From patchwork Wed Apr 5 17:53:30 2017
X-Patchwork-Submitter: Andrew Cooper
X-Patchwork-Id: 9665355
From: Andrew Cooper
To: Xen-devel
Date: Wed, 5 Apr 2017 18:53:30 +0100
Message-ID: <1491414813-30003-5-git-send-email-andrew.cooper3@citrix.com>
In-Reply-To: <1491414813-30003-1-git-send-email-andrew.cooper3@citrix.com>
References: <1491414813-30003-1-git-send-email-andrew.cooper3@citrix.com>
Cc: George Dunlap, Andrew Cooper, Ian Jackson, Wei Liu
Subject: [Xen-devel] [PATCH v2 for-4.9 4/7] tools/insn-fuzz: Fix a stability bug in afl-clang-fast mode

The fuzzing harness conditionally disables hooks to test error paths in the
emulator.  However, fuzz_emulops is a static structure.

c/s 69f4633 "tools/insn-fuzz: Support AFL's afl-clang-fast mode" introduced
persistent mode, but because fuzz_emulops is static, the clobbering of hooks
accumulates over repeated input, meaning that previous corpora influence the
execution over the current corpus.

Move the partially clobbered struct x86_emulate_ops into struct fuzz_state,
which is re-initialised from full on each call to LLVMFuzzerTestOneInput().

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: George Dunlap
CC: Ian Jackson
CC: Wei Liu
---
 tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index db0719e..a20212e 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -47,6 +47,9 @@ struct fuzz_state /* Amount of corpus->data[] consumed thus far. */ size_t data_index; + + /* Emulation ops, some of which are disabled based on corpus->options. */ + struct x86_emulate_ops ops; }; /* @@ -461,7 +464,7 @@ static int fuzz_write_msr( } #define SET(h) .h = fuzz_##h -static struct x86_emulate_ops fuzz_emulops = { +static const struct x86_emulate_ops all_fuzzer_ops = { SET(read), SET(insn_fetch), SET(write), @@ -603,7 +606,7 @@ enum { #define MAYBE_DISABLE_HOOK(h) \ if ( bitmap & (1 << HOOK_##h) ) \ { \ - fuzz_emulops.h = NULL; \ + s->ops.h = NULL; \ printf("Disabling hook "#h"\n"); \ } @@ -709,7 +712,9 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size) { struct cpu_user_regs regs = {}; - struct fuzz_state state = {}; + struct fuzz_state state = { + .ops = all_fuzzer_ops, + }; struct x86_emulate_ctxt ctxt = { .data = &state, .regs = ®s, @@ -749,7 +754,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size) set_sizes(&ctxt); dump_state(&ctxt); - rc = x86_emulate(&ctxt, &fuzz_emulops); + rc = x86_emulate(&ctxt, &state.ops); printf("Emulation result: %d\n", rc); } while ( rc == X86EMUL_OKAY );
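Review bot: in the @@ -603,7 +606,7 @@ hunk, MAYBE_DISABLE_HOOK now writes `s->ops.h = NULL;` but still takes only `h` as a parameter, and nothing in the hunk says where `s` comes from; the macro now silently depends on a `struct fuzz_state *s` being in scope at every expansion site. Suggest either passing the state explicitly (for example `MAYBE_DISABLE_HOOK(s, h)`) or adding a one-line comment above the macro stating that requirement, so that a future use in another function fails loudly instead of binding to whatever `s` happens to be visible.

Review bot: in the @@ -709,7 +712,9 @@ hunk, `struct fuzz_state state = { .ops = all_fuzzer_ops, };` is the line that actually restores stability, because it takes a fresh per-input copy of the const master table rather than sharing one mutable static across persistent-mode iterations; a short comment here, or on the `ops` member added in the @@ -47,6 +47,9 @@ hunk, saying that the copy must be made on every call and that `all_fuzzer_ops` must never be written, would keep the next refactor from quietly reintroducing the shared-static bug the commit message describes.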
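As an added illustration of the stability bug the commit message describes (example code written for this page, not part of the Xen patch or of xen.git), the following C program contrasts a single static hook table that is clobbered in place across persistent-mode iterations with a per-input copy taken from a const master table. `struct toy_ops`, `struct toy_state`, the `HOOK_*` bits, the two harness functions, `leaks_state()` and the two constructed inputs are all stand-ins for `struct x86_emulate_ops`, `struct fuzz_state`, `MAYBE_DISABLE_HOOK` and a real corpus; the first byte of each input plays the role of `corpus->options`.

```c
/* Added example, not from the Xen patch: reproduces the persistent-mode
 * stability bug using a toy hook table instead of struct x86_emulate_ops. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for struct x86_emulate_ops: two hooks the harness may disable. */
struct toy_ops {
    int (*read)(void);
    int (*write)(void);
};

static int toy_read(void)  { return 1; }
static int toy_write(void) { return 2; }

/* Hypothetical option bits carried in the first byte of each input. */
enum { HOOK_read = 0, HOOK_write = 1 };

/* Bug: one static table, clobbered in place (mirrors the old fuzz_emulops). */
static struct toy_ops static_ops = { toy_read, toy_write };

/* Fix: a const master table plus a per-input working copy
 * (mirrors all_fuzzer_ops and the new fuzz_state.ops member). */
static const struct toy_ops all_ops = { toy_read, toy_write };

struct toy_state {
    struct toy_ops ops;
};

/* The "emulator" only cares how many hooks are still live. */
static int live_hooks(const struct toy_ops *ops)
{
    return (ops->read != NULL) + (ops->write != NULL);
}

/* Buggy harness: one persistent-mode iteration; hooks disabled by this input
 * stay disabled for every later input because the table is shared. */
int buggy_one_input(const uint8_t *data, size_t size)
{
    uint8_t bitmap = size ? data[0] : 0;
    if (bitmap & (1 << HOOK_read))  static_ops.read = NULL;
    if (bitmap & (1 << HOOK_write)) static_ops.write = NULL;
    return live_hooks(&static_ops);
}

/* Fixed harness: the working table is re-initialised from the const master
 * on every call, so each input starts with the full set of hooks. */
int fixed_one_input(const uint8_t *data, size_t size)
{
    struct toy_state s = { .ops = all_ops };
    uint8_t bitmap = size ? data[0] : 0;
    if (bitmap & (1 << HOOK_read))  s.ops.read = NULL;
    if (bitmap & (1 << HOOK_write)) s.ops.write = NULL;
    return live_hooks(&s.ops);
}

/* Run two inputs back to back, as afl-clang-fast's persistent loop does, and
 * return 1 if the second input's result depended on the first (unstable). */
int leaks_state(int (*harness)(const uint8_t *, size_t))
{
    const uint8_t first[]  = { 1 << HOOK_read };  /* constructed: disables read */
    const uint8_t second[] = { 0 };               /* constructed: disables nothing */
    harness(first, sizeof first);
    /* An input that disables nothing must always see both hooks live. */
    return harness(second, sizeof second) != 2;
}

int main(void)
{
    printf("static table leaks state across inputs:  %d\n", leaks_state(buggy_one_input));
    printf("per-input copy leaks state across inputs: %d\n", leaks_state(fixed_one_input));
    return 0;
}
```

The same pattern is what AFL's stability metric catches in practice: any mutable global that an input can alter and that is not reset at the top of `LLVMFuzzerTestOneInput()` makes later inputs' coverage depend on earlier ones, which both hides real bugs and produces crashes that do not reproduce from a single file.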