starved: signal if guest was reading beyond end of payload

2020-12-29 01:13:43 +00:00 · 2020-12-29 01:13:43 +00:00 · c12c6bd70d
commit c12c6bd70d
parent 95742719f5
6 changed files with 22 additions and 2 deletions
--- a/nyx/auxiliary_buffer.c
+++ b/nyx/auxiliary_buffer.c
@ -229,7 +229,12 @@ void reset_page_not_found_result_buffer(auxilary_buffer_t* auxilary_buffer){
 }

 void set_success_auxiliary_result_buffer(auxilary_buffer_t* auxilary_buffer, uint8_t success){
+  //should refactor to let caller directly set the result codes
+  if (success == 2) {
+	  VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_starved);
+  } else {
 	  VOLATILE_WRITE_8(auxilary_buffer->result.exec_result_code, rc_success);
+  }
 }

 void set_payload_buffer_write_reason_auxiliary_buffer(auxilary_buffer_t* auxilary_buffer, char* msg, uint32_t len){
--- a/nyx/auxiliary_buffer.h
+++ b/nyx/auxiliary_buffer.h
@ -45,6 +45,7 @@ enum nyx_result_codes {
  rc_input_buffer_write = 4,
  rc_aborted = 5,
  rc_sanitizer = 6, 
+  rc_starved = 7,
 };

 typedef struct auxilary_buffer_header_s{
--- a/nyx/hypercall/hypercall.c
+++ b/nyx/hypercall/hypercall.c
@ -349,6 +349,13 @@ void handle_hypercall_kafl_release(struct kvm_run *run, CPUState *cpu, uint64_t
 		if (init_state){
 			init_state = false;	
 		} else {
+			//printf(CORE_PREFIX, "Got STARVED notification (num=%llu)\n", run->hypercall.args[0]);
+			if (run->hypercall.args[0] > 0) {
+				GET_GLOBAL_STATE()->starved = 1;
+			} else {
+				GET_GLOBAL_STATE()->starved = 0;
+			}
+
 			synchronization_disable_pt(cpu);
 			release_print_once(cpu);
 		}
--- a/nyx/state/state.c
+++ b/nyx/state/state.c
@ -89,6 +89,7 @@ void state_init_global(void){

    global_state.in_fuzzing_mode = false;
    global_state.in_reload_mode = true;
+    global_state.starved = false;
    global_state.shutdown_requested = false;
    global_state.cow_cache_full = false;

--- a/nyx/state/state.h
+++ b/nyx/state/state.h
@ -131,6 +131,7 @@ typedef struct qemu_nyx_state_s{

    bool in_fuzzing_mode;
    bool in_reload_mode; 
+     bool starved;

    bool shutdown_requested;
    bool cow_cache_full;
--- a/nyx/synchronization.c
+++ b/nyx/synchronization.c
@ -291,6 +291,11 @@ void synchronization_lock(void){
 	pthread_mutex_unlock(&synchronization_lock_mutex);

 	check_auxiliary_config_buffer(GET_GLOBAL_STATE()->auxilary_buffer, &GET_GLOBAL_STATE()->shadow_config);
+
+	//set_success_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer, 1);
+	if (GET_GLOBAL_STATE()->starved == true)
+		set_success_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer, 2);
+	else
 		set_success_auxiliary_result_buffer(GET_GLOBAL_STATE()->auxilary_buffer, 1);

 	GET_GLOBAL_STATE()->pt_trace_size = 0;