From patchwork Wed Apr 5 17:53:33 2017
X-Patchwork-Submitter: Andrew Cooper
X-Patchwork-Id: 9665357
From: Andrew Cooper
To: Xen-devel
Date: Wed, 5 Apr 2017 18:53:33 +0100
Message-ID: <1491414813-30003-8-git-send-email-andrew.cooper3@citrix.com>
In-Reply-To: <1491414813-30003-1-git-send-email-andrew.cooper3@citrix.com>
References: <1491414813-30003-1-git-send-email-andrew.cooper3@citrix.com>
Cc: George Dunlap, Andrew Cooper, Ian Jackson, Wei Liu
Subject: [Xen-devel] [PATCH v2 for-4.9 7/7] tools/insn-fuzz: Fix assertion failures in x86_emulate_wrapper()

c/s 92cf67888 "x86/emul: Hold x86_emulate() to strict X86EMUL_EXCEPTION requirements" was appropriate for the hypervisor, but the fuzzer stubs didn't conform to the stricter requirements. AFL is very quick to discover this.

Extend the fuzzing harness exception logic to raise exceptions appropriately.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: George Dunlap
CC: Ian Jackson
CC: Wei Liu
---
tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 27 ++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index 9e3a10a..8cf683d 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -86,10 +86,15 @@ static int maybe_fail(struct x86_emulate_ctxt *ctxt, printf("maybe_fail %s: %d\n", why, rc); + if ( rc == X86EMUL_EXCEPTION ) + /* Fake up a pagefault. */ + x86_emul_pagefault(0, 0, ctxt); + return rc; } static int data_read(struct x86_emulate_ctxt *ctxt, + enum x86_segment seg, const char *why, void *dst, unsigned int bytes) { struct fuzz_state *s = ctxt->data;
@@ -98,7 +103,17 @@ static int data_read(struct x86_emulate_ctxt *ctxt, int rc; if ( s->data_index + bytes > s->data_num ) + { + /* + * Fake up a segment limit violation. System segment limit volations + * are reported by X86EMUL_EXCEPTION alone, so the emulator can fill + * in the correct context. + */ + if ( !is_x86_system_segment(seg) ) + x86_emul_hw_exception(13, 0, ctxt); + rc = X86EMUL_EXCEPTION; + } else rc = maybe_fail(ctxt, why, true); @@ -126,7 +141,7 @@ static int fuzz_read( /* Reads expected for all user and system segments. */ assert((unsigned int)seg < x86_seg_none); - return data_read(ctxt, "read", p_data, bytes); + return data_read(ctxt, seg, "read", p_data, bytes); } static int fuzz_read_io( @@ -135,7 +150,7 @@ static int fuzz_read_io( unsigned long *val, struct x86_emulate_ctxt *ctxt) { - return data_read(ctxt, "read_io", val, bytes); + return data_read(ctxt, x86_seg_none, "read_io", val, bytes); } static int fuzz_insn_fetch( @@ -157,7 +172,7 @@ static int fuzz_insn_fetch( return maybe_fail(ctxt, "insn_fetch", true); } - return data_read(ctxt, "insn_fetch", p_data, bytes); + return data_read(ctxt, seg, "insn_fetch", p_data, bytes); } static int _fuzz_rep_read(struct x86_emulate_ctxt *ctxt, @@ -166,7 +181,7 @@ static int _fuzz_rep_read(struct x86_emulate_ctxt *ctxt, int rc; unsigned long bytes_read = 0; - rc = data_read(ctxt, why, &bytes_read, sizeof(bytes_read)); + rc = data_read(ctxt, x86_seg_none, why, &bytes_read, sizeof(bytes_read)); if ( bytes_read <= *reps ) *reps = bytes_read; @@ -436,7 +451,7 @@ static int fuzz_read_msr( * should preferably return consistent values, but returning * random values is fine in fuzzer. */ - return data_read(ctxt, "read_msr", val, sizeof(*val)); + return data_read(ctxt, x86_seg_none, "read_msr", val, sizeof(*val)); case MSR_EFER: *val = c->msr[MSRI_EFER]; *val &= ~EFER_LMA; @@ -458,6 +473,7 @@ static int fuzz_read_msr( } } + x86_emul_hw_exception(13, 0, ctxt); return X86EMUL_EXCEPTION; } 
@@ -491,6 +507,7 @@ static int fuzz_write_msr( } } + x86_emul_hw_exception(13, 0, ctxt); return X86EMUL_EXCEPTION; }
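Review bot: In the maybe_fail() hunk, the faked #PF from `x86_emul_pagefault(0, 0, ctxt)` is injected for every caller that reaches maybe_fail(), including the x86_seg_none paths (fuzz_read_io, the _fuzz_rep_read byte count, fuzz_read_msr) that fall into data_read()'s else branch, where a page fault is not a fault those operations can raise on real hardware. If, as the commit message implies, x86_emulate_wrapper() only requires that some exception be pending whenever X86EMUL_EXCEPTION is returned, a comment saying so next to "Fake up a pagefault." would save the next reader from trying to match vectors; otherwise consider passing the vector (or seg) down from the caller, as the data_read() hunk already does for limit violations.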
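Review bot: In the data_read() hunk, the new comment has a typo: "System segment limit volations" should read "violations". More substantively, the `!is_x86_system_segment(seg)` test is what turns a short read into #GP(0) for the x86_seg_none callers introduced later in this patch (fuzz_read_io, _fuzz_rep_read, fuzz_read_msr), which only holds if is_x86_system_segment(x86_seg_none) is false. That dependency deserves a one-line comment, because if it ever returns true for x86_seg_none those paths return X86EMUL_EXCEPTION with nothing pending and trip exactly the assertion this patch is fixing.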
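Review bot: In the fuzz_write_msr() hunk (and the matching fuzz_read_msr() tail hunk above it), `x86_emul_hw_exception(13, 0, ctxt);` followed by `return X86EMUL_EXCEPTION;` is now the third copy of the same pair in this file, with the data_read() hunk carrying it as an assignment to rc. A small static helper that injects #GP(0) and returns X86EMUL_EXCEPTION would keep the vector and error-code choice in one place and make any future "return X86EMUL_EXCEPTION without a pending exception" slip easier to grep for. #GP(0) itself is the right choice for an unrecognised MSR.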