From patchwork Wed Apr 5 17:53:28 2017
X-Patchwork-Submitter: Andrew Cooper
X-Patchwork-Id: 9665353
From: Andrew Cooper
To: Xen-devel
Date: Wed, 5 Apr 2017 18:53:28 +0100
Message-ID: <1491414813-30003-3-git-send-email-andrew.cooper3@citrix.com>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1491414813-30003-1-git-send-email-andrew.cooper3@citrix.com>
References: <1491414813-30003-1-git-send-email-andrew.cooper3@citrix.com>
Cc: Andrew Cooper, Ian Jackson, Wei Liu, Jan Beulich
Subject: [Xen-devel] [PATCH v2 for-4.9 2/7] tools/insn-fuzz: Don't hit memcpy() for zero-length reads

For control-flow changes, the emulator needs to perform a zero-length
instruction fetch at the target offset.  It also passes NULL for the
destination buffer, as there is no instruction stream to collect.

This trips up UBSAN when passed to memcpy(), as passing NULL is undefined
behaviour per the C spec (irrespective of passing a size of 0).

Special case these fetches in fuzz_insn_fetch() before reaching data_read().

Signed-off-by: Andrew Cooper
Acked-by: George Dunlap
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Ian Jackson
CC: Wei Liu

v2:
 * Rework in terms of special casing zero-length fetches only.
---
 tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index 65c5a3b..64b7fb2 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -117,6 +117,16 @@ static int fuzz_insn_fetch( unsigned int bytes, struct x86_emulate_ctxt *ctxt) { + /* + * Zero-length instruction fetches are made at the destination of jumps, + * to perform segmentation checks. No data needs returning. + */ + if ( bytes == 0 ) + { + assert(p_data == NULL); + return maybe_fail("insn_fetch", true); + } + return data_read("insn_fetch", p_data, bytes); }
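Review bot: the `assert(p_data == NULL)` in the new `bytes == 0` branch turns a zero-length fetch that arrives with a non-NULL buffer into a hard abort of the harness, and it only does so while assertions are compiled in; please confirm that fuzz-emul.c includes `<assert.h>` and that the fuzzer build does not define NDEBUG, since with NDEBUG the check disappears and such a fetch silently returns `maybe_fail("insn_fetch", true)` instead of being reported. It would also help to extend the block comment so it says that a non-NULL `p_data` with `bytes == 0` is treated as an emulator bug rather than as a fetch to satisfy, so that nobody later "fixes" the assert by routing that case through to `data_read()` and re-introduces the memcpy(NULL, ..., 0) call the commit message is removing.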