLAGS_CF | X86_EFLAGS_AF;
}
_regs.al &= 0x0f;
break;
@@ -3086,12 +3072,12 @@ x86_emulate(
goto done;
if ( src_rpl > (dst.val & 3) )
{
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
dst.val = (dst.val & ~3) | src_rpl;
}
else
{
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
dst.type = OP_NONE;
}
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
@@ -3354,7 +3340,7 @@ x86_emulate(
goto done;
_regs.r(ip) = imm1;
- singlestep = _regs._eflags & EFLG_TF;
+ singlestep = _regs._eflags & X86_EFLAGS_TF;
break;
case 0x9b: /* wait/fwait */
@@ -3366,8 +3352,8 @@ x86_emulate(
break;
case 0x9c: /* pushf */
- if ( (_regs._eflags & EFLG_VM) &&
- MASK_EXTR(_regs._eflags, EFLG_IOPL) != 3 )
+ if ( (_regs._eflags & X86_EFLAGS_VM) &&
+ MASK_EXTR(_regs._eflags, X86_EFLAGS_IOPL) != 3 )
{
cr4 = 0;
if ( op_bytes == 2 && ops->read_cr )
@@ -3377,21 +3363,21 @@ x86_emulate(
goto done;
}
generate_exception_if(!(cr4 & CR4_VME), EXC_GP, 0);
- src.val = (_regs.flags & ~EFLG_IF) | EFLG_IOPL;
- if ( _regs._eflags & EFLG_VIF )
- src.val |= EFLG_IF;
+ src.val = (_regs.flags & ~X86_EFLAGS_IF) | X86_EFLAGS_IOPL;
+ if ( _regs._eflags & X86_EFLAGS_VIF )
+ src.val |= X86_EFLAGS_IF;
}
else
- src.val = _regs.r(flags) & ~(EFLG_VM | EFLG_RF);
+ src.val = _regs.r(flags) & ~(X86_EFLAGS_VM | X86_EFLAGS_RF);
goto push;
case 0x9d: /* popf */ {
- uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM;
+ uint32_t mask = X86_EFLAGS_VIP | X86_EFLAGS_VIF | X86_EFLAGS_VM;
cr4 = 0;
if ( !mode_ring0() )
{
- if ( _regs._eflags & EFLG_VM )
+ if ( _regs._eflags & X86_EFLAGS_VM )
{
if ( op_bytes == 2 && ops->read_cr )
{
@@ -3400,12 +3386,12 @@ x86_emulate(
goto done;
}
generate_exception_if(!(cr4 & CR4_VME) &&
- MASK_EXTR(_regs._eflags, EFLG_IOPL) != 3,
+ MASK_EXTR(_regs._eflags, X86_EFLAGS_IOPL) != 3,
EXC_GP, 0);
}
- mask |= EFLG_IOPL;
+ mask |= X86_EFLAGS_IOPL;
if ( !mode_iopl() )
- mask |= EFLG_IF;
+ mask |= X86_EFLAGS_IF;
}
/* 64-bit mode: POP defaults to a 64-bit operand. */
if ( mode_64bit() && (op_bytes == 4) )
@@ -3418,32 +3404,33 @@ x86_emulate(
dst.val = (uint16_t)dst.val | (_regs._eflags & 0xffff0000u);
if ( cr4 & CR4_VME )
{
- if ( dst.val & EFLG_IF )
+ if ( dst.val & X86_EFLAGS_IF )
{
- generate_exception_if(_regs._eflags & EFLG_VIP, EXC_GP, 0);
- dst.val |= EFLG_VIF;
+ generate_exception_if(_regs._eflags & X86_EFLAGS_VIP,
+ EXC_GP, 0);
+ dst.val |= X86_EFLAGS_VIF;
}
else
- dst.val &= ~EFLG_VIF;
- mask &= ~EFLG_VIF;
+ dst.val &= ~X86_EFLAGS_VIF;
+ mask &= ~X86_EFLAGS_VIF;
}
}
dst.val &= EFLAGS_MODIFIABLE;
_regs._eflags &= mask;
- _regs._eflags |= (dst.val & ~mask) | EFLG_MBS;
+ _regs._eflags |= (dst.val & ~mask) | X86_EFLAGS_MBS;
break;
}
case 0x9e: /* sahf */
if ( mode_64bit() )
vcpu_must_have(lahf_lm);
- *(uint8_t *)&_regs._eflags = (_regs.ah & EFLAGS_MASK) | EFLG_MBS;
+ *(uint8_t *)&_regs._eflags = (_regs.ah & EFLAGS_MASK) | X86_EFLAGS_MBS;
break;
case 0x9f: /* lahf */
if ( mode_64bit() )
vcpu_must_have(lahf_lm);
- _regs.ah = (_regs._eflags & EFLAGS_MASK) | EFLG_MBS;
+ _regs.ah = (_regs._eflags & EFLAGS_MASK) | X86_EFLAGS_MBS;
break;
case 0xa4 ... 0xa5: /* movs */ {
@@ -3487,8 +3474,8 @@ x86_emulate(
put_rep_prefix(1);
/* cmp: dst - src ==> src=*%%edi,dst=*%%esi ==> *%%esi - *%%edi */
emulate_2op_SrcV("cmp", src, dst, _regs._eflags);
- if ( (repe_prefix() && !(_regs._eflags & EFLG_ZF)) ||
- (repne_prefix() && (_regs._eflags & EFLG_ZF)) )
+ if ( (repe_prefix() && !(_regs._eflags & X86_EFLAGS_ZF)) ||
+ (repne_prefix() && (_regs._eflags & X86_EFLAGS_ZF)) )
_regs.r(ip) = next_eip;
break;
}
@@ -3537,8 +3524,8 @@ x86_emulate(
/* cmp: %%eax - *%%edi ==> src=%%eax,dst=*%%edi ==> src - dst */
dst.bytes = src.bytes;
emulate_2op_SrcV("cmp", dst, src, _regs._eflags);
- if ( (repe_prefix() && !(_regs._eflags & EFLG_ZF)) ||
- (repne_prefix() && (_regs._eflags & EFLG_ZF)) )
+ if ( (repe_prefix() && !(_regs._eflags & X86_EFLAGS_ZF)) ||
+ (repne_prefix() && (_regs._eflags & X86_EFLAGS_ZF)) )
_regs.r(ip) = next_eip;
break;
}
@@ -3683,7 +3670,7 @@ x86_emulate(
goto done;
case 0xce: /* into */
- if ( !(_regs._eflags & EFLG_OF) )
+ if ( !(_regs._eflags & X86_EFLAGS_OF) )
break;
src.val = EXC_OF;
swint_type = x86_swint_into;
@@ -3691,7 +3678,7 @@ x86_emulate(
case 0xcf: /* iret */ {
unsigned long sel, eip, eflags;
- uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM;
+ uint32_t mask = X86_EFLAGS_VIP | X86_EFLAGS_VIF | X86_EFLAGS_VM;
fail_if(!in_realmode(ctxt, ops));
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
@@ -3705,7 +3692,7 @@ x86_emulate(
eflags = (uint16_t)eflags | (_regs._eflags & 0xffff0000u);
eflags &= EFLAGS_MODIFIABLE;
_regs._eflags &= mask;
- _regs._eflags |= (eflags & ~mask) | EFLG_MBS;
+ _regs._eflags |= (eflags & ~mask) | X86_EFLAGS_MBS;
if ( (rc = load_seg(x86_seg_cs, sel, 1, &cs, ctxt, ops)) ||
(rc = commit_far_branch(&cs, (uint32_t)eip)) )
goto done;
@@ -3737,15 +3724,15 @@ x86_emulate(
generate_exception_if(!base, EXC_DE);
_regs.ax = ((al / base) << 8) | (al % base);
}
- _regs._eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
- _regs._eflags |= !_regs.al ? EFLG_ZF : 0;
- _regs._eflags |= ((int8_t)_regs.al < 0) ? EFLG_SF : 0;
- _regs._eflags |= even_parity(_regs.al) ? EFLG_PF : 0;
+ _regs._eflags &= ~(X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_PF);
+ _regs._eflags |= !_regs.al ? X86_EFLAGS_ZF : 0;
+ _regs._eflags |= ((int8_t)_regs.al < 0) ? X86_EFLAGS_SF : 0;
+ _regs._eflags |= even_parity(_regs.al) ? X86_EFLAGS_PF : 0;
break;
}
case 0xd6: /* salc */
- _regs.al = (_regs._eflags & EFLG_CF) ? 0xff : 0x00;
+ _regs.al = (_regs._eflags & X86_EFLAGS_CF) ? 0xff : 0x00;
break;
case 0xd7: /* xlat */ {
@@ -4263,7 +4250,7 @@ x86_emulate(
case 0xe0 ... 0xe2: /* loop{,z,nz} */ {
unsigned long count = get_loop_count(&_regs, ad_bytes);
- int do_jmp = !(_regs._eflags & EFLG_ZF); /* loopnz */
+ int do_jmp = !(_regs._eflags & X86_EFLAGS_ZF); /* loopnz */
if ( b == 0xe1 )
do_jmp = !do_jmp; /* loopz */
@@ -4351,7 +4338,7 @@ x86_emulate(
break;
case 0xf5: /* cmc */
- _regs._eflags ^= EFLG_CF;
+ _regs._eflags ^= X86_EFLAGS_CF;
break;
case 0xf6 ... 0xf7: /* Grp3 */
@@ -4371,21 +4358,21 @@ x86_emulate(
emulate_1op("neg", dst, _regs._eflags);
break;
case 4: /* mul */
- _regs._eflags &= ~(EFLG_OF|EFLG_CF);
+ _regs._eflags &= ~(X86_EFLAGS_OF|X86_EFLAGS_CF);
switch ( dst.bytes )
{
case 1:
dst.val = _regs.al;
dst.val *= src.val;
if ( (uint8_t)dst.val != (uint16_t)dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF|X86_EFLAGS_CF;
dst.bytes = 2;
break;
case 2:
dst.val = _regs.ax;
dst.val *= src.val;
if ( (uint16_t)dst.val != (uint32_t)dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF|X86_EFLAGS_CF;
_regs.dx = dst.val >> 16;
break;
#ifdef __x86_64__
@@ -4393,7 +4380,7 @@ x86_emulate(
dst.val = _regs._eax;
dst.val *= src.val;
if ( (uint32_t)dst.val != dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF|X86_EFLAGS_CF;
_regs.rdx = dst.val >> 32;
break;
#endif
@@ -4401,7 +4388,7 @@ x86_emulate(
u[0] = src.val;
u[1] = _regs.r(ax);
if ( mul_dbl(u) )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF|X86_EFLAGS_CF;
_regs.r(dx) = u[1];
dst.val = u[0];
break;
@@ -4409,13 +4396,13 @@ x86_emulate(
break;
case 5: /* imul */
imul:
- _regs._eflags &= ~(EFLG_OF|EFLG_CF);
+ _regs._eflags &= ~(X86_EFLAGS_OF|X86_EFLAGS_CF);
switch ( dst.bytes )
{
case 1:
dst.val = (int8_t)src.val * (int8_t)_regs.al;
if ( (int8_t)dst.val != (int16_t)dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF|X86_EFLAGS_CF;
ASSERT(b > 0x6b);
dst.bytes = 2;
break;
@@ -4423,7 +4410,7 @@ x86_emulate(
dst.val = ((uint32_t)(int16_t)src.val *
(uint32_t)(int16_t)_regs.ax);
if ( (int16_t)dst.val != (int32_t)dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF|X86_EFLAGS_CF;
if ( b > 0x6b )
_regs.dx = dst.val >> 16;
break;
@@ -4432,7 +4419,7 @@ x86_emulate(
dst.val = ((uint64_t)(int32_t)src.val *
(uint64_t)(int32_t)_regs._eax);
if ( (int32_t)dst.val != dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF|X86_EFLAGS_CF;
if ( b > 0x6b )
_regs.rdx = dst.val >> 32;
break;
@@ -4441,7 +4428,7 @@ x86_emulate(
u[0] = src.val;
u[1] = _regs.r(ax);
if ( imul_dbl(u) )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF|X86_EFLAGS_CF;
if ( b > 0x6b )
_regs.r(dx) = u[1];
dst.val = u[0];
@@ -4542,46 +4529,47 @@ x86_emulate(
break;
case 0xf8: /* clc */
- _regs._eflags &= ~EFLG_CF;
+ _regs._eflags &= ~X86_EFLAGS_CF;
break;
case 0xf9: /* stc */
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
break;
case 0xfa: /* cli */
if ( mode_iopl() )
- _regs._eflags &= ~EFLG_IF;
+ _regs._eflags &= ~X86_EFLAGS_IF;
else
{
generate_exception_if(!mode_vif(), EXC_GP, 0);
- _regs._eflags &= ~EFLG_VIF;
+ _regs._eflags &= ~X86_EFLAGS_VIF;
}
break;
case 0xfb: /* sti */
if ( mode_iopl() )
{
- if ( !(_regs._eflags & EFLG_IF) )
+ if ( !(_regs._eflags & X86_EFLAGS_IF) )
ctxt->retire.sti = true;
- _regs._eflags |= EFLG_IF;
+ _regs._eflags |= X86_EFLAGS_IF;
}
else
{
- generate_exception_if((_regs._eflags & EFLG_VIP) || !mode_vif(),
+ generate_exception_if((_regs._eflags & X86_EFLAGS_VIP) ||
+ !mode_vif(),
EXC_GP, 0);
- if ( !(_regs._eflags & EFLG_VIF) )
+ if ( !(_regs._eflags & X86_EFLAGS_VIF) )
ctxt->retire.sti = true;
- _regs._eflags |= EFLG_VIF;
+ _regs._eflags |= X86_EFLAGS_VIF;
}
break;
case 0xfc: /* cld */
- _regs._eflags &= ~EFLG_DF;
+ _regs._eflags &= ~X86_EFLAGS_DF;
break;
case 0xfd: /* std */
- _regs._eflags |= EFLG_DF;
+ _regs._eflags |= X86_EFLAGS_DF;
break;
case 0xfe: /* Grp4 */
@@ -4643,7 +4631,7 @@ x86_emulate(
goto done;
break;
case 4: /* verr / verw */
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
switch ( rc = protmode_load_seg(x86_seg_none, src.val, false,
&sreg, ctxt, ops) )
{
@@ -4651,7 +4639,7 @@ x86_emulate(
if ( sreg.attr.fields.s &&
((modrm_reg & 1) ? ((sreg.attr.fields.type & 0xa) == 0x2)
: ((sreg.attr.fields.type & 0xa) != 0x8)) )
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
case X86EMUL_EXCEPTION:
if ( ctxt->event_pending )
@@ -4681,9 +4669,9 @@ x86_emulate(
vcpu_must_have(smap);
generate_exception_if(vex.pfx || !mode_ring0(), EXC_UD);
- _regs._eflags &= ~EFLG_AC;
+ _regs._eflags &= ~X86_EFLAGS_AC;
if ( modrm == 0xcb )
- _regs._eflags |= EFLG_AC;
+ _regs._eflags |= X86_EFLAGS_AC;
goto complete_insn;
#ifdef __XEN__
@@ -4717,7 +4705,7 @@ x86_emulate(
generate_exception_if(!vcpu_has_rtm() && !vcpu_has_hle(),
EXC_UD);
/* Neither HLE nor RTM can be active when we get here. */
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
goto complete_insn;
case 0xdf: /* invlpga */
@@ -4868,7 +4856,7 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0x02): /* lar */
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
switch ( rc = protmode_load_seg(x86_seg_none, src.val, false, &sreg,
ctxt, ops) )
{
@@ -4888,12 +4876,12 @@ x86_emulate(
case 0x09: /* available 32/64-bit TSS */
case 0x0b: /* busy 32/64-bit TSS */
case 0x0c: /* 32/64-bit call gate */
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
}
}
else
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
case X86EMUL_EXCEPTION:
if ( ctxt->event_pending )
@@ -4906,7 +4894,7 @@ x86_emulate(
rc = X86EMUL_OKAY;
break;
}
- if ( _regs._eflags & EFLG_ZF )
+ if ( _regs._eflags & X86_EFLAGS_ZF )
dst.val = ((sreg.attr.bytes & 0xff) << 8) |
((sreg.limit >> (sreg.attr.fields.g ? 12 : 0)) &
0xf0000) |
@@ -4917,7 +4905,7 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0x03): /* lsl */
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
switch ( rc = protmode_load_seg(x86_seg_none, src.val, false, &sreg,
ctxt, ops) )
{
@@ -4934,12 +4922,12 @@ x86_emulate(
case 0x02: /* LDT */
case 0x09: /* available 32/64-bit TSS */
case 0x0b: /* busy 32/64-bit TSS */
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
}
}
else
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
case X86EMUL_EXCEPTION:
if ( ctxt->event_pending )
@@ -4952,7 +4940,7 @@ x86_emulate(
rc = X86EMUL_OKAY;
break;
}
- if ( _regs._eflags & EFLG_ZF )
+ if ( _regs._eflags & X86_EFLAGS_ZF )
dst.val = sreg.limit;
else
dst.type = OP_NONE;
@@ -4988,7 +4976,7 @@ x86_emulate(
cs.attr.bytes = 0xa9b; /* L+DB+P+S+Code */
_regs.rcx = _regs.rip;
- _regs.r11 = _regs._eflags & ~EFLG_RF;
+ _regs.r11 = _regs._eflags & ~X86_EFLAGS_RF;
if ( (rc = ops->read_msr(mode_64bit() ? MSR_LSTAR : MSR_CSTAR,
&msr_content, ctxt)) != 0 )
@@ -4997,7 +4985,7 @@ x86_emulate(
if ( (rc = ops->read_msr(MSR_FMASK, &msr_content, ctxt)) != 0 )
goto done;
- _regs._eflags &= ~(msr_content | EFLG_RF);
+ _regs._eflags &= ~(msr_content | X86_EFLAGS_RF);
}
else
#endif
@@ -5006,7 +4994,7 @@ x86_emulate(
_regs.r(cx) = _regs._eip;
_regs._eip = msr_content;
- _regs._eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+ _regs._eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF | X86_EFLAGS_RF);
}
fail_if(ops->write_segment == NULL);
@@ -5016,20 +5004,20 @@ x86_emulate(
/*
* SYSCALL (unlike most instructions) evaluates its singlestep action
- * based on the resulting EFLG_TF, not the starting EFLG_TF.
+ * based on the resulting X86_EFLAGS_TF, not the starting X86_EFLAGS_TF.
*
* As the #DB is raised after the CPL change and before the OS can
* switch stack, it is a large risk for privilege escalation.
*
- * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
+ * 64bit kernels should mask X86_EFLAGS_TF in MSR_FMASK to avoid any
* vulnerability. Running the #DB handler on an IST stack is also a
* mitigation.
*
- * 32bit kernels have no ability to mask EFLG_TF at all. Their only
- * mitigation is to use a task gate for handling #DB (or to not use
- * enable EFER.SCE to start with).
+ * 32bit kernels have no ability to mask X86_EFLAGS_TF at all.
+ * Their only mitigation is to use a task gate for handling
+ * #DB (or to not use enable EFER.SCE to start with).
*/
- singlestep = _regs._eflags & EFLG_TF;
+ singlestep = _regs._eflags & X86_EFLAGS_TF;
break;
}
@@ -5260,7 +5248,7 @@ x86_emulate(
if ( lm < 0 )
goto cannot_emulate;
- _regs._eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+ _regs._eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF | X86_EFLAGS_RF);
cs.sel = msr_content & ~3; /* SELECTOR_RPL_MASK */
cs.base = 0; /* flat segment */
@@ -5286,7 +5274,7 @@ x86_emulate(
goto done;
_regs.r(sp) = lm ? msr_content : (uint32_t)msr_content;
- singlestep = _regs._eflags & EFLG_TF;
+ singlestep = _regs._eflags & X86_EFLAGS_TF;
break;
}
@@ -5328,7 +5316,7 @@ x86_emulate(
_regs.r(ip) = op_bytes == 8 ? _regs.r(dx) : _regs._edx;
_regs.r(sp) = op_bytes == 8 ? _regs.r(cx) : _regs._ecx;
- singlestep = _regs._eflags & EFLG_TF;
+ singlestep = _regs._eflags & X86_EFLAGS_TF;
break;
}
@@ -5517,14 +5505,15 @@ x86_emulate(
((dst.orig_val << shift) |
((src.val >> (width - shift)) & ((1ull << shift) - 1))));
dst.val = truncate_word(dst.val, dst.bytes);
- _regs._eflags &= ~(EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_PF|EFLG_CF);
+ _regs._eflags &= ~(X86_EFLAGS_OF|X86_EFLAGS_SF|X86_EFLAGS_ZF|
+ X86_EFLAGS_PF|X86_EFLAGS_CF);
if ( (dst.val >> ((b & 8) ? (shift - 1) : (width - shift))) & 1 )
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
if ( ((dst.val ^ dst.orig_val) >> (width - 1)) & 1 )
- _regs._eflags |= EFLG_OF;
- _regs._eflags |= ((dst.val >> (width - 1)) & 1) ? EFLG_SF : 0;
- _regs._eflags |= (dst.val == 0) ? EFLG_ZF : 0;
- _regs._eflags |= even_parity(dst.val) ? EFLG_PF : 0;
+ _regs._eflags |= X86_EFLAGS_OF;
+ _regs._eflags |= ((dst.val >> (width - 1)) & 1) ? X86_EFLAGS_SF : 0;
+ _regs._eflags |= (dst.val == 0) ? X86_EFLAGS_ZF : 0;
+ _regs._eflags |= even_parity(dst.val) ? X86_EFLAGS_PF : 0;
break;
}
@@ -5624,7 +5613,7 @@ x86_emulate(
src.val = _regs.r(ax);
/* cmp: %%eax - dst ==> dst and src swapped for macro invocation */
emulate_2op_SrcV("cmp", dst, src, _regs._eflags);
- if ( _regs._eflags & EFLG_ZF )
+ if ( _regs._eflags & X86_EFLAGS_ZF )
{
/* Success: write back to memory. */
dst.val = src.orig_val;
@@ -5663,7 +5652,7 @@ x86_emulate(
asm ( "popcnt %1,%0" : "=r" (dst.val) : "rm" (src.val) );
_regs._eflags &= ~EFLAGS_MASK;
if ( !dst.val )
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
case X86EMUL_OPC(0x0f, 0xba): /* Grp8 */
@@ -5688,21 +5677,21 @@ x86_emulate(
asm ( "bsf %2,%0" ASM_FLAG_OUT(, "; setz %1")
: "=r" (dst.val), ASM_FLAG_OUT("=@ccz", "=qm") (zf)
: "rm" (src.val) );
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
if ( (vex.pfx == vex_f3) && vcpu_has_bmi1() )
{
- _regs._eflags &= ~EFLG_CF;
+ _regs._eflags &= ~X86_EFLAGS_CF;
if ( zf )
{
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
dst.val = op_bytes * 8;
}
else if ( !dst.val )
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
}
else if ( zf )
{
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
dst.type = OP_NONE;
}
break;
@@ -5715,25 +5704,25 @@ x86_emulate(
asm ( "bsr %2,%0" ASM_FLAG_OUT(, "; setz %1")
: "=r" (dst.val), ASM_FLAG_OUT("=@ccz", "=qm") (zf)
: "rm" (src.val) );
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
if ( (vex.pfx == vex_f3) && vcpu_has_lzcnt() )
{
- _regs._eflags &= ~EFLG_CF;
+ _regs._eflags &= ~X86_EFLAGS_CF;
if ( zf )
{
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
dst.val = op_bytes * 8;
}
else
{
dst.val = op_bytes * 8 - 1 - dst.val;
if ( !dst.val )
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
}
}
else if ( zf )
{
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
dst.type = OP_NONE;
}
break;
@@ -5807,7 +5796,7 @@ x86_emulate(
}
_regs._eflags &= ~EFLAGS_MASK;
if ( carry )
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
break;
#endif
@@ -5850,7 +5839,7 @@ x86_emulate(
}
_regs._eflags &= ~EFLAGS_MASK;
if ( carry )
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
break;
#endif
}
@@ -5899,7 +5888,7 @@ x86_emulate(
/* Expected != actual: store actual to rDX:rAX and clear ZF. */
_regs.r(ax) = !(rex_prefix & REX_W) ? old->u32[0] : old->u64[0];
_regs.r(dx) = !(rex_prefix & REX_W) ? old->u32[1] : old->u64[1];
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
}
else
{
@@ -5921,7 +5910,7 @@ x86_emulate(
if ( (rc = ops->cmpxchg(ea.mem.seg, ea.mem.off, old, aux,
op_bytes, ctxt)) != X86EMUL_OKAY )
goto done;
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
}
break;
}
@@ -6070,7 +6059,7 @@ x86_emulate(
case X86EMUL_OPC_66(0x0f38, 0xf6): /* adcx r/m,r */
case X86EMUL_OPC_F3(0x0f38, 0xf6): /* adox r/m,r */
{
- unsigned int mask = rep_prefix() ? EFLG_OF : EFLG_CF;
+ unsigned int mask = rep_prefix() ? X86_EFLAGS_OF : X86_EFLAGS_CF;
unsigned int aux = _regs._eflags & mask ? ~0 : 0;
bool carry;
@@ -6263,7 +6252,7 @@ x86_emulate(
rc = X86EMUL_OKAY;
}
- ctxt->regs->_eflags &= ~EFLG_RF;
+ ctxt->regs->_eflags &= ~X86_EFLAGS_RF;
done:
_put_fpu();
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 06/12] x86emul: use msr definitions in msr-index.h
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
` (4 preceding siblings ...)
2017-01-31 11:08 ` [PATCH v2 05/12] x86emul: use eflags definitions in x86-defns.h Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 12:59 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 07/12] x86: add UMIP CR4 bit Wei Liu
` (5 subsequent siblings)
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Jan Beulich
Change the names used in code according to numeric values. Remove the
now unused macros in x86_emualte.c and fix indentation. This in turns
requires including msr-index.h and removing duplicates in userspace
x86_emulate.c in userspace harness program.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
tools/tests/x86_emulator/x86_emulate.c | 3 ---
tools/tests/x86_emulator/x86_emulate.h | 1 +
xen/arch/x86/x86_emulate/x86_emulate.c | 43 ++++++++++++----------------------
3 files changed, 16 insertions(+), 31 deletions(-)
diff --git a/tools/tests/x86_emulator/x86_emulate.c b/tools/tests/x86_emulator/x86_emulate.c
index 615326259b..cda0fd8ee1 100644
--- a/tools/tests/x86_emulator/x86_emulate.c
+++ b/tools/tests/x86_emulator/x86_emulate.c
@@ -2,9 +2,6 @@
#include <sys/mman.h>
-#define EFER_SCE (1 << 0)
-#define EFER_LMA (1 << 10)
-
#define cpu_has_amd_erratum(nr) 0
#define mark_regs_dirty(r) ((void)(r))
#define cpu_has_mpx false
diff --git a/tools/tests/x86_emulator/x86_emulate.h b/tools/tests/x86_emulator/x86_emulate.h
index 0046514220..b64c09968f 100644
--- a/tools/tests/x86_emulator/x86_emulate.h
+++ b/tools/tests/x86_emulator/x86_emulate.h
@@ -8,6 +8,7 @@
#include "../../../xen/include/asm-x86/x86-defns.h"
#include "../../../xen/include/asm-x86/x86-vendors.h"
+#include "../../../xen/include/asm-x86/msr-index.h"
#define BUG() abort()
#define ASSERT assert
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index 1d2d019cc7..695e450141 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -415,23 +415,6 @@ typedef union {
# define ASM_FLAG_OUT(yes, no) no
#endif
-/* MSRs. */
-#define MSR_TSC 0x00000010
-#define MSR_SYSENTER_CS 0x00000174
-#define MSR_SYSENTER_ESP 0x00000175
-#define MSR_SYSENTER_EIP 0x00000176
-#define MSR_DEBUGCTL 0x000001d9
-#define DEBUGCTL_BTF (1 << 1)
-#define MSR_BNDCFGS 0x00000d90
-#define BNDCFG_ENABLE (1 << 0)
-#define BNDCFG_PRESERVE (1 << 1)
-#define MSR_EFER 0xc0000080
-#define MSR_STAR 0xc0000081
-#define MSR_LSTAR 0xc0000082
-#define MSR_CSTAR 0xc0000083
-#define MSR_FMASK 0xc0000084
-#define MSR_TSC_AUX 0xc0000103
-
/* Control register flags. */
#define CR0_PE (1<<0)
#define CR0_MP (1<<1)
@@ -1731,8 +1714,8 @@ static bool is_branch_step(struct x86_emulate_ctxt *ctxt,
uint64_t debugctl;
return ops->read_msr &&
- ops->read_msr(MSR_DEBUGCTL, &debugctl, ctxt) == X86EMUL_OKAY &&
- (debugctl & DEBUGCTL_BTF);
+ ops->read_msr(MSR_IA32_DEBUGCTLMSR, &debugctl, ctxt) == X86EMUL_OKAY &&
+ (debugctl & IA32_DEBUGCTLMSR_BTF);
}
static bool umip_active(struct x86_emulate_ctxt *ctxt,
@@ -1894,9 +1877,9 @@ static void adjust_bnd(struct x86_emulate_ctxt *ctxt,
if ( !mode_ring0() )
bndcfg = read_bndcfgu();
else if ( !ops->read_msr ||
- ops->read_msr(MSR_BNDCFGS, &bndcfg, ctxt) != X86EMUL_OKAY )
+ ops->read_msr(MSR_IA32_BNDCFGS, &bndcfg, ctxt) != X86EMUL_OKAY )
return;
- if ( (bndcfg & BNDCFG_ENABLE) && !(bndcfg & BNDCFG_PRESERVE) )
+ if ( (bndcfg & IA32_BNDCFGS_ENABLE) && !(bndcfg & IA32_BNDCFGS_PRESERVE) )
{
/*
* Using BNDMK or any other MPX instruction here is pointless, as
@@ -4983,7 +4966,7 @@ x86_emulate(
goto done;
_regs.rip = msr_content;
- if ( (rc = ops->read_msr(MSR_FMASK, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_SYSCALL_MASK, &msr_content, ctxt)) != 0 )
goto done;
_regs._eflags &= ~(msr_content | X86_EFLAGS_RF);
}
@@ -5009,7 +4992,7 @@ x86_emulate(
* As the #DB is raised after the CPL change and before the OS can
* switch stack, it is a large risk for privilege escalation.
*
- * 64bit kernels should mask X86_EFLAGS_TF in MSR_FMASK to avoid any
+ * 64bit kernels should mask X86_EFLAGS_TF in MSR_SYSCALL_MASK to avoid any
* vulnerability. Running the #DB handler on an IST stack is also a
* mitigation.
*
@@ -5207,7 +5190,7 @@ x86_emulate(
generate_exception_if(cr4 & CR4_TSD, EXC_GP, 0);
}
fail_if(ops->read_msr == NULL);
- if ( (rc = ops->read_msr(MSR_TSC, &val, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_TSC, &val, ctxt)) != 0 )
goto done;
_regs.r(dx) = val >> 32;
_regs.r(ax) = (uint32_t)val;
@@ -5240,7 +5223,8 @@ x86_emulate(
generate_exception_if(!in_protmode(ctxt, ops), EXC_GP, 0);
fail_if(ops->read_msr == NULL);
- if ( (rc = ops->read_msr(MSR_SYSENTER_CS, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_CS, &msr_content, ctxt))
+ != 0 )
goto done;
generate_exception_if(!(msr_content & 0xfffc), EXC_GP, 0);
@@ -5266,11 +5250,13 @@ x86_emulate(
(rc = ops->write_segment(x86_seg_ss, &sreg, ctxt)) != 0 )
goto done;
- if ( (rc = ops->read_msr(MSR_SYSENTER_EIP, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_EIP, &msr_content, ctxt))
+ != 0 )
goto done;
_regs.r(ip) = lm ? msr_content : (uint32_t)msr_content;
- if ( (rc = ops->read_msr(MSR_SYSENTER_ESP, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_ESP, &msr_content, ctxt))
+ != 0 )
goto done;
_regs.r(sp) = lm ? msr_content : (uint32_t)msr_content;
@@ -5287,7 +5273,8 @@ x86_emulate(
generate_exception_if(!in_protmode(ctxt, ops), EXC_GP, 0);
fail_if(ops->read_msr == NULL);
- if ( (rc = ops->read_msr(MSR_SYSENTER_CS, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_CS, &msr_content, ctxt))
+ != 0 )
goto done;
generate_exception_if(!(msr_content & 0xfffc), EXC_GP, 0);
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 07/12] x86: add UMIP CR4 bit
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
` (5 preceding siblings ...)
2017-01-31 11:08 ` [PATCH v2 06/12] x86emul: use msr definitions in msr-index.h Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 13:00 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 08/12] x86emul: use CR definitions in x86-defns.h Wei Liu
` (4 subsequent siblings)
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Jan Beulich
It will be used later to remove duplicates in x86emul.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
xen/include/asm-x86/x86-defns.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/xen/include/asm-x86/x86-defns.h b/xen/include/asm-x86/x86-defns.h
index 762938f222..a530807866 100644
--- a/xen/include/asm-x86/x86-defns.h
+++ b/xen/include/asm-x86/x86-defns.h
@@ -56,6 +56,7 @@
#define X86_CR4_PCE 0x00000100 /* enable performance counters at ipl 3 */
#define X86_CR4_OSFXSR 0x00000200 /* enable fast FPU save and restore */
#define X86_CR4_OSXMMEXCPT 0x00000400 /* enable unmasked SSE exceptions */
+#define X86_CR4_UMIP 0x00000800 /* enable UMIP */
#define X86_CR4_VMXE 0x00002000 /* enable VMX */
#define X86_CR4_SMXE 0x00004000 /* enable SMX */
#define X86_CR4_FSGSBASE 0x00010000 /* enable {rd,wr}{fs,gs}base */
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 08/12] x86emul: use CR definitions in x86-defns.h
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
` (6 preceding siblings ...)
2017-01-31 11:08 ` [PATCH v2 07/12] x86: add UMIP CR4 bit Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 13:01 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 09/12] x86emul: use TRAP " Wei Liu
` (3 subsequent siblings)
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Jan Beulich
And remove the duplicates.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
xen/arch/x86/x86_emulate/x86_emulate.c | 45 ++++++++++++----------------------
1 file changed, 15 insertions(+), 30 deletions(-)
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index 695e450141..d09b861622 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -415,21 +415,6 @@ typedef union {
# define ASM_FLAG_OUT(yes, no) no
#endif
-/* Control register flags. */
-#define CR0_PE (1<<0)
-#define CR0_MP (1<<1)
-#define CR0_EM (1<<2)
-#define CR0_TS (1<<3)
-
-#define CR4_VME (1<<0)
-#define CR4_PVI (1<<1)
-#define CR4_TSD (1<<2)
-#define CR4_OSFXSR (1<<9)
-#define CR4_OSXMMEXCPT (1<<10)
-#define CR4_UMIP (1<<11)
-#define CR4_FSGSBASE (1<<16)
-#define CR4_OSXSAVE (1<<18)
-
/* Floating point status word definitions. */
#define FSW_ES (1U << 7)
@@ -810,7 +795,7 @@ static int _get_fpu(
if ( rc != X86EMUL_OKAY )
return rc;
generate_exception_if(!(cr4 & ((type == X86EMUL_FPU_xmm)
- ? CR4_OSFXSR : CR4_OSXSAVE)),
+ ? X86_CR4_OSFXSR : X86_CR4_OSXSAVE)),
EXC_UD);
}
@@ -820,16 +805,16 @@ static int _get_fpu(
if ( type >= X86EMUL_FPU_ymm )
{
/* Should be unreachable if VEX decoding is working correctly. */
- ASSERT((cr0 & CR0_PE) && !(ctxt->regs->_eflags & X86_EFLAGS_VM));
+ ASSERT((cr0 & X86_CR0_PE) && !(ctxt->regs->_eflags & X86_EFLAGS_VM));
}
- if ( cr0 & CR0_EM )
+ if ( cr0 & X86_CR0_EM )
{
generate_exception_if(type == X86EMUL_FPU_fpu, EXC_NM);
generate_exception_if(type == X86EMUL_FPU_mmx, EXC_UD);
generate_exception_if(type == X86EMUL_FPU_xmm, EXC_UD);
}
- generate_exception_if((cr0 & CR0_TS) &&
- (type != X86EMUL_FPU_wait || (cr0 & CR0_MP)),
+ generate_exception_if((cr0 & X86_CR0_TS) &&
+ (type != X86EMUL_FPU_wait || (cr0 & X86_CR0_MP)),
EXC_NM);
}
@@ -852,7 +837,7 @@ do { \
_put_fpu(); \
if ( (_fic)->exn_raised == EXC_XM && ops->read_cr && \
ops->read_cr(4, &cr4, ctxt) == X86EMUL_OKAY && \
- !(cr4 & CR4_OSXMMEXCPT) ) \
+ !(cr4 & X86_CR4_OSXMMEXCPT) ) \
(_fic)->exn_raised = EXC_UD; \
generate_exception_if((_fic)->exn_raised >= 0, \
(_fic)->exn_raised); \
@@ -1184,7 +1169,7 @@ _mode_iopl(
rc = ops->read_cr(4, &cr4, ctxt); \
if ( rc != X86EMUL_OKAY ) goto done; \
} \
- !!(cr4 & (_regs._eflags & X86_EFLAGS_VM ? CR4_VME : CR4_PVI)); \
+ !!(cr4 & (_regs._eflags & X86_EFLAGS_VM ? X86_CR4_VME : X86_CR4_PVI)); \
})
static int ioport_access_check(
@@ -1258,7 +1243,7 @@ in_realmode(
return 0;
rc = ops->read_cr(0, &cr0, ctxt);
- return (!rc && !(cr0 & CR0_PE));
+ return (!rc && !(cr0 & X86_CR0_PE));
}
static bool
@@ -1726,7 +1711,7 @@ static bool umip_active(struct x86_emulate_ctxt *ctxt,
/* Intentionally not using mode_ring0() here to avoid its fail_if(). */
return get_cpl(ctxt, ops) > 0 &&
ops->read_cr && ops->read_cr(4, &cr4, ctxt) == X86EMUL_OKAY &&
- (cr4 & CR4_UMIP);
+ (cr4 & X86_CR4_UMIP);
}
/* Inject a software interrupt/exception, emulating if needed. */
@@ -3345,7 +3330,7 @@ x86_emulate(
if ( rc != X86EMUL_OKAY )
goto done;
}
- generate_exception_if(!(cr4 & CR4_VME), EXC_GP, 0);
+ generate_exception_if(!(cr4 & X86_CR4_VME), EXC_GP, 0);
src.val = (_regs.flags & ~X86_EFLAGS_IF) | X86_EFLAGS_IOPL;
if ( _regs._eflags & X86_EFLAGS_VIF )
src.val |= X86_EFLAGS_IF;
@@ -3368,7 +3353,7 @@ x86_emulate(
if ( rc != X86EMUL_OKAY )
goto done;
}
- generate_exception_if(!(cr4 & CR4_VME) &&
+ generate_exception_if(!(cr4 & X86_CR4_VME) &&
MASK_EXTR(_regs._eflags, X86_EFLAGS_IOPL) != 3,
EXC_GP, 0);
}
@@ -3385,7 +3370,7 @@ x86_emulate(
if ( op_bytes == 2 )
{
dst.val = (uint16_t)dst.val | (_regs._eflags & 0xffff0000u);
- if ( cr4 & CR4_VME )
+ if ( cr4 & X86_CR4_VME )
{
if ( dst.val & X86_EFLAGS_IF )
{
@@ -5009,7 +4994,7 @@ x86_emulate(
generate_exception_if(!mode_ring0(), EXC_GP, 0);
fail_if((ops->read_cr == NULL) || (ops->write_cr == NULL));
if ( (rc = ops->read_cr(0, &dst.val, ctxt)) != X86EMUL_OKAY ||
- (rc = ops->write_cr(0, dst.val & ~CR0_TS, ctxt)) != X86EMUL_OKAY )
+ (rc = ops->write_cr(0, dst.val & ~X86_CR0_TS, ctxt)) != X86EMUL_OKAY )
goto done;
break;
@@ -5187,7 +5172,7 @@ x86_emulate(
fail_if(ops->read_cr == NULL);
if ( (rc = ops->read_cr(4, &cr4, ctxt)) )
goto done;
- generate_exception_if(cr4 & CR4_TSD, EXC_GP, 0);
+ generate_exception_if(cr4 & X86_CR4_TSD, EXC_GP, 0);
}
fail_if(ops->read_msr == NULL);
if ( (rc = ops->read_msr(MSR_IA32_TSC, &val, ctxt)) != 0 )
@@ -5560,7 +5545,7 @@ x86_emulate(
fail_if(!ops->read_cr);
if ( (rc = ops->read_cr(4, &cr4, ctxt)) != X86EMUL_OKAY )
goto done;
- generate_exception_if(!(cr4 & CR4_FSGSBASE), EXC_UD);
+ generate_exception_if(!(cr4 & X86_CR4_FSGSBASE), EXC_UD);
seg = modrm_reg & 1 ? x86_seg_gs : x86_seg_fs;
fail_if(!ops->read_segment);
if ( (rc = ops->read_segment(seg, &sreg, ctxt)) != X86EMUL_OKAY )
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 09/12] x86emul: use TRAP definitions in x86-defns.h
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
` (7 preceding siblings ...)
2017-01-31 11:08 ` [PATCH v2 08/12] x86emul: use CR definitions in x86-defns.h Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 11:26 ` Andrew Cooper
2017-01-31 11:08 ` [PATCH v2 10/12] fuzz/x86emul: update fuzzer Wei Liu
` (2 subsequent siblings)
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Jan Beulich
And remove duplicates.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
xen/arch/x86/x86_emulate/x86_emulate.c | 305 +++++++++++++++------------------
1 file changed, 142 insertions(+), 163 deletions(-)
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index d09b861622..ac86de7b5f 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -421,27 +421,6 @@ typedef union {
/* MXCSR bit definitions. */
#define MXCSR_MM (1U << 17)
-/* Exception definitions. */
-#define EXC_DE 0
-#define EXC_DB 1
-#define EXC_BP 3
-#define EXC_OF 4
-#define EXC_BR 5
-#define EXC_UD 6
-#define EXC_NM 7
-#define EXC_DF 8
-#define EXC_TS 10
-#define EXC_NP 11
-#define EXC_SS 12
-#define EXC_GP 13
-#define EXC_PF 14
-#define EXC_MF 16
-#define EXC_AC 17
-#define EXC_XM 19
-
-#define EXC_HAS_EC \
- ((1u << EXC_DF) | (1u << EXC_TS) | (1u << EXC_NP) | \
- (1u << EXC_SS) | (1u << EXC_GP) | (1u << EXC_PF) | (1u << EXC_AC))
/* Segment selector error code bits. */
#define ECODE_EXT (1 << 0)
@@ -642,7 +621,7 @@ do{ asm volatile ( \
state->ip += (_size); /* real hardware doesn't truncate */ \
generate_exception_if((uint8_t)(state->ip - \
ctxt->regs->r(ip)) > MAX_INST_LEN, \
- EXC_GP, 0); \
+ TRAP_gp_fault, 0); \
rc = ops->insn_fetch(x86_seg_cs, _ip, &_x, (_size), ctxt); \
if ( rc ) goto done; \
_x; \
@@ -671,7 +650,7 @@ do { \
static inline int mkec(uint8_t e, int32_t ec, ...)
{
- return (e < 32 && ((1u << e) & EXC_HAS_EC)) ? ec : X86_EVENT_NO_EC;
+ return (e < 32 && ((1u << e) & TRAP_HAVE_EC)) ? ec : X86_EVENT_NO_EC;
}
#define generate_exception_if(p, e, ec...) \
@@ -741,12 +720,12 @@ do { \
#define validate_far_branch(cs, ip) ({ \
if ( sizeof(ip) <= 4 ) { \
ASSERT(in_longmode(ctxt, ops) <= 0); \
- generate_exception_if((ip) > (cs)->limit, EXC_GP, 0); \
+ generate_exception_if((ip) > (cs)->limit, TRAP_gp_fault, 0); \
} else \
generate_exception_if(in_longmode(ctxt, ops) && \
(cs)->attr.fields.l \
? !is_canonical_address(ip) \
- : (ip) > (cs)->limit, EXC_GP, 0); \
+ : (ip) > (cs)->limit, TRAP_gp_fault, 0); \
})
#define commit_far_branch(cs, newip) ({ \
@@ -796,7 +775,7 @@ static int _get_fpu(
return rc;
generate_exception_if(!(cr4 & ((type == X86EMUL_FPU_xmm)
? X86_CR4_OSFXSR : X86_CR4_OSXSAVE)),
- EXC_UD);
+ TRAP_invalid_op);
}
rc = ops->read_cr(0, &cr0, ctxt);
@@ -809,13 +788,13 @@ static int _get_fpu(
}
if ( cr0 & X86_CR0_EM )
{
- generate_exception_if(type == X86EMUL_FPU_fpu, EXC_NM);
- generate_exception_if(type == X86EMUL_FPU_mmx, EXC_UD);
- generate_exception_if(type == X86EMUL_FPU_xmm, EXC_UD);
+ generate_exception_if(type == X86EMUL_FPU_fpu, TRAP_no_device);
+ generate_exception_if(type == X86EMUL_FPU_mmx, TRAP_invalid_op);
+ generate_exception_if(type == X86EMUL_FPU_xmm, TRAP_invalid_op);
}
generate_exception_if((cr0 & X86_CR0_TS) &&
(type != X86EMUL_FPU_wait || (cr0 & X86_CR0_MP)),
- EXC_NM);
+ TRAP_no_device);
}
done:
@@ -835,10 +814,10 @@ do { \
#define put_fpu(_fic) \
do { \
_put_fpu(); \
- if ( (_fic)->exn_raised == EXC_XM && ops->read_cr && \
+ if ( (_fic)->exn_raised == TRAP_simd_error && ops->read_cr && \
ops->read_cr(4, &cr4, ctxt) == X86EMUL_OKAY && \
!(cr4 & X86_CR4_OSXMMEXCPT) ) \
- (_fic)->exn_raised = EXC_UD; \
+ (_fic)->exn_raised = TRAP_invalid_op; \
generate_exception_if((_fic)->exn_raised >= 0, \
(_fic)->exn_raised); \
} while (0)
@@ -1194,7 +1173,7 @@ static int ioport_access_check(
return rc == X86EMUL_DONE ? X86EMUL_OKAY : rc;
/* Ensure the TSS has an io-bitmap-offset field. */
- generate_exception_if(tr.attr.fields.type != 0xb, EXC_GP, 0);
+ generate_exception_if(tr.attr.fields.type != 0xb, TRAP_gp_fault, 0);
switch ( rc = read_ulong(x86_seg_tr, 0x66, &iobmp, 2, ctxt, ops) )
{
@@ -1202,7 +1181,7 @@ static int ioport_access_check(
break;
case X86EMUL_EXCEPTION:
- generate_exception_if(!ctxt->event_pending, EXC_GP, 0);
+ generate_exception_if(!ctxt->event_pending, TRAP_gp_fault, 0);
/* fallthrough */
default:
@@ -1217,7 +1196,7 @@ static int ioport_access_check(
break;
case X86EMUL_EXCEPTION:
- generate_exception_if(!ctxt->event_pending, EXC_GP, 0);
+ generate_exception_if(!ctxt->event_pending, TRAP_gp_fault, 0);
/* fallthrough */
default:
@@ -1225,7 +1204,7 @@ static int ioport_access_check(
}
generate_exception_if(iobmp & (((1 << bytes) - 1) << (first_port & 7)),
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
done:
return rc;
@@ -1322,7 +1301,7 @@ static bool vcpu_has(
#define vcpu_has_rdpid() vcpu_has( 7, ECX, 22, ctxt, ops)
#define vcpu_must_have(feat) \
- generate_exception_if(!vcpu_has_##feat(), EXC_UD)
+ generate_exception_if(!vcpu_has_##feat(), TRAP_invalid_op)
#ifdef __XEN__
/*
@@ -1332,7 +1311,7 @@ static bool vcpu_has(
* the actual operation.
*/
#define host_and_vcpu_must_have(feat) ({ \
- generate_exception_if(!cpu_has_##feat, EXC_UD); \
+ generate_exception_if(!cpu_has_##feat, TRAP_invalid_op); \
vcpu_must_have(feat); \
})
#else
@@ -1398,7 +1377,7 @@ protmode_load_seg(
uint8_t dpl, rpl;
int cpl = get_cpl(ctxt, ops);
uint32_t a_flag = 0x100;
- int rc, fault_type = EXC_GP;
+ int rc, fault_type = TRAP_gp_fault;
if ( cpl < 0 )
return X86EMUL_UNHANDLEABLE;
@@ -1527,7 +1506,7 @@ protmode_load_seg(
/* Segment present in memory? */
if ( !(desc.b & (1 << 15)) && seg != x86_seg_none )
{
- fault_type = seg != x86_seg_ss ? EXC_NP : EXC_SS;
+ fault_type = seg != x86_seg_ss ? TRAP_no_segment : TRAP_stack_error;
goto raise_exn;
}
@@ -1720,7 +1699,7 @@ static int inject_swint(enum x86_swint_type type,
struct x86_emulate_ctxt *ctxt,
const struct x86_emulate_ops *ops)
{
- int rc, error_code, fault_type = EXC_GP;
+ int rc, error_code, fault_type = TRAP_gp_fault;
/*
* Without hardware support, injecting software interrupts/exceptions is
@@ -1834,7 +1813,7 @@ static int inject_swint(enum x86_swint_type type,
/* Is this entry present? */
if ( !(idte.b & (1u << 15)) )
{
- fault_type = EXC_NP;
+ fault_type = TRAP_no_segment;
goto raise_exn;
}
}
@@ -1989,7 +1968,7 @@ x86_decode_onebyte(
case 0x9a: /* call (far, absolute) */
case 0xea: /* jmp (far, absolute) */
- generate_exception_if(mode_64bit(), EXC_UD);
+ generate_exception_if(mode_64bit(), TRAP_invalid_op);
imm1 = insn_fetch_bytes(op_bytes);
imm2 = insn_fetch_type(uint16_t);
@@ -2083,7 +2062,7 @@ x86_decode_twobyte(
}
/* fall through */
case 0x21: case 0x23: /* mov to/from dr */
- generate_exception_if(lock_prefix || ea.type != OP_REG, EXC_UD);
+ generate_exception_if(lock_prefix || ea.type != OP_REG, TRAP_invalid_op);
op_bytes = mode_64bit() ? 8 : 4;
break;
@@ -2274,7 +2253,7 @@ x86_decode(
/* fall through */
case 8:
/* VEX / XOP / EVEX */
- generate_exception_if(rex_prefix || vex.pfx, EXC_UD);
+ generate_exception_if(rex_prefix || vex.pfx, TRAP_invalid_op);
/*
* With operand size override disallowed (see above), op_bytes
* should not have changed from its default.
@@ -2665,7 +2644,7 @@ x86_emulate(
d = state.desc;
#define state (&state)
- generate_exception_if(state->not_64bit && mode_64bit(), EXC_UD);
+ generate_exception_if(state->not_64bit && mode_64bit(), TRAP_invalid_op);
if ( ea.type == OP_REG )
ea.reg = decode_register(modrm_rm, &_regs,
@@ -2744,12 +2723,12 @@ x86_emulate(
* CMPXCHG{8,16}B (MOV CRn is being handled elsewhere).
*/
generate_exception_if(lock_prefix && (ext != ext_0f || b != 0xc7),
- EXC_UD);
+ TRAP_invalid_op);
dst.type = OP_NONE;
break;
case DstReg:
- generate_exception_if(lock_prefix, EXC_UD);
+ generate_exception_if(lock_prefix, TRAP_invalid_op);
dst.type = OP_REG;
if ( d & ByteOp )
{
@@ -2804,7 +2783,7 @@ x86_emulate(
dst = ea;
if ( dst.type == OP_REG )
{
- generate_exception_if(lock_prefix, EXC_UD);
+ generate_exception_if(lock_prefix, TRAP_invalid_op);
switch ( dst.bytes )
{
case 1: dst.val = *(uint8_t *)dst.reg; break;
@@ -2824,7 +2803,7 @@ x86_emulate(
else
{
/* Lock prefix is allowed only on RMW instructions. */
- generate_exception_if(lock_prefix, EXC_UD);
+ generate_exception_if(lock_prefix, TRAP_invalid_op);
fail_if(!ops->write);
}
break;
@@ -2866,7 +2845,7 @@ x86_emulate(
break;
case 0x38 ... 0x3d: cmp: /* cmp */
- generate_exception_if(lock_prefix, EXC_UD);
+ generate_exception_if(lock_prefix, TRAP_invalid_op);
emulate_2op_SrcV("cmp", src, dst, _regs._eflags);
dst.type = OP_NONE;
break;
@@ -3003,14 +2982,14 @@ x86_emulate(
case 0x62: /* bound */ {
unsigned long src_val2;
int lb, ub, idx;
- generate_exception_if(src.type != OP_MEM, EXC_UD);
+ generate_exception_if(src.type != OP_MEM, TRAP_invalid_op);
if ( (rc = read_ulong(src.mem.seg, src.mem.off + op_bytes,
&src_val2, op_bytes, ctxt, ops)) )
goto done;
ub = (op_bytes == 2) ? (int16_t)src_val2 : (int32_t)src_val2;
lb = (op_bytes == 2) ? (int16_t)src.val : (int32_t)src.val;
idx = (op_bytes == 2) ? (int16_t)dst.val : (int32_t)dst.val;
- generate_exception_if((idx < lb) || (idx > ub), EXC_BR);
+ generate_exception_if((idx < lb) || (idx > ub), TRAP_bounds);
dst.type = OP_NONE;
break;
}
@@ -3048,7 +3027,7 @@ x86_emulate(
_regs._eflags &= ~X86_EFLAGS_ZF;
dst.type = OP_NONE;
}
- generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
+ generate_exception_if(!in_protmode(ctxt, ops), TRAP_invalid_op);
}
break;
@@ -3212,7 +3191,7 @@ x86_emulate(
dst.type = OP_NONE;
break;
}
- generate_exception_if((modrm_reg & 7) != 0, EXC_UD);
+ generate_exception_if((modrm_reg & 7) != 0, TRAP_invalid_op);
case 0x88 ... 0x8b: /* mov */
case 0xa0 ... 0xa1: /* mov mem.offs,{%al,%ax,%eax,%rax} */
case 0xa2 ... 0xa3: /* mov {%al,%ax,%eax,%rax},mem.offs */
@@ -3221,7 +3200,7 @@ x86_emulate(
case 0x8c: /* mov Sreg,r/m */
seg = modrm_reg & 7; /* REX.R is ignored. */
- generate_exception_if(!is_x86_user_segment(seg), EXC_UD);
+ generate_exception_if(!is_x86_user_segment(seg), TRAP_invalid_op);
store_selector:
fail_if(ops->read_segment == NULL);
if ( (rc = ops->read_segment(seg, &sreg, ctxt)) != 0 )
@@ -3234,7 +3213,7 @@ x86_emulate(
case 0x8e: /* mov r/m,Sreg */
seg = modrm_reg & 7; /* REX.R is ignored. */
generate_exception_if(!is_x86_user_segment(seg) ||
- seg == x86_seg_cs, EXC_UD);
+ seg == x86_seg_cs, TRAP_invalid_op);
if ( (rc = load_seg(seg, src.val, 0, NULL, ctxt, ops)) != 0 )
goto done;
if ( seg == x86_seg_ss )
@@ -3243,12 +3222,12 @@ x86_emulate(
break;
case 0x8d: /* lea */
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
dst.val = ea.mem.off;
break;
case 0x8f: /* pop (sole member of Grp1a) */
- generate_exception_if((modrm_reg & 7) != 0, EXC_UD);
+ generate_exception_if((modrm_reg & 7) != 0, TRAP_invalid_op);
/* 64-bit mode: POP defaults to a 64-bit operand. */
if ( mode_64bit() && (dst.bytes == 4) )
dst.bytes = 8;
@@ -3330,7 +3309,7 @@ x86_emulate(
if ( rc != X86EMUL_OKAY )
goto done;
}
- generate_exception_if(!(cr4 & X86_CR4_VME), EXC_GP, 0);
+ generate_exception_if(!(cr4 & X86_CR4_VME), TRAP_gp_fault, 0);
src.val = (_regs.flags & ~X86_EFLAGS_IF) | X86_EFLAGS_IOPL;
if ( _regs._eflags & X86_EFLAGS_VIF )
src.val |= X86_EFLAGS_IF;
@@ -3355,7 +3334,7 @@ x86_emulate(
}
generate_exception_if(!(cr4 & X86_CR4_VME) &&
MASK_EXTR(_regs._eflags, X86_EFLAGS_IOPL) != 3,
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
}
mask |= X86_EFLAGS_IOPL;
if ( !mode_iopl() )
@@ -3375,7 +3354,7 @@ x86_emulate(
if ( dst.val & X86_EFLAGS_IF )
{
generate_exception_if(_regs._eflags & X86_EFLAGS_VIP,
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
dst.val |= X86_EFLAGS_VIF;
}
else
@@ -3553,7 +3532,7 @@ x86_emulate(
case 0xc5: /* lds */
seg = (b & 1) * 3; /* es = 0, ds = 3 */
les:
- generate_exception_if(src.type != OP_MEM, EXC_UD);
+ generate_exception_if(src.type != OP_MEM, TRAP_invalid_op);
if ( (rc = read_ulong(src.mem.seg, src.mem.off + src.bytes,
&dst.val, 2, ctxt, ops)) != X86EMUL_OKAY )
goto done;
@@ -3625,7 +3604,7 @@ x86_emulate(
break;
case 0xcc: /* int3 */
- src.val = EXC_BP;
+ src.val = TRAP_int3;
swint_type = x86_swint_int3;
goto swint;
@@ -3640,7 +3619,7 @@ x86_emulate(
case 0xce: /* into */
if ( !(_regs._eflags & X86_EFLAGS_OF) )
break;
- src.val = EXC_OF;
+ src.val = TRAP_overflow;
swint_type = x86_swint_into;
goto swint;
@@ -3689,7 +3668,7 @@ x86_emulate(
{
uint8_t al = _regs.al;
- generate_exception_if(!base, EXC_DE);
+ generate_exception_if(!base, TRAP_divide_error);
_regs.ax = ((al / base) << 8) | (al % base);
}
_regs._eflags &= ~(X86_EFLAGS_SF|X86_EFLAGS_ZF|X86_EFLAGS_PF);
@@ -3805,7 +3784,7 @@ x86_emulate(
emulate_fpu_insn_stub(0xd9, modrm);
break;
default:
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
dst = ea;
switch ( modrm_reg & 7 )
{
@@ -3840,7 +3819,7 @@ x86_emulate(
dst.bytes = 2;
break;
default:
- generate_exception(EXC_UD);
+ generate_exception(TRAP_invalid_op);
}
/*
* Control instructions can't raise FPU exceptions, so we need
@@ -3869,7 +3848,7 @@ x86_emulate(
emulate_fpu_insn_stub(0xda, modrm);
break;
default:
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
if ( (rc = ops->read(ea.mem.seg, ea.mem.off, &src.val,
4, ctxt)) != X86EMUL_OKAY )
goto done;
@@ -3927,7 +3906,7 @@ x86_emulate(
emulate_fpu_insn_stub(0xdb, modrm);
break;
default:
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
dst = ea;
switch ( modrm_reg & 7 )
{
@@ -3968,7 +3947,7 @@ x86_emulate(
dst.type = OP_NONE;
break;
default:
- generate_exception(EXC_UD);
+ generate_exception(TRAP_invalid_op);
}
if ( dst.type == OP_MEM && !fpu_check_write() )
dst.type = OP_NONE;
@@ -4041,7 +4020,7 @@ x86_emulate(
emulate_fpu_insn_stub(0xdd, modrm);
break;
default:
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
dst = ea;
switch ( modrm_reg & 7 )
{
@@ -4073,7 +4052,7 @@ x86_emulate(
dst.bytes = 2;
break;
default:
- generate_exception(EXC_UD);
+ generate_exception(TRAP_invalid_op);
}
/*
* Control instructions can't raise FPU exceptions, so we need
@@ -4102,7 +4081,7 @@ x86_emulate(
emulate_fpu_insn_stub(0xde, modrm);
break;
default:
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
switch ( modrm_reg & 7 )
{
case 0: /* fiadd m16i */
@@ -4158,7 +4137,7 @@ x86_emulate(
emulate_fpu_insn_stub(0xdf, modrm);
break;
default:
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
dst = ea;
switch ( modrm_reg & 7 )
{
@@ -4296,12 +4275,12 @@ x86_emulate(
break;
case 0xf1: /* int1 (icebp) */
- src.val = EXC_DB;
+ src.val = TRAP_debug;
swint_type = x86_swint_icebp;
goto swint;
case 0xf4: /* hlt */
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
ctxt->retire.hlt = true;
break;
@@ -4317,7 +4296,7 @@ x86_emulate(
unsigned long u[2], v;
case 0 ... 1: /* test */
- generate_exception_if(lock_prefix, EXC_UD);
+ generate_exception_if(lock_prefix, TRAP_invalid_op);
goto test;
case 2: /* not */
dst.val = ~dst.val;
@@ -4412,7 +4391,7 @@ x86_emulate(
v = (uint8_t)src.val;
generate_exception_if(
div_dbl(u, v) || ((uint8_t)u[0] != (uint16_t)u[0]),
- EXC_DE);
+ TRAP_divide_error);
dst.val = (uint8_t)u[0];
_regs.ah = u[1];
break;
@@ -4422,7 +4401,7 @@ x86_emulate(
v = (uint16_t)src.val;
generate_exception_if(
div_dbl(u, v) || ((uint16_t)u[0] != (uint32_t)u[0]),
- EXC_DE);
+ TRAP_divide_error);
dst.val = (uint16_t)u[0];
_regs.dx = u[1];
break;
@@ -4433,7 +4412,7 @@ x86_emulate(
v = (uint32_t)src.val;
generate_exception_if(
div_dbl(u, v) || ((uint32_t)u[0] != u[0]),
- EXC_DE);
+ TRAP_divide_error);
dst.val = (uint32_t)u[0];
_regs.rdx = (uint32_t)u[1];
break;
@@ -4442,7 +4421,7 @@ x86_emulate(
u[0] = _regs.r(ax);
u[1] = _regs.r(dx);
v = src.val;
- generate_exception_if(div_dbl(u, v), EXC_DE);
+ generate_exception_if(div_dbl(u, v), TRAP_divide_error);
dst.val = u[0];
_regs.r(dx) = u[1];
break;
@@ -4457,7 +4436,7 @@ x86_emulate(
v = (int8_t)src.val;
generate_exception_if(
idiv_dbl(u, v) || ((int8_t)u[0] != (int16_t)u[0]),
- EXC_DE);
+ TRAP_divide_error);
dst.val = (int8_t)u[0];
_regs.ah = u[1];
break;
@@ -4467,7 +4446,7 @@ x86_emulate(
v = (int16_t)src.val;
generate_exception_if(
idiv_dbl(u, v) || ((int16_t)u[0] != (int32_t)u[0]),
- EXC_DE);
+ TRAP_divide_error);
dst.val = (int16_t)u[0];
_regs.dx = u[1];
break;
@@ -4478,7 +4457,7 @@ x86_emulate(
v = (int32_t)src.val;
generate_exception_if(
idiv_dbl(u, v) || ((int32_t)u[0] != u[0]),
- EXC_DE);
+ TRAP_divide_error);
dst.val = (int32_t)u[0];
_regs.rdx = (uint32_t)u[1];
break;
@@ -4487,7 +4466,7 @@ x86_emulate(
u[0] = _regs.r(ax);
u[1] = _regs.r(dx);
v = src.val;
- generate_exception_if(idiv_dbl(u, v), EXC_DE);
+ generate_exception_if(idiv_dbl(u, v), TRAP_divide_error);
dst.val = u[0];
_regs.r(dx) = u[1];
break;
@@ -4509,7 +4488,7 @@ x86_emulate(
_regs._eflags &= ~X86_EFLAGS_IF;
else
{
- generate_exception_if(!mode_vif(), EXC_GP, 0);
+ generate_exception_if(!mode_vif(), TRAP_gp_fault, 0);
_regs._eflags &= ~X86_EFLAGS_VIF;
}
break;
@@ -4525,7 +4504,7 @@ x86_emulate(
{
generate_exception_if((_regs._eflags & X86_EFLAGS_VIP) ||
!mode_vif(),
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
if ( !(_regs._eflags & X86_EFLAGS_VIF) )
ctxt->retire.sti = true;
_regs._eflags |= X86_EFLAGS_VIF;
@@ -4541,7 +4520,7 @@ x86_emulate(
break;
case 0xfe: /* Grp4 */
- generate_exception_if((modrm_reg & 7) >= 2, EXC_UD);
+ generate_exception_if((modrm_reg & 7) >= 2, TRAP_invalid_op);
/* Fallthrough. */
case 0xff: /* Grp5 */
switch ( modrm_reg & 7 )
@@ -4569,7 +4548,7 @@ x86_emulate(
break;
case 3: /* call (far, absolute indirect) */
case 5: /* jmp (far, absolute indirect) */
- generate_exception_if(src.type != OP_MEM, EXC_UD);
+ generate_exception_if(src.type != OP_MEM, TRAP_invalid_op);
if ( (rc = read_ulong(src.mem.seg, src.mem.off + op_bytes,
&imm2, 2, ctxt, ops)) )
@@ -4581,20 +4560,20 @@ x86_emulate(
case 6: /* push */
goto push;
case 7:
- generate_exception(EXC_UD);
+ generate_exception(TRAP_invalid_op);
}
break;
case X86EMUL_OPC(0x0f, 0x00): /* Grp6 */
seg = (modrm_reg & 1) ? x86_seg_tr : x86_seg_ldtr;
- generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
+ generate_exception_if(!in_protmode(ctxt, ops), TRAP_invalid_op);
switch ( modrm_reg & 6 )
{
case 0: /* sldt / str */
- generate_exception_if(umip_active(ctxt, ops), EXC_GP, 0);
+ generate_exception_if(umip_active(ctxt, ops), TRAP_gp_fault, 0);
goto store_selector;
case 2: /* lldt / ltr */
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
if ( (rc = load_seg(seg, src.val, 0, NULL, ctxt, ops)) != 0 )
goto done;
break;
@@ -4612,7 +4591,7 @@ x86_emulate(
case X86EMUL_EXCEPTION:
if ( ctxt->event_pending )
{
- ASSERT(ctxt->event.vector == EXC_PF);
+ ASSERT(ctxt->event.vector == TRAP_page_fault);
default:
goto done;
}
@@ -4622,7 +4601,7 @@ x86_emulate(
}
break;
default:
- generate_exception_if(true, EXC_UD);
+ generate_exception_if(true, TRAP_invalid_op);
break;
}
break;
@@ -4635,7 +4614,7 @@ x86_emulate(
case 0xca: /* clac */
case 0xcb: /* stac */
vcpu_must_have(smap);
- generate_exception_if(vex.pfx || !mode_ring0(), EXC_UD);
+ generate_exception_if(vex.pfx || !mode_ring0(), TRAP_invalid_op);
_regs._eflags &= ~X86_EFLAGS_AC;
if ( modrm == 0xcb )
@@ -4644,41 +4623,41 @@ x86_emulate(
#ifdef __XEN__
case 0xd1: /* xsetbv */
- generate_exception_if(vex.pfx, EXC_UD);
+ generate_exception_if(vex.pfx, TRAP_invalid_op);
if ( !ops->read_cr || ops->read_cr(4, &cr4, ctxt) != X86EMUL_OKAY )
cr4 = 0;
- generate_exception_if(!(cr4 & X86_CR4_OSXSAVE), EXC_UD);
+ generate_exception_if(!(cr4 & X86_CR4_OSXSAVE), TRAP_invalid_op);
generate_exception_if(!mode_ring0() ||
handle_xsetbv(_regs._ecx,
_regs._eax | (_regs.rdx << 32)),
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
goto complete_insn;
#endif
case 0xd4: /* vmfunc */
- generate_exception_if(vex.pfx, EXC_UD);
+ generate_exception_if(vex.pfx, TRAP_invalid_op);
fail_if(!ops->vmfunc);
if ( (rc = ops->vmfunc(ctxt)) != X86EMUL_OKAY )
goto done;
goto complete_insn;
case 0xd5: /* xend */
- generate_exception_if(vex.pfx, EXC_UD);
- generate_exception_if(!vcpu_has_rtm(), EXC_UD);
- generate_exception_if(vcpu_has_rtm(), EXC_GP, 0);
+ generate_exception_if(vex.pfx, TRAP_invalid_op);
+ generate_exception_if(!vcpu_has_rtm(), TRAP_invalid_op);
+ generate_exception_if(vcpu_has_rtm(), TRAP_gp_fault, 0);
break;
case 0xd6: /* xtest */
- generate_exception_if(vex.pfx, EXC_UD);
+ generate_exception_if(vex.pfx, TRAP_invalid_op);
generate_exception_if(!vcpu_has_rtm() && !vcpu_has_hle(),
- EXC_UD);
+ TRAP_invalid_op);
/* Neither HLE nor RTM can be active when we get here. */
_regs._eflags |= X86_EFLAGS_ZF;
goto complete_insn;
case 0xdf: /* invlpga */
- generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(!in_protmode(ctxt, ops), TRAP_invalid_op);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
fail_if(ops->invlpg == NULL);
if ( (rc = ops->invlpg(x86_seg_none, truncate_ea(_regs.r(ax)),
ctxt)) )
@@ -4706,7 +4685,7 @@ x86_emulate(
ops->cpuid(1, 0, &cpuid_leaf, ctxt) == X86EMUL_OKAY )
limit = ((cpuid_leaf.b >> 8) & 0xff) * 8;
generate_exception_if(limit < sizeof(long) ||
- (limit & (limit - 1)), EXC_UD);
+ (limit & (limit - 1)), TRAP_invalid_op);
base &= ~(limit - 1);
if ( ops->rep_stos )
{
@@ -4741,8 +4720,8 @@ x86_emulate(
{
case 0: /* sgdt */
case 1: /* sidt */
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
- generate_exception_if(umip_active(ctxt, ops), EXC_GP, 0);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
+ generate_exception_if(umip_active(ctxt, ops), TRAP_gp_fault, 0);
fail_if(!ops->read_segment || !ops->write);
if ( (rc = ops->read_segment(seg, &sreg, ctxt)) )
goto done;
@@ -4761,8 +4740,8 @@ x86_emulate(
break;
case 2: /* lgdt */
case 3: /* lidt */
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
fail_if(ops->write_segment == NULL);
memset(&sreg, 0, sizeof(sreg));
if ( (rc = read_ulong(ea.mem.seg, ea.mem.off+0,
@@ -4770,7 +4749,7 @@ x86_emulate(
(rc = read_ulong(ea.mem.seg, ea.mem.off+2,
&base, mode_64bit() ? 8 : 4, ctxt, ops)) )
goto done;
- generate_exception_if(!is_canonical_address(base), EXC_GP, 0);
+ generate_exception_if(!is_canonical_address(base), TRAP_gp_fault, 0);
sreg.base = base;
sreg.limit = limit;
if ( !mode_64bit() && op_bytes == 2 )
@@ -4779,7 +4758,7 @@ x86_emulate(
goto done;
break;
case 4: /* smsw */
- generate_exception_if(umip_active(ctxt, ops), EXC_GP, 0);
+ generate_exception_if(umip_active(ctxt, ops), TRAP_gp_fault, 0);
if ( ea.type == OP_MEM )
{
fail_if(!ops->write);
@@ -4796,7 +4775,7 @@ x86_emulate(
case 6: /* lmsw */
fail_if(ops->read_cr == NULL);
fail_if(ops->write_cr == NULL);
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
if ( (rc = ops->read_cr(0, &cr0, ctxt)) )
goto done;
if ( ea.type == OP_REG )
@@ -4810,8 +4789,8 @@ x86_emulate(
goto done;
break;
case 7: /* invlpg */
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
- generate_exception_if(ea.type != OP_MEM, EXC_UD);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
+ generate_exception_if(ea.type != OP_MEM, TRAP_invalid_op);
fail_if(ops->invlpg == NULL);
if ( (rc = ops->invlpg(ea.mem.seg, ea.mem.off, ctxt)) )
goto done;
@@ -4823,7 +4802,7 @@ x86_emulate(
}
case X86EMUL_OPC(0x0f, 0x02): /* lar */
- generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
+ generate_exception_if(!in_protmode(ctxt, ops), TRAP_invalid_op);
_regs._eflags &= ~X86_EFLAGS_ZF;
switch ( rc = protmode_load_seg(x86_seg_none, src.val, false, &sreg,
ctxt, ops) )
@@ -4854,7 +4833,7 @@ x86_emulate(
case X86EMUL_EXCEPTION:
if ( ctxt->event_pending )
{
- ASSERT(ctxt->event.vector == EXC_PF);
+ ASSERT(ctxt->event.vector == TRAP_page_fault);
default:
goto done;
}
@@ -4872,7 +4851,7 @@ x86_emulate(
break;
case X86EMUL_OPC(0x0f, 0x03): /* lsl */
- generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
+ generate_exception_if(!in_protmode(ctxt, ops), TRAP_invalid_op);
_regs._eflags &= ~X86_EFLAGS_ZF;
switch ( rc = protmode_load_seg(x86_seg_none, src.val, false, &sreg,
ctxt, ops) )
@@ -4900,7 +4879,7 @@ x86_emulate(
case X86EMUL_EXCEPTION:
if ( ctxt->event_pending )
{
- ASSERT(ctxt->event.vector == EXC_PF);
+ ASSERT(ctxt->event.vector == TRAP_page_fault);
default:
goto done;
}
@@ -4917,13 +4896,13 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0x05): /* syscall */ {
uint64_t msr_content;
- generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
+ generate_exception_if(!in_protmode(ctxt, ops), TRAP_invalid_op);
/* Inject #UD if syscall/sysret are disabled. */
fail_if(ops->read_msr == NULL);
if ( (rc = ops->read_msr(MSR_EFER, &msr_content, ctxt)) != 0 )
goto done;
- generate_exception_if((msr_content & EFER_SCE) == 0, EXC_UD);
+ generate_exception_if((msr_content & EFER_SCE) == 0, TRAP_invalid_op);
if ( (rc = ops->read_msr(MSR_STAR, &msr_content, ctxt)) != 0 )
goto done;
@@ -4991,7 +4970,7 @@ x86_emulate(
}
case X86EMUL_OPC(0x0f, 0x06): /* clts */
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
fail_if((ops->read_cr == NULL) || (ops->write_cr == NULL));
if ( (rc = ops->read_cr(0, &dst.val, ctxt)) != X86EMUL_OKAY ||
(rc = ops->write_cr(0, dst.val & ~X86_CR0_TS, ctxt)) != X86EMUL_OKAY )
@@ -5000,7 +4979,7 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0x08): /* invd */
case X86EMUL_OPC(0x0f, 0x09): /* wbinvd */
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
fail_if(ops->wbinvd == NULL);
if ( (rc = ops->wbinvd(ctxt)) != 0 )
goto done;
@@ -5009,7 +4988,7 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0x0b): /* ud2 */
case X86EMUL_OPC(0x0f, 0xb9): /* ud1 */
case X86EMUL_OPC(0x0f, 0xff): /* ud0 */
- generate_exception(EXC_UD);
+ generate_exception(TRAP_invalid_op);
case X86EMUL_OPC(0x0f, 0x0d): /* GrpP (prefetch) */
case X86EMUL_OPC(0x0f, 0x18): /* Grp16 (prefetch/nop) */
@@ -5098,7 +5077,7 @@ x86_emulate(
generate_exception_if(!(mxcsr & MXCSR_MM) &&
!is_aligned(ea.mem.seg, ea.mem.off, ea.bytes,
ctxt, ops),
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
if ( !(b & 1) )
rc = ops->read(ea.mem.seg, ea.mem.off+0, mmvalp,
ea.bytes, ctxt);
@@ -5133,7 +5112,7 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0x21): /* mov dr,reg */
case X86EMUL_OPC(0x0f, 0x22): /* mov reg,cr */
case X86EMUL_OPC(0x0f, 0x23): /* mov reg,dr */
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
if ( b & 2 )
{
/* Write to CR/DR. */
@@ -5156,7 +5135,7 @@ x86_emulate(
break;
case X86EMUL_OPC(0x0f, 0x30): /* wrmsr */
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
fail_if(ops->write_msr == NULL);
if ( (rc = ops->write_msr(_regs._ecx,
((uint64_t)_regs.r(dx) << 32) | _regs._eax,
@@ -5172,7 +5151,7 @@ x86_emulate(
fail_if(ops->read_cr == NULL);
if ( (rc = ops->read_cr(4, &cr4, ctxt)) )
goto done;
- generate_exception_if(cr4 & X86_CR4_TSD, EXC_GP, 0);
+ generate_exception_if(cr4 & X86_CR4_TSD, TRAP_gp_fault, 0);
}
fail_if(ops->read_msr == NULL);
if ( (rc = ops->read_msr(MSR_IA32_TSC, &val, ctxt)) != 0 )
@@ -5184,7 +5163,7 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0x32): /* rdmsr */ {
uint64_t val;
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
fail_if(ops->read_msr == NULL);
if ( (rc = ops->read_msr(_regs._ecx, &val, ctxt)) != 0 )
goto done;
@@ -5204,15 +5183,15 @@ x86_emulate(
int lm;
vcpu_must_have(sep);
- generate_exception_if(mode_ring0(), EXC_GP, 0);
- generate_exception_if(!in_protmode(ctxt, ops), EXC_GP, 0);
+ generate_exception_if(mode_ring0(), TRAP_gp_fault, 0);
+ generate_exception_if(!in_protmode(ctxt, ops), TRAP_gp_fault, 0);
fail_if(ops->read_msr == NULL);
if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_CS, &msr_content, ctxt))
!= 0 )
goto done;
- generate_exception_if(!(msr_content & 0xfffc), EXC_GP, 0);
+ generate_exception_if(!(msr_content & 0xfffc), TRAP_gp_fault, 0);
lm = in_longmode(ctxt, ops);
if ( lm < 0 )
goto cannot_emulate;
@@ -5254,19 +5233,19 @@ x86_emulate(
uint64_t msr_content;
vcpu_must_have(sep);
- generate_exception_if(!mode_ring0(), EXC_GP, 0);
- generate_exception_if(!in_protmode(ctxt, ops), EXC_GP, 0);
+ generate_exception_if(!mode_ring0(), TRAP_gp_fault, 0);
+ generate_exception_if(!in_protmode(ctxt, ops), TRAP_gp_fault, 0);
fail_if(ops->read_msr == NULL);
if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_CS, &msr_content, ctxt))
!= 0 )
goto done;
- generate_exception_if(!(msr_content & 0xfffc), EXC_GP, 0);
+ generate_exception_if(!(msr_content & 0xfffc), TRAP_gp_fault, 0);
generate_exception_if(op_bytes == 8 &&
(!is_canonical_address(_regs.r(dx)) ||
!is_canonical_address(_regs.r(cx))),
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
cs.sel = (msr_content | 3) + /* SELECTOR_RPL_MASK */
(op_bytes == 8 ? 32 : 16);
@@ -5364,11 +5343,11 @@ x86_emulate(
switch ( b )
{
case 0x7e:
- generate_exception_if(vex.l, EXC_UD);
+ generate_exception_if(vex.l, TRAP_invalid_op);
ea.bytes = op_bytes;
break;
case 0xd6:
- generate_exception_if(vex.l, EXC_UD);
+ generate_exception_if(vex.l, TRAP_invalid_op);
ea.bytes = 8;
break;
}
@@ -5383,7 +5362,7 @@ x86_emulate(
generate_exception_if(!(mxcsr & MXCSR_MM) &&
!is_aligned(ea.mem.seg, ea.mem.off, ea.bytes,
ctxt, ops),
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
if ( b == 0x6f )
rc = ops->read(ea.mem.seg, ea.mem.off+0, mmvalp,
ea.bytes, ctxt);
@@ -5435,7 +5414,7 @@ x86_emulate(
fail_if(ops->cpuid == NULL);
rc = ops->cpuid(_regs._eax, _regs._ecx, &cpuid_leaf, ctxt);
generate_exception_if(rc == X86EMUL_EXCEPTION,
- EXC_GP, 0); /* CPUID Faulting? */
+ TRAP_gp_fault, 0); /* CPUID Faulting? */
if ( rc != X86EMUL_OKAY )
goto done;
_regs.r(ax) = cpuid_leaf.a;
@@ -5445,7 +5424,7 @@ x86_emulate(
break;
case X86EMUL_OPC(0x0f, 0xa3): bt: /* bt */
- generate_exception_if(lock_prefix, EXC_UD);
+ generate_exception_if(lock_prefix, TRAP_invalid_op);
emulate_2op_SrcV_nobyte("bt", src, dst, _regs._eflags);
dst.type = OP_NONE;
break;
@@ -5456,7 +5435,7 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0xad): /* shrd %%cl,r,r/m */ {
uint8_t shift, width = dst.bytes << 3;
- generate_exception_if(lock_prefix, EXC_UD);
+ generate_exception_if(lock_prefix, TRAP_invalid_op);
if ( b & 1 )
shift = _regs.cl;
else
@@ -5498,14 +5477,14 @@ x86_emulate(
{
case 5: /* lfence */
fail_if(modrm_mod != 3);
- generate_exception_if(vex.pfx, EXC_UD);
+ generate_exception_if(vex.pfx, TRAP_invalid_op);
vcpu_must_have(sse2);
asm volatile ( "lfence" ::: "memory" );
break;
case 6:
if ( modrm_mod == 3 ) /* mfence */
{
- generate_exception_if(vex.pfx, EXC_UD);
+ generate_exception_if(vex.pfx, TRAP_invalid_op);
vcpu_must_have(sse2);
asm volatile ( "mfence" ::: "memory" );
break;
@@ -5520,7 +5499,7 @@ x86_emulate(
case 7:
if ( modrm_mod == 3 ) /* sfence */
{
- generate_exception_if(vex.pfx, EXC_UD);
+ generate_exception_if(vex.pfx, TRAP_invalid_op);
vcpu_must_have(sse);
asm volatile ( "sfence" ::: "memory" );
break;
@@ -5541,11 +5520,11 @@ x86_emulate(
case X86EMUL_OPC_F3(0x0f, 0xae): /* Grp15 */
fail_if(modrm_mod != 3);
- generate_exception_if((modrm_reg & 4) || !mode_64bit(), EXC_UD);
+ generate_exception_if((modrm_reg & 4) || !mode_64bit(), TRAP_invalid_op);
fail_if(!ops->read_cr);
if ( (rc = ops->read_cr(4, &cr4, ctxt)) != X86EMUL_OKAY )
goto done;
- generate_exception_if(!(cr4 & X86_CR4_FSGSBASE), EXC_UD);
+ generate_exception_if(!(cr4 & X86_CR4_FSGSBASE), TRAP_invalid_op);
seg = modrm_reg & 1 ? x86_seg_gs : x86_seg_fs;
fail_if(!ops->read_segment);
if ( (rc = ops->read_segment(seg, &sreg, ctxt)) != X86EMUL_OKAY )
@@ -5565,7 +5544,7 @@ x86_emulate(
{
sreg.base = *dst.reg;
generate_exception_if(!is_canonical_address(sreg.base),
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
}
else
sreg.base = (uint32_t)*dst.reg;
@@ -5634,7 +5613,7 @@ x86_emulate(
case 5: goto bts;
case 6: goto btr;
case 7: goto btc;
- default: generate_exception(EXC_UD);
+ default: generate_exception(TRAP_invalid_op);
}
break;
@@ -5746,7 +5725,7 @@ x86_emulate(
#ifdef HAVE_GAS_RDRAND
case 6: /* rdrand */
- generate_exception_if(rep_prefix(), EXC_UD);
+ generate_exception_if(rep_prefix(), TRAP_invalid_op);
host_and_vcpu_must_have(rdrand);
dst = ea;
switch ( op_bytes )
@@ -5777,7 +5756,7 @@ x86_emulate(
{
uint64_t tsc_aux;
- generate_exception_if(ea.type != OP_REG, EXC_UD);
+ generate_exception_if(ea.type != OP_REG, TRAP_invalid_op);
vcpu_must_have(rdpid);
fail_if(!ops->read_msr);
if ( (rc = ops->read_msr(MSR_TSC_AUX, &tsc_aux,
@@ -5789,7 +5768,7 @@ x86_emulate(
break;
}
#ifdef HAVE_GAS_RDSEED
- generate_exception_if(rep_prefix(), EXC_UD);
+ generate_exception_if(rep_prefix(), TRAP_invalid_op);
host_and_vcpu_must_have(rdseed);
dst = ea;
switch ( op_bytes )
@@ -5819,14 +5798,14 @@ x86_emulate(
}
/* cmpxchg8b/cmpxchg16b */
- generate_exception_if((modrm_reg & 7) != 1, EXC_UD);
+ generate_exception_if((modrm_reg & 7) != 1, TRAP_invalid_op);
fail_if(!ops->cmpxchg);
if ( rex_prefix & REX_W )
{
host_and_vcpu_must_have(cx16);
generate_exception_if(!is_aligned(ea.mem.seg, ea.mem.off, 16,
ctxt, ops),
- EXC_GP, 0);
+ TRAP_gp_fault, 0);
op_bytes = 16;
}
else
@@ -5976,7 +5955,7 @@ x86_emulate(
host_and_vcpu_must_have(bmi2);
else
host_and_vcpu_must_have(bmi1);
- generate_exception_if(vex.l, EXC_UD);
+ generate_exception_if(vex.l, TRAP_invalid_op);
buf[0] = 0xc4;
*pvex = vex;
@@ -6010,7 +5989,7 @@ x86_emulate(
goto cannot_emulate;
}
- generate_exception_if(vex.l, EXC_UD);
+ generate_exception_if(vex.l, TRAP_invalid_op);
buf[0] = 0xc4;
*pvex = vex;
@@ -6063,7 +6042,7 @@ x86_emulate(
case X86EMUL_OPC_VEX_F2(0x0f38, 0xf6): /* mulx r/m,r,r */
vcpu_must_have(bmi2);
- generate_exception_if(vex.l, EXC_UD);
+ generate_exception_if(vex.l, TRAP_invalid_op);
ea.reg = decode_vex_gpr(vex.reg, &_regs, ctxt);
if ( mode_64bit() && vex.w )
asm ( "mulq %3" : "=a" (*ea.reg), "=d" (dst.val)
@@ -6075,7 +6054,7 @@ x86_emulate(
case X86EMUL_OPC_VEX_F2(0x0f3a, 0xf0): /* rorx imm,r/m,r */
vcpu_must_have(bmi2);
- generate_exception_if(vex.l || vex.reg != 0xf, EXC_UD);
+ generate_exception_if(vex.l || vex.reg != 0xf, TRAP_invalid_op);
if ( ea.type == OP_REG )
src.val = *ea.reg;
else if ( (rc = read_ulong(ea.mem.seg, ea.mem.off, &src.val, op_bytes,
@@ -6108,7 +6087,7 @@ x86_emulate(
uint8_t *buf = get_stub(stub);
typeof(vex) *pxop = container_of(buf + 1, typeof(vex), raw[0]);
- generate_exception_if(vex.l, EXC_UD);
+ generate_exception_if(vex.l, TRAP_invalid_op);
buf[0] = 0x8f;
*pxop = vex;
@@ -6142,7 +6121,7 @@ x86_emulate(
typeof(vex) *pxop = container_of(buf + 1, typeof(vex), raw[0]);
host_and_vcpu_must_have(tbm);
- generate_exception_if(vex.l || vex.reg != 0xf, EXC_UD);
+ generate_exception_if(vex.l || vex.reg != 0xf, TRAP_invalid_op);
if ( ea.type == OP_REG )
src.val = *ea.reg;
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 10/12] fuzz/x86emul: update fuzzer
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
` (8 preceding siblings ...)
2017-01-31 11:08 ` [PATCH v2 09/12] x86emul: use TRAP " Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 13:33 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 11/12] fuzz/x86emul: print out minimal input size Wei Liu
2017-01-31 11:08 ` [PATCH v2 12/12] fuzz: update README.afl example Wei Liu
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel
Cc: Wei Liu, George Dunlap, Andrew Cooper, Ian Jackson, George Dunlap,
Jan Beulich
Provide the fuzzer with more ops, and more sophisticated input
structure.
Based on a patch originally written by Andrew and George.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
v2:
1. Address comments from Jan.
2. Provide architecturally correct behaviour for rep stub.
---
.../x86-insn-emulator-fuzzer.c | 660 +++++++++++++++++++--
1 file changed, 598 insertions(+), 62 deletions(-)
diff --git a/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
index 7d7f731677..ef223e856d 100644
--- a/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
+++ b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
@@ -4,6 +4,7 @@
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
+#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
@@ -16,26 +17,79 @@
#include "x86_emulate.h"
-static unsigned char data[4096];
+#include "../../../xen/include/asm-x86/msr-index.h"
+
+#define MSR_INDEX_MAX 16
+
+#define SEG_NUM x86_seg_none
+
+struct input_struct {
+ unsigned long cr[5];
+ uint64_t msr[MSR_INDEX_MAX];
+ struct cpu_user_regs regs;
+ struct segment_register segments[SEG_NUM];
+ unsigned long options;
+ unsigned char data[4096];
+} input;
+#define DATA_OFFSET offsetof(struct input_struct, data)
static unsigned int data_index;
-static unsigned int data_max;
+static unsigned int data_num;
+
+/* Randomly return success or failure when processing data. If
+ * `exception` is false, this function turns _EXCEPTION to _OKAY.
+ */
+int maybe_fail(const char *why, bool exception)
+{
+ int rc;
+
+ if ( data_index + 1 > data_num )
+ rc = X86EMUL_EXCEPTION;
+ else
+ {
+ /* Randomly returns value:
+ * 50% okay
+ * 25% unhandlable
+ * 25% exception
+ */
+ if ( input.data[data_index] > 0xc0 )
+ rc = X86EMUL_EXCEPTION;
+ else if ( input.data[data_index] > 0x80 )
+ rc = X86EMUL_UNHANDLEABLE;
+ else
+ rc = X86EMUL_OKAY;
+ data_index++;
+ }
+
+ if ( rc == X86EMUL_EXCEPTION && !exception )
+ rc = X86EMUL_OKAY;
+
+ printf("maybe_fail %s: %d\n", why, rc);
+
+ return rc;
+}
static int data_read(const char *why, void *dst, unsigned int bytes)
{
unsigned int i;
+ int rc;
- if ( data_index + bytes > data_max )
- return X86EMUL_EXCEPTION;
+ if ( data_index + bytes > data_num )
+ rc = X86EMUL_EXCEPTION;
+ else
+ rc = maybe_fail(why, true);
- memcpy(dst, data + data_index, bytes);
- data_index += bytes;
+ if ( rc == X86EMUL_OKAY )
+ {
+ memcpy(dst, input.data + data_index, bytes);
+ data_index += bytes;
- printf("%s: ", why);
- for ( i = 0; i < bytes; i++ )
- printf(" %02x", *(unsigned char *)(dst + i));
- printf("\n");
+ printf("%s: ", why);
+ for ( i = 0; i < bytes; i++ )
+ printf(" %02x", *(unsigned char *)(dst + i));
+ printf("\n");
+ }
- return X86EMUL_OKAY;
+ return rc;
}
static int fuzz_read(
@@ -48,14 +102,96 @@ static int fuzz_read(
return data_read("read", p_data, bytes);
}
-static int fuzz_fetch(
+static int fuzz_read_io(
+ unsigned int port,
+ unsigned int bytes,
+ unsigned long *val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return data_read("read_io", val, bytes);
+}
+
+static int fuzz_insn_fetch(
unsigned int seg,
unsigned long offset,
void *p_data,
unsigned int bytes,
struct x86_emulate_ctxt *ctxt)
{
- return data_read("fetch", p_data, bytes);
+ return data_read("insn_fetch", p_data, bytes);
+}
+
+static int _fuzz_rep_read(const char *why, unsigned long *reps)
+{
+ int rc;
+ unsigned long bytes_read = 0;
+
+ rc = data_read(why, &bytes_read, sizeof(bytes_read));
+
+ if ( bytes_read < *reps )
+ *reps -= bytes_read;
+
+ /* Indicate we haven't done any work if emulation has failed */
+ if ( rc != X86EMUL_OKAY )
+ *reps = 0;
+
+ return rc;
+}
+
+static int _fuzz_rep_write(const char *why, unsigned long *reps)
+{
+ int rc = maybe_fail(why, true);
+
+ /* Indicate we haven't done any work if emulation has failed */
+ if ( rc != X86EMUL_OKAY )
+ *reps = 0;
+
+ return rc;
+}
+
+static int fuzz_rep_ins(
+ uint16_t src_port,
+ enum x86_segment dst_seg,
+ unsigned long dst_offset,
+ unsigned int bytes_per_rep,
+ unsigned long *reps,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return _fuzz_rep_read("rep_in", reps);
+}
+
+static int fuzz_rep_movs(
+ enum x86_segment src_seg,
+ unsigned long src_offset,
+ enum x86_segment dst_seg,
+ unsigned long dst_offset,
+ unsigned int bytes_per_rep,
+ unsigned long *reps,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return _fuzz_rep_read("rep_movs", reps);
+}
+
+static int fuzz_rep_outs(
+ enum x86_segment src_seg,
+ unsigned long src_offset,
+ uint16_t dst_port,
+ unsigned int bytes_per_rep,
+ unsigned long *reps,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return _fuzz_rep_write("rep_outs", reps);
+}
+
+static int fuzz_rep_stos(
+ void *p_data,
+ enum x86_segment seg,
+ unsigned long offset,
+ unsigned int bytes_per_rep,
+ unsigned long *reps,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return _fuzz_rep_write("rep_stos", reps);
}
static int fuzz_write(
@@ -65,7 +201,7 @@ static int fuzz_write(
unsigned int bytes,
struct x86_emulate_ctxt *ctxt)
{
- return X86EMUL_OKAY;
+ return maybe_fail("write", true);
}
static int fuzz_cmpxchg(
@@ -76,18 +212,294 @@ static int fuzz_cmpxchg(
unsigned int bytes,
struct x86_emulate_ctxt *ctxt)
{
- return X86EMUL_OKAY;
+ return maybe_fail("cmpxchg", true);
+}
+
+static int fuzz_invlpg(
+ enum x86_segment seg,
+ unsigned long offset,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return maybe_fail("invlpg", false);
+}
+
+static int fuzz_wbinvd(
+ struct x86_emulate_ctxt *ctxt)
+{
+ return maybe_fail("wbinvd", true);
+}
+
+static int fuzz_write_io(
+ unsigned int port,
+ unsigned int bytes,
+ unsigned long val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return maybe_fail("write_io", true);
+}
+
+static int fuzz_cpuid(
+ uint32_t leaf,
+ uint32_t subleaf,
+ struct cpuid_leaf *res,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return emul_test_cpuid(leaf, subleaf, res, ctxt);
+}
+
+static int fuzz_read_segment(
+ enum x86_segment seg,
+ struct segment_register *reg,
+ struct x86_emulate_ctxt *ctxt)
+{
+ int rc;
+
+ if ( seg > SEG_NUM )
+ return X86EMUL_UNHANDLEABLE;
+
+ rc = maybe_fail("read_segment", true);
+
+ if ( rc == X86EMUL_OKAY )
+ memcpy(reg, input.segments+seg, sizeof(struct segment_register));
+
+ return rc;
+}
+
+static int fuzz_write_segment(
+ enum x86_segment seg,
+ const struct segment_register *reg,
+ struct x86_emulate_ctxt *ctxt)
+{
+ int rc;
+
+ if ( seg > SEG_NUM )
+ return X86EMUL_UNHANDLEABLE;
+
+ rc = maybe_fail("write_segment", true);
+
+ if ( rc == X86EMUL_OKAY )
+ memcpy(input.segments+seg, reg, sizeof(struct segment_register));
+
+ return rc;
+}
+
+static int fuzz_read_cr(
+ unsigned int reg,
+ unsigned long *val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ int rc;
+
+ if ( reg > ARRAY_SIZE(input.cr) )
+ return X86EMUL_UNHANDLEABLE;
+
+ rc = maybe_fail("read_cr", true);
+
+ if ( rc == X86EMUL_OKAY )
+ *val = input.cr[reg];
+
+ return rc;
+}
+
+static int fuzz_write_cr(
+ unsigned int reg,
+ unsigned long val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ int rc;
+
+ if ( reg > ARRAY_SIZE(input.cr) )
+ return X86EMUL_UNHANDLEABLE;
+
+ rc = maybe_fail("write_cr", true);
+
+ if ( rc == X86EMUL_OKAY )
+ input.cr[reg] = val;
+
+ return rc;
+}
+
+enum {
+ MSRI_IA32_SYSENTER_CS,
+ MSRI_IA32_SYSENTER_ESP,
+ MSRI_IA32_SYSENTER_EIP,
+ MSRI_EFER,
+ MSRI_STAR,
+ MSRI_LSTAR,
+ MSRI_CSTAR,
+ MSRI_SYSCALL_MASK
+};
+
+const static unsigned int msr_index[MSR_INDEX_MAX] = {
+ [MSRI_IA32_SYSENTER_CS] = MSR_IA32_SYSENTER_CS,
+ [MSRI_IA32_SYSENTER_ESP] = MSR_IA32_SYSENTER_ESP,
+ [MSRI_IA32_SYSENTER_EIP] = MSR_IA32_SYSENTER_EIP,
+ [MSRI_EFER] = MSR_EFER,
+ [MSRI_STAR] = MSR_STAR,
+ [MSRI_LSTAR] = MSR_LSTAR,
+ [MSRI_CSTAR] = MSR_CSTAR,
+ [MSRI_SYSCALL_MASK] = MSR_SYSCALL_MASK
+};
+
+static int _fuzz_read_msr(
+ unsigned int reg,
+ uint64_t *val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ unsigned int idx;
+
+ switch ( reg )
+ {
+ case MSR_TSC_AUX:
+ case MSR_IA32_TSC:
+ return data_read("read_msr", val, sizeof(*val));
+ case MSR_EFER:
+ *val = input.msr[MSRI_EFER];
+ *val &= ~EFER_LMA;
+ if ( (*val & EFER_LME) && (input.cr[4] & X86_CR4_PAE) &&
+ (input.cr[0] & X86_CR0_PG) )
+ {
+ printf("Setting EFER_LMA\n");
+ *val |= EFER_LMA;
+ }
+ return X86EMUL_OKAY;
+ }
+
+ for ( idx = 0; idx < MSR_INDEX_MAX; idx++ )
+ {
+ if ( msr_index[idx] == reg )
+ {
+ *val = input.msr[idx];
+ return X86EMUL_OKAY;
+ }
+ }
+
+ return X86EMUL_EXCEPTION;
+}
+
+static int fuzz_read_msr(
+ unsigned int reg,
+ uint64_t *val,
+ struct x86_emulate_ctxt *ctxt) {
+ int rc;
+
+ rc = maybe_fail("read_msr", true);
+ if ( rc != X86EMUL_OKAY )
+ return rc;
+ else
+ return _fuzz_read_msr(reg, val, ctxt);
+}
+
+static int fuzz_write_msr(
+ unsigned int reg,
+ uint64_t val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ unsigned int idx;
+ int rc;
+
+ rc = maybe_fail("write_ms", true);
+ if ( rc != X86EMUL_OKAY )
+ return rc;
+
+ switch ( reg )
+ {
+ case MSR_TSC_AUX:
+ case MSR_IA32_TSC:
+ return X86EMUL_OKAY;
+ }
+
+ for ( idx = 0; idx < MSR_INDEX_MAX; idx++ )
+ {
+ if ( msr_index[idx] == reg )
+ {
+ input.msr[idx] = val;
+ return X86EMUL_OKAY;
+ }
+ }
+
+ return X86EMUL_EXCEPTION;
}
+#define SET(h) .h = fuzz_##h
static struct x86_emulate_ops fuzz_emulops = {
- .read = fuzz_read,
- .insn_fetch = fuzz_fetch,
- .write = fuzz_write,
- .cmpxchg = fuzz_cmpxchg,
- .cpuid = emul_test_cpuid,
- .read_cr = emul_test_read_cr,
+ SET(read),
+ SET(insn_fetch),
+ SET(write),
+ SET(cmpxchg),
+ SET(rep_ins),
+ SET(rep_outs),
+ SET(rep_movs),
+ SET(rep_stos),
+ SET(read_segment),
+ SET(write_segment),
+ SET(read_io),
+ SET(write_io),
+ SET(read_cr),
+ SET(write_cr),
+ SET(read_msr),
+ SET(write_msr),
+ SET(wbinvd),
+ SET(cpuid),
+ SET(invlpg),
.get_fpu = emul_test_get_fpu,
};
+#undef SET
+
+static void setup_fpu_exception_handler(void)
+{
+ /* FIXME - just disable exceptions for now */
+ unsigned long a;
+
+ asm volatile ( "fnclex");
+ a=0x37f; /* FCW_DEFAULT in Xen */
+ asm volatile ( "fldcw %0" :: "m" (a));
+ a=0x1f80; /* MXCSR_DEFAULT in Xen */
+ asm volatile ( "ldmxcsr %0" :: "m" (a) );
+}
+
+static void dump_state(struct x86_emulate_ctxt *ctxt)
+{
+ struct cpu_user_regs *regs = ctxt->regs;
+ uint64_t val;
+
+ printf(" -- State -- \n");
+ printf("addr / sp size: %d / %d\n", ctxt->addr_size, ctxt->sp_size);
+ printf(" cr0: %lx\n", input.cr[0]);
+ printf(" cr3: %lx\n", input.cr[3]);
+ printf(" cr4: %lx\n", input.cr[4]);
+
+ printf(" rip: %"PRIx64"\n", regs->rip);
+
+ _fuzz_read_msr(MSR_EFER, &val, ctxt);
+ printf("EFER: %"PRIx64"\n", val);
+}
+
+static bool long_mode_active(struct x86_emulate_ctxt *ctxt)
+{
+ uint64_t val;
+
+ if ( _fuzz_read_msr(MSR_EFER, &val, ctxt) != X86EMUL_OKAY )
+ return false;
+
+ return val & EFER_LMA;
+}
+
+static bool in_longmode(struct x86_emulate_ctxt *ctxt)
+{
+ return long_mode_active(ctxt) && input.segments[x86_seg_cs].attr.fields.l;
+}
+
+static void set_sizes(struct x86_emulate_ctxt *ctxt)
+{
+ if ( in_longmode(ctxt) )
+ ctxt->addr_size = ctxt->sp_size = 64;
+ else
+ {
+ ctxt->addr_size = input.segments[x86_seg_cs].attr.fields.db ? 32 : 16;
+ ctxt->sp_size = input.segments[x86_seg_ss].attr.fields.db ? 32 : 16;
+ }
+}
#define CANONICALIZE(x) \
do { \
@@ -100,10 +512,150 @@ static struct x86_emulate_ops fuzz_emulops = {
(x) = _y; \
} while( 0 )
-#define ADDR_SIZE_SHIFT 60
-#define ADDR_SIZE_64 (2ULL << ADDR_SIZE_SHIFT)
-#define ADDR_SIZE_32 (1ULL << ADDR_SIZE_SHIFT)
-#define ADDR_SIZE_16 (0)
+/* Expects bitmap and regs to be defined */
+#define CANONICALIZE_MAYBE(reg) \
+ if ( !(bitmap & (1 << CANONICALIZE_##reg)) ) \
+ CANONICALIZE(regs->reg); \
+
+enum {
+ HOOK_read,
+ HOOK_insn_fetch,
+ HOOK_write,
+ HOOK_cmpxchg,
+ HOOK_rep_ins,
+ HOOK_rep_outs,
+ HOOK_rep_movs,
+ HOOK_rep_stos,
+ HOOK_read_segment,
+ HOOK_write_segment,
+ HOOK_read_io,
+ HOOK_write_io,
+ HOOK_read_cr,
+ HOOK_write_cr,
+ HOOK_read_dr,
+ HOOK_write_dr,
+ HOOK_read_msr,
+ HOOK_write_msr,
+ HOOK_wbinvd,
+ HOOK_cpuid,
+ HOOK_inject_hw_exception,
+ HOOK_inject_sw_interrupt,
+ HOOK_get_fpu,
+ HOOK_put_fpu,
+ HOOK_invlpg,
+ HOOK_vmfunc,
+ OPTION_swint_emulation, /* Two bits */
+ CANONICALIZE_rip = OPTION_swint_emulation + 2,
+ CANONICALIZE_rsp,
+ CANONICALIZE_rbp
+};
+
+/* Expects bitmap to be defined */
+#define MAYBE_DISABLE_HOOK(h) \
+ if ( bitmap & (1 << HOOK_##h) ) \
+ { \
+ fuzz_emulops.h = NULL; \
+ printf("Disabling hook "#h"\n"); \
+ }
+
+static void disable_hooks(void)
+{
+ unsigned long bitmap = input.options;
+
+ /* See also sanitize_input, some hooks can't be disabled. */
+ MAYBE_DISABLE_HOOK(read);
+ MAYBE_DISABLE_HOOK(insn_fetch);
+ MAYBE_DISABLE_HOOK(write);
+ MAYBE_DISABLE_HOOK(cmpxchg);
+ MAYBE_DISABLE_HOOK(rep_ins);
+ MAYBE_DISABLE_HOOK(rep_outs);
+ MAYBE_DISABLE_HOOK(rep_movs);
+ MAYBE_DISABLE_HOOK(rep_stos);
+ MAYBE_DISABLE_HOOK(read_segment);
+ MAYBE_DISABLE_HOOK(write_segment);
+ MAYBE_DISABLE_HOOK(read_io);
+ MAYBE_DISABLE_HOOK(write_io);
+ MAYBE_DISABLE_HOOK(read_cr);
+ MAYBE_DISABLE_HOOK(write_cr);
+ MAYBE_DISABLE_HOOK(read_msr);
+ MAYBE_DISABLE_HOOK(write_msr);
+ MAYBE_DISABLE_HOOK(wbinvd);
+ MAYBE_DISABLE_HOOK(cpuid);
+ MAYBE_DISABLE_HOOK(get_fpu);
+ MAYBE_DISABLE_HOOK(invlpg);
+}
+
+static void set_swint_support(struct x86_emulate_ctxt *ctxt)
+{
+ unsigned int swint_opt = (input.options >> OPTION_swint_emulation) & 3;
+
+ static const enum x86_swint_emulation map[4] = {
+ x86_swint_emulate_none,
+ x86_swint_emulate_none,
+ x86_swint_emulate_icebp,
+ x86_swint_emulate_all };
+
+ ctxt->swint_emulate = map[swint_opt];
+}
+
+/*
+ * Constrain input to architecturally-possible states where
+ * the emulator relies on these
+ *
+ * In general we want the emulator to be as absolutely robust as
+ * possible; which means that we want to minimize the number of things
+ * it assumes about the input state. Tesing this means minimizing and
+ * removing as much of the input constraints as possible.
+ *
+ * So we only add constraints that (in general) have been proven to
+ * cause crashes in the emulator.
+ *
+ * For future reference: other constraints which might be necessary at
+ * some point:
+ *
+ * - EFER.LMA => !EFLAGS.NT
+ * - In VM86 mode (and real mode?), force segment...
+ * - ...access rights to 0xf3
+ * - ...limits to 0xffff
+ * - ...bases to below 1Mb, 16-byte aligned
+ * - ...selectors to (base >> 4)
+ */
+void sanitize_input(struct x86_emulate_ctxt *ctxt) {
+ struct cpu_user_regs *regs = &input.regs;
+ unsigned long bitmap = input.options;
+
+ /* Some hooks can't be disabled. */
+ input.options &= ~((1<<HOOK_read)|(1<<HOOK_insn_fetch));
+
+ /* Zero 'private' entries */
+ regs->error_code = 0;
+ regs->entry_vector = 0;
+
+ CANONICALIZE_MAYBE(rip);
+ CANONICALIZE_MAYBE(rsp);
+ CANONICALIZE_MAYBE(rbp);
+
+ /*
+ * CR0.PG can't be set if CR0.PE isn't set. Set is more interesting, so
+ * set PE if PG is set.
+ */
+ if ( input.cr[0] & X86_CR0_PG )
+ input.cr[0] |= X86_CR0_PE;
+
+ /*
+ * EFLAGS.VM not available in long mode
+ */
+ if ( long_mode_active(ctxt) )
+ regs->rflags &= ~X86_EFLAGS_VM;
+
+ /*
+ * EFLAGS.VM implies 16-bit mode
+ */
+ if ( regs->rflags & X86_EFLAGS_VM ) {
+ input.segments[x86_seg_cs].attr.fields.db = 0;
+ input.segments[x86_seg_ss].attr.fields.db = 0;
+ }
+}
int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
{
@@ -114,10 +666,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
.addr_size = 8 * sizeof(void *),
.sp_size = 8 * sizeof(void *),
};
- unsigned int nr = 0;
int rc;
- unsigned int x;
- const uint8_t *p = data_p;
stack_exec = emul_test_make_stack_executable();
if ( !stack_exec )
@@ -127,52 +676,39 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
}
/* Reset all global state variables */
- memset(data, 0, sizeof(data));
+ memset(&input, 0, sizeof(input));
data_index = 0;
- data_max = 0;
-
- nr = size < sizeof(regs) ? size : sizeof(regs);
+ data_num = 0;
- memcpy(®s, p, nr);
- p += sizeof(regs);
+ if ( size <= DATA_OFFSET )
+ {
+ printf("Input too small\n");
+ return 1;
+ }
- if ( nr < size )
+ if ( size > sizeof(input) )
{
- memcpy(data, p, size - nr);
- data_max = size - nr;
+ printf("Input too large\n");
+ return 1;
}
- ctxt.force_writeback = false;
+ memcpy(&input, data_p, size);
- /* Zero 'private' fields */
- regs.error_code = 0;
- regs.entry_vector = 0;
+ data_num = size - DATA_OFFSET;
- /* Use the upper bits of regs.eip to determine addr_size */
- x = (regs.rip >> ADDR_SIZE_SHIFT) & 0x3;
- if ( x == 3 )
- x = 2;
- ctxt.addr_size = 16 << x;
- printf("addr_size: %d\n", ctxt.addr_size);
+ sanitize_input(&ctxt);
- /* Use the upper bit of regs.rsp to determine sp_size (if appropriate) */
- if ( ctxt.addr_size == 64 )
- ctxt.sp_size = 64;
- else
- {
- /* If addr_size isn't 64-bits, sp_size can only be 16 or 32 bits */
- x = (regs.rsp >> ADDR_SIZE_SHIFT) & 0x1;
- ctxt.sp_size = 16 << x;
- }
- printf("sp_size: %d\n", ctxt.sp_size);
- CANONICALIZE(regs.rip);
- CANONICALIZE(regs.rsp);
- CANONICALIZE(regs.rbp);
+ disable_hooks();
- /* Zero all segments for now */
- regs.cs = regs.ss = regs.es = regs.ds = regs.fs = regs.gs = 0;
+ set_swint_support(&ctxt);
do {
+ /* FIXME: Until we actually implement SIGFPE handling properly */
+ setup_fpu_exception_handler();
+
+ set_sizes(&ctxt);
+ dump_state(&ctxt);
+
rc = x86_emulate(&ctxt, &fuzz_emulops);
printf("Emulation result: %d\n", rc);
} while ( rc == X86EMUL_OKAY );
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 11/12] fuzz/x86emul: print out minimal input size
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
` (9 preceding siblings ...)
2017-01-31 11:08 ` [PATCH v2 10/12] fuzz/x86emul: update fuzzer Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 13:33 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 12/12] fuzz: update README.afl example Wei Liu
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel; +Cc: George Dunlap, Ian Jackson, Wei Liu, Jan Beulich, Andrew Cooper
... so that users can know how big the initial input should be.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
---
.../fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c | 8 ++++++++
tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c | 5 +++++
2 files changed, 13 insertions(+)
diff --git a/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
index 494c23ba2e..16edbd6bab 100644
--- a/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
@@ -2,8 +2,10 @@
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
extern int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size);
+extern unsigned int fuzz_minimal_input_size(void);
#define INPUT_SIZE 4096
static uint8_t input[INPUT_SIZE];
@@ -21,6 +23,12 @@ int main(int argc, char **argv)
exit(-1);
}
+ if ( !strcmp(argv[1], "--min-input-size") )
+ {
+ printf("%u\n", fuzz_minimal_input_size());
+ exit(0);
+ }
+
fp = fopen(argv[1], "rb");
if ( fp == NULL )
{
diff --git a/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
index ef223e856d..40c5ea1c1b 100644
--- a/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
+++ b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
@@ -716,6 +716,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
return 0;
}
+unsigned int fuzz_minimal_input_size(void)
+{
+ return DATA_OFFSET + 1;
+}
+
/*
* Local variables:
* mode: C
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* [PATCH v2 12/12] fuzz: update README.afl example
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
` (10 preceding siblings ...)
2017-01-31 11:08 ` [PATCH v2 11/12] fuzz/x86emul: print out minimal input size Wei Liu
@ 2017-01-31 11:08 ` Wei Liu
2017-01-31 13:34 ` Jan Beulich
11 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 11:08 UTC (permalink / raw)
To: Xen-devel; +Cc: George Dunlap, Ian Jackson, Wei Liu, Jan Beulich, Andrew Cooper
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
---
tools/fuzz/README.afl | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
index 431b4a8cbf..68e0fa396f 100644
--- a/tools/fuzz/README.afl
+++ b/tools/fuzz/README.afl
@@ -20,9 +20,10 @@ Use the x86 instruction emulator fuzzer as an example.
$ make distclean
$ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
-3. provide initial test case:
+3. provide initial test case (fuzzer dependent, see afl-*.c):
$ mkdir testcase_dir
- $ echo -n -e '\xc3' > testcase_dir/ret.bin
+ $ dd if=/dev/urandom of=testcase_dir/rand.bin \
+ bs=`./afl-x86-insn-emulator-fuzzer --min-input-size` count=1
4. run the fuzzer with AFL:
$ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 37+ messages in thread
* Re: [PATCH v2 09/12] x86emul: use TRAP definitions in x86-defns.h
2017-01-31 11:08 ` [PATCH v2 09/12] x86emul: use TRAP " Wei Liu
@ 2017-01-31 11:26 ` Andrew Cooper
0 siblings, 0 replies; 37+ messages in thread
From: Andrew Cooper @ 2017-01-31 11:26 UTC (permalink / raw)
To: Wei Liu, Xen-devel; +Cc: Jan Beulich
On 31/01/17 11:08, Wei Liu wrote:
> And remove duplicates.
>
> No functional change.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> ---
> Cc: Jan Beulich <jbeulich@suse.com>
> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
> ---
> xen/arch/x86/x86_emulate/x86_emulate.c | 305 +++++++++++++++------------------
> 1 file changed, 142 insertions(+), 163 deletions(-)
>
> diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
> index d09b861622..ac86de7b5f 100644
> --- a/xen/arch/x86/x86_emulate/x86_emulate.c
> +++ b/xen/arch/x86/x86_emulate/x86_emulate.c
> @@ -421,27 +421,6 @@ typedef union {
> /* MXCSR bit definitions. */
> #define MXCSR_MM (1U << 17)
>
> -/* Exception definitions. */
> -#define EXC_DE 0
> -#define EXC_DB 1
> -#define EXC_BP 3
> -#define EXC_OF 4
> -#define EXC_BR 5
> -#define EXC_UD 6
> -#define EXC_NM 7
> -#define EXC_DF 8
> -#define EXC_TS 10
> -#define EXC_NP 11
> -#define EXC_SS 12
> -#define EXC_GP 13
> -#define EXC_PF 14
> -#define EXC_MF 16
> -#define EXC_AC 17
> -#define EXC_XM 19
> -
> -#define EXC_HAS_EC \
> - ((1u << EXC_DF) | (1u << EXC_TS) | (1u << EXC_NP) | \
> - (1u << EXC_SS) | (1u << EXC_GP) | (1u << EXC_PF) | (1u << EXC_AC))
Most of the changes are fine, but this one I was planning to do the
other way round. X86_EXC_xx is a more concise representation, more
accurately named (i.e. without 'trap') and matches the terminology used
in the Intel and AMD manuals.
IMO it would be fine to have duplicate names in x86-defs.h for a
transition period.
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 01/12] fuzz: don't buffer stdout in afl stubs
2017-01-31 11:07 ` [PATCH v2 01/12] fuzz: don't buffer stdout in afl stubs Wei Liu
@ 2017-01-31 12:44 ` Jan Beulich
0 siblings, 0 replies; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 12:44 UTC (permalink / raw)
To: Wei Liu; +Cc: George Dunlap, Andrew Cooper, Ian Jackson, Xen-devel
>>> On 31.01.17 at 12:07, <wei.liu2@citrix.com> wrote:
> ... to avoid obscuring output.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 02/12] x86: extract macros to x86-defns.h
2017-01-31 11:07 ` [PATCH v2 02/12] x86: extract macros to x86-defns.h Wei Liu
@ 2017-01-31 12:45 ` Jan Beulich
2017-01-31 13:28 ` Wei Liu
0 siblings, 1 reply; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 12:45 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 31.01.17 at 12:07, <wei.liu2@citrix.com> wrote:
> +/*
> + * Trap/fault mnemonics.
> + */
> +#define TRAP_divide_error 0
> +#define TRAP_debug 1
> +#define TRAP_nmi 2
> +#define TRAP_int3 3
> +#define TRAP_overflow 4
> +#define TRAP_bounds 5
> +#define TRAP_invalid_op 6
> +#define TRAP_no_device 7
> +#define TRAP_double_fault 8
> +#define TRAP_copro_seg 9
> +#define TRAP_invalid_tss 10
> +#define TRAP_no_segment 11
> +#define TRAP_stack_error 12
> +#define TRAP_gp_fault 13
> +#define TRAP_page_fault 14
> +#define TRAP_spurious_int 15
> +#define TRAP_copro_error 16
> +#define TRAP_alignment_check 17
> +#define TRAP_machine_check 18
> +#define TRAP_simd_error 19
> +#define TRAP_virtualisation 20
> +#define TRAP_nr 32
> +
> +#define TRAP_HAVE_EC \
> + ((1u << TRAP_double_fault) | (1u << TRAP_invalid_tss) | \
> + (1u << TRAP_no_segment) | (1u << TRAP_stack_error) | \
> + (1u << TRAP_gp_fault) | (1u << TRAP_page_fault) | \
> + (1u << TRAP_alignment_check))
I agree with Andrew's reply to another patch: These shouldn't be
moved here, and we should transition over to X86_EXC_*.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 03/12] x86: extract vendor numeric id to x86-vendors.h
2017-01-31 11:08 ` [PATCH v2 03/12] x86: extract vendor numeric id to x86-vendors.h Wei Liu
@ 2017-01-31 12:48 ` Jan Beulich
0 siblings, 0 replies; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 12:48 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> They will be shared between xen and userspace programs.
Please clarify here that this is not strictly necessary, but rather just
a convenience / reduction of overall code size. Otherwise someone
looking back in a couple of years may wonder where the hidden
dependency is for values to be identical between hypervisor and
user space testing code.
> No functional change.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
With the above clarification in place,
Acked-by: Jan Beulich <jbeulich@suse.com>
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 04/12] x86emul/test: use x86-vendors.h
2017-01-31 11:08 ` [PATCH v2 04/12] x86emul/test: use x86-vendors.h Wei Liu
@ 2017-01-31 12:50 ` Jan Beulich
2017-01-31 14:36 ` Wei Liu
0 siblings, 1 reply; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 12:50 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> --- a/tools/tests/x86_emulator/x86_emulate.h
> +++ b/tools/tests/x86_emulator/x86_emulate.h
> @@ -6,6 +6,8 @@
> #include <string.h>
> #include <xen/xen.h>
>
> +#include "../../../xen/include/asm-x86/x86-vendors.h"
I think we'd better avoid includes of this style. May I suggest
symlinking the needed headers, just like we already do with the
x86_emulate/x86_emulate[ch] files (perhaps to an include/
subdirectory in the build tree)?
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 05/12] x86emul: use eflags definitions in x86-defns.h
2017-01-31 11:08 ` [PATCH v2 05/12] x86emul: use eflags definitions in x86-defns.h Wei Liu
@ 2017-01-31 12:56 ` Jan Beulich
2017-01-31 14:55 ` Wei Liu
0 siblings, 1 reply; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 12:56 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> @@ -5016,20 +5004,20 @@ x86_emulate(
>
> /*
> * SYSCALL (unlike most instructions) evaluates its singlestep action
> - * based on the resulting EFLG_TF, not the starting EFLG_TF.
> + * based on the resulting X86_EFLAGS_TF, not the starting X86_EFLAGS_TF.
> *
> * As the #DB is raised after the CPL change and before the OS can
> * switch stack, it is a large risk for privilege escalation.
> *
> - * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
> + * 64bit kernels should mask X86_EFLAGS_TF in MSR_FMASK to avoid any
> * vulnerability. Running the #DB handler on an IST stack is also a
> * mitigation.
> *
> - * 32bit kernels have no ability to mask EFLG_TF at all. Their only
> - * mitigation is to use a task gate for handling #DB (or to not use
> - * enable EFER.SCE to start with).
> + * 32bit kernels have no ability to mask X86_EFLAGS_TF at all.
> + * Their only mitigation is to use a task gate for handling
> + * #DB (or to not use enable EFER.SCE to start with).
Please use EFLAGS.TF instead here, matching e.g. EFER.SCE.
With this taken care of and the #include style matching whatever
is chosen as the final model in the earlier patch,
Reviewed-by: Jan Beulich <jbeulich@suse.com>
However, I'd appreciate if you took the opportunity to add blanks
around binary operators as mandated by our coding style, on the
lines that you touch anyway.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 06/12] x86emul: use msr definitions in msr-index.h
2017-01-31 11:08 ` [PATCH v2 06/12] x86emul: use msr definitions in msr-index.h Wei Liu
@ 2017-01-31 12:59 ` Jan Beulich
0 siblings, 0 replies; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 12:59 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> Change the names used in code according to numeric values. Remove the
> now unused macros in x86_emualte.c and fix indentation. This in turns
> requires including msr-index.h and removing duplicates in userspace
> x86_emulate.c in userspace harness program.
>
> No functional change.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Again with the #include style suitably adjusted
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 07/12] x86: add UMIP CR4 bit
2017-01-31 11:08 ` [PATCH v2 07/12] x86: add UMIP CR4 bit Wei Liu
@ 2017-01-31 13:00 ` Jan Beulich
0 siblings, 0 replies; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 13:00 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> It will be used later to remove duplicates in x86emul.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 08/12] x86emul: use CR definitions in x86-defns.h
2017-01-31 11:08 ` [PATCH v2 08/12] x86emul: use CR definitions in x86-defns.h Wei Liu
@ 2017-01-31 13:01 ` Jan Beulich
0 siblings, 0 replies; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 13:01 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> And remove the duplicates.
>
> No functional change.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 02/12] x86: extract macros to x86-defns.h
2017-01-31 12:45 ` Jan Beulich
@ 2017-01-31 13:28 ` Wei Liu
0 siblings, 0 replies; 37+ messages in thread
From: Wei Liu @ 2017-01-31 13:28 UTC (permalink / raw)
To: Jan Beulich; +Cc: AndrewCooper, Wei Liu, Xen-devel
On Tue, Jan 31, 2017 at 05:45:59AM -0700, Jan Beulich wrote:
> >>> On 31.01.17 at 12:07, <wei.liu2@citrix.com> wrote:
> > +/*
> > + * Trap/fault mnemonics.
> > + */
> > +#define TRAP_divide_error 0
> > +#define TRAP_debug 1
> > +#define TRAP_nmi 2
> > +#define TRAP_int3 3
> > +#define TRAP_overflow 4
> > +#define TRAP_bounds 5
> > +#define TRAP_invalid_op 6
> > +#define TRAP_no_device 7
> > +#define TRAP_double_fault 8
> > +#define TRAP_copro_seg 9
> > +#define TRAP_invalid_tss 10
> > +#define TRAP_no_segment 11
> > +#define TRAP_stack_error 12
> > +#define TRAP_gp_fault 13
> > +#define TRAP_page_fault 14
> > +#define TRAP_spurious_int 15
> > +#define TRAP_copro_error 16
> > +#define TRAP_alignment_check 17
> > +#define TRAP_machine_check 18
> > +#define TRAP_simd_error 19
> > +#define TRAP_virtualisation 20
> > +#define TRAP_nr 32
> > +
> > +#define TRAP_HAVE_EC \
> > + ((1u << TRAP_double_fault) | (1u << TRAP_invalid_tss) | \
> > + (1u << TRAP_no_segment) | (1u << TRAP_stack_error) | \
> > + (1u << TRAP_gp_fault) | (1u << TRAP_page_fault) | \
> > + (1u << TRAP_alignment_check))
>
> I agree with Andrew's reply to another patch: These shouldn't be
> moved here, and we should transition over to X86_EXC_*.
>
OK. I have no problem dropping this hunk and the patch that replaces
EXC_ with TRAP_. I will leave that to Andrew.
Wei.
> Jan
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 10/12] fuzz/x86emul: update fuzzer
2017-01-31 11:08 ` [PATCH v2 10/12] fuzz/x86emul: update fuzzer Wei Liu
@ 2017-01-31 13:33 ` Jan Beulich
2017-01-31 15:51 ` Wei Liu
0 siblings, 1 reply; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 13:33 UTC (permalink / raw)
To: Wei Liu; +Cc: George Dunlap, Andrew Cooper, Ian Jackson, George Dunlap,
Xen-devel
>>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> @@ -16,26 +17,79 @@
>
> #include "x86_emulate.h"
>
> -static unsigned char data[4096];
> +#include "../../../xen/include/asm-x86/msr-index.h"
> +
> +#define MSR_INDEX_MAX 16
> +
> +#define SEG_NUM x86_seg_none
> +
> +struct input_struct {
> + unsigned long cr[5];
> + uint64_t msr[MSR_INDEX_MAX];
> + struct cpu_user_regs regs;
> + struct segment_register segments[SEG_NUM];
> + unsigned long options;
> + unsigned char data[4096];
> +} input;
> +#define DATA_OFFSET offsetof(struct input_struct, data)
> static unsigned int data_index;
> -static unsigned int data_max;
> +static unsigned int data_num;
> +
> +/* Randomly return success or failure when processing data. If
> + * `exception` is false, this function turns _EXCEPTION to _OKAY.
> + */
I'm not sure what coding style is to apply here, but if I consider this
an extension to the insn emulator harness, which in turn is covered
by hypervisor style, then the comment here needs /* to go on a
separate line.
> +int maybe_fail(const char *why, bool exception)
> +{
> + int rc;
> +
> + if ( data_index + 1 > data_num )
"data_index >= data_num" would be the more conventional way
to express this.
> +static int _fuzz_rep_read(const char *why, unsigned long *reps)
> +{
> + int rc;
> + unsigned long bytes_read = 0;
> +
> + rc = data_read(why, &bytes_read, sizeof(bytes_read));
> +
> + if ( bytes_read < *reps )
> + *reps -= bytes_read;
I don't understand this: In the success case, *reps upon return
indicates the number of iterations done, not the number of
iterations left. So at least the variable naming deserves
improvement.
> + /* Indicate we haven't done any work if emulation has failed */
> + if ( rc != X86EMUL_OKAY )
> + *reps = 0;
That'll result in some code paths never taken. I'd suggest clearing
to zero only in the UNHANDLEABLE case, and simply halving the
amount for EXCEPTION or RETRY (granted the latter can't occur
right now), or even using input data too for determining the new
value.
> +static int fuzz_rep_ins(
> + uint16_t src_port,
> + enum x86_segment dst_seg,
> + unsigned long dst_offset,
> + unsigned int bytes_per_rep,
> + unsigned long *reps,
> + struct x86_emulate_ctxt *ctxt)
> +{
> + return _fuzz_rep_read("rep_in", reps);
"rep_ins"
> +static int fuzz_cpuid(
> + uint32_t leaf,
> + uint32_t subleaf,
> + struct cpuid_leaf *res,
> + struct x86_emulate_ctxt *ctxt)
> +{
> + return emul_test_cpuid(leaf, subleaf, res, ctxt);
> +}
I don't think you need this wrapper anymore. For the purpose of
SET() below a simple #define will do.
> +static int fuzz_read_segment(
> + enum x86_segment seg,
> + struct segment_register *reg,
> + struct x86_emulate_ctxt *ctxt)
> +{
> + int rc;
> +
> + if ( seg > SEG_NUM )
> + return X86EMUL_UNHANDLEABLE;
As said before - this wants to be >= (even more so with
input.segments only having SEG_NUM elements).
> + rc = maybe_fail("read_segment", true);
> +
> + if ( rc == X86EMUL_OKAY )
> + memcpy(reg, input.segments+seg, sizeof(struct segment_register));
Please prefer (type safe) structure assignment.
> +static int fuzz_read_cr(
> + unsigned int reg,
> + unsigned long *val,
> + struct x86_emulate_ctxt *ctxt)
> +{
> + int rc;
> +
> + if ( reg > ARRAY_SIZE(input.cr) )
> + return X86EMUL_UNHANDLEABLE;
>= again.
> +enum {
> + MSRI_IA32_SYSENTER_CS,
> + MSRI_IA32_SYSENTER_ESP,
> + MSRI_IA32_SYSENTER_EIP,
> + MSRI_EFER,
> + MSRI_STAR,
> + MSRI_LSTAR,
> + MSRI_CSTAR,
> + MSRI_SYSCALL_MASK
> +};
> +
> +const static unsigned int msr_index[MSR_INDEX_MAX] = {
Conventionally static comes first (as not being part of the type).
> +static int fuzz_read_msr(
> + unsigned int reg,
> + uint64_t *val,
> + struct x86_emulate_ctxt *ctxt) {
> + int rc;
> +
> + rc = maybe_fail("read_msr", true);
> + if ( rc != X86EMUL_OKAY )
> + return rc;
> + else
No need for "else".
> +static void setup_fpu_exception_handler(void)
> +{
> + /* FIXME - just disable exceptions for now */
> + unsigned long a;
> +
> + asm volatile ( "fnclex");
> + a=0x37f; /* FCW_DEFAULT in Xen */
> + asm volatile ( "fldcw %0" :: "m" (a));
> + a=0x1f80; /* MXCSR_DEFAULT in Xen */
> + asm volatile ( "ldmxcsr %0" :: "m" (a) );
> +}
While I see that the FCW value has changed, the strange local
variable is still there. If you really want to keep it, please at least
add the missing spaces around the = signs. But I'd prefer
asm volatile ( "fldcw %0" :: "m" (0x37f /* FCW_DEFAULT in Xen */));
asm volatile ( "ldmxcsr %0" :: "m" (0x1f80 /* MXCSR_DEFAULT in Xen */) );
And then - doesn't the ABI require these settings to be in effect
upon program startup anyway?
> +/*
> + * Constrain input to architecturally-possible states where
> + * the emulator relies on these
> + *
> + * In general we want the emulator to be as absolutely robust as
> + * possible; which means that we want to minimize the number of things
> + * it assumes about the input state. Tesing this means minimizing and
> + * removing as much of the input constraints as possible.
> + *
> + * So we only add constraints that (in general) have been proven to
> + * cause crashes in the emulator.
> + *
> + * For future reference: other constraints which might be necessary at
> + * some point:
> + *
> + * - EFER.LMA => !EFLAGS.NT
> + * - In VM86 mode (and real mode?), force segment...
As asked for before - please drop the mentioning of real mode here.
> +void sanitize_input(struct x86_emulate_ctxt *ctxt) {
> + struct cpu_user_regs *regs = &input.regs;
> + unsigned long bitmap = input.options;
> +
> + /* Some hooks can't be disabled. */
> + input.options &= ~((1<<HOOK_read)|(1<<HOOK_insn_fetch));
> +
> + /* Zero 'private' entries */
> + regs->error_code = 0;
> + regs->entry_vector = 0;
> +
> + CANONICALIZE_MAYBE(rip);
> + CANONICALIZE_MAYBE(rsp);
> + CANONICALIZE_MAYBE(rbp);
> +
> + /*
> + * CR0.PG can't be set if CR0.PE isn't set. Set is more interesting, so
> + * set PE if PG is set.
> + */
> + if ( input.cr[0] & X86_CR0_PG )
> + input.cr[0] |= X86_CR0_PE;
> +
> + /*
> + * EFLAGS.VM not available in long mode
> + */
> + if ( long_mode_active(ctxt) )
> + regs->rflags &= ~X86_EFLAGS_VM;
> +
> + /*
> + * EFLAGS.VM implies 16-bit mode
> + */
Both of these are single line comments.
> do {
> + /* FIXME: Until we actually implement SIGFPE handling properly */
> + setup_fpu_exception_handler();
I don't think the comment is appropriate here - all that needs fixing is
the body of that function (which iirc already has a respective comment).
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 11/12] fuzz/x86emul: print out minimal input size
2017-01-31 11:08 ` [PATCH v2 11/12] fuzz/x86emul: print out minimal input size Wei Liu
@ 2017-01-31 13:33 ` Jan Beulich
0 siblings, 0 replies; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 13:33 UTC (permalink / raw)
To: Wei Liu; +Cc: George Dunlap, Andrew Cooper, Ian Jackson, Xen-devel
>>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> ... so that users can know how big the initial input should be.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 12/12] fuzz: update README.afl example
2017-01-31 11:08 ` [PATCH v2 12/12] fuzz: update README.afl example Wei Liu
@ 2017-01-31 13:34 ` Jan Beulich
0 siblings, 0 replies; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 13:34 UTC (permalink / raw)
To: Wei Liu; +Cc: George Dunlap, Andrew Cooper, Ian Jackson, Xen-devel
>>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 04/12] x86emul/test: use x86-vendors.h
2017-01-31 12:50 ` Jan Beulich
@ 2017-01-31 14:36 ` Wei Liu
2017-01-31 15:16 ` Jan Beulich
0 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 14:36 UTC (permalink / raw)
To: Jan Beulich; +Cc: AndrewCooper, Wei Liu, Xen-devel
On Tue, Jan 31, 2017 at 05:50:09AM -0700, Jan Beulich wrote:
> >>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> > --- a/tools/tests/x86_emulator/x86_emulate.h
> > +++ b/tools/tests/x86_emulator/x86_emulate.h
> > @@ -6,6 +6,8 @@
> > #include <string.h>
> > #include <xen/xen.h>
> >
> > +#include "../../../xen/include/asm-x86/x86-vendors.h"
>
> I think we'd better avoid includes of this style. May I suggest
> symlinking the needed headers, just like we already do with the
> x86_emulate/x86_emulate[ch] files (perhaps to an include/
> subdirectory in the build tree)?
>
I will just link this (and later headers) to tools/tests/x86_emulator --
using a dedicated directory is not strictly necessary.
Wei.
> Jan
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 05/12] x86emul: use eflags definitions in x86-defns.h
2017-01-31 12:56 ` Jan Beulich
@ 2017-01-31 14:55 ` Wei Liu
2017-01-31 15:16 ` Jan Beulich
0 siblings, 1 reply; 37+ messages in thread
From: Wei Liu @ 2017-01-31 14:55 UTC (permalink / raw)
To: Jan Beulich; +Cc: AndrewCooper, Wei Liu, Xen-devel
On Tue, Jan 31, 2017 at 05:56:38AM -0700, Jan Beulich wrote:
> >>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> > @@ -5016,20 +5004,20 @@ x86_emulate(
> >
> > /*
> > * SYSCALL (unlike most instructions) evaluates its singlestep action
> > - * based on the resulting EFLG_TF, not the starting EFLG_TF.
> > + * based on the resulting X86_EFLAGS_TF, not the starting X86_EFLAGS_TF.
> > *
> > * As the #DB is raised after the CPL change and before the OS can
> > * switch stack, it is a large risk for privilege escalation.
> > *
> > - * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
> > + * 64bit kernels should mask X86_EFLAGS_TF in MSR_FMASK to avoid any
> > * vulnerability. Running the #DB handler on an IST stack is also a
> > * mitigation.
> > *
> > - * 32bit kernels have no ability to mask EFLG_TF at all. Their only
> > - * mitigation is to use a task gate for handling #DB (or to not use
> > - * enable EFER.SCE to start with).
> > + * 32bit kernels have no ability to mask X86_EFLAGS_TF at all.
> > + * Their only mitigation is to use a task gate for handling
> > + * #DB (or to not use enable EFER.SCE to start with).
>
> Please use EFLAGS.TF instead here, matching e.g. EFER.SCE.
>
Fixed.
> With this taken care of and the #include style matching whatever
> is chosen as the final model in the earlier patch,
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
> However, I'd appreciate if you took the opportunity to add blanks
> around binary operators as mandated by our coding style, on the
> lines that you touch anyway.
>
The only place I can think of is the bitwise or '|', I will add blanks
around that.
Wei.
> Jan
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 04/12] x86emul/test: use x86-vendors.h
2017-01-31 14:36 ` Wei Liu
@ 2017-01-31 15:16 ` Jan Beulich
2017-01-31 15:16 ` Wei Liu
0 siblings, 1 reply; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 15:16 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 31.01.17 at 15:36, <wei.liu2@citrix.com> wrote:
> On Tue, Jan 31, 2017 at 05:50:09AM -0700, Jan Beulich wrote:
>> >>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
>> > --- a/tools/tests/x86_emulator/x86_emulate.h
>> > +++ b/tools/tests/x86_emulator/x86_emulate.h
>> > @@ -6,6 +6,8 @@
>> > #include <string.h>
>> > #include <xen/xen.h>
>> >
>> > +#include "../../../xen/include/asm-x86/x86-vendors.h"
>>
>> I think we'd better avoid includes of this style. May I suggest
>> symlinking the needed headers, just like we already do with the
>> x86_emulate/x86_emulate[ch] files (perhaps to an include/
>> subdirectory in the build tree)?
>
> I will just link this (and later headers) to tools/tests/x86_emulator --
> using a dedicated directory is not strictly necessary.
Hmm, for consistency with hypervisor #include directives, linking
to asm/ (and adding -I. to CFLAGS) might be a good idea.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 04/12] x86emul/test: use x86-vendors.h
2017-01-31 15:16 ` Jan Beulich
@ 2017-01-31 15:16 ` Wei Liu
0 siblings, 0 replies; 37+ messages in thread
From: Wei Liu @ 2017-01-31 15:16 UTC (permalink / raw)
To: Jan Beulich; +Cc: AndrewCooper, Wei Liu, Xen-devel
On Tue, Jan 31, 2017 at 08:16:00AM -0700, Jan Beulich wrote:
> >>> On 31.01.17 at 15:36, <wei.liu2@citrix.com> wrote:
> > On Tue, Jan 31, 2017 at 05:50:09AM -0700, Jan Beulich wrote:
> >> >>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> >> > --- a/tools/tests/x86_emulator/x86_emulate.h
> >> > +++ b/tools/tests/x86_emulator/x86_emulate.h
> >> > @@ -6,6 +6,8 @@
> >> > #include <string.h>
> >> > #include <xen/xen.h>
> >> >
> >> > +#include "../../../xen/include/asm-x86/x86-vendors.h"
> >>
> >> I think we'd better avoid includes of this style. May I suggest
> >> symlinking the needed headers, just like we already do with the
> >> x86_emulate/x86_emulate[ch] files (perhaps to an include/
> >> subdirectory in the build tree)?
> >
> > I will just link this (and later headers) to tools/tests/x86_emulator --
> > using a dedicated directory is not strictly necessary.
>
> Hmm, for consistency with hypervisor #include directives, linking
> to asm/ (and adding -I. to CFLAGS) might be a good idea.
>
Sure, I don't feel strongly about this.
Wei.
> Jan
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 05/12] x86emul: use eflags definitions in x86-defns.h
2017-01-31 14:55 ` Wei Liu
@ 2017-01-31 15:16 ` Jan Beulich
0 siblings, 0 replies; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 15:16 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 31.01.17 at 15:55, <wei.liu2@citrix.com> wrote:
> On Tue, Jan 31, 2017 at 05:56:38AM -0700, Jan Beulich wrote:
>> With this taken care of and the #include style matching whatever
>> is chosen as the final model in the earlier patch,
>> Reviewed-by: Jan Beulich <jbeulich@suse.com>
>> However, I'd appreciate if you took the opportunity to add blanks
>> around binary operators as mandated by our coding style, on the
>> lines that you touch anyway.
>
> The only place I can think of is the bitwise or '|', I will add blanks
> around that.
Right, I too think I didn't seen other instances.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 10/12] fuzz/x86emul: update fuzzer
2017-01-31 13:33 ` Jan Beulich
@ 2017-01-31 15:51 ` Wei Liu
2017-01-31 15:57 ` Andrew Cooper
2017-01-31 16:02 ` Jan Beulich
0 siblings, 2 replies; 37+ messages in thread
From: Wei Liu @ 2017-01-31 15:51 UTC (permalink / raw)
To: Jan Beulich
Cc: Wei Liu, George Dunlap, Andrew Cooper, Ian Jackson, George Dunlap,
Xen-devel
On Tue, Jan 31, 2017 at 06:33:11AM -0700, Jan Beulich wrote:
> >>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> > @@ -16,26 +17,79 @@
> >
> > #include "x86_emulate.h"
> >
> > -static unsigned char data[4096];
> > +#include "../../../xen/include/asm-x86/msr-index.h"
> > +
> > +#define MSR_INDEX_MAX 16
> > +
> > +#define SEG_NUM x86_seg_none
> > +
> > +struct input_struct {
> > + unsigned long cr[5];
> > + uint64_t msr[MSR_INDEX_MAX];
> > + struct cpu_user_regs regs;
> > + struct segment_register segments[SEG_NUM];
> > + unsigned long options;
> > + unsigned char data[4096];
> > +} input;
> > +#define DATA_OFFSET offsetof(struct input_struct, data)
> > static unsigned int data_index;
> > -static unsigned int data_max;
> > +static unsigned int data_num;
> > +
> > +/* Randomly return success or failure when processing data. If
> > + * `exception` is false, this function turns _EXCEPTION to _OKAY.
> > + */
>
> I'm not sure what coding style is to apply here, but if I consider this
> an extension to the insn emulator harness, which in turn is covered
> by hypervisor style, then the comment here needs /* to go on a
> separate line.
>
Fixed.
> > +int maybe_fail(const char *why, bool exception)
> > +{
> > + int rc;
> > +
> > + if ( data_index + 1 > data_num )
>
> "data_index >= data_num" would be the more conventional way
> to express this.
>
Fixed.
> > +static int _fuzz_rep_read(const char *why, unsigned long *reps)
> > +{
> > + int rc;
> > + unsigned long bytes_read = 0;
> > +
> > + rc = data_read(why, &bytes_read, sizeof(bytes_read));
> > +
> > + if ( bytes_read < *reps )
> > + *reps -= bytes_read;
>
> I don't understand this: In the success case, *reps upon return
> indicates the number of iterations done, not the number of
> iterations left. So at least the variable naming deserves
> improvement.
>
OK, so this should be *reps = bytes_read.
> > + /* Indicate we haven't done any work if emulation has failed */
> > + if ( rc != X86EMUL_OKAY )
> > + *reps = 0;
>
> That'll result in some code paths never taken. I'd suggest clearing
> to zero only in the UNHANDLEABLE case, and simply halving the
> amount for EXCEPTION or RETRY (granted the latter can't occur
> right now), or even using input data too for determining the new
> value.
>
No problem. This function is now like:
static int _fuzz_rep_read(const char *why, unsigned long *reps)
{
int rc;
unsigned long bytes_read = 0;
rc = data_read(why, &bytes_read, sizeof(bytes_read));
if ( bytes_read < *reps )
*reps = bytes_read;
switch ( rc )
{
case X86EMUL_UNHANDLEABLE:
*reps = 0;
break;
case X86EMUL_EXCEPTION:
case X86EMUL_RETRY:
*reps /= 2;
}
return rc;
}
And I will do the same to rep_write.
> > +static int fuzz_rep_ins(
> > + uint16_t src_port,
> > + enum x86_segment dst_seg,
> > + unsigned long dst_offset,
> > + unsigned int bytes_per_rep,
> > + unsigned long *reps,
> > + struct x86_emulate_ctxt *ctxt)
> > +{
> > + return _fuzz_rep_read("rep_in", reps);
>
> "rep_ins"
>
Fixed.
> > +static int fuzz_cpuid(
> > + uint32_t leaf,
> > + uint32_t subleaf,
> > + struct cpuid_leaf *res,
> > + struct x86_emulate_ctxt *ctxt)
> > +{
> > + return emul_test_cpuid(leaf, subleaf, res, ctxt);
> > +}
>
> I don't think you need this wrapper anymore. For the purpose of
> SET() below a simple #define will do.
>
Fixed.
> > +static int fuzz_read_segment(
> > + enum x86_segment seg,
> > + struct segment_register *reg,
> > + struct x86_emulate_ctxt *ctxt)
> > +{
> > + int rc;
> > +
> > + if ( seg > SEG_NUM )
> > + return X86EMUL_UNHANDLEABLE;
>
> As said before - this wants to be >= (even more so with
> input.segments only having SEG_NUM elements).
>
Done, and fixed write_segment too.
> > + rc = maybe_fail("read_segment", true);
> > +
> > + if ( rc == X86EMUL_OKAY )
> > + memcpy(reg, input.segments+seg, sizeof(struct segment_register));
>
> Please prefer (type safe) structure assignment.
>
> > +static int fuzz_read_cr(
> > + unsigned int reg,
> > + unsigned long *val,
> > + struct x86_emulate_ctxt *ctxt)
> > +{
> > + int rc;
> > +
> > + if ( reg > ARRAY_SIZE(input.cr) )
> > + return X86EMUL_UNHANDLEABLE;
>
> >= again.
>
Done, and fixed write_cr.
> > +enum {
> > + MSRI_IA32_SYSENTER_CS,
> > + MSRI_IA32_SYSENTER_ESP,
> > + MSRI_IA32_SYSENTER_EIP,
> > + MSRI_EFER,
> > + MSRI_STAR,
> > + MSRI_LSTAR,
> > + MSRI_CSTAR,
> > + MSRI_SYSCALL_MASK
> > +};
> > +
> > +const static unsigned int msr_index[MSR_INDEX_MAX] = {
>
> Conventionally static comes first (as not being part of the type).
>
Done.
> > +static int fuzz_read_msr(
> > + unsigned int reg,
> > + uint64_t *val,
> > + struct x86_emulate_ctxt *ctxt) {
> > + int rc;
> > +
> > + rc = maybe_fail("read_msr", true);
> > + if ( rc != X86EMUL_OKAY )
> > + return rc;
> > + else
>
> No need for "else".
>
Done.
> > +static void setup_fpu_exception_handler(void)
> > +{
> > + /* FIXME - just disable exceptions for now */
> > + unsigned long a;
> > +
> > + asm volatile ( "fnclex");
> > + a=0x37f; /* FCW_DEFAULT in Xen */
> > + asm volatile ( "fldcw %0" :: "m" (a));
> > + a=0x1f80; /* MXCSR_DEFAULT in Xen */
> > + asm volatile ( "ldmxcsr %0" :: "m" (a) );
> > +}
>
> While I see that the FCW value has changed, the strange local
> variable is still there. If you really want to keep it, please at least
> add the missing spaces around the = signs. But I'd prefer
>
> asm volatile ( "fldcw %0" :: "m" (0x37f /* FCW_DEFAULT in Xen */));
> asm volatile ( "ldmxcsr %0" :: "m" (0x1f80 /* MXCSR_DEFAULT in Xen */) );
>
This doesn't work.
x86-insn-emulator-fuzzer.c:445:5: error: memory input 0 is not directly addressable
That's why I kept the local variable. But I will add spaces around =.
> And then - doesn't the ABI require these settings to be in effect
> upon program startup anyway?
>
I'm not sure about this -- reading AMD64 ABI Draft 0.99.8 doesn't reveal
much for me. But having the code arranged like this hasn't caused any
SIGFPE so far.
What do you suggest I do here?
> > +/*
> > + * Constrain input to architecturally-possible states where
> > + * the emulator relies on these
> > + *
> > + * In general we want the emulator to be as absolutely robust as
> > + * possible; which means that we want to minimize the number of things
> > + * it assumes about the input state. Tesing this means minimizing and
> > + * removing as much of the input constraints as possible.
> > + *
> > + * So we only add constraints that (in general) have been proven to
> > + * cause crashes in the emulator.
> > + *
> > + * For future reference: other constraints which might be necessary at
> > + * some point:
> > + *
> > + * - EFER.LMA => !EFLAGS.NT
> > + * - In VM86 mode (and real mode?), force segment...
>
> As asked for before - please drop the mentioning of real mode here.
Done.
>
> > +void sanitize_input(struct x86_emulate_ctxt *ctxt) {
> > + struct cpu_user_regs *regs = &input.regs;
> > + unsigned long bitmap = input.options;
> > +
> > + /* Some hooks can't be disabled. */
> > + input.options &= ~((1<<HOOK_read)|(1<<HOOK_insn_fetch));
> > +
> > + /* Zero 'private' entries */
> > + regs->error_code = 0;
> > + regs->entry_vector = 0;
> > +
> > + CANONICALIZE_MAYBE(rip);
> > + CANONICALIZE_MAYBE(rsp);
> > + CANONICALIZE_MAYBE(rbp);
> > +
> > + /*
> > + * CR0.PG can't be set if CR0.PE isn't set. Set is more interesting, so
> > + * set PE if PG is set.
> > + */
> > + if ( input.cr[0] & X86_CR0_PG )
> > + input.cr[0] |= X86_CR0_PE;
> > +
> > + /*
> > + * EFLAGS.VM not available in long mode
> > + */
> > + if ( long_mode_active(ctxt) )
> > + regs->rflags &= ~X86_EFLAGS_VM;
> > +
> > + /*
> > + * EFLAGS.VM implies 16-bit mode
> > + */
>
> Both of these are single line comments.
Done.
>
> > do {
> > + /* FIXME: Until we actually implement SIGFPE handling properly */
> > + setup_fpu_exception_handler();
>
> I don't think the comment is appropriate here - all that needs fixing is
> the body of that function (which iirc already has a respective comment).
>
Deleted this comment.
> Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 10/12] fuzz/x86emul: update fuzzer
2017-01-31 15:51 ` Wei Liu
@ 2017-01-31 15:57 ` Andrew Cooper
2017-01-31 16:01 ` George Dunlap
2017-01-31 16:05 ` Jan Beulich
2017-01-31 16:02 ` Jan Beulich
1 sibling, 2 replies; 37+ messages in thread
From: Andrew Cooper @ 2017-01-31 15:57 UTC (permalink / raw)
To: Wei Liu, Jan Beulich; +Cc: George Dunlap, Xen-devel, Ian Jackson, George Dunlap
On 31/01/17 15:51, Wei Liu wrote:
> On Tue, Jan 31, 2017 at 06:33:11AM -0700, Jan Beulich wrote:
>>> +static void setup_fpu_exception_handler(void)
>>> +{
>>> + /* FIXME - just disable exceptions for now */
>>> + unsigned long a;
>>> +
>>> + asm volatile ( "fnclex");
>>> + a=0x37f; /* FCW_DEFAULT in Xen */
>>> + asm volatile ( "fldcw %0" :: "m" (a));
>>> + a=0x1f80; /* MXCSR_DEFAULT in Xen */
>>> + asm volatile ( "ldmxcsr %0" :: "m" (a) );
>>> +}
>> While I see that the FCW value has changed, the strange local
>> variable is still there. If you really want to keep it, please at least
>> add the missing spaces around the = signs. But I'd prefer
>>
>> asm volatile ( "fldcw %0" :: "m" (0x37f /* FCW_DEFAULT in Xen */));
>> asm volatile ( "ldmxcsr %0" :: "m" (0x1f80 /* MXCSR_DEFAULT in Xen */) );
>>
> This doesn't work.
>
> x86-insn-emulator-fuzzer.c:445:5: error: memory input 0 is not directly addressable
Indeed. Both fldcw and ldmxcsr can only take memory operands, so cannot
take immediate values in the inline asm.
>> And then - doesn't the ABI require these settings to be in effect
>> upon program startup anyway?
>>
> I'm not sure about this -- reading AMD64 ABI Draft 0.99.8 doesn't reveal
> much for me. But having the code arranged like this hasn't caused any
> SIGFPE so far.
>
> What do you suggest I do here?
The issue George hit was that AFL managed to emulate alternative loads,
which then caused SIGFPE's to start happening to the test harness.
IIRC, the easy fix was to reset this state before emulating each
instruction.
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 10/12] fuzz/x86emul: update fuzzer
2017-01-31 15:57 ` Andrew Cooper
@ 2017-01-31 16:01 ` George Dunlap
2017-01-31 16:05 ` Jan Beulich
1 sibling, 0 replies; 37+ messages in thread
From: George Dunlap @ 2017-01-31 16:01 UTC (permalink / raw)
To: Andrew Cooper, Wei Liu, Jan Beulich; +Cc: George Dunlap, Xen-devel, Ian Jackson
On 31/01/17 15:57, Andrew Cooper wrote:
> On 31/01/17 15:51, Wei Liu wrote:
>> On Tue, Jan 31, 2017 at 06:33:11AM -0700, Jan Beulich wrote:
>>>> +static void setup_fpu_exception_handler(void)
>>>> +{
>>>> + /* FIXME - just disable exceptions for now */
>>>> + unsigned long a;
>>>> +
>>>> + asm volatile ( "fnclex");
>>>> + a=0x37f; /* FCW_DEFAULT in Xen */
>>>> + asm volatile ( "fldcw %0" :: "m" (a));
>>>> + a=0x1f80; /* MXCSR_DEFAULT in Xen */
>>>> + asm volatile ( "ldmxcsr %0" :: "m" (a) );
>>>> +}
>>> While I see that the FCW value has changed, the strange local
>>> variable is still there. If you really want to keep it, please at least
>>> add the missing spaces around the = signs. But I'd prefer
>>>
>>> asm volatile ( "fldcw %0" :: "m" (0x37f /* FCW_DEFAULT in Xen */));
>>> asm volatile ( "ldmxcsr %0" :: "m" (0x1f80 /* MXCSR_DEFAULT in Xen */) );
>>>
>> This doesn't work.
>>
>> x86-insn-emulator-fuzzer.c:445:5: error: memory input 0 is not directly addressable
>
> Indeed. Both fldcw and ldmxcsr can only take memory operands, so cannot
> take immediate values in the inline asm.
>
>>> And then - doesn't the ABI require these settings to be in effect
>>> upon program startup anyway?
>>>
>> I'm not sure about this -- reading AMD64 ABI Draft 0.99.8 doesn't reveal
>> much for me. But having the code arranged like this hasn't caused any
>> SIGFPE so far.
>>
>> What do you suggest I do here?
>
> The issue George hit was that AFL managed to emulate alternative loads,
> which then caused SIGFPE's to start happening to the test harness.
>
> IIRC, the easy fix was to reset this state before emulating each
> instruction.
Yes, the "proper" fix is to catch SIGFPE and implement the #FP callback
functionality. Clearing the exceptions every instruction was a
work-around so that I could get useful results without doing so.
-George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 10/12] fuzz/x86emul: update fuzzer
2017-01-31 15:51 ` Wei Liu
2017-01-31 15:57 ` Andrew Cooper
@ 2017-01-31 16:02 ` Jan Beulich
2017-01-31 17:37 ` Wei Liu
1 sibling, 1 reply; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 16:02 UTC (permalink / raw)
To: Wei Liu; +Cc: George Dunlap, Andrew Cooper, Ian Jackson, George Dunlap,
Xen-devel
>>> On 31.01.17 at 16:51, <wei.liu2@citrix.com> wrote:
> On Tue, Jan 31, 2017 at 06:33:11AM -0700, Jan Beulich wrote:
>> >>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
>> > +static int _fuzz_rep_read(const char *why, unsigned long *reps)
>> > +{
>> > + int rc;
>> > + unsigned long bytes_read = 0;
>> > +
>> > + rc = data_read(why, &bytes_read, sizeof(bytes_read));
>> > +
>> > + if ( bytes_read < *reps )
>> > + *reps -= bytes_read;
>>
>> I don't understand this: In the success case, *reps upon return
>> indicates the number of iterations done, not the number of
>> iterations left. So at least the variable naming deserves
>> improvement.
>
> OK, so this should be *reps = bytes_read.
And the comparison should then presumably become <= .
>> > +static void setup_fpu_exception_handler(void)
>> > +{
>> > + /* FIXME - just disable exceptions for now */
>> > + unsigned long a;
>> > +
>> > + asm volatile ( "fnclex");
>> > + a=0x37f; /* FCW_DEFAULT in Xen */
>> > + asm volatile ( "fldcw %0" :: "m" (a));
>> > + a=0x1f80; /* MXCSR_DEFAULT in Xen */
>> > + asm volatile ( "ldmxcsr %0" :: "m" (a) );
>> > +}
>>
>> While I see that the FCW value has changed, the strange local
>> variable is still there. If you really want to keep it, please at least
>> add the missing spaces around the = signs. But I'd prefer
>>
>> asm volatile ( "fldcw %0" :: "m" (0x37f /* FCW_DEFAULT in Xen */));
>> asm volatile ( "ldmxcsr %0" :: "m" (0x1f80 /* MXCSR_DEFAULT in Xen */)
> );
>>
>
> This doesn't work.
>
> x86-insn-emulator-fuzzer.c:445:5: error: memory input 0 is not directly
> addressable
Oh. Not sure why that is.
>> And then - doesn't the ABI require these settings to be in effect
>> upon program startup anyway?
>>
>
> I'm not sure about this -- reading AMD64 ABI Draft 0.99.8 doesn't reveal
> much for me. But having the code arranged like this hasn't caused any
> SIGFPE so far.
>
> What do you suggest I do here?
Well, you can keep the code as is if there's uncertainty. The
question was mainly from the perspective of whether the non-
fuzzing test would need to do something similar. With the
SSEn/AVX test blob I'm close to round up, I haven't run into
any situation where the initial settings hadn't been the intended
ones.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 10/12] fuzz/x86emul: update fuzzer
2017-01-31 15:57 ` Andrew Cooper
2017-01-31 16:01 ` George Dunlap
@ 2017-01-31 16:05 ` Jan Beulich
1 sibling, 0 replies; 37+ messages in thread
From: Jan Beulich @ 2017-01-31 16:05 UTC (permalink / raw)
To: Andrew Cooper
Cc: George Dunlap, Ian Jackson, Wei Liu, George Dunlap, Xen-devel
>>> On 31.01.17 at 16:57, <andrew.cooper3@citrix.com> wrote:
> On 31/01/17 15:51, Wei Liu wrote:
>> On Tue, Jan 31, 2017 at 06:33:11AM -0700, Jan Beulich wrote:
>>>> +static void setup_fpu_exception_handler(void)
>>>> +{
>>>> + /* FIXME - just disable exceptions for now */
>>>> + unsigned long a;
>>>> +
>>>> + asm volatile ( "fnclex");
>>>> + a=0x37f; /* FCW_DEFAULT in Xen */
>>>> + asm volatile ( "fldcw %0" :: "m" (a));
>>>> + a=0x1f80; /* MXCSR_DEFAULT in Xen */
>>>> + asm volatile ( "ldmxcsr %0" :: "m" (a) );
>>>> +}
>>> While I see that the FCW value has changed, the strange local
>>> variable is still there. If you really want to keep it, please at least
>>> add the missing spaces around the = signs. But I'd prefer
>>>
>>> asm volatile ( "fldcw %0" :: "m" (0x37f /* FCW_DEFAULT in Xen */));
>>> asm volatile ( "ldmxcsr %0" :: "m" (0x1f80 /* MXCSR_DEFAULT in Xen */) );
>>>
>> This doesn't work.
>>
>> x86-insn-emulator-fuzzer.c:445:5: error: memory input 0 is not directly addressable
>
> Indeed. Both fldcw and ldmxcsr can only take memory operands, so cannot
> take immediate values in the inline asm.
Nevertheless I don't understand: The constraint correctly says
memory only. I'd have expected the compiler to materialize a
memory object (initialized with the given value) in order to hand
it to the asm().
>>> And then - doesn't the ABI require these settings to be in effect
>>> upon program startup anyway?
>>>
>> I'm not sure about this -- reading AMD64 ABI Draft 0.99.8 doesn't reveal
>> much for me. But having the code arranged like this hasn't caused any
>> SIGFPE so far.
>>
>> What do you suggest I do here?
>
> The issue George hit was that AFL managed to emulate alternative loads,
> which then caused SIGFPE's to start happening to the test harness.
>
> IIRC, the easy fix was to reset this state before emulating each
> instruction.
Oh, right, this isn't done just once at startup.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
* Re: [PATCH v2 10/12] fuzz/x86emul: update fuzzer
2017-01-31 16:02 ` Jan Beulich
@ 2017-01-31 17:37 ` Wei Liu
0 siblings, 0 replies; 37+ messages in thread
From: Wei Liu @ 2017-01-31 17:37 UTC (permalink / raw)
To: Jan Beulich
Cc: Wei Liu, George Dunlap, Andrew Cooper, Ian Jackson, George Dunlap,
Xen-devel
On Tue, Jan 31, 2017 at 09:02:46AM -0700, Jan Beulich wrote:
> >>> On 31.01.17 at 16:51, <wei.liu2@citrix.com> wrote:
> > On Tue, Jan 31, 2017 at 06:33:11AM -0700, Jan Beulich wrote:
> >> >>> On 31.01.17 at 12:08, <wei.liu2@citrix.com> wrote:
> >> > +static int _fuzz_rep_read(const char *why, unsigned long *reps)
> >> > +{
> >> > + int rc;
> >> > + unsigned long bytes_read = 0;
> >> > +
> >> > + rc = data_read(why, &bytes_read, sizeof(bytes_read));
> >> > +
> >> > + if ( bytes_read < *reps )
> >> > + *reps -= bytes_read;
> >>
> >> I don't understand this: In the success case, *reps upon return
> >> indicates the number of iterations done, not the number of
> >> iterations left. So at least the variable naming deserves
> >> improvement.
> >
> > OK, so this should be *reps = bytes_read.
>
> And the comparison should then presumably become <= .
>
Ah, yes.
> >> > +static void setup_fpu_exception_handler(void)
> >> > +{
> >> > + /* FIXME - just disable exceptions for now */
> >> > + unsigned long a;
> >> > +
> >> > + asm volatile ( "fnclex");
> >> > + a=0x37f; /* FCW_DEFAULT in Xen */
> >> > + asm volatile ( "fldcw %0" :: "m" (a));
> >> > + a=0x1f80; /* MXCSR_DEFAULT in Xen */
> >> > + asm volatile ( "ldmxcsr %0" :: "m" (a) );
> >> > +}
> >>
> >> While I see that the FCW value has changed, the strange local
> >> variable is still there. If you really want to keep it, please at least
> >> add the missing spaces around the = signs. But I'd prefer
> >>
> >> asm volatile ( "fldcw %0" :: "m" (0x37f /* FCW_DEFAULT in Xen */));
> >> asm volatile ( "ldmxcsr %0" :: "m" (0x1f80 /* MXCSR_DEFAULT in Xen */)
> > );
> >>
> >
> > This doesn't work.
> >
> > x86-insn-emulator-fuzzer.c:445:5: error: memory input 0 is not directly
> > addressable
>
> Oh. Not sure why that is.
>
> >> And then - doesn't the ABI require these settings to be in effect
> >> upon program startup anyway?
> >>
> >
> > I'm not sure about this -- reading AMD64 ABI Draft 0.99.8 doesn't reveal
> > much for me. But having the code arranged like this hasn't caused any
> > SIGFPE so far.
> >
> > What do you suggest I do here?
>
> Well, you can keep the code as is if there's uncertainty. The
> question was mainly from the perspective of whether the non-
> fuzzing test would need to do something similar. With the
> SSEn/AVX test blob I'm close to round up, I haven't run into
> any situation where the initial settings hadn't been the intended
> ones.
>
> Jan
Right. I will leave the code as-is for now.
Wei.
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 37+ messages in thread
end of thread, other threads:[~2017-01-31 17:37 UTC | newest]
Thread overview: 37+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-01-31 11:07 [PATCH v2 00/12] fuzz: update x86emul fuzzer Wei Liu
2017-01-31 11:07 ` [PATCH v2 01/12] fuzz: don't buffer stdout in afl stubs Wei Liu
2017-01-31 12:44 ` Jan Beulich
2017-01-31 11:07 ` [PATCH v2 02/12] x86: extract macros to x86-defns.h Wei Liu
2017-01-31 12:45 ` Jan Beulich
2017-01-31 13:28 ` Wei Liu
2017-01-31 11:08 ` [PATCH v2 03/12] x86: extract vendor numeric id to x86-vendors.h Wei Liu
2017-01-31 12:48 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 04/12] x86emul/test: use x86-vendors.h Wei Liu
2017-01-31 12:50 ` Jan Beulich
2017-01-31 14:36 ` Wei Liu
2017-01-31 15:16 ` Jan Beulich
2017-01-31 15:16 ` Wei Liu
2017-01-31 11:08 ` [PATCH v2 05/12] x86emul: use eflags definitions in x86-defns.h Wei Liu
2017-01-31 12:56 ` Jan Beulich
2017-01-31 14:55 ` Wei Liu
2017-01-31 15:16 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 06/12] x86emul: use msr definitions in msr-index.h Wei Liu
2017-01-31 12:59 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 07/12] x86: add UMIP CR4 bit Wei Liu
2017-01-31 13:00 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 08/12] x86emul: use CR definitions in x86-defns.h Wei Liu
2017-01-31 13:01 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 09/12] x86emul: use TRAP " Wei Liu
2017-01-31 11:26 ` Andrew Cooper
2017-01-31 11:08 ` [PATCH v2 10/12] fuzz/x86emul: update fuzzer Wei Liu
2017-01-31 13:33 ` Jan Beulich
2017-01-31 15:51 ` Wei Liu
2017-01-31 15:57 ` Andrew Cooper
2017-01-31 16:01 ` George Dunlap
2017-01-31 16:05 ` Jan Beulich
2017-01-31 16:02 ` Jan Beulich
2017-01-31 17:37 ` Wei Liu
2017-01-31 11:08 ` [PATCH v2 11/12] fuzz/x86emul: print out minimal input size Wei Liu
2017-01-31 13:33 ` Jan Beulich
2017-01-31 11:08 ` [PATCH v2 12/12] fuzz: update README.afl example Wei Liu
2017-01-31 13:34 ` Jan Beulich
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).