use 32bit kasan/panic notifier payload when on 32bit

Steffen Schulz 2020-11-24 17:30:29 +00:00
parent 31b8c05afe
commit 95742719f5
2 changed files with 35 additions and 5 deletions


@ -435,14 +435,22 @@ static void handle_hypercall_kafl_submit_panic(struct kvm_run *run, CPUState *cp
if(hypercall_enabled){ if(hypercall_enabled){
QEMU_PT_PRINTF(CORE_PREFIX, "Panic address:\t%lx", hypercall_arg); QEMU_PT_PRINTF(CORE_PREFIX, "Panic address:\t%lx", hypercall_arg);
write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD, PAYLOAD_BUFFER_SIZE, cpu); if (run->hypercall.longmode) {
write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_64, PAYLOAD_BUFFER_SIZE, cpu);
} else {
write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_32, PAYLOAD_BUFFER_SIZE, cpu);
}
} }
} }
static void handle_hypercall_kafl_submit_kasan(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){ static void handle_hypercall_kafl_submit_kasan(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg){
if(hypercall_enabled){ if(hypercall_enabled){
QEMU_PT_PRINTF(CORE_PREFIX, "kASAN address:\t%lx", hypercall_arg); QEMU_PT_PRINTF(CORE_PREFIX, "kASAN address:\t%lx", hypercall_arg);
write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD, PAYLOAD_BUFFER_SIZE, cpu); if (run->hypercall.longmode){
write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_64, PAYLOAD_BUFFER_SIZE, cpu);
} else {
write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_32, PAYLOAD_BUFFER_SIZE, cpu);
}
} }
} }
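Review bot: Both new 32-bit branches still hand PAYLOAD_BUFFER_SIZE to write_virtual_memory, but PANIC_PAYLOAD_32 and KASAN_PAYLOAD_32 are 20-byte string literals while the 64-bit payloads they replace are 26 bytes; if PAYLOAD_BUFFER_SIZE is sized for the longer literal (its definition is not in this diff), the copy reads past the end of the shorter literal and deposits those out-of-bounds bytes into guest memory after the hlt. Deriving the length from the literal itself removes the dependency on the shared constant: `write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_32, sizeof(PANIC_PAYLOAD_32) - 1, cpu);` and likewise `sizeof(KASAN_PAYLOAD_32) - 1` in the second hunk's 32-bit branch; if callers do rely on a fixed PAYLOAD_BUFFER_SIZE-byte write, a compile-time check such as `_Static_assert(sizeof(PANIC_PAYLOAD_32) - 1 <= PAYLOAD_BUFFER_SIZE, "payload exceeds buffer");` next to the definitions would at least pin the contract. The same point applies to handle_hypercall_kafl_submit_kasan below. The signature of handle_hypercall_kafl_submit_panic lies outside the hunk and is visible only in the hunk header.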


@ -46,18 +46,40 @@ bool check_bitmap_byte(uint32_t value);
* 0f 01 c1 vmcall * 0f 01 c1 vmcall
* f4 hlt * f4 hlt
*/ */
#define PANIC_PAYLOAD "\xFA\x48\xC7\xC0\x1F\x00\x00\x00\x48\xC7\xC3\x08\x00\x00\x00\x48\xC7\xC1\x00\x00\x00\x00\x0F\x01\xC1\xF4" #define PANIC_PAYLOAD_64 "\xFA\x48\xC7\xC0\x1F\x00\x00\x00\x48\xC7\xC3\x08\x00\x00\x00\x48\xC7\xC1\x00\x00\x00\x00\x0F\x01\xC1\xF4"
/*
* Panic Notifier Payload (x86-32)
* fa cli
* b8 1f 00 00 00 mov $0x1f,%eax
* bb 08 00 00 00 mov $0x8,%ebx
* b9 00 00 00 00 mov $0x0,%ecx
* 0f 01 c1 vmcall
* f4 hlt
*/
#define PANIC_PAYLOAD_32 "\xFA\xB8\x1F\x00\x00\x00\xBB\x08\x00\x00\x00\xB9\x00\x00\x00\x00\x0F\x01\xC1\xF4"
/* /*
* KASAN Notifier Payload (x86-64) * KASAN Notifier Payload (x86-64)
* fa cli * fa cli
* 48 c7 c0 1f 00 00 00 mov rax,0x1f * 48 c7 c0 1f 00 00 00 mov rax,0x1f
* 48 c7 c3 08 00 00 00 mov rbx,0x9 * 48 c7 c3 09 00 00 00 mov rbx,0x9
* 48 c7 c1 00 00 00 00 mov rcx,0x0 * 48 c7 c1 00 00 00 00 mov rcx,0x0
* 0f 01 c1 vmcall * 0f 01 c1 vmcall
* f4 hlt * f4 hlt
*/ */
#define KASAN_PAYLOAD "\xFA\x48\xC7\xC0\x1F\x00\x00\x00\x48\xC7\xC3\x09\x00\x00\x00\x48\xC7\xC1\x00\x00\x00\x00\x0F\x01\xC1\xF4" #define KASAN_PAYLOAD_64 "\xFA\x48\xC7\xC0\x1F\x00\x00\x00\x48\xC7\xC3\x09\x00\x00\x00\x48\xC7\xC1\x00\x00\x00\x00\x0F\x01\xC1\xF4"
/*
* KASAN Notifier Payload (x86-32)
* fa cli
* b8 1f 00 00 00 mov $0x1f,%eax
* bb 09 00 00 00 mov $0x9,%ebx
* b9 00 00 00 00 mov $0x0,%ecx
* 0f 01 c1 vmcall
* f4 hlt
*/
#define KASAN_PAYLOAD_32 "\xFA\xB8\x1F\x00\x00\x00\xBB\x09\x00\x00\x00\xB9\x00\x00\x00\x00\x0F\x01\xC1\xF4"
/* /*
* printk Notifier Payload (x86-64) * printk Notifier Payload (x86-64)