fix write protection

2021-12-08 18:22:35 +01:00 · 2021-12-08 18:22:35 +01:00 · 23a408e2cf
commit 23a408e2cf
parent 5d6f07cc22
3 changed files with 26 additions and 14 deletions
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@ -2495,11 +2495,17 @@ int kvm_cpu_exec(CPUState *cpu)
                    strerror(-run_ret));
 #else
            if(run_ret == -EFAULT){
-                if(GET_GLOBAL_STATE()->protect_payload_buffer && GET_GLOBAL_STATE()->in_fuzzing_mode){
-                    /* Fuzzing is enabled at this point -> don't exit */
-                    synchronization_payload_buffer_write_detected();
-                    ret = 0;
-                    break;
+                if(GET_GLOBAL_STATE()->protect_payload_buffer){
+                    if (GET_GLOBAL_STATE()->in_fuzzing_mode){
+                        /* Fuzzing is enabled at this point -> don't exit */
+                        synchronization_payload_buffer_write_detected();
+                        ret = 0;
+                        break;
+                    }
+                    else{
+                        fprintf(stderr, "ERROR: invalid write to input buffer detected before harness was ready (write protection is enabled)!\n");
+                        exit(1);
+                    }
                }
            }

--- a/nyx/memory_access.c
+++ b/nyx/memory_access.c
@ -301,6 +301,10 @@ bool remap_payload_buffer(uint64_t virt_guest_addr, CPUState *cpu){

                memset((block->host) + phys_addr, 0xab, 0x1000);

+                if(GET_GLOBAL_STATE()->protect_payload_buffer){
+                    mprotect((block->host) + phys_addr, 0x1000, PROT_READ);
+                }
+
                fast_reload_blacklist_page(get_fast_reload_snapshot(), phys_addr);
                break;
            }
--- a/nyx/state.c
+++ b/nyx/state.c
@ -80,7 +80,7 @@ void state_init_global(void){
    global_state.payload_buffer = 0;
    global_state.nested_payload_pages = NULL;
    global_state.nested_payload_pages_num = 0;
-    global_state.protect_payload_buffer = 1; 
+    global_state.protect_payload_buffer = 0; 
    global_state.discard_tmp_snapshot = 0;
    global_state.mem_mode = mm_unkown;

@ -239,6 +239,7 @@ void dump_global_state(const char* filename_prefix){
        fwrite(&global_state.cap_cr3, sizeof(global_state.cap_cr3), 1, fp);
        fwrite(&global_state.cap_compile_time_tracing_buffer_vaddr, sizeof(global_state.cap_compile_time_tracing_buffer_vaddr), 1, fp);
        fwrite(&global_state.cap_ijon_tracing_buffer_vaddr, sizeof(global_state.cap_ijon_tracing_buffer_vaddr), 1, fp);
+        fwrite(&global_state.protect_payload_buffer, sizeof(bool), 1, fp);
    }
    else{
        assert(global_state.nested_payload_pages != NULL && global_state.nested_payload_pages_num != 0);
@ -312,7 +313,16 @@ void load_global_state(const char* filename_prefix){
        assert(fread(&global_state.payload_buffer, sizeof(uint64_t), 1, fp) == 1);
        debug_printf("LOADING global_state.payload_buffer: %lx\n", global_state.payload_buffer);

+        assert(fread(&global_state.cap_timeout_detection, sizeof(global_state.cap_timeout_detection), 1, fp) == 1);
+        assert(fread(&global_state.cap_only_reload_mode, sizeof(global_state.cap_only_reload_mode), 1, fp) == 1);
+        assert(fread(&global_state.cap_compile_time_tracing, sizeof(global_state.cap_compile_time_tracing), 1, fp) == 1);
+        assert(fread(&global_state.cap_ijon_tracing, sizeof(global_state.cap_ijon_tracing), 1, fp) == 1);
+        assert(fread(&global_state.cap_cr3, sizeof(global_state.cap_cr3), 1, fp) == 1);
+        assert(fread(&global_state.cap_compile_time_tracing_buffer_vaddr, sizeof(global_state.cap_compile_time_tracing_buffer_vaddr), 1, fp) == 1);
+        assert(fread(&global_state.cap_ijon_tracing_buffer_vaddr, sizeof(global_state.cap_ijon_tracing_buffer_vaddr), 1, fp) == 1);
+
        if(!global_state.fast_reload_pre_image){
+            assert(fread(&global_state.protect_payload_buffer, sizeof(bool), 1, fp) == 1);
            if(global_state.payload_buffer != 0){
                debug_printf("REMAP PAYLOAD BUFFER!\n");
                remap_payload_buffer(global_state.payload_buffer, ((CPUState *)qemu_get_cpu(0)) );
@ -322,14 +332,6 @@ void load_global_state(const char* filename_prefix){
            }
        }

-        assert(fread(&global_state.cap_timeout_detection, sizeof(global_state.cap_timeout_detection), 1, fp) == 1);
-        assert(fread(&global_state.cap_only_reload_mode, sizeof(global_state.cap_only_reload_mode), 1, fp) == 1);
-        assert(fread(&global_state.cap_compile_time_tracing, sizeof(global_state.cap_compile_time_tracing), 1, fp) == 1);
-        assert(fread(&global_state.cap_ijon_tracing, sizeof(global_state.cap_ijon_tracing), 1, fp) == 1);
-        assert(fread(&global_state.cap_cr3, sizeof(global_state.cap_cr3), 1, fp) == 1);
-        assert(fread(&global_state.cap_compile_time_tracing_buffer_vaddr, sizeof(global_state.cap_compile_time_tracing_buffer_vaddr), 1, fp) == 1);
-        assert(fread(&global_state.cap_ijon_tracing_buffer_vaddr, sizeof(global_state.cap_ijon_tracing_buffer_vaddr), 1, fp) == 1);
-
        apply_capabilities(qemu_get_cpu(0));
    }
    else{