[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v3] x86emul/fuzz: add a state sanity checking function



>>> On 27.05.19 at 12:51, <george.dunlap@xxxxxxxxxx> wrote:
> On 4/2/19 2:01 PM, Jan Beulich wrote:
>> This is to accompany sanitize_input(). Just like for initial state we
>> want to have state between two emulated insns sane, at least as far as
>> assumptions in the main emulator go. Do minimal checking after segment
>> register, CR, and MSR writes, and roll back to the old value in case of
>> failure (raising #GP(0) at the same time).
>> 
>> In the particular case observed, a CR0 write clearing CR0.PE was
>> followed by a VEX-encoded insn, which the decoder accepts based on
>> guest address size, restricting things just outside of the 64-bit case
>> (real and virtual modes don't allow VEX-encoded insns). Subsequently
>> _get_fpu() would then assert that CR0.PE must be set (and EFLAGS.VM
>> clear) when trying to invoke YMM, ZMM, or OPMASK state.
>> 
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> Reviewed-by: George Dunlap <george.dunlap@xxxxxxxxxx>

Thanks.

> That said, I wonder if there's a way to avoid the duplication between
> sanitize_input() and check_state().  Another option would be to rework
> sanitize_input() (perhaps as sanizite_state()):
>  * Accept a parameter saying whether to do optional changes (like
> CANONICALIZE_MAYBE)
>  * Return a boolean saying whether any state was in fact sanitized.
> 
> Then the current callers of check_state() could instead call
> sanitize_state(), and throw an exception if it returns 1.  (Or some
> variation thereof.)

I did consider this at the time, but the two functions aren't doing
exactly the same validation. For example this

    /* EFLAGS.VM not available in long mode */
    if ( long_mode_active(ctxt) )
        regs->rflags &= ~X86_EFLAGS_VM;

has no equivalent in check_state(), for it being an emulator bug
to ever set EFLAGS.VM in long mode. I therefore thought it would
be better to keep them separate despite there being partial
redundancy. If the set of checks grows, we could consider
factoring out the common subset into a helper function.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.