From 35c4f356ab6e134833e52c8dfdc6a5ebda12396f Mon Sep 17 00:00:00 2001
From: Steffen Schulz
Date: Tue, 8 Feb 2022 18:45:03 +0100
Subject: [PATCH] patch KASAN hypercall back in

---
 nyx/auxiliary_buffer.c | 6 +++++-
 nyx/auxiliary_buffer.h | 4 +++-
 nyx/hypercall/hypercall.c | 36 ++++++++++++++++++++++++++++++++++--
 nyx/synchronization.c | 19 +++++++++++++++++++
 nyx/synchronization.h | 3 ++-
 5 files changed, 63 insertions(+), 5 deletions(-)

diff --git a/nyx/auxiliary_buffer.c b/nyx/auxiliary_buffer.c
index a4d5928994..34df9c4d67 100644
--- a/nyx/auxiliary_buffer.c
+++ b/nyx/auxiliary_buffer.c
@@ -166,6 +166,10 @@ void set_crash_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){
  VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_crash);
 }
 
+void set_asan_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){
+ VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_sanitizer);
+}
+
 void set_timeout_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){
  VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_timeout);
 }
@@ -259,4 +263,4 @@ void set_result_bb_coverage(auxilary_buffer_t* auxilary_buffer, uint32_t value){
  if (value != auxilary_buffer->result.bb_coverage){
   VOLATILE_WRITE_32(auxilary_buffer->result.bb_coverage, value);
  }
-}
\ No newline at end of file
+}
diff --git a/nyx/auxiliary_buffer.h b/nyx/auxiliary_buffer.h
index 53edb09b2a..566f4aca3c 100644
--- a/nyx/auxiliary_buffer.h
+++ b/nyx/auxiliary_buffer.h
@@ -44,6 +44,7 @@ enum nyx_result_codes {
  rc_timeout = 3,
  rc_input_buffer_write = 4,
  rc_aborted = 5,
+ rc_sanitizer = 6,
 };
 
 typedef struct auxilary_buffer_header_s{
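Review bot: `rc_sanitizer = 6` is a new member of `nyx_result_codes`, the values that the `set_*_auxiliary_result_buffer` helpers publish in `exec_result_code`, and that field is presumably decoded by the fuzzer frontend; nothing in the hunk tells a reader that the numeric value is part of that shared contract. A comment at the enum would make it explicit, e.g. `/* exec_result_code values are read by the frontend: never renumber, only append */`. The frontend is outside this patch, so whether it already understands code 6 cannot be confirmed here.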
@@ -149,6 +150,7 @@ void init_auxiliary_buffer(auxilary_buffer_t* auxilary_buffer);
 void check_auxiliary_config_buffer(auxilary_buffer_t* auxilary_buffer, auxilary_buffer_config_t* shadow_config);
 
 void set_crash_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
+void set_asan_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
 void set_timeout_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
 void set_reload_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
 void set_pt_overflow_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
@@ -173,4 +175,4 @@ void set_result_pt_trace_size(auxilary_buffer_t* auxilary_buffer, uint32_t value
 
 void set_result_bb_coverage(auxilary_buffer_t* auxilary_buffer, uint32_t value);
 
-void set_payload_buffer_write_reason_auxiliary_buffer(auxilary_buffer_t* auxilary_buffer, char* msg, uint32_t len);
\ No newline at end of file
+void set_payload_buffer_write_reason_auxiliary_buffer(auxilary_buffer_t* auxilary_buffer, char* msg, uint32_t len);
diff --git a/nyx/hypercall/hypercall.c b/nyx/hypercall/hypercall.c
index 64703657e2..21f478f93c 100644
--- a/nyx/hypercall/hypercall.c
+++ b/nyx/hypercall/hypercall.c
@@ -439,6 +439,13 @@ static void handle_hypercall_kafl_submit_panic(struct kvm_run *run, CPUState *cp
  }
 }
 
+static void handle_hypercall_kafl_submit_kasan(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
+ if(hypercall_enabled){
+  QEMU_PT_PRINTF(CORE_PREFIX, "kASAN address:\t%lx", hypercall_arg);
+  write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD, PAYLOAD_BUFFER_SIZE, cpu);
+ }
+}
+
 
 //#define PANIC_DEBUG
 static void handle_hypercall_kafl_panic(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
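Review bot: `handle_hypercall_kafl_submit_kasan` copies `PAYLOAD_BUFFER_SIZE` bytes of `KASAN_PAYLOAD` to a guest-chosen address and discards the result of `write_virtual_memory`, so an unmapped or otherwise bad `hypercall_arg` leaves the KASAN hook uninstalled with nothing but the address in the log. If `write_virtual_memory` reports success (its declaration is outside the hunk), the call should be checked and the failure logged, e.g. `if(!write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD, PAYLOAD_BUFFER_SIZE, cpu)){ QEMU_PT_PRINTF(CORE_PREFIX, "failed to install kASAN payload at %lx", hypercall_arg); }`. The `%lx` conversion for a `uint64_t` also assumes `unsigned long` is 64 bits; `"%" PRIx64` from `<inttypes.h>` is the portable spelling and avoids a `-Wformat` warning on other targets.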
@@ -550,6 +557,27 @@ static void handle_hypercall_kafl_panic_extended(struct kvm_run *run, CPUState *
  }
 }
 
+static void handle_hypercall_kafl_kasan(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
+ if(hypercall_enabled){
+#ifdef PANIC_DEBUG
+  if(hypercall_arg){
+   QEMU_PT_PRINTF(CORE_PREFIX, "ASan notification in user mode!");
+  } else{
+   QEMU_PT_PRINTF(CORE_PREFIX, "ASan notification in kernel mode!");
+  }
+#endif
+  if(fast_reload_snapshot_exists(get_fast_reload_snapshot())){
+   synchronization_lock_asan_found();
+   //synchronization_stop_vm_kasan(cpu);
+  } else{
+   QEMU_PT_PRINTF(CORE_PREFIX, "KASAN detected during initialization of stage 1 or stage 2 loader");
+   //hypercall_snd_char(KAFL_PROTO_KASAN);
+   QEMU_PT_PRINTF_DEBUG("Protocol - SEND: KAFL_PROTO_KASAN");
+
+  }
+ }
+}
+
 static void handle_hypercall_kafl_lock(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
 
  if(is_called_in_fuzzing_mode("KVM_EXIT_KAFL_LOCK")){
@@ -804,7 +832,9 @@ int handle_kafl_hypercall(struct kvm_run *run, CPUState *cpu, uint64_t hypercall
    ret = 0;
    break;
   case KVM_EXIT_KAFL_SUBMIT_KASAN:
-   nyx_abort((char*)"Deprecated hypercall called (HYPERCALL_SUBMIT_KASAN)...");
+   //timeout_reload_pending = false;
+   //fprintf(stderr, "KVM_EXIT_KAFL_SUBMIT_KASAN\n");
+   handle_hypercall_kafl_submit_kasan(run, cpu, arg);
    ret = 0;
    break;
   case KVM_EXIT_KAFL_PANIC:
@@ -814,7 +844,9 @@ int handle_kafl_hypercall(struct kvm_run *run, CPUState *cpu, uint64_t hypercall
    ret = 0;
    break;
   case KVM_EXIT_KAFL_KASAN:
-   nyx_abort((char*)"Deprecated hypercall called (HYPERCALL_KAFL_KASAN)...");
+   //timeout_reload_pending = false;
+   //fprintf(stderr, "KVM_EXIT_KAFL_KASAN\n");
+   handle_hypercall_kafl_kasan(run, cpu, arg);
    ret = 0;
    break;
   case KVM_EXIT_KAFL_LOCK:
diff --git a/nyx/synchronization.c b/nyx/synchronization.c
index ad279dbbbe..fe0707a989 100644
--- a/nyx/synchronization.c
+++ b/nyx/synchronization.c
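Review bot: In the `else` branch of `handle_hypercall_kafl_kasan` the debug line `QEMU_PT_PRINTF_DEBUG("Protocol - SEND: KAFL_PROTO_KASAN");` claims a protocol message is sent, but the send itself is the commented-out `//hypercall_snd_char(KAFL_PROTO_KASAN);` directly above it, so the log misleads whoever reads a trace; reword it to what actually happens, e.g. `QEMU_PT_PRINTF_DEBUG("KASAN report before reload snapshot exists - not forwarded");`, or drop it. In that same branch the sanitizer report is only printed and the guest simply continues, whereas the snapshot path reloads; if the panic handler (outside this hunk) aborts or stops the VM when no snapshot exists yet, this path should do the same so a KASAN hit during loader setup is not silently lost. The commented-out `//synchronization_stop_vm_kasan(cpu);` and the stray blank line before the closing `}` should be removed rather than carried along.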
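Review bot: The `KVM_EXIT_KAFL_SUBMIT_KASAN` and `KVM_EXIT_KAFL_KASAN` arms each keep two commented-out lines (`//timeout_reload_pending = false;` and a `//fprintf(stderr, ...)`) that look copied from a neighbouring arm; they give the reader nothing actionable and should be deleted so each arm is just the handler call followed by `ret = 0; break;`. Both arms previously terminated with `nyx_abort(... "Deprecated hypercall called" ...)`, so re-enabling them changes behaviour for any guest that issues these hypercalls; the one-line subject `patch KASAN hypercall back in` would benefit from a sentence on why they had been deprecated and why reinstating them is safe. The enclosing `handle_kafl_hypercall` switch starts and ends outside these hunks.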
@@ -335,6 +335,25 @@ void synchronization_lock_crash_found(void){
  in_fuzzing_loop = false;
 }
 
+void synchronization_lock_asan_found(void){
+ if(!in_fuzzing_loop){
+  fprintf(stderr, "<%d-%ld>\t%s [NOT IN FUZZING LOOP]\n", getpid(), run_counter, __func__);
+  set_success_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer, 0);
+ }
+
+ pt_disable(qemu_get_cpu(0), false);
+
+ handle_tmp_snapshot_state();
+
+ set_asan_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer);
+
+ perform_reload();
+
+ //synchronization_lock();
+
+ in_fuzzing_loop = false;
+}
+
 void synchronization_lock_timeout_found(void){
  //fprintf(stderr, "<%d>\t%s\n", getpid(), __func__);
 
diff --git a/nyx/synchronization.h b/nyx/synchronization.h
index 7cd7ef902f..802d6f080c 100644
--- a/nyx/synchronization.h
+++ b/nyx/synchronization.h
@@ -37,6 +37,7 @@ void synchronization_lock_hprintf(void);
 
 void synchronization_lock(void);
 void synchronization_lock_crash_found(void);
+void synchronization_lock_asan_found(void);
 void synchronization_lock_timeout_found(void);
 void synchronization_lock_shutdown_detected(void);
 void synchronization_cow_full_detected(void);
@@ -45,4 +46,4 @@ void synchronization_enter_fuzzing_loop(CPUState *cpu);
 void synchronization_payload_buffer_write_detected(void);
 
 void enable_timeout_detector(timeout_detector_t* timeout_detector);
-void reset_timeout_detector_timeout(timeout_detector_t* timeout_detector);
\ No newline at end of file
+void reset_timeout_detector_timeout(timeout_detector_t* timeout_detector);
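Review bot: In `synchronization_lock_asan_found` the `!in_fuzzing_loop` branch calls `set_success_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer, 0)` and then falls through to `set_asan_auxiliary_result_buffer(...)`, which rewrites `exec_result_code` to `rc_sanitizer` a few lines later, so the success code is never observable unless `set_success_auxiliary_result_buffer` also writes fields the later call leaves alone; the intent needs stating, e.g. `/* not in loop: clear the result fields first, the final code is still rc_sanitizer */`, or the branch should `return;` if a report outside the loop is meant to be ignored. The function appears to duplicate `synchronization_lock_crash_found` (whose body starts outside the hunk) with only the result setter swapped; if that is the case, a single static helper parameterised by the setter would keep the two exit paths from drifting apart. The commented-out `//synchronization_lock();` should be removed.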