david.venhoff/QEMU-Nyx-fork
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix req_stream_data_bulk() return size

Browse Source 
Hypercall failed to handle the default case where 0 < ret_value < 4096.
The handler keeps looping over num_addresses, returning a too large
overall file size to the guest.

For a 4 byte test file, hget_bulk() would fetch + write 960 bytes.

Also moved struct definition to header + set __attribute__((packed)).
This commit is contained in:
Steffen Schulz 2022-11-09 17:15:53 -08:00 committed by Sergej Schumilo
parent f1bb7b29c4
commit 3be0ec292e
2 changed files with 29 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
nyx/hypercall/hypercall.c
View File

@ -234,18 +234,11 @@ static void handle_hypercall_kafl_req_stream_data(struct kvm_run *run,
} }
} }
typedef struct req_data_bulk_s {
char file_name[256];
uint64_t num_addresses;
uint64_t addresses[479];
} req_data_bulk_t;
static void handle_hypercall_kafl_req_stream_data_bulk(struct kvm_run *run, static void handle_hypercall_kafl_req_stream_data_bulk(struct kvm_run *run,
CPUState *cpu, CPUState *cpu,
uint64_t hypercall_arg) uint64_t hypercall_arg)
{ {
static uint8_t req_stream_buffer[0x1000]; static uint8_t req_stream_buffer[0x1000];
// static uint64_t addresses[512];
req_data_bulk_t req_data_bulk_data; req_data_bulk_t req_data_bulk_data;
if (is_called_in_fuzzing_mode("HYPERCALL_KAFL_REQ_STREAM_DATA_BULK")) { if (is_called_in_fuzzing_mode("HYPERCALL_KAFL_REQ_STREAM_DATA_BULK")) {
@ -257,10 +250,11 @@ static void handle_hypercall_kafl_req_stream_data_bulk(struct kvm_run *run,
if ((hypercall_arg & 0xFFF) != 0) { if ((hypercall_arg & 0xFFF) != 0) {
nyx_debug("%s: ERROR -> address is not page aligned!\n", __func__); nyx_debug("%s: ERROR -> address is not page aligned!\n", __func__);
set_return_value(cpu, 0xFFFFFFFFFFFFFFFFUL); set_return_value(cpu, 0xFFFFFFFFFFFFFFFFUL);
} else { return;
}
uint64_t bytes = 0; uint64_t bytes = 0;
read_virtual_memory(hypercall_arg, (uint8_t *)&req_data_bulk_data, 0x1000, read_virtual_memory(hypercall_arg, (uint8_t *)&req_data_bulk_data, 0x1000, cpu);
cpu);
assert(req_data_bulk_data.num_addresses <= 479); assert(req_data_bulk_data.num_addresses <= 479);
for (int i = 0; i < req_data_bulk_data.num_addresses; i++) { for (int i = 0; i < req_data_bulk_data.num_addresses; i++) {
@ -268,23 +262,20 @@ static void handle_hypercall_kafl_req_stream_data_bulk(struct kvm_run *run,
sharedir_request_file(GET_GLOBAL_STATE()->sharedir, sharedir_request_file(GET_GLOBAL_STATE()->sharedir,
(const char *)req_data_bulk_data.file_name, (const char *)req_data_bulk_data.file_name,
req_stream_buffer); req_stream_buffer);
if (ret_val != 0xFFFFFFFFFFFFFFFFUL) { if (ret_val == 0xFFFFFFFFFFFFFFFFUL) {
bytes = ret_val;
break;
}
if (ret_val == 0) {
break;
}
bytes += ret_val; bytes += ret_val;
write_virtual_memory((uint64_t)req_data_bulk_data.addresses[i], write_virtual_memory((uint64_t)req_data_bulk_data.addresses[i],
(uint8_t *)req_stream_buffer, ret_val, cpu); (uint8_t *)req_stream_buffer, ret_val, cpu);
} else if (ret_val == 0) {
break;
} else {
bytes = 0xFFFFFFFFFFFFFFFFUL;
break;
} }
}
set_return_value(cpu, bytes); set_return_value(cpu, bytes);
}
} }
static void handle_hypercall_kafl_range_submit(struct kvm_run *run, static void handle_hypercall_kafl_range_submit(struct kvm_run *run,
CPUState *cpu, CPUState *cpu,
uint64_t hypercall_arg) uint64_t hypercall_arg)

6
nyx/hypercall/hypercall.h
View File

@ -168,3 +168,9 @@ typedef struct kafl_dump_file_s {
uint64_t bytes; uint64_t bytes;
uint8_t append; uint8_t append;
} __attribute__((packed)) kafl_dump_file_t; } __attribute__((packed)) kafl_dump_file_t;
typedef struct req_data_bulk_s {
char file_name[256];
uint64_t num_addresses;
uint64_t addresses[479];
} __attribute__((packed)) req_data_bulk_t;