* [PATCH v4 00/12] fuzz: update x86emul fuzzer
@ 2017-02-03 11:53 Wei Liu
2017-02-03 11:53 ` [PATCH v4 01/12] x86emul/test: add missing dependency for x86_emulate.o Wei Liu
` (12 more replies)
0 siblings, 13 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: George Dunlap, Ian Jackson, Wei Liu, Jan Beulich, Andrew Cooper
The first few patches refactor x86emul code so that more code can be shared
between xen and userspace tools.
I have run XTF suite (tests subject to availability on the testbox I use, and
xsa-195 was skipped because qemu segfault -- a known issue) against this
series, no issue is found.
Please see individual patch for changelog.
Wei.
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
Wei Liu (12):
x86emul/test: add missing dependency for x86_emulate.o
fuzz/x86emul: use macro to reduce repetition in Makefile
x86: extract macros to x86-defns.h
x86: extract vendor numeric id to x86-vendors.h
x86emul/test: use x86-vendors.h
x86emul: use eflags definitions in x86-defns.h
x86emul: use msr definitions in msr-index.h
x86: add UMIP CR4 bit
x86emul: use CR definitions in x86-defns.h
fuzz/x86emul: update fuzzer
fuzz/x86emul: print out minimal input size
fuzz: update README.afl example
tools/fuzz/README.afl | 5 +-
tools/fuzz/x86_instruction_emulator/Makefile | 14 +-
.../afl-x86-insn-emulator-fuzzer.c | 8 +
.../x86-insn-emulator-fuzzer.c | 647 +++++++++++++++++++--
tools/tests/x86_emulator/Makefile | 14 +-
tools/tests/x86_emulator/test_x86_emulator.c | 9 -
tools/tests/x86_emulator/x86_emulate.c | 3 -
tools/tests/x86_emulator/x86_emulate.h | 9 +-
xen/arch/x86/x86_emulate/x86_emulate.c | 403 ++++++-------
xen/include/asm-x86/processor.h | 74 +--
xen/include/asm-x86/x86-defns.h | 69 +++
xen/include/asm-x86/x86-vendors.h | 13 +
12 files changed, 887 insertions(+), 381 deletions(-)
create mode 100644 xen/include/asm-x86/x86-defns.h
create mode 100644 xen/include/asm-x86/x86-vendors.h
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 19+ messages in thread
* [PATCH v4 01/12] x86emul/test: add missing dependency for x86_emulate.o
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 12:11 ` Wei Liu
2017-02-03 13:38 ` Jan Beulich
2017-02-03 11:53 ` [PATCH v4 02/12] fuzz/x86emul: use macro to reduce repetition in Makefile Wei Liu
` (11 subsequent siblings)
12 siblings, 2 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Wei Liu
f4497d6b74 added x86_emulate.h private header but didn't add dependency
for it.
Use macro to reduce repetition.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
tools/tests/x86_emulator/Makefile | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/tests/x86_emulator/Makefile b/tools/tests/x86_emulator/Makefile
index 0b5baff67c..b489959d1d 100644
--- a/tools/tests/x86_emulator/Makefile
+++ b/tools/tests/x86_emulator/Makefile
@@ -45,8 +45,10 @@ x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h:
HOSTCFLAGS += $(CFLAGS_xeninclude)
-x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h
+x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
+
+x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h)
$(HOSTCC) $(HOSTCFLAGS) -D__XEN_TOOLS__ -c -g -o $@ $<
-test_x86_emulator.o: test_x86_emulator.c blowfish.h x86_emulate/x86_emulate.h
+test_x86_emulator.o: test_x86_emulator.c blowfish.h $(x86_emulate.h)
$(HOSTCC) $(HOSTCFLAGS) -c -g -o $@ $<
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 02/12] fuzz/x86emul: use macro to reduce repetition in Makefile
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
2017-02-03 11:53 ` [PATCH v4 01/12] x86emul/test: add missing dependency for x86_emulate.o Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 13:41 ` Jan Beulich
2017-02-03 11:53 ` [PATCH v4 03/12] x86: extract macros to x86-defns.h Wei Liu
` (10 subsequent siblings)
12 siblings, 1 reply; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Ian Jackson, Wei Liu, Jan Beulich, Andrew Cooper
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
tools/fuzz/x86_instruction_emulator/Makefile | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile
index f2bb12e871..fbfbd4673f 100644
--- a/tools/fuzz/x86_instruction_emulator/Makefile
+++ b/tools/fuzz/x86_instruction_emulator/Makefile
@@ -16,9 +16,11 @@ x86_emulate.c x86_emulate.h: %:
CFLAGS += $(CFLAGS_xeninclude) -D__XEN_TOOLS__
-x86_emulate.o: x86_emulate.c x86_emulate.h x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h
+x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
-x86-insn-emulator-fuzzer.o: x86_emulate.h x86_emulate/x86_emulate.h
+x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h)
+
+x86-insn-emulator-fuzzer.o: $(x86_emulate.h)
x86-insn-emulator.a: x86_emulate.o
$(AR) rc $@ $^
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 03/12] x86: extract macros to x86-defns.h
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
2017-02-03 11:53 ` [PATCH v4 01/12] x86emul/test: add missing dependency for x86_emulate.o Wei Liu
2017-02-03 11:53 ` [PATCH v4 02/12] fuzz/x86emul: use macro to reduce repetition in Makefile Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 11:53 ` [PATCH v4 04/12] x86: extract vendor numeric id to x86-vendors.h Wei Liu
` (9 subsequent siblings)
12 siblings, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Wei Liu
... so that they can be used by userspace x86 instruction emulator test
program and fuzzer as well.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/include/asm-x86/processor.h | 65 ++-------------------------------------
xen/include/asm-x86/x86-defns.h | 68 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 70 insertions(+), 63 deletions(-)
create mode 100644 xen/include/asm-x86/x86-defns.h
diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
index 4da9c193e0..5902c93a7c 100644
--- a/xen/include/asm-x86/processor.h
+++ b/xen/include/asm-x86/processor.h
@@ -16,6 +16,8 @@
#include <asm/desc.h>
#endif
+#include <asm/x86-defns.h>
+
/*
* CPU vendor IDs
*/
@@ -25,69 +27,6 @@
#define X86_VENDOR_NUM 3
#define X86_VENDOR_UNKNOWN 0xff
-/*
- * EFLAGS bits
- */
-#define X86_EFLAGS_CF 0x00000001 /* Carry Flag */
-#define X86_EFLAGS_MBS 0x00000002 /* Resvd bit */
-#define X86_EFLAGS_PF 0x00000004 /* Parity Flag */
-#define X86_EFLAGS_AF 0x00000010 /* Auxillary carry Flag */
-#define X86_EFLAGS_ZF 0x00000040 /* Zero Flag */
-#define X86_EFLAGS_SF 0x00000080 /* Sign Flag */
-#define X86_EFLAGS_TF 0x00000100 /* Trap Flag */
-#define X86_EFLAGS_IF 0x00000200 /* Interrupt Flag */
-#define X86_EFLAGS_DF 0x00000400 /* Direction Flag */
-#define X86_EFLAGS_OF 0x00000800 /* Overflow Flag */
-#define X86_EFLAGS_IOPL 0x00003000 /* IOPL mask */
-#define X86_EFLAGS_NT 0x00004000 /* Nested Task */
-#define X86_EFLAGS_RF 0x00010000 /* Resume Flag */
-#define X86_EFLAGS_VM 0x00020000 /* Virtual Mode */
-#define X86_EFLAGS_AC 0x00040000 /* Alignment Check */
-#define X86_EFLAGS_VIF 0x00080000 /* Virtual Interrupt Flag */
-#define X86_EFLAGS_VIP 0x00100000 /* Virtual Interrupt Pending */
-#define X86_EFLAGS_ID 0x00200000 /* CPUID detection flag */
-
-#define X86_EFLAGS_ARITH_MASK \
- (X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | \
- X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF)
-
-/*
- * Intel CPU flags in CR0
- */
-#define X86_CR0_PE 0x00000001 /* Enable Protected Mode (RW) */
-#define X86_CR0_MP 0x00000002 /* Monitor Coprocessor (RW) */
-#define X86_CR0_EM 0x00000004 /* Require FPU Emulation (RO) */
-#define X86_CR0_TS 0x00000008 /* Task Switched (RW) */
-#define X86_CR0_ET 0x00000010 /* Extension type (RO) */
-#define X86_CR0_NE 0x00000020 /* Numeric Error Reporting (RW) */
-#define X86_CR0_WP 0x00010000 /* Supervisor Write Protect (RW) */
-#define X86_CR0_AM 0x00040000 /* Alignment Checking (RW) */
-#define X86_CR0_NW 0x20000000 /* Not Write-Through (RW) */
-#define X86_CR0_CD 0x40000000 /* Cache Disable (RW) */
-#define X86_CR0_PG 0x80000000 /* Paging (RW) */
-
-/*
- * Intel CPU features in CR4
- */
-#define X86_CR4_VME 0x00000001 /* enable vm86 extensions */
-#define X86_CR4_PVI 0x00000002 /* virtual interrupts flag enable */
-#define X86_CR4_TSD 0x00000004 /* disable time stamp at ipl 3 */
-#define X86_CR4_DE 0x00000008 /* enable debugging extensions */
-#define X86_CR4_PSE 0x00000010 /* enable page size extensions */
-#define X86_CR4_PAE 0x00000020 /* enable physical address extensions */
-#define X86_CR4_MCE 0x00000040 /* Machine check enable */
-#define X86_CR4_PGE 0x00000080 /* enable global pages */
-#define X86_CR4_PCE 0x00000100 /* enable performance counters at ipl 3 */
-#define X86_CR4_OSFXSR 0x00000200 /* enable fast FPU save and restore */
-#define X86_CR4_OSXMMEXCPT 0x00000400 /* enable unmasked SSE exceptions */
-#define X86_CR4_VMXE 0x00002000 /* enable VMX */
-#define X86_CR4_SMXE 0x00004000 /* enable SMX */
-#define X86_CR4_FSGSBASE 0x00010000 /* enable {rd,wr}{fs,gs}base */
-#define X86_CR4_PCIDE 0x00020000 /* enable PCID */
-#define X86_CR4_OSXSAVE 0x00040000 /* enable XSAVE/XRSTOR */
-#define X86_CR4_SMEP 0x00100000 /* enable SMEP */
-#define X86_CR4_SMAP 0x00200000 /* enable SMAP */
-#define X86_CR4_PKE 0x00400000 /* enable PKE */
/*
* Trap/fault mnemonics.
diff --git a/xen/include/asm-x86/x86-defns.h b/xen/include/asm-x86/x86-defns.h
new file mode 100644
index 0000000000..48ea5ea03b
--- /dev/null
+++ b/xen/include/asm-x86/x86-defns.h
@@ -0,0 +1,68 @@
+#ifndef __XEN_X86_DEFNS_H__
+#define __XEN_X86_DEFNS_H__
+
+/*
+ * EFLAGS bits
+ */
+#define X86_EFLAGS_CF 0x00000001 /* Carry Flag */
+#define X86_EFLAGS_MBS 0x00000002 /* Resvd bit */
+#define X86_EFLAGS_PF 0x00000004 /* Parity Flag */
+#define X86_EFLAGS_AF 0x00000010 /* Auxillary carry Flag */
+#define X86_EFLAGS_ZF 0x00000040 /* Zero Flag */
+#define X86_EFLAGS_SF 0x00000080 /* Sign Flag */
+#define X86_EFLAGS_TF 0x00000100 /* Trap Flag */
+#define X86_EFLAGS_IF 0x00000200 /* Interrupt Flag */
+#define X86_EFLAGS_DF 0x00000400 /* Direction Flag */
+#define X86_EFLAGS_OF 0x00000800 /* Overflow Flag */
+#define X86_EFLAGS_IOPL 0x00003000 /* IOPL mask */
+#define X86_EFLAGS_NT 0x00004000 /* Nested Task */
+#define X86_EFLAGS_RF 0x00010000 /* Resume Flag */
+#define X86_EFLAGS_VM 0x00020000 /* Virtual Mode */
+#define X86_EFLAGS_AC 0x00040000 /* Alignment Check */
+#define X86_EFLAGS_VIF 0x00080000 /* Virtual Interrupt Flag */
+#define X86_EFLAGS_VIP 0x00100000 /* Virtual Interrupt Pending */
+#define X86_EFLAGS_ID 0x00200000 /* CPUID detection flag */
+
+#define X86_EFLAGS_ARITH_MASK \
+ (X86_EFLAGS_CF | X86_EFLAGS_PF | X86_EFLAGS_AF | \
+ X86_EFLAGS_ZF | X86_EFLAGS_SF | X86_EFLAGS_OF)
+
+/*
+ * Intel CPU flags in CR0
+ */
+#define X86_CR0_PE 0x00000001 /* Enable Protected Mode (RW) */
+#define X86_CR0_MP 0x00000002 /* Monitor Coprocessor (RW) */
+#define X86_CR0_EM 0x00000004 /* Require FPU Emulation (RO) */
+#define X86_CR0_TS 0x00000008 /* Task Switched (RW) */
+#define X86_CR0_ET 0x00000010 /* Extension type (RO) */
+#define X86_CR0_NE 0x00000020 /* Numeric Error Reporting (RW) */
+#define X86_CR0_WP 0x00010000 /* Supervisor Write Protect (RW) */
+#define X86_CR0_AM 0x00040000 /* Alignment Checking (RW) */
+#define X86_CR0_NW 0x20000000 /* Not Write-Through (RW) */
+#define X86_CR0_CD 0x40000000 /* Cache Disable (RW) */
+#define X86_CR0_PG 0x80000000 /* Paging (RW) */
+
+/*
+ * Intel CPU features in CR4
+ */
+#define X86_CR4_VME 0x00000001 /* enable vm86 extensions */
+#define X86_CR4_PVI 0x00000002 /* virtual interrupts flag enable */
+#define X86_CR4_TSD 0x00000004 /* disable time stamp at ipl 3 */
+#define X86_CR4_DE 0x00000008 /* enable debugging extensions */
+#define X86_CR4_PSE 0x00000010 /* enable page size extensions */
+#define X86_CR4_PAE 0x00000020 /* enable physical address extensions */
+#define X86_CR4_MCE 0x00000040 /* Machine check enable */
+#define X86_CR4_PGE 0x00000080 /* enable global pages */
+#define X86_CR4_PCE 0x00000100 /* enable performance counters at ipl 3 */
+#define X86_CR4_OSFXSR 0x00000200 /* enable fast FPU save and restore */
+#define X86_CR4_OSXMMEXCPT 0x00000400 /* enable unmasked SSE exceptions */
+#define X86_CR4_VMXE 0x00002000 /* enable VMX */
+#define X86_CR4_SMXE 0x00004000 /* enable SMX */
+#define X86_CR4_FSGSBASE 0x00010000 /* enable {rd,wr}{fs,gs}base */
+#define X86_CR4_PCIDE 0x00020000 /* enable PCID */
+#define X86_CR4_OSXSAVE 0x00040000 /* enable XSAVE/XRSTOR */
+#define X86_CR4_SMEP 0x00100000 /* enable SMEP */
+#define X86_CR4_SMAP 0x00200000 /* enable SMAP */
+#define X86_CR4_PKE 0x00400000 /* enable PKE */
+
+#endif /* __XEN_X86_DEFNS_H__ */
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 04/12] x86: extract vendor numeric id to x86-vendors.h
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (2 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 03/12] x86: extract macros to x86-defns.h Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 11:53 ` [PATCH v4 05/12] x86emul/test: use x86-vendors.h Wei Liu
` (8 subsequent siblings)
12 siblings, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Wei Liu
They will be shared between xen and userspace programs.
This is not strictly necessary, but it helps reduce overall code size.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
---
xen/include/asm-x86/processor.h | 11 +----------
xen/include/asm-x86/x86-vendors.h | 13 +++++++++++++
2 files changed, 14 insertions(+), 10 deletions(-)
create mode 100644 xen/include/asm-x86/x86-vendors.h
diff --git a/xen/include/asm-x86/processor.h b/xen/include/asm-x86/processor.h
index 5902c93a7c..7735bc2a49 100644
--- a/xen/include/asm-x86/processor.h
+++ b/xen/include/asm-x86/processor.h
@@ -17,16 +17,7 @@
#endif
#include <asm/x86-defns.h>
-
-/*
- * CPU vendor IDs
- */
-#define X86_VENDOR_INTEL 0
-#define X86_VENDOR_AMD 1
-#define X86_VENDOR_CENTAUR 2
-#define X86_VENDOR_NUM 3
-#define X86_VENDOR_UNKNOWN 0xff
-
+#include <asm/x86-vendors.h>
/*
* Trap/fault mnemonics.
diff --git a/xen/include/asm-x86/x86-vendors.h b/xen/include/asm-x86/x86-vendors.h
new file mode 100644
index 0000000000..cae5507bd0
--- /dev/null
+++ b/xen/include/asm-x86/x86-vendors.h
@@ -0,0 +1,13 @@
+#ifndef __XEN_X86_VENDORS_H__
+#define __XEN_X86_VENDORS_H__
+
+/*
+ * CPU vendor IDs
+ */
+#define X86_VENDOR_INTEL 0
+#define X86_VENDOR_AMD 1
+#define X86_VENDOR_CENTAUR 2
+#define X86_VENDOR_NUM 3
+#define X86_VENDOR_UNKNOWN 0xff
+
+#endif /* __XEN_X86_VENDORS_H__ */
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 05/12] x86emul/test: use x86-vendors.h
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (3 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 04/12] x86: extract vendor numeric id to x86-vendors.h Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 13:45 ` Jan Beulich
2017-02-03 11:53 ` [PATCH v4 06/12] x86emul: use eflags definitions in x86-defns.h Wei Liu
` (7 subsequent siblings)
12 siblings, 1 reply; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Jan Beulich
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
V4: introduce x86.h macro
V3: link asm-x86 to working directory
---
tools/fuzz/x86_instruction_emulator/Makefile | 12 ++++++++----
tools/tests/x86_emulator/Makefile | 12 ++++++++----
tools/tests/x86_emulator/x86_emulate.h | 7 ++-----
3 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile
index fbfbd4673f..84be31cc26 100644
--- a/tools/fuzz/x86_instruction_emulator/Makefile
+++ b/tools/fuzz/x86_instruction_emulator/Makefile
@@ -11,16 +11,20 @@ endif
x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h:
[ -L x86_emulate ] || ln -sf $(XEN_ROOT)/xen/arch/x86/x86_emulate .
+asm/x86-vendors.h:
+ [ -L asm ] || ln -sf $(XEN_ROOT)/xen/include/asm-x86 asm
+
x86_emulate.c x86_emulate.h: %:
[ -L $* ] || ln -sf $(XEN_ROOT)/tools/tests/x86_emulator/$*
-CFLAGS += $(CFLAGS_xeninclude) -D__XEN_TOOLS__
+CFLAGS += $(CFLAGS_xeninclude) -D__XEN_TOOLS__ -I.
x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
+x86.h := asm/x86-vendors.h
-x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h)
+x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h) $(x86.h)
-x86-insn-emulator-fuzzer.o: $(x86_emulate.h)
+x86-insn-emulator-fuzzer.o: $(x86_emulate.h) $(x86.h)
x86-insn-emulator.a: x86_emulate.o
$(AR) rc $@ $^
@@ -33,7 +37,7 @@ all: x86-instruction-emulator-fuzzer-all
.PHONY: distclean
distclean: clean
- rm -f x86_emulate x86_emulate.c x86_emulate.h
+ rm -f x86_emulate x86_emulate.c x86_emulate.h asm
.PHONY: clean
clean:
diff --git a/tools/tests/x86_emulator/Makefile b/tools/tests/x86_emulator/Makefile
index b489959d1d..4ba623936f 100644
--- a/tools/tests/x86_emulator/Makefile
+++ b/tools/tests/x86_emulator/Makefile
@@ -32,7 +32,7 @@ $(TARGET): x86_emulate.o test_x86_emulator.o
.PHONY: clean
clean:
- rm -rf $(TARGET) *.o *~ core blowfish.h blowfish.bin x86_emulate
+ rm -rf $(TARGET) *.o *~ core blowfish.h blowfish.bin x86_emulate asm
.PHONY: distclean
distclean: clean
@@ -43,12 +43,16 @@ install:
x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h:
[ -L x86_emulate ] || ln -sf $(XEN_ROOT)/xen/arch/x86/x86_emulate .
-HOSTCFLAGS += $(CFLAGS_xeninclude)
+asm/x86-vendors.h:
+ [ -L asm ] || ln -sf $(XEN_ROOT)/xen/include/asm-x86 asm
+
+HOSTCFLAGS += $(CFLAGS_xeninclude) -I.
x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
+x86.h := asm/x86-vendors.h
-x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h)
+x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h) $(x86.h)
$(HOSTCC) $(HOSTCFLAGS) -D__XEN_TOOLS__ -c -g -o $@ $<
-test_x86_emulator.o: test_x86_emulator.c blowfish.h $(x86_emulate.h)
+test_x86_emulator.o: test_x86_emulator.c blowfish.h $(x86_emulate.h) $(x86.h)
$(HOSTCC) $(HOSTCFLAGS) -c -g -o $@ $<
diff --git a/tools/tests/x86_emulator/x86_emulate.h b/tools/tests/x86_emulator/x86_emulate.h
index 3a6badee46..db287004e6 100644
--- a/tools/tests/x86_emulator/x86_emulate.h
+++ b/tools/tests/x86_emulator/x86_emulate.h
@@ -6,6 +6,8 @@
#include <string.h>
#include <xen/xen.h>
+#include <asm/x86-vendors.h>
+
#define BUG() abort()
#define ASSERT assert
#define ASSERT_UNREACHABLE() assert(!__LINE__)
@@ -38,11 +40,6 @@
#define is_canonical_address(x) (((int64_t)(x) >> 47) == ((int64_t)(x) >> 63))
-/* There's no strict need for these to be in sync with processor.h. */
-#define X86_VENDOR_INTEL 0
-#define X86_VENDOR_AMD 2
-#define X86_VENDOR_UNKNOWN 0xff
-
#define MMAP_SZ 16384
bool emul_test_make_stack_executable(void);
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 06/12] x86emul: use eflags definitions in x86-defns.h
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (4 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 05/12] x86emul/test: use x86-vendors.h Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 11:53 ` [PATCH v4 07/12] x86emul: use msr definitions in msr-index.h Wei Liu
` (6 subsequent siblings)
12 siblings, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Wei Liu
Basically this patch does 's/EFLG_/X86_EFLAGS_/g' and with indentation
fixed up. And remove the duplicates in x86_emualte.c. This in turn
requires userspace test harness to include x86-defns.h. Also remove a
few duplicates in userspace harness program.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
tools/fuzz/x86_instruction_emulator/Makefile | 4 +-
tools/tests/x86_emulator/Makefile | 4 +-
tools/tests/x86_emulator/test_x86_emulator.c | 9 -
tools/tests/x86_emulator/x86_emulate.h | 1 +
xen/arch/x86/x86_emulate/x86_emulate.c | 321 +++++++++++++--------------
5 files changed, 160 insertions(+), 179 deletions(-)
diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile
index 84be31cc26..bbb781838b 100644
--- a/tools/fuzz/x86_instruction_emulator/Makefile
+++ b/tools/fuzz/x86_instruction_emulator/Makefile
@@ -11,7 +11,7 @@ endif
x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h:
[ -L x86_emulate ] || ln -sf $(XEN_ROOT)/xen/arch/x86/x86_emulate .
-asm/x86-vendors.h:
+asm/x86-vendors.h asm/x86-defns.h:
[ -L asm ] || ln -sf $(XEN_ROOT)/xen/include/asm-x86 asm
x86_emulate.c x86_emulate.h: %:
@@ -20,7 +20,7 @@ x86_emulate.c x86_emulate.h: %:
CFLAGS += $(CFLAGS_xeninclude) -D__XEN_TOOLS__ -I.
x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
-x86.h := asm/x86-vendors.h
+x86.h := asm/x86-vendors.h asm/x86-defns.h
x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h) $(x86.h)
diff --git a/tools/tests/x86_emulator/Makefile b/tools/tests/x86_emulator/Makefile
index 4ba623936f..0c53ec87e8 100644
--- a/tools/tests/x86_emulator/Makefile
+++ b/tools/tests/x86_emulator/Makefile
@@ -43,13 +43,13 @@ install:
x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h:
[ -L x86_emulate ] || ln -sf $(XEN_ROOT)/xen/arch/x86/x86_emulate .
-asm/x86-vendors.h:
+asm/x86-vendors.h asm/x86-defns.h:
[ -L asm ] || ln -sf $(XEN_ROOT)/xen/include/asm-x86 asm
HOSTCFLAGS += $(CFLAGS_xeninclude) -I.
x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
-x86.h := asm/x86-vendors.h
+x86.h := asm/x86-vendors.h asm/x86-defns.h
x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h) $(x86.h)
$(HOSTCC) $(HOSTCFLAGS) -D__XEN_TOOLS__ -c -g -o $@ $<
diff --git a/tools/tests/x86_emulator/test_x86_emulator.c b/tools/tests/x86_emulator/test_x86_emulator.c
index 924fd36f18..27200e0283 100644
--- a/tools/tests/x86_emulator/test_x86_emulator.c
+++ b/tools/tests/x86_emulator/test_x86_emulator.c
@@ -23,15 +23,6 @@ static const struct {
#endif
};
-/* EFLAGS bit definitions. */
-#define EFLG_OF (1<<11)
-#define EFLG_DF (1<<10)
-#define EFLG_SF (1<<7)
-#define EFLG_ZF (1<<6)
-#define EFLG_AF (1<<4)
-#define EFLG_PF (1<<2)
-#define EFLG_CF (1<<0)
-
static unsigned int bytes_read;
static int read(
diff --git a/tools/tests/x86_emulator/x86_emulate.h b/tools/tests/x86_emulator/x86_emulate.h
index db287004e6..e064deaeea 100644
--- a/tools/tests/x86_emulator/x86_emulate.h
+++ b/tools/tests/x86_emulator/x86_emulate.h
@@ -6,6 +6,7 @@
#include <string.h>
#include <xen/xen.h>
+#include <asm/x86-defns.h>
#include <asm/x86-vendors.h>
#define BUG() abort()
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index dbda4b3b4a..c39756dd85 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -447,26 +447,6 @@ typedef union {
#define CR4_FSGSBASE (1<<16)
#define CR4_OSXSAVE (1<<18)
-/* EFLAGS bit definitions. */
-#define EFLG_ID (1<<21)
-#define EFLG_VIP (1<<20)
-#define EFLG_VIF (1<<19)
-#define EFLG_AC (1<<18)
-#define EFLG_VM (1<<17)
-#define EFLG_RF (1<<16)
-#define EFLG_NT (1<<14)
-#define EFLG_IOPL (3<<12)
-#define EFLG_OF (1<<11)
-#define EFLG_DF (1<<10)
-#define EFLG_IF (1<<9)
-#define EFLG_TF (1<<8)
-#define EFLG_SF (1<<7)
-#define EFLG_ZF (1<<6)
-#define EFLG_AF (1<<4)
-#define EFLG_PF (1<<2)
-#define EFLG_MBS (1<<1)
-#define EFLG_CF (1<<0)
-
/* Floating point status word definitions. */
#define FSW_ES (1U << 7)
@@ -521,14 +501,16 @@ typedef union {
* These EFLAGS bits are restored from saved value during emulation, and
* any changes are written back to the saved value after emulation.
*/
-#define EFLAGS_MASK (EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_AF|EFLG_PF|EFLG_CF)
+#define EFLAGS_MASK (X86_EFLAGS_OF | X86_EFLAGS_SF | X86_EFLAGS_ZF | \
+ X86_EFLAGS_AF | X86_EFLAGS_PF | X86_EFLAGS_CF)
/*
* These EFLAGS bits are modifiable (by POPF and IRET), possibly subject
* to further CPL and IOPL constraints.
*/
-#define EFLAGS_MODIFIABLE (EFLG_ID|EFLG_AC|EFLG_RF|EFLG_NT|EFLG_IOPL| \
- EFLG_DF|EFLG_IF|EFLG_TF|EFLAGS_MASK)
+#define EFLAGS_MODIFIABLE (X86_EFLAGS_ID | X86_EFLAGS_AC | X86_EFLAGS_RF | \
+ X86_EFLAGS_NT | X86_EFLAGS_IOPL | X86_EFLAGS_DF | \
+ X86_EFLAGS_IF | X86_EFLAGS_TF | EFLAGS_MASK)
/* Before executing instruction: restore necessary bits in EFLAGS. */
#define _PRE_EFLAGS(_sav, _msk, _tmp) \
@@ -761,7 +743,8 @@ do { \
} while (0)
#define register_address_adjust(reg, adj) \
_register_address_increment(reg, \
- _regs._eflags & EFLG_DF ? -(adj) : (adj), \
+ _regs._eflags & X86_EFLAGS_DF ? \
+ -(adj) : (adj), \
ad_bytes)
#define sp_pre_dec(dec) ({ \
@@ -784,7 +767,7 @@ do { \
rc = ops->insn_fetch(x86_seg_cs, ip, NULL, 0, ctxt); \
if ( rc ) goto done; \
_regs.r(ip) = ip; \
- singlestep = _regs._eflags & EFLG_TF; \
+ singlestep = _regs._eflags & X86_EFLAGS_TF; \
} while (0)
#define validate_far_branch(cs, ip) ({ \
@@ -801,7 +784,7 @@ do { \
#define commit_far_branch(cs, newip) ({ \
validate_far_branch(cs, newip); \
_regs.r(ip) = (newip); \
- singlestep = _regs._eflags & EFLG_TF; \
+ singlestep = _regs._eflags & X86_EFLAGS_TF; \
ops->write_segment(x86_seg_cs, cs, ctxt); \
})
@@ -854,7 +837,7 @@ static int _get_fpu(
if ( type >= X86EMUL_FPU_ymm )
{
/* Should be unreachable if VEX decoding is working correctly. */
- ASSERT((cr0 & CR0_PE) && !(ctxt->regs->_eflags & EFLG_VM));
+ ASSERT((cr0 & CR0_PE) && !(ctxt->regs->_eflags & X86_EFLAGS_VM));
}
if ( cr0 & CR0_EM )
{
@@ -946,7 +929,8 @@ do { \
: [eflags] "+g" (_regs._eflags), \
[tmp] "=&r" (tmp_), "+m" (fic) \
: [func] "rm" (stub.func), \
- [mask] "i" (EFLG_ZF|EFLG_PF|EFLG_CF) ); \
+ [mask] "i" (X86_EFLAGS_ZF|X86_EFLAGS_PF| \
+ X86_EFLAGS_CF) ); \
put_stub(stub); \
} while (0)
@@ -988,7 +972,7 @@ static inline void put_loop_count(
} \
goto complete_insn; \
} \
- if ( max_reps > 1 && (_regs._eflags & EFLG_TF) && \
+ if ( max_reps > 1 && (_regs._eflags & X86_EFLAGS_TF) && \
!is_branch_step(ctxt, ops) ) \
max_reps = 1; \
max_reps; \
@@ -1022,7 +1006,7 @@ static void __put_rep_prefix(
/* Clip maximum repetitions so that the index register at most just wraps. */
#define truncate_ea_and_reps(ea, reps, bytes_per_rep) ({ \
unsigned long todo__, ea__ = truncate_word(ea, ad_bytes); \
- if ( !(_regs._eflags & EFLG_DF) ) \
+ if ( !(_regs._eflags & X86_EFLAGS_DF) ) \
todo__ = truncate_word(-(ea), ad_bytes) / (bytes_per_rep); \
else if ( truncate_word((ea) + (bytes_per_rep) - 1, ad_bytes) < ea__ )\
todo__ = 1; \
@@ -1143,28 +1127,28 @@ test_cc(
switch ( (condition & 15) >> 1 )
{
case 0: /* o */
- rc |= (flags & EFLG_OF);
+ rc |= (flags & X86_EFLAGS_OF);
break;
case 1: /* b/c/nae */
- rc |= (flags & EFLG_CF);
+ rc |= (flags & X86_EFLAGS_CF);
break;
case 2: /* z/e */
- rc |= (flags & EFLG_ZF);
+ rc |= (flags & X86_EFLAGS_ZF);
break;
case 3: /* be/na */
- rc |= (flags & (EFLG_CF|EFLG_ZF));
+ rc |= (flags & (X86_EFLAGS_CF | X86_EFLAGS_ZF));
break;
case 4: /* s */
- rc |= (flags & EFLG_SF);
+ rc |= (flags & X86_EFLAGS_SF);
break;
case 5: /* p/pe */
- rc |= (flags & EFLG_PF);
+ rc |= (flags & X86_EFLAGS_PF);
break;
case 7: /* le/ng */
- rc |= (flags & EFLG_ZF);
+ rc |= (flags & X86_EFLAGS_ZF);
/* fall through */
case 6: /* l/nge */
- rc |= (!(flags & EFLG_SF) != !(flags & EFLG_OF));
+ rc |= (!(flags & X86_EFLAGS_SF) != !(flags & X86_EFLAGS_OF));
break;
}
@@ -1179,7 +1163,7 @@ get_cpl(
{
struct segment_register reg;
- if ( ctxt->regs->_eflags & EFLG_VM )
+ if ( ctxt->regs->_eflags & X86_EFLAGS_VM )
return 3;
if ( (ops->read_segment == NULL) ||
@@ -1197,7 +1181,7 @@ _mode_iopl(
int cpl = get_cpl(ctxt, ops);
if ( cpl == -1 )
return -1;
- return cpl <= MASK_EXTR(ctxt->regs->_eflags, EFLG_IOPL);
+ return cpl <= MASK_EXTR(ctxt->regs->_eflags, X86_EFLAGS_IOPL);
}
#define mode_ring0() ({ \
@@ -1217,7 +1201,7 @@ _mode_iopl(
rc = ops->read_cr(4, &cr4, ctxt); \
if ( rc != X86EMUL_OKAY ) goto done; \
} \
- !!(cr4 & (_regs._eflags & EFLG_VM ? CR4_VME : CR4_PVI)); \
+ !!(cr4 & (_regs._eflags & X86_EFLAGS_VM ? CR4_VME : CR4_PVI)); \
})
static int ioport_access_check(
@@ -1230,7 +1214,7 @@ static int ioport_access_check(
struct segment_register tr;
int rc = X86EMUL_OKAY;
- if ( !(ctxt->regs->_eflags & EFLG_VM) && mode_iopl() )
+ if ( !(ctxt->regs->_eflags & X86_EFLAGS_VM) && mode_iopl() )
return X86EMUL_OKAY;
fail_if(ops->read_segment == NULL);
@@ -1299,7 +1283,7 @@ in_protmode(
struct x86_emulate_ctxt *ctxt,
const struct x86_emulate_ops *ops)
{
- return !(in_realmode(ctxt, ops) || (ctxt->regs->_eflags & EFLG_VM));
+ return !(in_realmode(ctxt, ops) || (ctxt->regs->_eflags & X86_EFLAGS_VM));
}
#define EAX 0
@@ -1822,8 +1806,8 @@ static int inject_swint(enum x86_swint_type type,
* a 32bit OS. Someone with many TUITs can see about reading the
* TSS Software Interrupt Redirection bitmap.
*/
- if ( (ctxt->regs->_eflags & EFLG_VM) &&
- ((ctxt->regs->_eflags & EFLG_IOPL) != EFLG_IOPL) )
+ if ( (ctxt->regs->_eflags & X86_EFLAGS_VM) &&
+ ((ctxt->regs->_eflags & X86_EFLAGS_IOPL) != X86_EFLAGS_IOPL) )
goto raise_exn;
/*
@@ -2313,7 +2297,7 @@ x86_decode(
default:
BUG(); /* Shouldn't be possible. */
case 2:
- if ( state->regs->_eflags & EFLG_VM )
+ if ( state->regs->_eflags & X86_EFLAGS_VM )
break;
/* fall through */
case 4:
@@ -2676,7 +2660,8 @@ x86_emulate(
struct x86_emulate_state state;
int rc;
uint8_t b, d;
- bool singlestep = (_regs._eflags & EFLG_TF) && !is_branch_step(ctxt, ops);
+ bool singlestep = (_regs._eflags & X86_EFLAGS_TF) &&
+ !is_branch_step(ctxt, ops);
struct operand src = { .reg = PTR_POISON };
struct operand dst = { .reg = PTR_POISON };
enum x86_swint_type swint_type;
@@ -2954,33 +2939,34 @@ x86_emulate(
uint8_t al = _regs.al;
unsigned int eflags = _regs._eflags;
- _regs._eflags &= ~(EFLG_CF|EFLG_AF|EFLG_SF|EFLG_ZF|EFLG_PF);
- if ( ((al & 0x0f) > 9) || (eflags & EFLG_AF) )
+ _regs._eflags &= ~(X86_EFLAGS_CF | X86_EFLAGS_AF | X86_EFLAGS_SF |
+ X86_EFLAGS_ZF | X86_EFLAGS_PF);
+ if ( ((al & 0x0f) > 9) || (eflags & X86_EFLAGS_AF) )
{
- _regs._eflags |= EFLG_AF;
- if ( b == 0x2f && (al < 6 || (eflags & EFLG_CF)) )
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_AF;
+ if ( b == 0x2f && (al < 6 || (eflags & X86_EFLAGS_CF)) )
+ _regs._eflags |= X86_EFLAGS_CF;
_regs.al += (b == 0x27) ? 6 : -6;
}
- if ( (al > 0x99) || (eflags & EFLG_CF) )
+ if ( (al > 0x99) || (eflags & X86_EFLAGS_CF) )
{
_regs.al += (b == 0x27) ? 0x60 : -0x60;
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
}
- _regs._eflags |= !_regs.al ? EFLG_ZF : 0;
- _regs._eflags |= ((int8_t)_regs.al < 0) ? EFLG_SF : 0;
- _regs._eflags |= even_parity(_regs.al) ? EFLG_PF : 0;
+ _regs._eflags |= !_regs.al ? X86_EFLAGS_ZF : 0;
+ _regs._eflags |= ((int8_t)_regs.al < 0) ? X86_EFLAGS_SF : 0;
+ _regs._eflags |= even_parity(_regs.al) ? X86_EFLAGS_PF : 0;
break;
}
case 0x37: /* aaa */
case 0x3f: /* aas */
- _regs._eflags &= ~EFLG_CF;
- if ( (_regs.al > 9) || (_regs._eflags & EFLG_AF) )
+ _regs._eflags &= ~X86_EFLAGS_CF;
+ if ( (_regs.al > 9) || (_regs._eflags & X86_EFLAGS_AF) )
{
_regs.al += (b == 0x37) ? 6 : -6;
_regs.ah += (b == 0x37) ? 1 : -1;
- _regs._eflags |= EFLG_CF | EFLG_AF;
+ _regs._eflags |= X86_EFLAGS_CF | X86_EFLAGS_AF;
}
_regs.al &= 0x0f;
break;
@@ -3086,12 +3072,12 @@ x86_emulate(
goto done;
if ( src_rpl > (dst.val & 3) )
{
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
dst.val = (dst.val & ~3) | src_rpl;
}
else
{
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
dst.type = OP_NONE;
}
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
@@ -3354,7 +3340,7 @@ x86_emulate(
goto done;
_regs.r(ip) = imm1;
- singlestep = _regs._eflags & EFLG_TF;
+ singlestep = _regs._eflags & X86_EFLAGS_TF;
break;
case 0x9b: /* wait/fwait */
@@ -3366,8 +3352,8 @@ x86_emulate(
break;
case 0x9c: /* pushf */
- if ( (_regs._eflags & EFLG_VM) &&
- MASK_EXTR(_regs._eflags, EFLG_IOPL) != 3 )
+ if ( (_regs._eflags & X86_EFLAGS_VM) &&
+ MASK_EXTR(_regs._eflags, X86_EFLAGS_IOPL) != 3 )
{
cr4 = 0;
if ( op_bytes == 2 && ops->read_cr )
@@ -3377,21 +3363,21 @@ x86_emulate(
goto done;
}
generate_exception_if(!(cr4 & CR4_VME), EXC_GP, 0);
- src.val = (_regs.flags & ~EFLG_IF) | EFLG_IOPL;
- if ( _regs._eflags & EFLG_VIF )
- src.val |= EFLG_IF;
+ src.val = (_regs.flags & ~X86_EFLAGS_IF) | X86_EFLAGS_IOPL;
+ if ( _regs._eflags & X86_EFLAGS_VIF )
+ src.val |= X86_EFLAGS_IF;
}
else
- src.val = _regs.r(flags) & ~(EFLG_VM | EFLG_RF);
+ src.val = _regs.r(flags) & ~(X86_EFLAGS_VM | X86_EFLAGS_RF);
goto push;
case 0x9d: /* popf */ {
- uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM;
+ uint32_t mask = X86_EFLAGS_VIP | X86_EFLAGS_VIF | X86_EFLAGS_VM;
cr4 = 0;
if ( !mode_ring0() )
{
- if ( _regs._eflags & EFLG_VM )
+ if ( _regs._eflags & X86_EFLAGS_VM )
{
if ( op_bytes == 2 && ops->read_cr )
{
@@ -3400,12 +3386,12 @@ x86_emulate(
goto done;
}
generate_exception_if(!(cr4 & CR4_VME) &&
- MASK_EXTR(_regs._eflags, EFLG_IOPL) != 3,
+ MASK_EXTR(_regs._eflags, X86_EFLAGS_IOPL) != 3,
EXC_GP, 0);
}
- mask |= EFLG_IOPL;
+ mask |= X86_EFLAGS_IOPL;
if ( !mode_iopl() )
- mask |= EFLG_IF;
+ mask |= X86_EFLAGS_IF;
}
/* 64-bit mode: POP defaults to a 64-bit operand. */
if ( mode_64bit() && (op_bytes == 4) )
@@ -3418,32 +3404,33 @@ x86_emulate(
dst.val = (uint16_t)dst.val | (_regs._eflags & 0xffff0000u);
if ( cr4 & CR4_VME )
{
- if ( dst.val & EFLG_IF )
+ if ( dst.val & X86_EFLAGS_IF )
{
- generate_exception_if(_regs._eflags & EFLG_VIP, EXC_GP, 0);
- dst.val |= EFLG_VIF;
+ generate_exception_if(_regs._eflags & X86_EFLAGS_VIP,
+ EXC_GP, 0);
+ dst.val |= X86_EFLAGS_VIF;
}
else
- dst.val &= ~EFLG_VIF;
- mask &= ~EFLG_VIF;
+ dst.val &= ~X86_EFLAGS_VIF;
+ mask &= ~X86_EFLAGS_VIF;
}
}
dst.val &= EFLAGS_MODIFIABLE;
_regs._eflags &= mask;
- _regs._eflags |= (dst.val & ~mask) | EFLG_MBS;
+ _regs._eflags |= (dst.val & ~mask) | X86_EFLAGS_MBS;
break;
}
case 0x9e: /* sahf */
if ( mode_64bit() )
vcpu_must_have(lahf_lm);
- *(uint8_t *)&_regs._eflags = (_regs.ah & EFLAGS_MASK) | EFLG_MBS;
+ *(uint8_t *)&_regs._eflags = (_regs.ah & EFLAGS_MASK) | X86_EFLAGS_MBS;
break;
case 0x9f: /* lahf */
if ( mode_64bit() )
vcpu_must_have(lahf_lm);
- _regs.ah = (_regs._eflags & EFLAGS_MASK) | EFLG_MBS;
+ _regs.ah = (_regs._eflags & EFLAGS_MASK) | X86_EFLAGS_MBS;
break;
case 0xa4 ... 0xa5: /* movs */ {
@@ -3487,8 +3474,8 @@ x86_emulate(
put_rep_prefix(1);
/* cmp: dst - src ==> src=*%%edi,dst=*%%esi ==> *%%esi - *%%edi */
emulate_2op_SrcV("cmp", src, dst, _regs._eflags);
- if ( (repe_prefix() && !(_regs._eflags & EFLG_ZF)) ||
- (repne_prefix() && (_regs._eflags & EFLG_ZF)) )
+ if ( (repe_prefix() && !(_regs._eflags & X86_EFLAGS_ZF)) ||
+ (repne_prefix() && (_regs._eflags & X86_EFLAGS_ZF)) )
_regs.r(ip) = next_eip;
break;
}
@@ -3537,8 +3524,8 @@ x86_emulate(
/* cmp: %%eax - *%%edi ==> src=%%eax,dst=*%%edi ==> src - dst */
dst.bytes = src.bytes;
emulate_2op_SrcV("cmp", dst, src, _regs._eflags);
- if ( (repe_prefix() && !(_regs._eflags & EFLG_ZF)) ||
- (repne_prefix() && (_regs._eflags & EFLG_ZF)) )
+ if ( (repe_prefix() && !(_regs._eflags & X86_EFLAGS_ZF)) ||
+ (repne_prefix() && (_regs._eflags & X86_EFLAGS_ZF)) )
_regs.r(ip) = next_eip;
break;
}
@@ -3683,7 +3670,7 @@ x86_emulate(
goto done;
case 0xce: /* into */
- if ( !(_regs._eflags & EFLG_OF) )
+ if ( !(_regs._eflags & X86_EFLAGS_OF) )
break;
src.val = EXC_OF;
swint_type = x86_swint_into;
@@ -3691,7 +3678,7 @@ x86_emulate(
case 0xcf: /* iret */ {
unsigned long sel, eip, eflags;
- uint32_t mask = EFLG_VIP | EFLG_VIF | EFLG_VM;
+ uint32_t mask = X86_EFLAGS_VIP | X86_EFLAGS_VIF | X86_EFLAGS_VM;
fail_if(!in_realmode(ctxt, ops));
if ( (rc = read_ulong(x86_seg_ss, sp_post_inc(op_bytes),
@@ -3705,7 +3692,7 @@ x86_emulate(
eflags = (uint16_t)eflags | (_regs._eflags & 0xffff0000u);
eflags &= EFLAGS_MODIFIABLE;
_regs._eflags &= mask;
- _regs._eflags |= (eflags & ~mask) | EFLG_MBS;
+ _regs._eflags |= (eflags & ~mask) | X86_EFLAGS_MBS;
if ( (rc = load_seg(x86_seg_cs, sel, 1, &cs, ctxt, ops)) ||
(rc = commit_far_branch(&cs, (uint32_t)eip)) )
goto done;
@@ -3737,15 +3724,15 @@ x86_emulate(
generate_exception_if(!base, EXC_DE);
_regs.ax = ((al / base) << 8) | (al % base);
}
- _regs._eflags &= ~(EFLG_SF|EFLG_ZF|EFLG_PF);
- _regs._eflags |= !_regs.al ? EFLG_ZF : 0;
- _regs._eflags |= ((int8_t)_regs.al < 0) ? EFLG_SF : 0;
- _regs._eflags |= even_parity(_regs.al) ? EFLG_PF : 0;
+ _regs._eflags &= ~(X86_EFLAGS_SF | X86_EFLAGS_ZF | X86_EFLAGS_PF);
+ _regs._eflags |= !_regs.al ? X86_EFLAGS_ZF : 0;
+ _regs._eflags |= ((int8_t)_regs.al < 0) ? X86_EFLAGS_SF : 0;
+ _regs._eflags |= even_parity(_regs.al) ? X86_EFLAGS_PF : 0;
break;
}
case 0xd6: /* salc */
- _regs.al = (_regs._eflags & EFLG_CF) ? 0xff : 0x00;
+ _regs.al = (_regs._eflags & X86_EFLAGS_CF) ? 0xff : 0x00;
break;
case 0xd7: /* xlat */ {
@@ -4263,7 +4250,7 @@ x86_emulate(
case 0xe0 ... 0xe2: /* loop{,z,nz} */ {
unsigned long count = get_loop_count(&_regs, ad_bytes);
- int do_jmp = !(_regs._eflags & EFLG_ZF); /* loopnz */
+ int do_jmp = !(_regs._eflags & X86_EFLAGS_ZF); /* loopnz */
if ( b == 0xe1 )
do_jmp = !do_jmp; /* loopz */
@@ -4351,7 +4338,7 @@ x86_emulate(
break;
case 0xf5: /* cmc */
- _regs._eflags ^= EFLG_CF;
+ _regs._eflags ^= X86_EFLAGS_CF;
break;
case 0xf6 ... 0xf7: /* Grp3 */
@@ -4371,21 +4358,21 @@ x86_emulate(
emulate_1op("neg", dst, _regs._eflags);
break;
case 4: /* mul */
- _regs._eflags &= ~(EFLG_OF|EFLG_CF);
+ _regs._eflags &= ~(X86_EFLAGS_OF | X86_EFLAGS_CF);
switch ( dst.bytes )
{
case 1:
dst.val = _regs.al;
dst.val *= src.val;
if ( (uint8_t)dst.val != (uint16_t)dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF | X86_EFLAGS_CF;
dst.bytes = 2;
break;
case 2:
dst.val = _regs.ax;
dst.val *= src.val;
if ( (uint16_t)dst.val != (uint32_t)dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF | X86_EFLAGS_CF;
_regs.dx = dst.val >> 16;
break;
#ifdef __x86_64__
@@ -4393,7 +4380,7 @@ x86_emulate(
dst.val = _regs._eax;
dst.val *= src.val;
if ( (uint32_t)dst.val != dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF | X86_EFLAGS_CF;
_regs.rdx = dst.val >> 32;
break;
#endif
@@ -4401,7 +4388,7 @@ x86_emulate(
u[0] = src.val;
u[1] = _regs.r(ax);
if ( mul_dbl(u) )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF | X86_EFLAGS_CF;
_regs.r(dx) = u[1];
dst.val = u[0];
break;
@@ -4409,13 +4396,13 @@ x86_emulate(
break;
case 5: /* imul */
imul:
- _regs._eflags &= ~(EFLG_OF|EFLG_CF);
+ _regs._eflags &= ~(X86_EFLAGS_OF | X86_EFLAGS_CF);
switch ( dst.bytes )
{
case 1:
dst.val = (int8_t)src.val * (int8_t)_regs.al;
if ( (int8_t)dst.val != (int16_t)dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF | X86_EFLAGS_CF;
ASSERT(b > 0x6b);
dst.bytes = 2;
break;
@@ -4423,7 +4410,7 @@ x86_emulate(
dst.val = ((uint32_t)(int16_t)src.val *
(uint32_t)(int16_t)_regs.ax);
if ( (int16_t)dst.val != (int32_t)dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF | X86_EFLAGS_CF;
if ( b > 0x6b )
_regs.dx = dst.val >> 16;
break;
@@ -4432,7 +4419,7 @@ x86_emulate(
dst.val = ((uint64_t)(int32_t)src.val *
(uint64_t)(int32_t)_regs._eax);
if ( (int32_t)dst.val != dst.val )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF | X86_EFLAGS_CF;
if ( b > 0x6b )
_regs.rdx = dst.val >> 32;
break;
@@ -4441,7 +4428,7 @@ x86_emulate(
u[0] = src.val;
u[1] = _regs.r(ax);
if ( imul_dbl(u) )
- _regs._eflags |= EFLG_OF|EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_OF | X86_EFLAGS_CF;
if ( b > 0x6b )
_regs.r(dx) = u[1];
dst.val = u[0];
@@ -4542,46 +4529,47 @@ x86_emulate(
break;
case 0xf8: /* clc */
- _regs._eflags &= ~EFLG_CF;
+ _regs._eflags &= ~X86_EFLAGS_CF;
break;
case 0xf9: /* stc */
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
break;
case 0xfa: /* cli */
if ( mode_iopl() )
- _regs._eflags &= ~EFLG_IF;
+ _regs._eflags &= ~X86_EFLAGS_IF;
else
{
generate_exception_if(!mode_vif(), EXC_GP, 0);
- _regs._eflags &= ~EFLG_VIF;
+ _regs._eflags &= ~X86_EFLAGS_VIF;
}
break;
case 0xfb: /* sti */
if ( mode_iopl() )
{
- if ( !(_regs._eflags & EFLG_IF) )
+ if ( !(_regs._eflags & X86_EFLAGS_IF) )
ctxt->retire.sti = true;
- _regs._eflags |= EFLG_IF;
+ _regs._eflags |= X86_EFLAGS_IF;
}
else
{
- generate_exception_if((_regs._eflags & EFLG_VIP) || !mode_vif(),
+ generate_exception_if((_regs._eflags & X86_EFLAGS_VIP) ||
+ !mode_vif(),
EXC_GP, 0);
- if ( !(_regs._eflags & EFLG_VIF) )
+ if ( !(_regs._eflags & X86_EFLAGS_VIF) )
ctxt->retire.sti = true;
- _regs._eflags |= EFLG_VIF;
+ _regs._eflags |= X86_EFLAGS_VIF;
}
break;
case 0xfc: /* cld */
- _regs._eflags &= ~EFLG_DF;
+ _regs._eflags &= ~X86_EFLAGS_DF;
break;
case 0xfd: /* std */
- _regs._eflags |= EFLG_DF;
+ _regs._eflags |= X86_EFLAGS_DF;
break;
case 0xfe: /* Grp4 */
@@ -4643,7 +4631,7 @@ x86_emulate(
goto done;
break;
case 4: /* verr / verw */
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
switch ( rc = protmode_load_seg(x86_seg_none, src.val, false,
&sreg, ctxt, ops) )
{
@@ -4651,7 +4639,7 @@ x86_emulate(
if ( sreg.attr.fields.s &&
((modrm_reg & 1) ? ((sreg.attr.fields.type & 0xa) == 0x2)
: ((sreg.attr.fields.type & 0xa) != 0x8)) )
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
case X86EMUL_EXCEPTION:
if ( ctxt->event_pending )
@@ -4681,9 +4669,9 @@ x86_emulate(
vcpu_must_have(smap);
generate_exception_if(vex.pfx || !mode_ring0(), EXC_UD);
- _regs._eflags &= ~EFLG_AC;
+ _regs._eflags &= ~X86_EFLAGS_AC;
if ( modrm == 0xcb )
- _regs._eflags |= EFLG_AC;
+ _regs._eflags |= X86_EFLAGS_AC;
goto complete_insn;
#ifdef __XEN__
@@ -4717,7 +4705,7 @@ x86_emulate(
generate_exception_if(!vcpu_has_rtm() && !vcpu_has_hle(),
EXC_UD);
/* Neither HLE nor RTM can be active when we get here. */
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
goto complete_insn;
case 0xdf: /* invlpga */
@@ -4868,7 +4856,7 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0x02): /* lar */
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
switch ( rc = protmode_load_seg(x86_seg_none, src.val, false, &sreg,
ctxt, ops) )
{
@@ -4888,12 +4876,12 @@ x86_emulate(
case 0x09: /* available 32/64-bit TSS */
case 0x0b: /* busy 32/64-bit TSS */
case 0x0c: /* 32/64-bit call gate */
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
}
}
else
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
case X86EMUL_EXCEPTION:
if ( ctxt->event_pending )
@@ -4906,7 +4894,7 @@ x86_emulate(
rc = X86EMUL_OKAY;
break;
}
- if ( _regs._eflags & EFLG_ZF )
+ if ( _regs._eflags & X86_EFLAGS_ZF )
dst.val = ((sreg.attr.bytes & 0xff) << 8) |
((sreg.limit >> (sreg.attr.fields.g ? 12 : 0)) &
0xf0000) |
@@ -4917,7 +4905,7 @@ x86_emulate(
case X86EMUL_OPC(0x0f, 0x03): /* lsl */
generate_exception_if(!in_protmode(ctxt, ops), EXC_UD);
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
switch ( rc = protmode_load_seg(x86_seg_none, src.val, false, &sreg,
ctxt, ops) )
{
@@ -4934,12 +4922,12 @@ x86_emulate(
case 0x02: /* LDT */
case 0x09: /* available 32/64-bit TSS */
case 0x0b: /* busy 32/64-bit TSS */
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
}
}
else
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
case X86EMUL_EXCEPTION:
if ( ctxt->event_pending )
@@ -4952,7 +4940,7 @@ x86_emulate(
rc = X86EMUL_OKAY;
break;
}
- if ( _regs._eflags & EFLG_ZF )
+ if ( _regs._eflags & X86_EFLAGS_ZF )
dst.val = sreg.limit;
else
dst.type = OP_NONE;
@@ -4988,7 +4976,7 @@ x86_emulate(
cs.attr.bytes = 0xa9b; /* L+DB+P+S+Code */
_regs.rcx = _regs.rip;
- _regs.r11 = _regs._eflags & ~EFLG_RF;
+ _regs.r11 = _regs._eflags & ~X86_EFLAGS_RF;
if ( (rc = ops->read_msr(mode_64bit() ? MSR_LSTAR : MSR_CSTAR,
&msr_content, ctxt)) != 0 )
@@ -4997,7 +4985,7 @@ x86_emulate(
if ( (rc = ops->read_msr(MSR_FMASK, &msr_content, ctxt)) != 0 )
goto done;
- _regs._eflags &= ~(msr_content | EFLG_RF);
+ _regs._eflags &= ~(msr_content | X86_EFLAGS_RF);
}
else
#endif
@@ -5006,7 +4994,7 @@ x86_emulate(
_regs.r(cx) = _regs._eip;
_regs._eip = msr_content;
- _regs._eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+ _regs._eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF | X86_EFLAGS_RF);
}
fail_if(ops->write_segment == NULL);
@@ -5016,20 +5004,20 @@ x86_emulate(
/*
* SYSCALL (unlike most instructions) evaluates its singlestep action
- * based on the resulting EFLG_TF, not the starting EFLG_TF.
+ * based on the resulting EFLAGS.TF, not the starting EFLAGS.TF.
*
* As the #DB is raised after the CPL change and before the OS can
* switch stack, it is a large risk for privilege escalation.
*
- * 64bit kernels should mask EFLG_TF in MSR_FMASK to avoid any
+ * 64bit kernels should mask EFLAGS.TF in MSR_FMASK to avoid any
* vulnerability. Running the #DB handler on an IST stack is also a
* mitigation.
*
- * 32bit kernels have no ability to mask EFLG_TF at all. Their only
- * mitigation is to use a task gate for handling #DB (or to not use
- * enable EFER.SCE to start with).
+ * 32bit kernels have no ability to mask EFLAGS.TF at all.
+ * Their only mitigation is to use a task gate for handling
+ * #DB (or to not use enable EFER.SCE to start with).
*/
- singlestep = _regs._eflags & EFLG_TF;
+ singlestep = _regs._eflags & X86_EFLAGS_TF;
break;
}
@@ -5260,7 +5248,7 @@ x86_emulate(
if ( lm < 0 )
goto cannot_emulate;
- _regs._eflags &= ~(EFLG_VM | EFLG_IF | EFLG_RF);
+ _regs._eflags &= ~(X86_EFLAGS_VM | X86_EFLAGS_IF | X86_EFLAGS_RF);
cs.sel = msr_content & ~3; /* SELECTOR_RPL_MASK */
cs.base = 0; /* flat segment */
@@ -5286,7 +5274,7 @@ x86_emulate(
goto done;
_regs.r(sp) = lm ? msr_content : (uint32_t)msr_content;
- singlestep = _regs._eflags & EFLG_TF;
+ singlestep = _regs._eflags & X86_EFLAGS_TF;
break;
}
@@ -5328,7 +5316,7 @@ x86_emulate(
_regs.r(ip) = op_bytes == 8 ? _regs.r(dx) : _regs._edx;
_regs.r(sp) = op_bytes == 8 ? _regs.r(cx) : _regs._ecx;
- singlestep = _regs._eflags & EFLG_TF;
+ singlestep = _regs._eflags & X86_EFLAGS_TF;
break;
}
@@ -5517,14 +5505,15 @@ x86_emulate(
((dst.orig_val << shift) |
((src.val >> (width - shift)) & ((1ull << shift) - 1))));
dst.val = truncate_word(dst.val, dst.bytes);
- _regs._eflags &= ~(EFLG_OF|EFLG_SF|EFLG_ZF|EFLG_PF|EFLG_CF);
+ _regs._eflags &= ~(X86_EFLAGS_OF | X86_EFLAGS_SF | X86_EFLAGS_ZF |
+ X86_EFLAGS_PF | X86_EFLAGS_CF);
if ( (dst.val >> ((b & 8) ? (shift - 1) : (width - shift))) & 1 )
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
if ( ((dst.val ^ dst.orig_val) >> (width - 1)) & 1 )
- _regs._eflags |= EFLG_OF;
- _regs._eflags |= ((dst.val >> (width - 1)) & 1) ? EFLG_SF : 0;
- _regs._eflags |= (dst.val == 0) ? EFLG_ZF : 0;
- _regs._eflags |= even_parity(dst.val) ? EFLG_PF : 0;
+ _regs._eflags |= X86_EFLAGS_OF;
+ _regs._eflags |= ((dst.val >> (width - 1)) & 1) ? X86_EFLAGS_SF : 0;
+ _regs._eflags |= (dst.val == 0) ? X86_EFLAGS_ZF : 0;
+ _regs._eflags |= even_parity(dst.val) ? X86_EFLAGS_PF : 0;
break;
}
@@ -5624,7 +5613,7 @@ x86_emulate(
src.val = _regs.r(ax);
/* cmp: %%eax - dst ==> dst and src swapped for macro invocation */
emulate_2op_SrcV("cmp", dst, src, _regs._eflags);
- if ( _regs._eflags & EFLG_ZF )
+ if ( _regs._eflags & X86_EFLAGS_ZF )
{
/* Success: write back to memory. */
dst.val = src.orig_val;
@@ -5663,7 +5652,7 @@ x86_emulate(
asm ( "popcnt %1,%0" : "=r" (dst.val) : "rm" (src.val) );
_regs._eflags &= ~EFLAGS_MASK;
if ( !dst.val )
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
break;
case X86EMUL_OPC(0x0f, 0xba): /* Grp8 */
@@ -5688,21 +5677,21 @@ x86_emulate(
asm ( "bsf %2,%0" ASM_FLAG_OUT(, "; setz %1")
: "=r" (dst.val), ASM_FLAG_OUT("=@ccz", "=qm") (zf)
: "rm" (src.val) );
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
if ( (vex.pfx == vex_f3) && vcpu_has_bmi1() )
{
- _regs._eflags &= ~EFLG_CF;
+ _regs._eflags &= ~X86_EFLAGS_CF;
if ( zf )
{
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
dst.val = op_bytes * 8;
}
else if ( !dst.val )
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
}
else if ( zf )
{
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
dst.type = OP_NONE;
}
break;
@@ -5715,25 +5704,25 @@ x86_emulate(
asm ( "bsr %2,%0" ASM_FLAG_OUT(, "; setz %1")
: "=r" (dst.val), ASM_FLAG_OUT("=@ccz", "=qm") (zf)
: "rm" (src.val) );
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
if ( (vex.pfx == vex_f3) && vcpu_has_lzcnt() )
{
- _regs._eflags &= ~EFLG_CF;
+ _regs._eflags &= ~X86_EFLAGS_CF;
if ( zf )
{
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
dst.val = op_bytes * 8;
}
else
{
dst.val = op_bytes * 8 - 1 - dst.val;
if ( !dst.val )
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
}
}
else if ( zf )
{
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
dst.type = OP_NONE;
}
break;
@@ -5807,7 +5796,7 @@ x86_emulate(
}
_regs._eflags &= ~EFLAGS_MASK;
if ( carry )
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
break;
#endif
@@ -5850,7 +5839,7 @@ x86_emulate(
}
_regs._eflags &= ~EFLAGS_MASK;
if ( carry )
- _regs._eflags |= EFLG_CF;
+ _regs._eflags |= X86_EFLAGS_CF;
break;
#endif
}
@@ -5899,7 +5888,7 @@ x86_emulate(
/* Expected != actual: store actual to rDX:rAX and clear ZF. */
_regs.r(ax) = !(rex_prefix & REX_W) ? old->u32[0] : old->u64[0];
_regs.r(dx) = !(rex_prefix & REX_W) ? old->u32[1] : old->u64[1];
- _regs._eflags &= ~EFLG_ZF;
+ _regs._eflags &= ~X86_EFLAGS_ZF;
}
else
{
@@ -5921,7 +5910,7 @@ x86_emulate(
if ( (rc = ops->cmpxchg(ea.mem.seg, ea.mem.off, old, aux,
op_bytes, ctxt)) != X86EMUL_OKAY )
goto done;
- _regs._eflags |= EFLG_ZF;
+ _regs._eflags |= X86_EFLAGS_ZF;
}
break;
}
@@ -6070,7 +6059,7 @@ x86_emulate(
case X86EMUL_OPC_66(0x0f38, 0xf6): /* adcx r/m,r */
case X86EMUL_OPC_F3(0x0f38, 0xf6): /* adox r/m,r */
{
- unsigned int mask = rep_prefix() ? EFLG_OF : EFLG_CF;
+ unsigned int mask = rep_prefix() ? X86_EFLAGS_OF : X86_EFLAGS_CF;
unsigned int aux = _regs._eflags & mask ? ~0 : 0;
bool carry;
@@ -6263,7 +6252,7 @@ x86_emulate(
rc = X86EMUL_OKAY;
}
- ctxt->regs->_eflags &= ~EFLG_RF;
+ ctxt->regs->_eflags &= ~X86_EFLAGS_RF;
done:
_put_fpu();
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 07/12] x86emul: use msr definitions in msr-index.h
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (5 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 06/12] x86emul: use eflags definitions in x86-defns.h Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 11:53 ` [PATCH v4 08/12] x86: add UMIP CR4 bit Wei Liu
` (5 subsequent siblings)
12 siblings, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Wei Liu
Change the names used in code according to numeric values. Remove the
now unused macros in x86_emualte.c and fix indentation. This in turns
requires including msr-index.h and removing duplicates in userspace
x86_emulate.c in userspace harness program.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
tools/fuzz/x86_instruction_emulator/Makefile | 4 +--
tools/tests/x86_emulator/Makefile | 4 +--
tools/tests/x86_emulator/x86_emulate.c | 3 --
tools/tests/x86_emulator/x86_emulate.h | 1 +
xen/arch/x86/x86_emulate/x86_emulate.c | 43 ++++++++++------------------
5 files changed, 20 insertions(+), 35 deletions(-)
diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile
index bbb781838b..b6c6d5b183 100644
--- a/tools/fuzz/x86_instruction_emulator/Makefile
+++ b/tools/fuzz/x86_instruction_emulator/Makefile
@@ -11,7 +11,7 @@ endif
x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h:
[ -L x86_emulate ] || ln -sf $(XEN_ROOT)/xen/arch/x86/x86_emulate .
-asm/x86-vendors.h asm/x86-defns.h:
+asm/x86-vendors.h asm/x86-defns.h asm/msr-index.h:
[ -L asm ] || ln -sf $(XEN_ROOT)/xen/include/asm-x86 asm
x86_emulate.c x86_emulate.h: %:
@@ -20,7 +20,7 @@ x86_emulate.c x86_emulate.h: %:
CFLAGS += $(CFLAGS_xeninclude) -D__XEN_TOOLS__ -I.
x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
-x86.h := asm/x86-vendors.h asm/x86-defns.h
+x86.h := asm/x86-vendors.h asm/x86-defns.h asm/msr-index.h
x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h) $(x86.h)
diff --git a/tools/tests/x86_emulator/Makefile b/tools/tests/x86_emulator/Makefile
index 0c53ec87e8..33486c4681 100644
--- a/tools/tests/x86_emulator/Makefile
+++ b/tools/tests/x86_emulator/Makefile
@@ -43,13 +43,13 @@ install:
x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h:
[ -L x86_emulate ] || ln -sf $(XEN_ROOT)/xen/arch/x86/x86_emulate .
-asm/x86-vendors.h asm/x86-defns.h:
+asm/x86-vendors.h asm/x86-defns.h asm/msr-index.h:
[ -L asm ] || ln -sf $(XEN_ROOT)/xen/include/asm-x86 asm
HOSTCFLAGS += $(CFLAGS_xeninclude) -I.
x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
-x86.h := asm/x86-vendors.h asm/x86-defns.h
+x86.h := asm/x86-vendors.h asm/x86-defns.h asm/msr-index.h
x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h) $(x86.h)
$(HOSTCC) $(HOSTCFLAGS) -D__XEN_TOOLS__ -c -g -o $@ $<
diff --git a/tools/tests/x86_emulator/x86_emulate.c b/tools/tests/x86_emulator/x86_emulate.c
index 615326259b..cda0fd8ee1 100644
--- a/tools/tests/x86_emulator/x86_emulate.c
+++ b/tools/tests/x86_emulator/x86_emulate.c
@@ -2,9 +2,6 @@
#include <sys/mman.h>
-#define EFER_SCE (1 << 0)
-#define EFER_LMA (1 << 10)
-
#define cpu_has_amd_erratum(nr) 0
#define mark_regs_dirty(r) ((void)(r))
#define cpu_has_mpx false
diff --git a/tools/tests/x86_emulator/x86_emulate.h b/tools/tests/x86_emulator/x86_emulate.h
index e064deaeea..6d6f5125ca 100644
--- a/tools/tests/x86_emulator/x86_emulate.h
+++ b/tools/tests/x86_emulator/x86_emulate.h
@@ -6,6 +6,7 @@
#include <string.h>
#include <xen/xen.h>
+#include <asm/msr-index.h>
#include <asm/x86-defns.h>
#include <asm/x86-vendors.h>
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index c39756dd85..288461eaec 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -415,23 +415,6 @@ typedef union {
# define ASM_FLAG_OUT(yes, no) no
#endif
-/* MSRs. */
-#define MSR_TSC 0x00000010
-#define MSR_SYSENTER_CS 0x00000174
-#define MSR_SYSENTER_ESP 0x00000175
-#define MSR_SYSENTER_EIP 0x00000176
-#define MSR_DEBUGCTL 0x000001d9
-#define DEBUGCTL_BTF (1 << 1)
-#define MSR_BNDCFGS 0x00000d90
-#define BNDCFG_ENABLE (1 << 0)
-#define BNDCFG_PRESERVE (1 << 1)
-#define MSR_EFER 0xc0000080
-#define MSR_STAR 0xc0000081
-#define MSR_LSTAR 0xc0000082
-#define MSR_CSTAR 0xc0000083
-#define MSR_FMASK 0xc0000084
-#define MSR_TSC_AUX 0xc0000103
-
/* Control register flags. */
#define CR0_PE (1<<0)
#define CR0_MP (1<<1)
@@ -1731,8 +1714,8 @@ static bool is_branch_step(struct x86_emulate_ctxt *ctxt,
uint64_t debugctl;
return ops->read_msr &&
- ops->read_msr(MSR_DEBUGCTL, &debugctl, ctxt) == X86EMUL_OKAY &&
- (debugctl & DEBUGCTL_BTF);
+ ops->read_msr(MSR_IA32_DEBUGCTLMSR, &debugctl, ctxt) == X86EMUL_OKAY &&
+ (debugctl & IA32_DEBUGCTLMSR_BTF);
}
static bool umip_active(struct x86_emulate_ctxt *ctxt,
@@ -1894,9 +1877,9 @@ static void adjust_bnd(struct x86_emulate_ctxt *ctxt,
if ( !mode_ring0() )
bndcfg = read_bndcfgu();
else if ( !ops->read_msr ||
- ops->read_msr(MSR_BNDCFGS, &bndcfg, ctxt) != X86EMUL_OKAY )
+ ops->read_msr(MSR_IA32_BNDCFGS, &bndcfg, ctxt) != X86EMUL_OKAY )
return;
- if ( (bndcfg & BNDCFG_ENABLE) && !(bndcfg & BNDCFG_PRESERVE) )
+ if ( (bndcfg & IA32_BNDCFGS_ENABLE) && !(bndcfg & IA32_BNDCFGS_PRESERVE) )
{
/*
* Using BNDMK or any other MPX instruction here is pointless, as
@@ -4983,7 +4966,7 @@ x86_emulate(
goto done;
_regs.rip = msr_content;
- if ( (rc = ops->read_msr(MSR_FMASK, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_SYSCALL_MASK, &msr_content, ctxt)) != 0 )
goto done;
_regs._eflags &= ~(msr_content | X86_EFLAGS_RF);
}
@@ -5009,7 +4992,7 @@ x86_emulate(
* As the #DB is raised after the CPL change and before the OS can
* switch stack, it is a large risk for privilege escalation.
*
- * 64bit kernels should mask EFLAGS.TF in MSR_FMASK to avoid any
+ * 64bit kernels should mask EFLAGS.TF in MSR_SYSCALL_MASK to avoid any
* vulnerability. Running the #DB handler on an IST stack is also a
* mitigation.
*
@@ -5207,7 +5190,7 @@ x86_emulate(
generate_exception_if(cr4 & CR4_TSD, EXC_GP, 0);
}
fail_if(ops->read_msr == NULL);
- if ( (rc = ops->read_msr(MSR_TSC, &val, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_TSC, &val, ctxt)) != 0 )
goto done;
_regs.r(dx) = val >> 32;
_regs.r(ax) = (uint32_t)val;
@@ -5240,7 +5223,8 @@ x86_emulate(
generate_exception_if(!in_protmode(ctxt, ops), EXC_GP, 0);
fail_if(ops->read_msr == NULL);
- if ( (rc = ops->read_msr(MSR_SYSENTER_CS, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_CS, &msr_content, ctxt))
+ != 0 )
goto done;
generate_exception_if(!(msr_content & 0xfffc), EXC_GP, 0);
@@ -5266,11 +5250,13 @@ x86_emulate(
(rc = ops->write_segment(x86_seg_ss, &sreg, ctxt)) != 0 )
goto done;
- if ( (rc = ops->read_msr(MSR_SYSENTER_EIP, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_EIP, &msr_content, ctxt))
+ != 0 )
goto done;
_regs.r(ip) = lm ? msr_content : (uint32_t)msr_content;
- if ( (rc = ops->read_msr(MSR_SYSENTER_ESP, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_ESP, &msr_content, ctxt))
+ != 0 )
goto done;
_regs.r(sp) = lm ? msr_content : (uint32_t)msr_content;
@@ -5287,7 +5273,8 @@ x86_emulate(
generate_exception_if(!in_protmode(ctxt, ops), EXC_GP, 0);
fail_if(ops->read_msr == NULL);
- if ( (rc = ops->read_msr(MSR_SYSENTER_CS, &msr_content, ctxt)) != 0 )
+ if ( (rc = ops->read_msr(MSR_IA32_SYSENTER_CS, &msr_content, ctxt))
+ != 0 )
goto done;
generate_exception_if(!(msr_content & 0xfffc), EXC_GP, 0);
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 08/12] x86: add UMIP CR4 bit
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (6 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 07/12] x86emul: use msr definitions in msr-index.h Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 11:53 ` [PATCH v4 09/12] x86emul: use CR definitions in x86-defns.h Wei Liu
` (4 subsequent siblings)
12 siblings, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Wei Liu
It will be used later to remove duplicates in x86emul.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/include/asm-x86/x86-defns.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/xen/include/asm-x86/x86-defns.h b/xen/include/asm-x86/x86-defns.h
index 48ea5ea03b..70453e8dfb 100644
--- a/xen/include/asm-x86/x86-defns.h
+++ b/xen/include/asm-x86/x86-defns.h
@@ -56,6 +56,7 @@
#define X86_CR4_PCE 0x00000100 /* enable performance counters at ipl 3 */
#define X86_CR4_OSFXSR 0x00000200 /* enable fast FPU save and restore */
#define X86_CR4_OSXMMEXCPT 0x00000400 /* enable unmasked SSE exceptions */
+#define X86_CR4_UMIP 0x00000800 /* enable UMIP */
#define X86_CR4_VMXE 0x00002000 /* enable VMX */
#define X86_CR4_SMXE 0x00004000 /* enable SMX */
#define X86_CR4_FSGSBASE 0x00010000 /* enable {rd,wr}{fs,gs}base */
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 09/12] x86emul: use CR definitions in x86-defns.h
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (7 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 08/12] x86: add UMIP CR4 bit Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 11:53 ` [PATCH v4 10/12] fuzz/x86emul: update fuzzer Wei Liu
` (3 subsequent siblings)
12 siblings, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Wei Liu
And remove the duplicates.
No functional change.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
xen/arch/x86/x86_emulate/x86_emulate.c | 45 ++++++++++++----------------------
1 file changed, 15 insertions(+), 30 deletions(-)
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
index 288461eaec..270b5c6441 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -415,21 +415,6 @@ typedef union {
# define ASM_FLAG_OUT(yes, no) no
#endif
-/* Control register flags. */
-#define CR0_PE (1<<0)
-#define CR0_MP (1<<1)
-#define CR0_EM (1<<2)
-#define CR0_TS (1<<3)
-
-#define CR4_VME (1<<0)
-#define CR4_PVI (1<<1)
-#define CR4_TSD (1<<2)
-#define CR4_OSFXSR (1<<9)
-#define CR4_OSXMMEXCPT (1<<10)
-#define CR4_UMIP (1<<11)
-#define CR4_FSGSBASE (1<<16)
-#define CR4_OSXSAVE (1<<18)
-
/* Floating point status word definitions. */
#define FSW_ES (1U << 7)
@@ -810,7 +795,7 @@ static int _get_fpu(
if ( rc != X86EMUL_OKAY )
return rc;
generate_exception_if(!(cr4 & ((type == X86EMUL_FPU_xmm)
- ? CR4_OSFXSR : CR4_OSXSAVE)),
+ ? X86_CR4_OSFXSR : X86_CR4_OSXSAVE)),
EXC_UD);
}
@@ -820,16 +805,16 @@ static int _get_fpu(
if ( type >= X86EMUL_FPU_ymm )
{
/* Should be unreachable if VEX decoding is working correctly. */
- ASSERT((cr0 & CR0_PE) && !(ctxt->regs->_eflags & X86_EFLAGS_VM));
+ ASSERT((cr0 & X86_CR0_PE) && !(ctxt->regs->_eflags & X86_EFLAGS_VM));
}
- if ( cr0 & CR0_EM )
+ if ( cr0 & X86_CR0_EM )
{
generate_exception_if(type == X86EMUL_FPU_fpu, EXC_NM);
generate_exception_if(type == X86EMUL_FPU_mmx, EXC_UD);
generate_exception_if(type == X86EMUL_FPU_xmm, EXC_UD);
}
- generate_exception_if((cr0 & CR0_TS) &&
- (type != X86EMUL_FPU_wait || (cr0 & CR0_MP)),
+ generate_exception_if((cr0 & X86_CR0_TS) &&
+ (type != X86EMUL_FPU_wait || (cr0 & X86_CR0_MP)),
EXC_NM);
}
@@ -852,7 +837,7 @@ do { \
_put_fpu(); \
if ( (_fic)->exn_raised == EXC_XM && ops->read_cr && \
ops->read_cr(4, &cr4, ctxt) == X86EMUL_OKAY && \
- !(cr4 & CR4_OSXMMEXCPT) ) \
+ !(cr4 & X86_CR4_OSXMMEXCPT) ) \
(_fic)->exn_raised = EXC_UD; \
generate_exception_if((_fic)->exn_raised >= 0, \
(_fic)->exn_raised); \
@@ -1184,7 +1169,7 @@ _mode_iopl(
rc = ops->read_cr(4, &cr4, ctxt); \
if ( rc != X86EMUL_OKAY ) goto done; \
} \
- !!(cr4 & (_regs._eflags & X86_EFLAGS_VM ? CR4_VME : CR4_PVI)); \
+ !!(cr4 & (_regs._eflags & X86_EFLAGS_VM ? X86_CR4_VME : X86_CR4_PVI)); \
})
static int ioport_access_check(
@@ -1258,7 +1243,7 @@ in_realmode(
return 0;
rc = ops->read_cr(0, &cr0, ctxt);
- return (!rc && !(cr0 & CR0_PE));
+ return (!rc && !(cr0 & X86_CR0_PE));
}
static bool
@@ -1726,7 +1711,7 @@ static bool umip_active(struct x86_emulate_ctxt *ctxt,
/* Intentionally not using mode_ring0() here to avoid its fail_if(). */
return get_cpl(ctxt, ops) > 0 &&
ops->read_cr && ops->read_cr(4, &cr4, ctxt) == X86EMUL_OKAY &&
- (cr4 & CR4_UMIP);
+ (cr4 & X86_CR4_UMIP);
}
/* Inject a software interrupt/exception, emulating if needed. */
@@ -3345,7 +3330,7 @@ x86_emulate(
if ( rc != X86EMUL_OKAY )
goto done;
}
- generate_exception_if(!(cr4 & CR4_VME), EXC_GP, 0);
+ generate_exception_if(!(cr4 & X86_CR4_VME), EXC_GP, 0);
src.val = (_regs.flags & ~X86_EFLAGS_IF) | X86_EFLAGS_IOPL;
if ( _regs._eflags & X86_EFLAGS_VIF )
src.val |= X86_EFLAGS_IF;
@@ -3368,7 +3353,7 @@ x86_emulate(
if ( rc != X86EMUL_OKAY )
goto done;
}
- generate_exception_if(!(cr4 & CR4_VME) &&
+ generate_exception_if(!(cr4 & X86_CR4_VME) &&
MASK_EXTR(_regs._eflags, X86_EFLAGS_IOPL) != 3,
EXC_GP, 0);
}
@@ -3385,7 +3370,7 @@ x86_emulate(
if ( op_bytes == 2 )
{
dst.val = (uint16_t)dst.val | (_regs._eflags & 0xffff0000u);
- if ( cr4 & CR4_VME )
+ if ( cr4 & X86_CR4_VME )
{
if ( dst.val & X86_EFLAGS_IF )
{
@@ -5009,7 +4994,7 @@ x86_emulate(
generate_exception_if(!mode_ring0(), EXC_GP, 0);
fail_if((ops->read_cr == NULL) || (ops->write_cr == NULL));
if ( (rc = ops->read_cr(0, &dst.val, ctxt)) != X86EMUL_OKAY ||
- (rc = ops->write_cr(0, dst.val & ~CR0_TS, ctxt)) != X86EMUL_OKAY )
+ (rc = ops->write_cr(0, dst.val & ~X86_CR0_TS, ctxt)) != X86EMUL_OKAY )
goto done;
break;
@@ -5187,7 +5172,7 @@ x86_emulate(
fail_if(ops->read_cr == NULL);
if ( (rc = ops->read_cr(4, &cr4, ctxt)) )
goto done;
- generate_exception_if(cr4 & CR4_TSD, EXC_GP, 0);
+ generate_exception_if(cr4 & X86_CR4_TSD, EXC_GP, 0);
}
fail_if(ops->read_msr == NULL);
if ( (rc = ops->read_msr(MSR_IA32_TSC, &val, ctxt)) != 0 )
@@ -5560,7 +5545,7 @@ x86_emulate(
fail_if(!ops->read_cr);
if ( (rc = ops->read_cr(4, &cr4, ctxt)) != X86EMUL_OKAY )
goto done;
- generate_exception_if(!(cr4 & CR4_FSGSBASE), EXC_UD);
+ generate_exception_if(!(cr4 & X86_CR4_FSGSBASE), EXC_UD);
seg = modrm_reg & 1 ? x86_seg_gs : x86_seg_fs;
fail_if(!ops->read_segment);
if ( (rc = ops->read_segment(seg, &sreg, ctxt)) != X86EMUL_OKAY )
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 10/12] fuzz/x86emul: update fuzzer
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (8 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 09/12] x86emul: use CR definitions in x86-defns.h Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-06 8:17 ` Jan Beulich
2017-02-03 11:53 ` [PATCH v4 11/12] fuzz/x86emul: print out minimal input size Wei Liu
` (2 subsequent siblings)
12 siblings, 1 reply; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel
Cc: Wei Liu, George Dunlap, Andrew Cooper, Ian Jackson, George Dunlap,
Jan Beulich
Provide the fuzzer with more ops, and more sophisticated input
structure.
Based on a patch originally written by Andrew and George.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
v2:
1. Address comments from Jan.
2. Provide architecturally correct behaviour for rep stub.
---
.../x86-insn-emulator-fuzzer.c | 642 +++++++++++++++++++--
1 file changed, 581 insertions(+), 61 deletions(-)
diff --git a/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
index 7d7f731677..08e11e91eb 100644
--- a/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
+++ b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
@@ -4,6 +4,7 @@
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
+#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
@@ -16,26 +17,78 @@
#include "x86_emulate.h"
-static unsigned char data[4096];
+#define MSR_INDEX_MAX 16
+
+#define SEG_NUM x86_seg_none
+
+struct input_struct {
+ unsigned long cr[5];
+ uint64_t msr[MSR_INDEX_MAX];
+ struct cpu_user_regs regs;
+ struct segment_register segments[SEG_NUM];
+ unsigned long options;
+ unsigned char data[4096];
+} input;
+#define DATA_OFFSET offsetof(struct input_struct, data)
static unsigned int data_index;
-static unsigned int data_max;
+static unsigned int data_num;
+
+/*
+ * Randomly return success or failure when processing data. If
+ * `exception` is false, this function turns _EXCEPTION to _OKAY.
+ */
+static int maybe_fail(const char *why, bool exception)
+{
+ int rc;
+
+ if ( data_index >= data_num )
+ rc = X86EMUL_EXCEPTION;
+ else
+ {
+ /* Randomly returns value:
+ * 50% okay
+ * 25% unhandlable
+ * 25% exception
+ */
+ if ( input.data[data_index] > 0xc0 )
+ rc = X86EMUL_EXCEPTION;
+ else if ( input.data[data_index] > 0x80 )
+ rc = X86EMUL_UNHANDLEABLE;
+ else
+ rc = X86EMUL_OKAY;
+ data_index++;
+ }
+
+ if ( rc == X86EMUL_EXCEPTION && !exception )
+ rc = X86EMUL_OKAY;
+
+ printf("maybe_fail %s: %d\n", why, rc);
+
+ return rc;
+}
static int data_read(const char *why, void *dst, unsigned int bytes)
{
unsigned int i;
+ int rc;
- if ( data_index + bytes > data_max )
- return X86EMUL_EXCEPTION;
+ if ( data_index + bytes > data_num )
+ rc = X86EMUL_EXCEPTION;
+ else
+ rc = maybe_fail(why, true);
- memcpy(dst, data + data_index, bytes);
- data_index += bytes;
+ if ( rc == X86EMUL_OKAY )
+ {
+ memcpy(dst, input.data + data_index, bytes);
+ data_index += bytes;
- printf("%s: ", why);
- for ( i = 0; i < bytes; i++ )
- printf(" %02x", *(unsigned char *)(dst + i));
- printf("\n");
+ printf("%s: ", why);
+ for ( i = 0; i < bytes; i++ )
+ printf(" %02x", *(unsigned char *)(dst + i));
+ printf("\n");
+ }
- return X86EMUL_OKAY;
+ return rc;
}
static int fuzz_read(
@@ -48,14 +101,114 @@ static int fuzz_read(
return data_read("read", p_data, bytes);
}
-static int fuzz_fetch(
+static int fuzz_read_io(
+ unsigned int port,
+ unsigned int bytes,
+ unsigned long *val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return data_read("read_io", val, bytes);
+}
+
+static int fuzz_insn_fetch(
unsigned int seg,
unsigned long offset,
void *p_data,
unsigned int bytes,
struct x86_emulate_ctxt *ctxt)
{
- return data_read("fetch", p_data, bytes);
+ return data_read("insn_fetch", p_data, bytes);
+}
+
+static int _fuzz_rep_read(const char *why, unsigned long *reps)
+{
+ int rc;
+ unsigned long bytes_read = 0;
+
+ rc = data_read(why, &bytes_read, sizeof(bytes_read));
+
+ if ( bytes_read <= *reps )
+ *reps = bytes_read;
+
+ switch ( rc )
+ {
+ case X86EMUL_UNHANDLEABLE:
+ /* No work is done in this case */
+ *reps = 0;
+ break;
+ case X86EMUL_EXCEPTION:
+ case X86EMUL_RETRY:
+ /* Halve the amount in this case */
+ *reps /= 2;
+ break;
+ }
+
+ return rc;
+}
+
+static int _fuzz_rep_write(const char *why, unsigned long *reps)
+{
+ int rc = maybe_fail(why, true);
+
+ switch ( rc )
+ {
+ case X86EMUL_UNHANDLEABLE:
+ /* No work is done in this case */
+ *reps = 0;
+ break;
+ case X86EMUL_EXCEPTION:
+ case X86EMUL_RETRY:
+ /* Halve the amount in this case */
+ *reps /= 2;
+ break;
+ }
+
+ return rc;
+}
+
+static int fuzz_rep_ins(
+ uint16_t src_port,
+ enum x86_segment dst_seg,
+ unsigned long dst_offset,
+ unsigned int bytes_per_rep,
+ unsigned long *reps,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return _fuzz_rep_read("rep_ins", reps);
+}
+
+static int fuzz_rep_movs(
+ enum x86_segment src_seg,
+ unsigned long src_offset,
+ enum x86_segment dst_seg,
+ unsigned long dst_offset,
+ unsigned int bytes_per_rep,
+ unsigned long *reps,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return _fuzz_rep_read("rep_movs", reps);
+}
+
+static int fuzz_rep_outs(
+ enum x86_segment src_seg,
+ unsigned long src_offset,
+ uint16_t dst_port,
+ unsigned int bytes_per_rep,
+ unsigned long *reps,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return _fuzz_rep_write("rep_outs", reps);
+}
+
+static int fuzz_rep_stos(
+ void *p_data,
+ enum x86_segment seg,
+ unsigned long offset,
+ unsigned int bytes_per_rep,
+ unsigned long *reps,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return _fuzz_rep_write("rep_stos", reps);
}
static int fuzz_write(
@@ -65,7 +218,7 @@ static int fuzz_write(
unsigned int bytes,
struct x86_emulate_ctxt *ctxt)
{
- return X86EMUL_OKAY;
+ return maybe_fail("write", true);
}
static int fuzz_cmpxchg(
@@ -76,18 +229,265 @@ static int fuzz_cmpxchg(
unsigned int bytes,
struct x86_emulate_ctxt *ctxt)
{
+ return maybe_fail("cmpxchg", true);
+}
+
+static int fuzz_invlpg(
+ enum x86_segment seg,
+ unsigned long offset,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return maybe_fail("invlpg", false);
+}
+
+static int fuzz_wbinvd(
+ struct x86_emulate_ctxt *ctxt)
+{
+ return maybe_fail("wbinvd", true);
+}
+
+static int fuzz_write_io(
+ unsigned int port,
+ unsigned int bytes,
+ unsigned long val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ return maybe_fail("write_io", true);
+}
+
+static int fuzz_read_segment(
+ enum x86_segment seg,
+ struct segment_register *reg,
+ struct x86_emulate_ctxt *ctxt)
+{
+ if ( seg >= SEG_NUM )
+ return X86EMUL_UNHANDLEABLE;
+
+ *reg = input.segments[seg];
+
+ return X86EMUL_OKAY;
+}
+
+static int fuzz_write_segment(
+ enum x86_segment seg,
+ const struct segment_register *reg,
+ struct x86_emulate_ctxt *ctxt)
+{
+ int rc;
+
+ if ( seg >= SEG_NUM )
+ return X86EMUL_UNHANDLEABLE;
+
+ rc = maybe_fail("write_segment", true);
+
+ if ( rc == X86EMUL_OKAY )
+ input.segments[seg] = *reg;
+
+ return rc;
+}
+
+static int fuzz_read_cr(
+ unsigned int reg,
+ unsigned long *val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ if ( reg >= ARRAY_SIZE(input.cr) )
+ return X86EMUL_UNHANDLEABLE;
+
+ *val = input.cr[reg];
+
return X86EMUL_OKAY;
}
+static int fuzz_write_cr(
+ unsigned int reg,
+ unsigned long val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ if ( reg >= ARRAY_SIZE(input.cr) )
+ return X86EMUL_UNHANDLEABLE;
+
+ input.cr[reg] = val;
+
+ return X86EMUL_OKAY;
+}
+
+enum {
+ MSRI_IA32_SYSENTER_CS,
+ MSRI_IA32_SYSENTER_ESP,
+ MSRI_IA32_SYSENTER_EIP,
+ MSRI_EFER,
+ MSRI_STAR,
+ MSRI_LSTAR,
+ MSRI_CSTAR,
+ MSRI_SYSCALL_MASK
+};
+
+static const unsigned int msr_index[MSR_INDEX_MAX] = {
+ [MSRI_IA32_SYSENTER_CS] = MSR_IA32_SYSENTER_CS,
+ [MSRI_IA32_SYSENTER_ESP] = MSR_IA32_SYSENTER_ESP,
+ [MSRI_IA32_SYSENTER_EIP] = MSR_IA32_SYSENTER_EIP,
+ [MSRI_EFER] = MSR_EFER,
+ [MSRI_STAR] = MSR_STAR,
+ [MSRI_LSTAR] = MSR_LSTAR,
+ [MSRI_CSTAR] = MSR_CSTAR,
+ [MSRI_SYSCALL_MASK] = MSR_SYSCALL_MASK
+};
+
+static int fuzz_read_msr(
+ unsigned int reg,
+ uint64_t *val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ unsigned int idx;
+
+ if ( reg >= MSR_INDEX_MAX )
+ return X86EMUL_UNHANDLEABLE;
+
+ switch ( reg )
+ {
+ case MSR_TSC_AUX:
+ case MSR_IA32_TSC:
+ /*
+ * TSC should return monotonically increasing values, TSC_AUX
+ * should preferably return consistent values, but returning
+ * random values is fine in fuzzer.
+ */
+ return data_read("read_msr", val, sizeof(*val));
+ case MSR_EFER:
+ *val = input.msr[MSRI_EFER];
+ *val &= ~EFER_LMA;
+ if ( (*val & EFER_LME) && (input.cr[4] & X86_CR4_PAE) &&
+ (input.cr[0] & X86_CR0_PG) )
+ {
+ printf("Setting EFER_LMA\n");
+ *val |= EFER_LMA;
+ }
+ return X86EMUL_OKAY;
+ }
+
+ for ( idx = 0; idx < MSR_INDEX_MAX; idx++ )
+ {
+ if ( msr_index[idx] == reg )
+ {
+ *val = input.msr[idx];
+ return X86EMUL_OKAY;
+ }
+ }
+
+ return X86EMUL_EXCEPTION;
+}
+
+static int fuzz_write_msr(
+ unsigned int reg,
+ uint64_t val,
+ struct x86_emulate_ctxt *ctxt)
+{
+ unsigned int idx;
+ int rc;
+
+ rc = maybe_fail("write_ms", true);
+ if ( rc != X86EMUL_OKAY )
+ return rc;
+
+ switch ( reg )
+ {
+ case MSR_TSC_AUX:
+ case MSR_IA32_TSC:
+ return X86EMUL_OKAY;
+ }
+
+ for ( idx = 0; idx < MSR_INDEX_MAX; idx++ )
+ {
+ if ( msr_index[idx] == reg )
+ {
+ input.msr[idx] = val;
+ return X86EMUL_OKAY;
+ }
+ }
+
+ return X86EMUL_EXCEPTION;
+}
+
+#define SET(h) .h = fuzz_##h
static struct x86_emulate_ops fuzz_emulops = {
- .read = fuzz_read,
- .insn_fetch = fuzz_fetch,
- .write = fuzz_write,
- .cmpxchg = fuzz_cmpxchg,
- .cpuid = emul_test_cpuid,
- .read_cr = emul_test_read_cr,
+ SET(read),
+ SET(insn_fetch),
+ SET(write),
+ SET(cmpxchg),
+ SET(rep_ins),
+ SET(rep_outs),
+ SET(rep_movs),
+ SET(rep_stos),
+ SET(read_segment),
+ SET(write_segment),
+ SET(read_io),
+ SET(write_io),
+ SET(read_cr),
+ SET(write_cr),
+ SET(read_msr),
+ SET(write_msr),
+ SET(wbinvd),
+ SET(invlpg),
.get_fpu = emul_test_get_fpu,
+ .cpuid = emul_test_cpuid,
};
+#undef SET
+
+static void setup_fpu_exception_handler(void)
+{
+ /* FIXME - just disable exceptions for now */
+ unsigned long a;
+
+ asm volatile ( "fnclex");
+ a = 0x37f; /* FCW_DEFAULT in Xen */
+ asm volatile ( "fldcw %0" :: "m" (a));
+ a = 0x1f80; /* MXCSR_DEFAULT in Xen */
+ asm volatile ( "ldmxcsr %0" :: "m" (a) );
+}
+
+static void dump_state(struct x86_emulate_ctxt *ctxt)
+{
+ struct cpu_user_regs *regs = ctxt->regs;
+ uint64_t val = 0;
+
+ printf(" -- State -- \n");
+ printf("addr / sp size: %d / %d\n", ctxt->addr_size, ctxt->sp_size);
+ printf(" cr0: %lx\n", input.cr[0]);
+ printf(" cr3: %lx\n", input.cr[3]);
+ printf(" cr4: %lx\n", input.cr[4]);
+
+ printf(" rip: %"PRIx64"\n", regs->rip);
+
+ fuzz_read_msr(MSR_EFER, &val, ctxt);
+ printf("EFER: %"PRIx64"\n", val);
+}
+
+static bool long_mode_active(struct x86_emulate_ctxt *ctxt)
+{
+ uint64_t val;
+
+ if ( fuzz_read_msr(MSR_EFER, &val, ctxt) != X86EMUL_OKAY )
+ return false;
+
+ return val & EFER_LMA;
+}
+
+static bool in_longmode(struct x86_emulate_ctxt *ctxt)
+{
+ return long_mode_active(ctxt) && input.segments[x86_seg_cs].attr.fields.l;
+}
+
+static void set_sizes(struct x86_emulate_ctxt *ctxt)
+{
+ if ( in_longmode(ctxt) )
+ ctxt->addr_size = ctxt->sp_size = 64;
+ else
+ {
+ ctxt->addr_size = input.segments[x86_seg_cs].attr.fields.db ? 32 : 16;
+ ctxt->sp_size = input.segments[x86_seg_ss].attr.fields.db ? 32 : 16;
+ }
+}
#define CANONICALIZE(x) \
do { \
@@ -100,10 +500,146 @@ static struct x86_emulate_ops fuzz_emulops = {
(x) = _y; \
} while( 0 )
-#define ADDR_SIZE_SHIFT 60
-#define ADDR_SIZE_64 (2ULL << ADDR_SIZE_SHIFT)
-#define ADDR_SIZE_32 (1ULL << ADDR_SIZE_SHIFT)
-#define ADDR_SIZE_16 (0)
+/* Expects bitmap and regs to be defined */
+#define CANONICALIZE_MAYBE(reg) \
+ if ( !(bitmap & (1 << CANONICALIZE_##reg)) ) \
+ CANONICALIZE(regs->reg); \
+
+enum {
+ HOOK_read,
+ HOOK_insn_fetch,
+ HOOK_write,
+ HOOK_cmpxchg,
+ HOOK_rep_ins,
+ HOOK_rep_outs,
+ HOOK_rep_movs,
+ HOOK_rep_stos,
+ HOOK_read_segment,
+ HOOK_write_segment,
+ HOOK_read_io,
+ HOOK_write_io,
+ HOOK_read_cr,
+ HOOK_write_cr,
+ HOOK_read_dr,
+ HOOK_write_dr,
+ HOOK_read_msr,
+ HOOK_write_msr,
+ HOOK_wbinvd,
+ HOOK_cpuid,
+ HOOK_inject_hw_exception,
+ HOOK_inject_sw_interrupt,
+ HOOK_get_fpu,
+ HOOK_put_fpu,
+ HOOK_invlpg,
+ HOOK_vmfunc,
+ OPTION_swint_emulation, /* Two bits */
+ CANONICALIZE_rip = OPTION_swint_emulation + 2,
+ CANONICALIZE_rsp,
+ CANONICALIZE_rbp
+};
+
+/* Expects bitmap to be defined */
+#define MAYBE_DISABLE_HOOK(h) \
+ if ( bitmap & (1 << HOOK_##h) ) \
+ { \
+ fuzz_emulops.h = NULL; \
+ printf("Disabling hook "#h"\n"); \
+ }
+
+static void disable_hooks(void)
+{
+ unsigned long bitmap = input.options;
+
+ /* See also sanitize_input, some hooks can't be disabled. */
+ MAYBE_DISABLE_HOOK(read);
+ MAYBE_DISABLE_HOOK(insn_fetch);
+ MAYBE_DISABLE_HOOK(write);
+ MAYBE_DISABLE_HOOK(cmpxchg);
+ MAYBE_DISABLE_HOOK(rep_ins);
+ MAYBE_DISABLE_HOOK(rep_outs);
+ MAYBE_DISABLE_HOOK(rep_movs);
+ MAYBE_DISABLE_HOOK(rep_stos);
+ MAYBE_DISABLE_HOOK(read_segment);
+ MAYBE_DISABLE_HOOK(write_segment);
+ MAYBE_DISABLE_HOOK(read_io);
+ MAYBE_DISABLE_HOOK(write_io);
+ MAYBE_DISABLE_HOOK(read_cr);
+ MAYBE_DISABLE_HOOK(write_cr);
+ MAYBE_DISABLE_HOOK(read_msr);
+ MAYBE_DISABLE_HOOK(write_msr);
+ MAYBE_DISABLE_HOOK(wbinvd);
+ MAYBE_DISABLE_HOOK(cpuid);
+ MAYBE_DISABLE_HOOK(get_fpu);
+ MAYBE_DISABLE_HOOK(invlpg);
+}
+
+static void set_swint_support(struct x86_emulate_ctxt *ctxt)
+{
+ unsigned int swint_opt = (input.options >> OPTION_swint_emulation) & 3;
+ static const enum x86_swint_emulation map[4] = {
+ x86_swint_emulate_none,
+ x86_swint_emulate_none,
+ x86_swint_emulate_icebp,
+ x86_swint_emulate_all };
+
+ ctxt->swint_emulate = map[swint_opt];
+}
+
+/*
+ * Constrain input to architecturally-possible states where
+ * the emulator relies on these
+ *
+ * In general we want the emulator to be as absolutely robust as
+ * possible; which means that we want to minimize the number of things
+ * it assumes about the input state. Tesing this means minimizing and
+ * removing as much of the input constraints as possible.
+ *
+ * So we only add constraints that (in general) have been proven to
+ * cause crashes in the emulator.
+ *
+ * For future reference: other constraints which might be necessary at
+ * some point:
+ *
+ * - EFER.LMA => !EFLAGS.NT
+ * - In VM86 mode, force segment...
+ * - ...access rights to 0xf3
+ * - ...limits to 0xffff
+ * - ...bases to below 1Mb, 16-byte aligned
+ * - ...selectors to (base >> 4)
+ */
+static void sanitize_input(struct x86_emulate_ctxt *ctxt)
+{
+ struct cpu_user_regs *regs = &input.regs;
+ unsigned long bitmap = input.options;
+
+ /* Some hooks can't be disabled. */
+ input.options &= ~((1<<HOOK_read)|(1<<HOOK_insn_fetch));
+
+ /* Zero 'private' entries */
+ regs->error_code = 0;
+ regs->entry_vector = 0;
+
+ CANONICALIZE_MAYBE(rip);
+ CANONICALIZE_MAYBE(rsp);
+ CANONICALIZE_MAYBE(rbp);
+
+ /*
+ * CR0.PG can't be set if CR0.PE isn't set. Set is more interesting, so
+ * set PE if PG is set.
+ */
+ if ( input.cr[0] & X86_CR0_PG )
+ input.cr[0] |= X86_CR0_PE;
+
+ /* EFLAGS.VM not available in long mode */
+ if ( long_mode_active(ctxt) )
+ regs->rflags &= ~X86_EFLAGS_VM;
+
+ /* EFLAGS.VM implies 16-bit mode */
+ if ( regs->rflags & X86_EFLAGS_VM ) {
+ input.segments[x86_seg_cs].attr.fields.db = 0;
+ input.segments[x86_seg_ss].attr.fields.db = 0;
+ }
+}
int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
{
@@ -114,10 +650,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
.addr_size = 8 * sizeof(void *),
.sp_size = 8 * sizeof(void *),
};
- unsigned int nr = 0;
int rc;
- unsigned int x;
- const uint8_t *p = data_p;
stack_exec = emul_test_make_stack_executable();
if ( !stack_exec )
@@ -127,52 +660,39 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
}
/* Reset all global state variables */
- memset(data, 0, sizeof(data));
+ memset(&input, 0, sizeof(input));
data_index = 0;
- data_max = 0;
-
- nr = size < sizeof(regs) ? size : sizeof(regs);
+ data_num = 0;
- memcpy(®s, p, nr);
- p += sizeof(regs);
+ if ( size <= DATA_OFFSET )
+ {
+ printf("Input too small\n");
+ return 1;
+ }
- if ( nr < size )
+ if ( size > sizeof(input) )
{
- memcpy(data, p, size - nr);
- data_max = size - nr;
+ printf("Input too large\n");
+ return 1;
}
- ctxt.force_writeback = false;
+ memcpy(&input, data_p, size);
- /* Zero 'private' fields */
- regs.error_code = 0;
- regs.entry_vector = 0;
+ data_num = size - DATA_OFFSET;
- /* Use the upper bits of regs.eip to determine addr_size */
- x = (regs.rip >> ADDR_SIZE_SHIFT) & 0x3;
- if ( x == 3 )
- x = 2;
- ctxt.addr_size = 16 << x;
- printf("addr_size: %d\n", ctxt.addr_size);
+ sanitize_input(&ctxt);
- /* Use the upper bit of regs.rsp to determine sp_size (if appropriate) */
- if ( ctxt.addr_size == 64 )
- ctxt.sp_size = 64;
- else
- {
- /* If addr_size isn't 64-bits, sp_size can only be 16 or 32 bits */
- x = (regs.rsp >> ADDR_SIZE_SHIFT) & 0x1;
- ctxt.sp_size = 16 << x;
- }
- printf("sp_size: %d\n", ctxt.sp_size);
- CANONICALIZE(regs.rip);
- CANONICALIZE(regs.rsp);
- CANONICALIZE(regs.rbp);
+ disable_hooks();
- /* Zero all segments for now */
- regs.cs = regs.ss = regs.es = regs.ds = regs.fs = regs.gs = 0;
+ set_swint_support(&ctxt);
do {
+ /* FIXME: Until we actually implement SIGFPE handling properly */
+ setup_fpu_exception_handler();
+
+ set_sizes(&ctxt);
+ dump_state(&ctxt);
+
rc = x86_emulate(&ctxt, &fuzz_emulops);
printf("Emulation result: %d\n", rc);
} while ( rc == X86EMUL_OKAY );
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 11/12] fuzz/x86emul: print out minimal input size
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (9 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 10/12] fuzz/x86emul: update fuzzer Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-03 11:53 ` [PATCH v4 12/12] fuzz: update README.afl example Wei Liu
2017-02-06 10:29 ` [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
12 siblings, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Wei Liu
... so that users can know how big the initial input should be.
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
.../fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c | 8 ++++++++
tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c | 5 +++++
2 files changed, 13 insertions(+)
diff --git a/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
index 494c23ba2e..16edbd6bab 100644
--- a/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
@@ -2,8 +2,10 @@
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
extern int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size);
+extern unsigned int fuzz_minimal_input_size(void);
#define INPUT_SIZE 4096
static uint8_t input[INPUT_SIZE];
@@ -21,6 +23,12 @@ int main(int argc, char **argv)
exit(-1);
}
+ if ( !strcmp(argv[1], "--min-input-size") )
+ {
+ printf("%u\n", fuzz_minimal_input_size());
+ exit(0);
+ }
+
fp = fopen(argv[1], "rb");
if ( fp == NULL )
{
diff --git a/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
index 08e11e91eb..82a7aa44b6 100644
--- a/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
+++ b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c
@@ -700,6 +700,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
return 0;
}
+unsigned int fuzz_minimal_input_size(void)
+{
+ return DATA_OFFSET + 1;
+}
+
/*
* Local variables:
* mode: C
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* [PATCH v4 12/12] fuzz: update README.afl example
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (10 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 11/12] fuzz/x86emul: print out minimal input size Wei Liu
@ 2017-02-03 11:53 ` Wei Liu
2017-02-06 10:29 ` [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
12 siblings, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 11:53 UTC (permalink / raw)
To: Xen-devel; +Cc: Wei Liu
Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
---
tools/fuzz/README.afl | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
index 431b4a8cbf..68e0fa396f 100644
--- a/tools/fuzz/README.afl
+++ b/tools/fuzz/README.afl
@@ -20,9 +20,10 @@ Use the x86 instruction emulator fuzzer as an example.
$ make distclean
$ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
-3. provide initial test case:
+3. provide initial test case (fuzzer dependent, see afl-*.c):
$ mkdir testcase_dir
- $ echo -n -e '\xc3' > testcase_dir/ret.bin
+ $ dd if=/dev/urandom of=testcase_dir/rand.bin \
+ bs=`./afl-x86-insn-emulator-fuzzer --min-input-size` count=1
4. run the fuzzer with AFL:
$ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \
--
2.11.0
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH v4 01/12] x86emul/test: add missing dependency for x86_emulate.o
2017-02-03 11:53 ` [PATCH v4 01/12] x86emul/test: add missing dependency for x86_emulate.o Wei Liu
@ 2017-02-03 12:11 ` Wei Liu
2017-02-03 13:38 ` Jan Beulich
1 sibling, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-03 12:11 UTC (permalink / raw)
To: Xen-devel; +Cc: Andrew Cooper, Wei Liu, Ian Jackson, Jan Beulich
Forgot to CC people on this one.
On Fri, Feb 03, 2017 at 11:53:03AM +0000, Wei Liu wrote:
> f4497d6b74 added x86_emulate.h private header but didn't add dependency
> for it.
>
> Use macro to reduce repetition.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> ---
> tools/tests/x86_emulator/Makefile | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/tools/tests/x86_emulator/Makefile b/tools/tests/x86_emulator/Makefile
> index 0b5baff67c..b489959d1d 100644
> --- a/tools/tests/x86_emulator/Makefile
> +++ b/tools/tests/x86_emulator/Makefile
> @@ -45,8 +45,10 @@ x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h:
>
> HOSTCFLAGS += $(CFLAGS_xeninclude)
>
> -x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h
> +x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
> +
> +x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h)
> $(HOSTCC) $(HOSTCFLAGS) -D__XEN_TOOLS__ -c -g -o $@ $<
>
> -test_x86_emulator.o: test_x86_emulator.c blowfish.h x86_emulate/x86_emulate.h
> +test_x86_emulator.o: test_x86_emulator.c blowfish.h $(x86_emulate.h)
> $(HOSTCC) $(HOSTCFLAGS) -c -g -o $@ $<
> --
> 2.11.0
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v4 01/12] x86emul/test: add missing dependency for x86_emulate.o
2017-02-03 11:53 ` [PATCH v4 01/12] x86emul/test: add missing dependency for x86_emulate.o Wei Liu
2017-02-03 12:11 ` Wei Liu
@ 2017-02-03 13:38 ` Jan Beulich
1 sibling, 0 replies; 19+ messages in thread
From: Jan Beulich @ 2017-02-03 13:38 UTC (permalink / raw)
To: Wei Liu; +Cc: Xen-devel
>>> On 03.02.17 at 12:53, <wei.liu2@citrix.com> wrote:
> f4497d6b74 added x86_emulate.h private header but didn't add dependency
> for it.
>
> Use macro to reduce repetition.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v4 02/12] fuzz/x86emul: use macro to reduce repetition in Makefile
2017-02-03 11:53 ` [PATCH v4 02/12] fuzz/x86emul: use macro to reduce repetition in Makefile Wei Liu
@ 2017-02-03 13:41 ` Jan Beulich
0 siblings, 0 replies; 19+ messages in thread
From: Jan Beulich @ 2017-02-03 13:41 UTC (permalink / raw)
To: Wei Liu; +Cc: Andrew Cooper, Ian Jackson, Xen-devel
>>> On 03.02.17 at 12:53, <wei.liu2@citrix.com> wrote:
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v4 05/12] x86emul/test: use x86-vendors.h
2017-02-03 11:53 ` [PATCH v4 05/12] x86emul/test: use x86-vendors.h Wei Liu
@ 2017-02-03 13:45 ` Jan Beulich
0 siblings, 0 replies; 19+ messages in thread
From: Jan Beulich @ 2017-02-03 13:45 UTC (permalink / raw)
To: Wei Liu; +Cc: AndrewCooper, Xen-devel
>>> On 03.02.17 at 12:53, <wei.liu2@citrix.com> wrote:
> --- a/tools/fuzz/x86_instruction_emulator/Makefile
> +++ b/tools/fuzz/x86_instruction_emulator/Makefile
> @@ -11,16 +11,20 @@ endif
> x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h:
> [ -L x86_emulate ] || ln -sf $(XEN_ROOT)/xen/arch/x86/x86_emulate .
>
> +asm/x86-vendors.h:
> + [ -L asm ] || ln -sf $(XEN_ROOT)/xen/include/asm-x86 asm
> +
> x86_emulate.c x86_emulate.h: %:
> [ -L $* ] || ln -sf $(XEN_ROOT)/tools/tests/x86_emulator/$*
>
> -CFLAGS += $(CFLAGS_xeninclude) -D__XEN_TOOLS__
> +CFLAGS += $(CFLAGS_xeninclude) -D__XEN_TOOLS__ -I.
>
> x86_emulate.h := x86_emulate.h x86_emulate/x86_emulate.h
> +x86.h := asm/x86-vendors.h
>
> -x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h)
> +x86_emulate.o: x86_emulate.c x86_emulate/x86_emulate.c $(x86_emulate.h) $(x86.h)
>
> -x86-insn-emulator-fuzzer.o: $(x86_emulate.h)
> +x86-insn-emulator-fuzzer.o: $(x86_emulate.h) $(x86.h)
It's probably okay as is, but the consistent model would have been
to add to x86_emulate.h, as that's the header which does the
inclusion (and that's what the macro is supposed to represent). Of
course you could collect things in x86.h first and then add $(x86.h)
to x86_emulate.h.
Preferably with that adjustment (but I won't grumble too much if
you don't want to do it)
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v4 10/12] fuzz/x86emul: update fuzzer
2017-02-03 11:53 ` [PATCH v4 10/12] fuzz/x86emul: update fuzzer Wei Liu
@ 2017-02-06 8:17 ` Jan Beulich
0 siblings, 0 replies; 19+ messages in thread
From: Jan Beulich @ 2017-02-06 8:17 UTC (permalink / raw)
To: Wei Liu; +Cc: George Dunlap, Andrew Cooper, Ian Jackson, George Dunlap,
Xen-devel
>>> On 03.02.17 at 12:53, <wei.liu2@citrix.com> wrote:
> +static int fuzz_write_cr(
> + unsigned int reg,
> + unsigned long val,
> + struct x86_emulate_ctxt *ctxt)
> +{
> + if ( reg >= ARRAY_SIZE(input.cr) )
> + return X86EMUL_UNHANDLEABLE;
> +
> + input.cr[reg] = val;
> +
> + return X86EMUL_OKAY;
> +}
Just like write_segment and write_msr, this ought to be fine to fail
randomly.
> +static int fuzz_write_msr(
> + unsigned int reg,
> + uint64_t val,
> + struct x86_emulate_ctxt *ctxt)
> +{
> + unsigned int idx;
> + int rc;
> +
> + rc = maybe_fail("write_ms", true);
"write_msr"
> +static void sanitize_input(struct x86_emulate_ctxt *ctxt)
> +{
> + struct cpu_user_regs *regs = &input.regs;
> + unsigned long bitmap = input.options;
> +
> + /* Some hooks can't be disabled. */
> + input.options &= ~((1<<HOOK_read)|(1<<HOOK_insn_fetch));
> +
> + /* Zero 'private' entries */
> + regs->error_code = 0;
> + regs->entry_vector = 0;
> +
> + CANONICALIZE_MAYBE(rip);
> + CANONICALIZE_MAYBE(rsp);
> + CANONICALIZE_MAYBE(rbp);
> +
> + /*
> + * CR0.PG can't be set if CR0.PE isn't set. Set is more interesting, so
> + * set PE if PG is set.
> + */
> + if ( input.cr[0] & X86_CR0_PG )
> + input.cr[0] |= X86_CR0_PE;
> +
> + /* EFLAGS.VM not available in long mode */
> + if ( long_mode_active(ctxt) )
> + regs->rflags &= ~X86_EFLAGS_VM;
> +
> + /* EFLAGS.VM implies 16-bit mode */
> + if ( regs->rflags & X86_EFLAGS_VM ) {
Brace on its own line please.
With these taken care of
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH v4 00/12] fuzz: update x86emul fuzzer
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
` (11 preceding siblings ...)
2017-02-03 11:53 ` [PATCH v4 12/12] fuzz: update README.afl example Wei Liu
@ 2017-02-06 10:29 ` Wei Liu
12 siblings, 0 replies; 19+ messages in thread
From: Wei Liu @ 2017-02-06 10:29 UTC (permalink / raw)
To: Xen-devel; +Cc: George Dunlap, Ian Jackson, Wei Liu, Jan Beulich, Andrew Cooper
Took care of the adjustment requirements in #5 and #10 and pushed to
staging.
Wei.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2017-02-06 10:29 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-02-03 11:53 [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
2017-02-03 11:53 ` [PATCH v4 01/12] x86emul/test: add missing dependency for x86_emulate.o Wei Liu
2017-02-03 12:11 ` Wei Liu
2017-02-03 13:38 ` Jan Beulich
2017-02-03 11:53 ` [PATCH v4 02/12] fuzz/x86emul: use macro to reduce repetition in Makefile Wei Liu
2017-02-03 13:41 ` Jan Beulich
2017-02-03 11:53 ` [PATCH v4 03/12] x86: extract macros to x86-defns.h Wei Liu
2017-02-03 11:53 ` [PATCH v4 04/12] x86: extract vendor numeric id to x86-vendors.h Wei Liu
2017-02-03 11:53 ` [PATCH v4 05/12] x86emul/test: use x86-vendors.h Wei Liu
2017-02-03 13:45 ` Jan Beulich
2017-02-03 11:53 ` [PATCH v4 06/12] x86emul: use eflags definitions in x86-defns.h Wei Liu
2017-02-03 11:53 ` [PATCH v4 07/12] x86emul: use msr definitions in msr-index.h Wei Liu
2017-02-03 11:53 ` [PATCH v4 08/12] x86: add UMIP CR4 bit Wei Liu
2017-02-03 11:53 ` [PATCH v4 09/12] x86emul: use CR definitions in x86-defns.h Wei Liu
2017-02-03 11:53 ` [PATCH v4 10/12] fuzz/x86emul: update fuzzer Wei Liu
2017-02-06 8:17 ` Jan Beulich
2017-02-03 11:53 ` [PATCH v4 11/12] fuzz/x86emul: print out minimal input size Wei Liu
2017-02-03 11:53 ` [PATCH v4 12/12] fuzz: update README.afl example Wei Liu
2017-02-06 10:29 ` [PATCH v4 00/12] fuzz: update x86emul fuzzer Wei Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).