patch KASAN hypercall back in

2022-02-08 18:45:03 +01:00 · 2022-02-08 18:45:03 +01:00 · 35c4f356ab
commit 35c4f356ab
parent c2c69cfc52
5 changed files with 63 additions and 5 deletions
--- a/nyx/auxiliary_buffer.c
+++ b/nyx/auxiliary_buffer.c
@ -166,6 +166,10 @@ void set_crash_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){
  VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_crash);
 }

+void set_asan_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){
+  VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_sanitizer);
+}
+
 void set_timeout_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer){
  VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_timeout);
 }
--- a/nyx/auxiliary_buffer.h
+++ b/nyx/auxiliary_buffer.h
@ -44,6 +44,7 @@ enum nyx_result_codes {
  rc_timeout = 3,
  rc_input_buffer_write = 4,
  rc_aborted = 5,
+  rc_sanitizer = 6, 
 };

 typedef struct auxilary_buffer_header_s{
@ -149,6 +150,7 @@ void init_auxiliary_buffer(auxilary_buffer_t* auxilary_buffer);
 void check_auxiliary_config_buffer(auxilary_buffer_t* auxilary_buffer, auxilary_buffer_config_t* shadow_config);

 void set_crash_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
+void set_asan_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
 void set_timeout_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
 void set_reload_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
 void set_pt_overflow_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer);
--- a/nyx/hypercall/hypercall.c
+++ b/nyx/hypercall/hypercall.c
@ -439,6 +439,13 @@ static void handle_hypercall_kafl_submit_panic(struct kvm_run *run, CPUState *cp
 	}
 }

+static void handle_hypercall_kafl_submit_kasan(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
+	if(hypercall_enabled){
+		QEMU_PT_PRINTF(CORE_PREFIX, "kASAN address:\t%lx", hypercall_arg);
+		write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD, PAYLOAD_BUFFER_SIZE, cpu);
+	}
+}
+
 //#define PANIC_DEBUG

 static void handle_hypercall_kafl_panic(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
@ -550,6 +557,27 @@ static void handle_hypercall_kafl_panic_extended(struct kvm_run *run, CPUState *
 		}
 }

+static void handle_hypercall_kafl_kasan(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
+	if(hypercall_enabled){
+#ifdef PANIC_DEBUG
+		if(hypercall_arg){
+			QEMU_PT_PRINTF(CORE_PREFIX, "ASan notification in user mode!");
+		} else{
+			QEMU_PT_PRINTF(CORE_PREFIX, "ASan notification in kernel mode!");
+		}
+#endif
+		if(fast_reload_snapshot_exists(get_fast_reload_snapshot())){
+			synchronization_lock_asan_found();
+			//synchronization_stop_vm_kasan(cpu);
+		} else{
+			QEMU_PT_PRINTF(CORE_PREFIX, "KASAN detected during initialization of stage 1 or stage 2 loader");
+			//hypercall_snd_char(KAFL_PROTO_KASAN);
+			QEMU_PT_PRINTF_DEBUG("Protocol - SEND: KAFL_PROTO_KASAN");
+
+		}
+	}
+}
+
 static void handle_hypercall_kafl_lock(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){

 	if(is_called_in_fuzzing_mode("KVM_EXIT_KAFL_LOCK")){
@ -804,7 +832,9 @@ int handle_kafl_hypercall(struct kvm_run *run, CPUState *cpu, uint64_t hypercall
 			ret = 0;
 			break;
 		case KVM_EXIT_KAFL_SUBMIT_KASAN:
-			nyx_abort((char*)"Deprecated hypercall called (HYPERCALL_SUBMIT_KASAN)...");
+			//timeout_reload_pending = false;
+			//fprintf(stderr, "KVM_EXIT_KAFL_SUBMIT_KASAN\n");
+			handle_hypercall_kafl_submit_kasan(run, cpu, arg);
 			ret = 0;
 			break;
 		case KVM_EXIT_KAFL_PANIC:
@ -814,7 +844,9 @@ int handle_kafl_hypercall(struct kvm_run *run, CPUState *cpu, uint64_t hypercall
 			ret = 0;
 			break;
 		case KVM_EXIT_KAFL_KASAN:
-			nyx_abort((char*)"Deprecated hypercall called (HYPERCALL_KAFL_KASAN)...");
+			//timeout_reload_pending = false;
+			//fprintf(stderr, "KVM_EXIT_KAFL_KASAN\n");
+			handle_hypercall_kafl_kasan(run, cpu, arg);
 			ret = 0;
 			break;
 		case KVM_EXIT_KAFL_LOCK:
--- a/nyx/synchronization.c
+++ b/nyx/synchronization.c
@ -335,6 +335,25 @@ void synchronization_lock_crash_found(void){
 	in_fuzzing_loop = false;
 }

+void synchronization_lock_asan_found(void){
+	if(!in_fuzzing_loop){
+		fprintf(stderr, "<%d-%ld>\t%s [NOT IN FUZZING LOOP]\n", getpid(), run_counter, __func__);
+		set_success_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer, 0);
+	}
+
+	pt_disable(qemu_get_cpu(0), false);
+
+	handle_tmp_snapshot_state();
+
+	set_asan_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer);
+	
+	perform_reload();
+
+	//synchronization_lock();
+
+	in_fuzzing_loop = false;
+}
+
 void synchronization_lock_timeout_found(void){		
 	
 	//fprintf(stderr, "<%d>\t%s\n", getpid(), __func__);
--- a/nyx/synchronization.h
+++ b/nyx/synchronization.h
@ -37,6 +37,7 @@ void synchronization_lock_hprintf(void);

 void synchronization_lock(void);
 void synchronization_lock_crash_found(void);
+void synchronization_lock_asan_found(void);
 void synchronization_lock_timeout_found(void);
 void synchronization_lock_shutdown_detected(void);
 void synchronization_cow_full_detected(void);