fix a global oob read

Use an additional constant to specifiy the size of the crash notifier code in 32 bit mode (submit_panic / submit_kasan).
2022-02-23 08:55:00 +01:00 · 2022-02-23 08:55:00 +01:00 · b95d6b9236
commit b95d6b9236
parent 954158c43a
2 changed files with 6 additions and 5 deletions
--- a/nyx/hypercall/hypercall.c
+++ b/nyx/hypercall/hypercall.c
@ -443,9 +443,9 @@ static void handle_hypercall_kafl_submit_panic(struct kvm_run *run, CPUState *cp
 	if(hypercall_enabled){
 		QEMU_PT_PRINTF(CORE_PREFIX, "Panic address:\t%lx", hypercall_arg);
 		if (run->hypercall.longmode) {
-			write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_64, PAYLOAD_BUFFER_SIZE, cpu);
+			write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_64, PAYLOAD_BUFFER_SIZE_64, cpu);
 		} else {
-			write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_32, PAYLOAD_BUFFER_SIZE, cpu);
+			write_virtual_memory(hypercall_arg, (uint8_t*)PANIC_PAYLOAD_32, PAYLOAD_BUFFER_SIZE_32, cpu);
 		}
 	}
 }
@ -454,9 +454,9 @@ static void handle_hypercall_kafl_submit_kasan(struct kvm_run *run, CPUState *cp
 	if(hypercall_enabled){
 		QEMU_PT_PRINTF(CORE_PREFIX, "kASAN address:\t%lx", hypercall_arg);
 		if (run->hypercall.longmode){
-			write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_64, PAYLOAD_BUFFER_SIZE, cpu);
+			write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_64, PAYLOAD_BUFFER_SIZE_64, cpu);
 		} else {
-			write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_32, PAYLOAD_BUFFER_SIZE, cpu);
+			write_virtual_memory(hypercall_arg, (uint8_t*)KASAN_PAYLOAD_32, PAYLOAD_BUFFER_SIZE_32, cpu);
 		}
 	}
 }
--- a/nyx/hypercall/hypercall.h
+++ b/nyx/hypercall/hypercall.h
@ -21,7 +21,8 @@ along with QEMU-PT.  If not, see <http://www.gnu.org/licenses/>.

 #pragma once 

-#define PAYLOAD_BUFFER_SIZE		26
+#define PAYLOAD_BUFFER_SIZE_64		26
+#define PAYLOAD_BUFFER_SIZE_32		20

 #define KAFL_MODE_64	0
 #define KAFL_MODE_32	1