[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH VERY RFC 3/5] tools/fuzz: introduce x86 instruction emulator target
Instruction emulator fuzzing code is from code previous written by Andrew and George. Adapted to llvm fuzzer and hook up the build system. Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx> Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx> --- Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx> Cc: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Cc: Jan Beulich <jbeulich@xxxxxxxx> Cc: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx> Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx> Cc: Tim Deegan <tim@xxxxxxx> Cc: Wei Liu <wei.liu2@xxxxxxxxxx> --- .gitignore | 1 + tools/fuzz/x86_instruction_emulator/Makefile | 33 ++ .../x86-insn-emulator-fuzzer.c | 335 +++++++++++++++++++++ 3 files changed, 369 insertions(+) create mode 100644 tools/fuzz/x86_instruction_emulator/Makefile create mode 100644 tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c diff --git a/.gitignore b/.gitignore index a2f34a1..d507243 100644 --- a/.gitignore +++ b/.gitignore @@ -145,6 +145,7 @@ tools/flask/utils/flask-loadpolicy tools/flask/utils/flask-setenforce tools/flask/utils/flask-set-bool tools/flask/utils/flask-label-pci +tools/fuzz/x86_instruction_emulator/x86_emulate* tools/helpers/_paths.h tools/helpers/init-xenstore-domain tools/helpers/xen-init-dom0 diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile new file mode 100644 index 0000000..374c84a --- /dev/null +++ b/tools/fuzz/x86_instruction_emulator/Makefile @@ -0,0 +1,33 @@ +XEN_ROOT=$(CURDIR)/../../.. +include $(XEN_ROOT)/tools/Rules.mk + +x86-instruction-emulator-fuzzer-all: x86-insn-emulator.a x86-insn-emulator-fuzzer.o + +x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h: + [ -L x86_emulate ] || ln -sf $(XEN_ROOT)/xen/arch/x86/x86_emulate . + +x86_emulate.c: + [ -L x86_emulate.c ] || ln -sf $(XEN_ROOT)/tools/tests/x86_emulator/x86_emulate.c + +x86_emulate.h: + [ -L x86_emulate.h ] || ln -sf $(XEN_ROOT)/tools/tests/x86_emulator/x86_emulate.h + +CFLAGS += $(CFLAGS_xeninclude) + +x86_emulate.o: x86_emulate.c x86_emulate.h x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h + +x86-insn-emulator.a: x86_emulate.o + $(AR) rc $@ $^ + +x86-insn-emulator-fuzzer.o: x86-insn-emulator-fuzzer.c + +# Common targets +.PHONY: all +all: x86-instruction-emulator-fuzzer-all + +.PHONY: distclean +distclean: clean + +.PHONY: clean +clean: + rm -f *.a *.o diff --git a/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c new file mode 100644 index 0000000..01ee7a4 --- /dev/null +++ b/tools/fuzz/x86_instruction_emulator/x86-insn-emulator-fuzzer.c @@ -0,0 +1,335 @@ +#include <errno.h> +#include <limits.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <stdint.h> +#include <inttypes.h> +#include <xen/xen.h> +#include <unistd.h> +#include <assert.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <sys/mman.h> + +#define __packed __attribute__((packed)) +#define ASSERT assert + +#include "x86_emulate/x86_emulate.h" + +/* EFLAGS bit definitions. */ +#define EFLG_OF (1<<11) +#define EFLG_DF (1<<10) +#define EFLG_SF (1<<7) +#define EFLG_ZF (1<<6) +#define EFLG_AF (1<<4) +#define EFLG_PF (1<<2) +#define EFLG_CF (1<<0) + +static unsigned char data[4096]; +static unsigned int data_index = 0; +static unsigned int data_max; + +int data_read(const char *why, void *dst, unsigned int bytes) { + + if ( data_index + bytes > data_max ) + return X86EMUL_EXCEPTION; + + memcpy(dst, data+data_index, bytes); + data_index += bytes; + + return X86EMUL_OKAY; +} + +static int emul_read( + unsigned int seg, + unsigned long offset, + void *p_data, + unsigned int bytes, + struct x86_emulate_ctxt *ctxt) +{ + return data_read("read", p_data, bytes); +} + +static int emul_fetch( + unsigned int seg, + unsigned long offset, + void *p_data, + unsigned int bytes, + struct x86_emulate_ctxt *ctxt) +{ + return data_read("fetch", p_data, bytes); +} + +static int emul_write( + unsigned int seg, + unsigned long offset, + void *p_data, + unsigned int bytes, + struct x86_emulate_ctxt *ctxt) +{ + return X86EMUL_OKAY; +} + +static int emul_cmpxchg( + unsigned int seg, + unsigned long offset, + void *old, + void *new, + unsigned int bytes, + struct x86_emulate_ctxt *ctxt) +{ + return X86EMUL_OKAY; +} + +static int emul_cpuid( + unsigned int *eax, + unsigned int *ebx, + unsigned int *ecx, + unsigned int *edx, + struct x86_emulate_ctxt *ctxt) +{ + unsigned int leaf = *eax; + + asm ("cpuid" : "+a" (*eax), "+c" (*ecx), "=d" (*edx), "=b" (*ebx)); + + /* The emulator doesn't itself use MOVBE, so we can always run the test. */ + if ( leaf == 1 ) + *ecx |= 1U << 22; + + return X86EMUL_OKAY; +} + +#define cache_line_size() ({ \ + unsigned int eax = 1, ebx, ecx = 0, edx; \ + emul_cpuid(&eax, &ebx, &ecx, &edx, NULL); \ + edx & (1U << 19) ? (ebx >> 5) & 0x7f8 : 0; \ +}) + +#define cpu_has_mmx ({ \ + unsigned int eax = 1, ecx = 0, edx; \ + emul_cpuid(&eax, &ecx, &ecx, &edx, NULL); \ + (edx & (1U << 23)) != 0; \ +}) + +#define cpu_has_sse ({ \ + unsigned int eax = 1, ecx = 0, edx; \ + emul_cpuid(&eax, &ecx, &ecx, &edx, NULL); \ + (edx & (1U << 25)) != 0; \ +}) + +#define cpu_has_sse2 ({ \ + unsigned int eax = 1, ecx = 0, edx; \ + emul_cpuid(&eax, &ecx, &ecx, &edx, NULL); \ + (edx & (1U << 26)) != 0; \ +}) + +#define cpu_has_xsave ({ \ + unsigned int eax = 1, ecx = 0; \ + emul_cpuid(&eax, &eax, &ecx, &eax, NULL); \ + /* Intentionally checking OSXSAVE here. */ \ + (ecx & (1U << 27)) != 0; \ +}) + +static inline uint64_t xgetbv(uint32_t xcr) +{ + uint32_t lo, hi; + + asm ( ".byte 0x0f, 0x01, 0xd0" : "=a" (lo), "=d" (hi) : "c" (xcr) ); + + return ((uint64_t)hi << 32) | lo; +} + +#define cpu_has_avx ({ \ + unsigned int eax = 1, ecx = 0; \ + emul_cpuid(&eax, &eax, &ecx, &eax, NULL); \ + if ( !(ecx & (1U << 27)) || ((xgetbv(0) & 6) != 6) ) \ + ecx = 0; \ + (ecx & (1U << 28)) != 0; \ +}) + +#define cpu_has_avx2 ({ \ + unsigned int eax = 1, ebx, ecx = 0; \ + emul_cpuid(&eax, &ebx, &ecx, &eax, NULL); \ + if ( !(ecx & (1U << 27)) || ((xgetbv(0) & 6) != 6) ) \ + ebx = 0; \ + else { \ + eax = 7, ecx = 0; \ + cpuid(&eax, &ebx, &ecx, &eax, NULL); \ + } \ + (ebx & (1U << 5)) != 0; \ +}) + +static int emul_read_cr( + unsigned int reg, + unsigned long *val, + struct x86_emulate_ctxt *ctxt) +{ + /* Fake just enough state for the emulator's _get_fpu() to be happy. */ + switch ( reg ) + { + case 0: + *val = 0x00000001; /* PE */ + return X86EMUL_OKAY; + + case 4: + /* OSFXSR, OSXMMEXCPT, and maybe OSXSAVE */ + *val = 0x00000600 | (cpu_has_xsave ? 0x00040000 : 0); + return X86EMUL_OKAY; + } + + return X86EMUL_UNHANDLEABLE; +} + +int emul_get_fpu( + void (*exception_callback)(void *, struct cpu_user_regs *), + void *exception_callback_arg, + enum x86_emulate_fpu_type type, + struct x86_emulate_ctxt *ctxt) +{ + switch ( type ) + { + case X86EMUL_FPU_fpu: + break; + case X86EMUL_FPU_mmx: + if ( cpu_has_mmx ) + break; + case X86EMUL_FPU_xmm: + if ( cpu_has_sse ) + break; + case X86EMUL_FPU_ymm: + if ( cpu_has_avx ) + break; + default: + return X86EMUL_UNHANDLEABLE; + } + return X86EMUL_OKAY; +} + +struct x86_emulate_ops emulops = { + .read = emul_read, + .insn_fetch = emul_fetch, + .write = emul_write, + .cmpxchg = emul_cmpxchg, + .cpuid = emul_cpuid, + .read_cr = emul_read_cr, + .get_fpu = emul_get_fpu, +}; + +bool make_stack_executable(void) { + unsigned long sp; + bool stack_exec; + + /* + * Mark the entire stack executable so that the stub executions + * don't fault + */ +#define MMAP_SZ 16384 + +#ifdef __x86_64__ + asm ("movq %%rsp, %0" : "=g" (sp)); +#else + asm ("movl %%esp, %0" : "=g" (sp)); +#endif + + stack_exec = mprotect((void *)(sp & -0x1000L) - (MMAP_SZ - 0x1000), + MMAP_SZ, PROT_READ|PROT_WRITE|PROT_EXEC) == 0; + if ( !stack_exec ) + printf("Warning: Stack could not be made executable (%d).\n", errno); + + return stack_exec; +} + +#define CANONICALIZE(x) \ + do { \ + uint64_t _y = (x); \ + if ( _y & (1ULL<<47) ) { \ + _y |= (~0ULL)<<48; \ + } else { \ + _y &= (1ULL<<48)-1; \ + } \ + printf("Canonicalized %" PRIx64 " to %" PRIx64 "\n", x, _y); \ + (x) = _y; \ + } while(0) + +#define ADDR_SIZE_SHIFT 60 +#define ADDR_SIZE_64 (2ULL<<ADDR_SIZE_SHIFT) +#define ADDR_SIZE_32 (1ULL<<ADDR_SIZE_SHIFT) +#define ADDR_SIZE_16 (0) + +int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size) { + struct cpu_user_regs regs = {}; + struct x86_emulate_ctxt ctxt = + { + .regs = ®s, + .addr_size = 8 * sizeof(void *), + .sp_size = 8 * sizeof(void *), + }; + + int nr = 0; + int rc; + unsigned x; + const uint8_t *p = data_p; + + make_stack_executable(); + + memset(data, 0, sizeof(data)); + + nr = size < sizeof(regs) ? size : sizeof(regs); + + memcpy(®s, p, nr); + p += sizeof(regs); + nr += sizeof(regs); + + if (nr <= size) { + memcpy(data, p, size - nr); + data_max = size - nr; + } + + ctxt.force_writeback = 0; + + /* Zero 'private' entries */ + regs.error_code = 0; + regs.entry_vector = 0; + + /* Use the upper bits of regs.eip to determine addr_size */ + x = (regs.rip >> ADDR_SIZE_SHIFT) & 0x3; + if (x == 3) + x = 2; + ctxt.addr_size = 16 << x; + printf("addr_size: %d\n", ctxt.addr_size); + + /* Use the upper bit of regs.rsp to determine sp_size (if appropriate) */ + if ( ctxt.addr_size == 64) { + ctxt.sp_size = 64; + } else { + /* If addr_size isn't 64-bits, sp_size can only be 16 or 32 bits */ + x = (regs.rsp >> ADDR_SIZE_SHIFT) & 0x1; + ctxt.sp_size = 16 << x; + } + printf("sp_size: %d\n", ctxt.sp_size); + CANONICALIZE(regs.rip); + CANONICALIZE(regs.rsp); + CANONICALIZE(regs.rbp); + + /* Zero all segments for now */ + regs.cs = regs.ss = regs.es = regs.ds = regs.fs = regs.gs = 0; + + do { + rc = x86_emulate(&ctxt, &emulops); + printf("Emulation result: %d\n", rc); + } while (rc == X86EMUL_OKAY); + + return 0; +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
![]() |
Lists.xenproject.org is hosted with RackSpace, monitoring our |