From b95d6b9236390f7d8f60ed361a44524d25d595c5 Mon Sep 17 00:00:00 2001
From: Sergej Schumilo
Date: Wed, 23 Feb 2022 08:55:00 +0100
Subject: [PATCH] fix a global oob read

Use an additional constant to specifiy the size of the crash notifier code in 32 bit mode (submit_panic / submit_kasan).
---
 nyx/hypercall/hypercall.c | 8 ++++----
 nyx/hypercall/hypercall.h | 3 ++-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/nyx/hypercall/hypercall.c b/nyx/hypercall/hypercall.c
index 282da6860f..7d26c74469 100644
--- a/nyx/hypercall/hypercall.c
+++ b/nyx/hypercall/hypercall.c
@@ -443,9 +443,9 @@ static void handle_hypercall_kafl_submit_panic(struct kvm_run *run, CPUState *cp
 if(hypercall_enabled){
 QEMU_PT_PRINTF(CORE_PREFIX, "Panic address:\t%lx", hypercall_arg);
 if (run->hypercall.longmode) {
- write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_64, PAYLOAD_BUFFER_SIZE, cpu);
+ write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_64, PAYLOAD_BUFFER_SIZE_64, cpu);
 } else {
- write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_32, PAYLOAD_BUFFER_SIZE, cpu);
+ write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_32, PAYLOAD_BUFFER_SIZE_32, cpu);
 }
 }
 }
@@ -454,9 +454,9 @@ static void handle_hypercall_kafl_submit_kasan(struct kvm_run *run, CPUState *cp
 if(hypercall_enabled){
 QEMU_PT_PRINTF(CORE_PREFIX, "kASAN address:\t%lx", hypercall_arg);
 if (run->hypercall.longmode){
- write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_64, PAYLOAD_BUFFER_SIZE, cpu);
+ write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_64, PAYLOAD_BUFFER_SIZE_64, cpu);
 } else {
- write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_32, PAYLOAD_BUFFER_SIZE, cpu);
+ write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_32, PAYLOAD_BUFFER_SIZE_32, cpu);
 }
 }
 }
diff --git a/nyx/hypercall/hypercall.h b/nyx/hypercall/hypercall.h
index d48115758c..544292f98f 100644
--- a/nyx/hypercall/hypercall.h
+++ b/nyx/hypercall/hypercall.h
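Review bot: The `+` lines in this hunk still pass a hand-maintained byte count alongside the payload pointer, so the fix holds only as long as `PAYLOAD_BUFFER_SIZE_32` is kept in step with `PANIC_PAYLOAD_32` by hand, and the over-read this commit removes returns the moment either payload is edited without its constant. If the payloads are byte arrays, prefer deriving the length at the call, `sizeof(PANIC_PAYLOAD_32)` (less one if they are string literals), or pin the pair where the payload is defined with `_Static_assert(sizeof(PANIC_PAYLOAD_32) == PAYLOAD_BUFFER_SIZE_32, "payload size mismatch");` — whether they are arrays or macros is not visible in this hunk, so confirm before choosing. The kasan hunk at `@@ -454` has the same shape with `KASAN_PAYLOAD_32` and `KASAN_PAYLOAD_64`. Both functions begin before their hunks (the headers show only the truncated signatures), and `hypercall_arg` is assigned outside the visible lines.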
@@ -21,7 +21,8 @@ along with QEMU-PT. If not, see .
 #pragma once
-#define PAYLOAD_BUFFER_SIZE 26
+#define PAYLOAD_BUFFER_SIZE_64 26
+#define PAYLOAD_BUFFER_SIZE_32 20
 #define KAFL_MODE_64 0
 #define KAFL_MODE_32 1
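Review bot: The two added sizes `26` and `20` are bare magic numbers with nothing in the header tying them to the notifier payloads they measure, so a reader of hypercall.h cannot tell what a wrong value does — which is how the over-read this commit fixes arose in the first place. A short comment above the pair, e.g. `/* byte length of the 64-/32-bit panic and kASAN notifier payloads passed to write_virtual_memory(); must match the payload definitions */`, would make the coupling visible to the next person who edits either side. If the payloads are defined as arrays, a `_Static_assert` next to their definitions would enforce this rather than merely document it; that cannot be confirmed from this hunk.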