patch KASAN hypercall back in

Steffen Schulz 2022-02-08 18:45:03 +01:00
parent c2c69cfc52
commit 35c4f356ab
5 changed files with 63 additions and 5 deletions


@ -166,6 +166,10 @@ void set_crash_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){
VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_crash); VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_crash);
} }
void set_asan_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){
VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_sanitizer);
}
void set_timeout_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){ void set_timeout_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){
VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_timeout); VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_timeout);
} }
@ -259,4 +263,4 @@ void set_result_bb_coverage(auxilary_buffer_t* auxilary_buffer, uint32_t value){
if (value != auxilary_buffer->result.bb_coverage){ if (value != auxilary_buffer->result.bb_coverage){
VOLATILE_WRITE_32(auxilary_buffer->result.bb_coverage, value); VOLATILE_WRITE_32(auxilary_buffer->result.bb_coverage, value);
} }
} }
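Review bot: set_asan_auxiliary_result_buffer is added without a comment, and its name (asan) does not match the code it stores (rc_sanitizer), so a reader cannot tell from this file whether it reports the same condition as the KASAN hypercall path or a distinct one. A one-line header in the style of the neighbouring setters would close that gap: `/* Mark the current execution as ended by a (K)ASan report (rc_sanitizer); sanitizer counterpart of set_crash_auxiliary_result_buffer. */`.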


@ -44,6 +44,7 @@ enum nyx_result_codes {
rc_timeout = 3, rc_timeout = 3,
rc_input_buffer_write = 4, rc_input_buffer_write = 4,
rc_aborted = 5, rc_aborted = 5,
rc_sanitizer = 6,
}; };
typedef struct auxilary_buffer_header_s{ typedef struct auxilary_buffer_header_s{
@ -149,6 +150,7 @@ void init_auxiliary_buffer(auxilary_buffer_t* auxilary_buffer);
void check_auxiliary_config_buffer(auxilary_buffer_t* auxilary_buffer, auxilary_buffer_config_t* shadow_config); void check_auxiliary_config_buffer(auxilary_buffer_t* auxilary_buffer, auxilary_buffer_config_t* shadow_config);
void set_crash_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer); void set_crash_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
void set_asan_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
void set_timeout_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer); void set_timeout_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
void set_reload_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer); void set_reload_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
void set_pt_overflow_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer); void set_pt_overflow_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
@ -173,4 +175,4 @@ void set_result_pt_trace_size(auxilary_buffer_t* auxilary_buffer, uint32_t value
void set_result_bb_coverage(auxilary_buffer_t* auxilary_buffer, uint32_t value); void set_result_bb_coverage(auxilary_buffer_t* auxilary_buffer, uint32_t value);
void set_payload_buffer_write_reason_auxiliary_buffer(auxilary_buffer_t* auxilary_buffer, char* msg, uint32_t len); void set_payload_buffer_write_reason_auxiliary_buffer(auxilary_buffer_t* auxilary_buffer, char* msg, uint32_t len);
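Review bot: rc_sanitizer = 6 is appended to nyx_result_codes, the values written into auxilary_buffer->result.exec_result_code, and that field is consumed on the other side of the shared auxiliary buffer (presumably the Nyx/kAFL frontend); unless the consumer's table is extended with the same value, sanitizer exits will be decoded as an unknown result code rather than a finding, and the hunk carries no reminder of that coupling. A comment on the enumerator would carry it: `rc_sanitizer = 6, /* (K)ASan report; keep in sync with the frontend's result-code table */`.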


@ -439,6 +439,13 @@ static void handle_hypercall_kafl_submit_panic(struct kvm_run *run, CPUState *cp
} }
} }
static void handle_hypercall_kafl_submit_kasan(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
if(hypercall_enabled){
QEMU_PT_PRINTF(CORE_PREFIX, "kASAN address:\t%lx", hypercall_arg);
write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD, PAYLOAD_BUFFER_SIZE, cpu);
}
}
//#define PANIC_DEBUG //#define PANIC_DEBUG
static void handle_hypercall_kafl_panic(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){ static void handle_hypercall_kafl_panic(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
@ -550,6 +557,27 @@ static void handle_hypercall_kafl_panic_extended(struct kvm_run *run, CPUState *
} }
} }
static void handle_hypercall_kafl_kasan(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
if(hypercall_enabled){
#ifdef PANIC_DEBUG
if(hypercall_arg){
QEMU_PT_PRINTF(CORE_PREFIX, "ASan notification in user mode!");
} else{
QEMU_PT_PRINTF(CORE_PREFIX, "ASan notification in kernel mode!");
}
#endif
if(fast_reload_snapshot_exists(get_fast_reload_snapshot())){
synchronization_lock_asan_found();
//synchronization_stop_vm_kasan(cpu);
} else{
QEMU_PT_PRINTF(CORE_PREFIX, "KASAN detected during initialization of stage 1 or stage 2 loader");
//hypercall_snd_char(KAFL_PROTO_KASAN);
QEMU_PT_PRINTF_DEBUG("Protocol - SEND: KAFL_PROTO_KASAN");
}
}
}
static void handle_hypercall_kafl_lock(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){ static void handle_hypercall_kafl_lock(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
if(is_called_in_fuzzing_mode("KVM_EXIT_KAFL_LOCK")){ if(is_called_in_fuzzing_mode("KVM_EXIT_KAFL_LOCK")){
@ -804,7 +832,9 @@ int handle_kafl_hypercall(struct kvm_run *run, CPUState *cpu, uint64_t hypercall
ret = 0; ret = 0;
break; break;
case KVM_EXIT_KAFL_SUBMIT_KASAN: case KVM_EXIT_KAFL_SUBMIT_KASAN:
nyx_abort((char*)"Deprecated hypercall called (HYPERCALL_SUBMIT_KASAN)..."); //timeout_reload_pending = false;
//fprintf(stderr, "KVM_EXIT_KAFL_SUBMIT_KASAN\n");
handle_hypercall_kafl_submit_kasan(run, cpu, arg);
ret = 0; ret = 0;
break; break;
case KVM_EXIT_KAFL_PANIC: case KVM_EXIT_KAFL_PANIC:
@ -814,7 +844,9 @@ int handle_kafl_hypercall(struct kvm_run *run, CPUState *cpu, uint64_t hypercall
ret = 0; ret = 0;
break; break;
case KVM_EXIT_KAFL_KASAN: case KVM_EXIT_KAFL_KASAN:
nyx_abort((char*)"Deprecated hypercall called (HYPERCALL_KAFL_KASAN)..."); //timeout_reload_pending = false;
//fprintf(stderr, "KVM_EXIT_KAFL_KASAN\n");
handle_hypercall_kafl_kasan(run, cpu, arg);
ret = 0; ret = 0;
break; break;
case KVM_EXIT_KAFL_LOCK: case KVM_EXIT_KAFL_LOCK:
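Review bot: handle_hypercall_kafl_submit_kasan writes KASAN_PAYLOAD into the guest at an address taken straight from the hypercall argument and discards write_virtual_memory's result, so a guest that passes an unmapped or wrong address gets no handler installed and every later sanitizer report is silently lost instead of reaching handle_hypercall_kafl_kasan. Failing hard is what the dispatcher already does for this class of error, e.g. `if(!write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD, PAYLOAD_BUFFER_SIZE, cpu)) nyx_abort((char*)"failed to install KASAN handler in guest");` — assuming write_virtual_memory returns 0/false on failure, which this hunk does not show. PAYLOAD_BUFFER_SIZE is passed as the length; presumably it is the size of the handler shellcode shared with the panic path rather than the fuzzer's input buffer, but a mismatch would read past KASAN_PAYLOAD, so it is worth confirming. In handle_hypercall_kafl_kasan the no-snapshot branch only logs, with the protocol send left commented out, so a KASAN report during stage 1/2 loading lets the guest run on as if nothing happened; consider nyx_abort there too. The `//timeout_reload_pending = false;` and `//fprintf(stderr, ...)` leftovers in both case labels should be removed.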


@ -335,6 +335,25 @@ void synchronization_lock_crash_found(void){
in_fuzzing_loop = false; in_fuzzing_loop = false;
} }
void synchronization_lock_asan_found(void){
if(!in_fuzzing_loop){
fprintf(stderr, "<%d-%ld>\t%s [NOT IN FUZZING LOOP]\n", getpid(), run_counter, __func__);
set_success_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer, 0);
}
pt_disable(qemu_get_cpu(0), false);
handle_tmp_snapshot_state();
set_asan_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer);
perform_reload();
//synchronization_lock();
in_fuzzing_loop = false;
}
void synchronization_lock_timeout_found(void){ void synchronization_lock_timeout_found(void){
//fprintf(stderr, "<%d>\t%s\n", getpid(), __func__); //fprintf(stderr, "<%d>\t%s\n", getpid(), __func__);
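Review bot: In synchronization_lock_asan_found the result code written by set_success_auxiliary_result_buffer in the [NOT IN FUZZING LOOP] branch is overwritten four lines later by set_asan_auxiliary_result_buffer, so outside the fuzzing loop the branch is a log line plus a dead write and the reload still reports rc_sanitizer. If sanitizer reports raised outside the loop are meant to be ignored, add `return;` after the success write; if they are meant to be reported, drop the success write and keep only the log. The body of synchronization_lock_crash_found starts outside this section, so I cannot tell whether it has the same shape; whichever form is chosen should be applied to both. The commented-out `//synchronization_lock();` should be deleted rather than carried along.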


@ -37,6 +37,7 @@ void synchronization_lock_hprintf(void);
void synchronization_lock(void); void synchronization_lock(void);
void synchronization_lock_crash_found(void); void synchronization_lock_crash_found(void);
void synchronization_lock_asan_found(void);
void synchronization_lock_timeout_found(void); void synchronization_lock_timeout_found(void);
void synchronization_lock_shutdown_detected(void); void synchronization_lock_shutdown_detected(void);
void synchronization_cow_full_detected(void); void synchronization_cow_full_detected(void);
@ -45,4 +46,4 @@ void synchronization_enter_fuzzing_loop(CPUState *cpu);
void synchronization_payload_buffer_write_detected(void); void synchronization_payload_buffer_write_detected(void);
void enable_timeout_detector(timeout_detector_t* timeout_detector); void enable_timeout_detector(timeout_detector_t* timeout_detector);
void reset_timeout_detector_timeout(timeout_detector_t* timeout_detector); void reset_timeout_detector_timeout(timeout_detector_t* timeout_detector);