From patchwork Fri Aug 25 16:43:42 2017
X-Patchwork-Submitter: George Dunlap
X-Patchwork-Id: 9922509
From: George Dunlap
Date: Fri, 25 Aug 2017 17:43:42 +0100
Message-ID: <20170825164343.29015-13-george.dunlap@citrix.com>
In-Reply-To: <20170825164343.29015-1-george.dunlap@citrix.com>
References: <20170825164343.29015-1-george.dunlap@citrix.com>
Cc: Ian Jackson, Wei Liu, George Dunlap, Jan Beulich, Andrew Cooper
Subject: [Xen-devel] [PATCH 13/14] fuzz/x86_emulate: Set and fuzz more CPU state
List-Id: Xen developer discussion

x86_emulate() operates not only on state passed to it in cpu_user_regs, but also on state currently found on the cpu: namely, the FPU and XMM registers. At the moment, we re-zero (and/or re-initialize) cpu_user_regs on every invocation, but leave the cpu-stored state alone. In "persistent mode", this causes test cases to behave differently -- sometimes significantly so -- depending on which test cases have been run beforehand.

Zero out the state before each test run, and then fuzz it based on the corpus input.

Signed-off-by: George Dunlap
---
CC: Ian Jackson
CC: Wei Liu
CC: Andrew Cooper
CC: Jan Beulich
---
tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 71 +++++++++++++++++++++++++
1 file changed, 71 insertions(+)

diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c index 1d0293e990..7a07e7e37a 100644 --- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c +++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c @@ -38,6 +38,8 @@ struct fuzz_state uint64_t msr[MSR_INDEX_MAX]; struct segment_register segments[SEG_NUM]; struct cpu_user_regs regs; + char fxsave[512] __attribute__((aligned(16))); + /* Fuzzer's input data. */ const struct fuzz_corpus *corpus;
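Review bot: the new `fxsave` member in `struct fuzz_state` (hunk @@ -38) needs a comment saying what it holds: the 512-byte FXSAVE/FXRSTOR image of the FPU/SSE state that the new `set_fpu_state()`/`save_fpu_state()` helpers load from and store into, which is why it is exactly 512 bytes and 16-byte aligned (FXRSTOR takes a #GP on a misaligned operand). The later hunks also index this buffer as `unsigned int *` at word 6 and dump it word by word, so a one-line layout note here (MXCSR at byte offset 24, MXCSR_MASK at byte offset 28) would save readers from re-deriving those offsets from the SDM.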
@@ -597,6 +599,47 @@ static const struct x86_emulate_ops all_fuzzer_ops = { }; #undef SET +static void _set_fpu_state(char *fxsave, bool store) +{ + if ( cpu_has_fxsr ) + { + static union __attribute__((__aligned__(16))) { + char x[464]; + struct { + uint32_t other[6]; + uint32_t mxcsr; + uint32_t mxcsr_mask; + /* ... */ + }; + } *fxs; + + fxs = (typeof(fxs)) fxsave; + + if ( store ) { + char null[512] __attribute__((aligned(16))) = { 0 }; + asm volatile(" fxrstor %0; "::"m"(*null)); + asm volatile(" fxrstor %0; "::"m"(*fxsave)); + } + + asm volatile( "fxsave %0" : "=m" (*fxs) ); + + if ( fxs->mxcsr_mask ) + mxcsr_mask = fxs->mxcsr_mask; + else + mxcsr_mask = 0x000ffbf; + } +} + +static void set_fpu_state(char *fxsave) +{ + _set_fpu_state(fxsave, true); +} + +static void save_fpu_state(char *fxsave) +{ + _set_fpu_state(fxsave, false); +} + static void setup_fpu_exception_handler(void) { /* FIXME - just disable exceptions for now */ @@ -737,6 +780,17 @@ static void setup_state(struct x86_emulate_ctxt *ctxt) printf("Setting cpu_user_regs offset %x\n", offset); continue; } + offset -= sizeof(struct cpu_user_regs); + + /* Fuzz fxsave state */ + if ( offset < 128 ) + { + if ( !dread(s, s->fxsave + (offset * 4), 4) ) + return; + printf("Setting fxsave offset %x\n", offset * 4); + continue; + } + offset -= 128; /* None of the above -- take that as "start emulating" */ @@ -883,6 +937,9 @@ static void sanitize_state(struct x86_emulate_ctxt *ctxt) s->segments[x86_seg_cs].db = 0; s->segments[x86_seg_ss].db = 0; } + + /* Setting this value seems to cause crashes in fxrstor */ + *((unsigned int *)(s->fxsave) + 6) = 0; } int LLVMFuzzerInitialize(int *argc, char ***argv) @@ -920,6 +977,8 @@ int runtest(struct fuzz_state *state) { disable_hooks(state); + set_fpu_state(state->fxsave); + do { /* FIXME: Until we actually implement SIGFPE handling properly */ setup_fpu_exception_handler(); 
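Review bot: in hunk @@ -597 the `bool store` parameter of `_set_fpu_state()` is named backwards relative to what it does: `store == true` executes `fxrstor` (loads the buffer into the CPU) and is what `set_fpu_state()` passes, while `save_fpu_state()` passes `false`; renaming it to `restore`, or splitting the two paths into separate functions, would avoid that confusion. Two smaller points in the same hunk: `fxs` is a `static` pointer to a 464-byte union, yet `fxsave %0` writes the full 512 bytes, so the `"=m" (*fxs)` output constraint under-describes what the asm clobbers (a 512-byte type, e.g. `*(char (*)[512])fxsave`, tells the compiler the whole buffer changes), and the first `fxrstor` of the zeroed `null` buffer before the real one deserves a comment explaining why the state is restored twice. The constant `0x000ffbf` is just `0xffbf` (the architectural default MXCSR_MASK) and should be written that way, and `mxcsr_mask` is assigned here without appearing in the hunk, so its declaration should be referenced or moved next to this code.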
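Review bot: in the `setup_state()` hunk (@@ -737) the bounds `offset < 128`, the stride `offset * 4`, and the final `offset -= 128` are the size of `s->fxsave` in 4-byte words written out by hand; express them as `sizeof(s->fxsave) / 4` (with a named word size) so the three stay in step with the buffer declaration if it ever changes, and so the relationship to the 512-byte FXSAVE area is visible at the point of use rather than implied.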
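Review bot: the comment "Setting this value seems to cause crashes in fxrstor" in the `sanitize_state()` hunk (@@ -883) should say what the value is: word 6 of the FXSAVE image (`+ 6` on an `unsigned int *`) is MXCSR at byte offset 24, and FXRSTOR raises #GP when MXCSR has any bit set outside MXCSR_MASK, which is the crash being worked around. Zeroing the register wholesale means the fuzzer never exercises MXCSR at all (rounding mode, FTZ/DAZ, exception masks); masking the fuzzed value instead, e.g. `*(unsigned int *)(s->fxsave + 24) &= mxcsr_mask;`, keeps that coverage while still guaranteeing a valid restore. That requires `mxcsr_mask` to be populated before the first `sanitize_state()` call (for instance a single `save_fpu_state()` at initialisation), so the ordering should be stated in the comment, and the bare `+ 6` should become a named offset.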
@@ -931,6 +990,8 @@ int runtest(struct fuzz_state *state) { printf("Emulation result: %d\n", rc); } while ( rc == X86EMUL_OKAY ); + save_fpu_state(state->fxsave); + return 0; } @@ -1002,6 +1063,16 @@ void compare_states(struct fuzz_state state[2]) if ( memcmp(&state[0].ops, &state[1].ops, sizeof(state[0].ops)) ) printf("ops differ!\n"); + if ( memcmp(&state[0].fxsave, &state[1].fxsave, sizeof(state[0].fxsave)) ) + { + printf("fxsave differs!\n"); + for ( i = 0; i < sizeof(state[0].fxsave)/sizeof(unsigned); i++ ) + { + printf("[%04lu] %08x %08x\n", + i * sizeof(unsigned), ((unsigned *)&state[0].fxsave)[i], ((unsigned *)&state[1].fxsave)[i]); + } + } + if ( memcmp(&state[0].ctxt, &state[1].ctxt, sizeof(state[0].ctxt)) ) { printf("ctxt differs!\n");
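Review bot: in the `compare_states()` hunk (@@ -1002) the format string `"[%04lu] %08x %08x\n"` is given `i * sizeof(unsigned)`, which has type `size_t`; `%lu` happens to match on LP64 but is the wrong conversion in general and trips -Wformat on other ABIs, so use `%04zu`. The loop also reuses an `i` declared outside the hunk; its type should be unsigned (or `size_t`) so the comparison against `sizeof(state[0].fxsave)/sizeof(unsigned)` does not produce a signed/unsigned warning. Since the surrounding `memcmp` has already established that the buffers differ, printing only the words where `((unsigned *)&state[0].fxsave)[i] != ((unsigned *)&state[1].fxsave)[i]` would turn the 128-line dump into something a reader can act on.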