b95d6b9236
Use an additional constant to specifiy the size of the crash notifier code in 32 bit mode (submit_panic / submit_kasan).
151 lines
4.8 KiB
C
151 lines
4.8 KiB
C
/*
|
|
|
|
Copyright (C) 2017 Sergej Schumilo
|
|
|
|
This file is part of QEMU-PT (kAFL).
|
|
|
|
QEMU-PT is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
QEMU-PT is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with QEMU-PT. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
#pragma once
|
|
|
|
#define PAYLOAD_BUFFER_SIZE_64 26
|
|
#define PAYLOAD_BUFFER_SIZE_32 20
|
|
|
|
#define KAFL_MODE_64 0
|
|
#define KAFL_MODE_32 1
|
|
#define KAFL_MODE_16 2
|
|
|
|
typedef struct{
|
|
uint64_t ip[4];
|
|
uint64_t size[4];
|
|
uint8_t enabled[4];
|
|
} kAFL_ranges;
|
|
|
|
bool check_bitmap_byte(uint32_t value);
|
|
|
|
//#define PANIC_DEBUG
|
|
|
|
/*
|
|
* Panic Notifier Payload (x86-64)
|
|
* fa cli
|
|
* 48 c7 c0 1f 00 00 00 mov rax,0x1f
|
|
* 48 c7 c3 08 00 00 00 mov rbx,0x8
|
|
* 48 c7 c1 00 00 00 00 mov rcx,0x0
|
|
* 0f 01 c1 vmcall
|
|
* f4 hlt
|
|
*/
|
|
#define PANIC_PAYLOAD_64 "\xFA\x48\xC7\xC0\x1F\x00\x00\x00\x48\xC7\xC3\x08\x00\x00\x00\x48\xC7\xC1\x00\x00\x00\x00\x0F\x01\xC1\xF4"
|
|
|
|
/*
|
|
* Panic Notifier Payload (x86-32)
|
|
* fa cli
|
|
* b8 1f 00 00 00 mov $0x1f,%eax
|
|
* bb 08 00 00 00 mov $0x8,%ebx
|
|
* b9 00 00 00 00 mov $0x0,%ecx
|
|
* 0f 01 c1 vmcall
|
|
* f4 hlt
|
|
*/
|
|
#define PANIC_PAYLOAD_32 "\xFA\xB8\x1F\x00\x00\x00\xBB\x08\x00\x00\x00\xB9\x00\x00\x00\x00\x0F\x01\xC1\xF4"
|
|
|
|
/*
|
|
* KASAN Notifier Payload (x86-64)
|
|
* fa cli
|
|
* 48 c7 c0 1f 00 00 00 mov rax,0x1f
|
|
* 48 c7 c3 09 00 00 00 mov rbx,0x9
|
|
* 48 c7 c1 00 00 00 00 mov rcx,0x0
|
|
* 0f 01 c1 vmcall
|
|
* f4 hlt
|
|
*/
|
|
#define KASAN_PAYLOAD_64 "\xFA\x48\xC7\xC0\x1F\x00\x00\x00\x48\xC7\xC3\x09\x00\x00\x00\x48\xC7\xC1\x00\x00\x00\x00\x0F\x01\xC1\xF4"
|
|
|
|
/*
|
|
* KASAN Notifier Payload (x86-32)
|
|
* fa cli
|
|
* b8 1f 00 00 00 mov $0x1f,%eax
|
|
* bb 09 00 00 00 mov $0x9,%ebx
|
|
* b9 00 00 00 00 mov $0x0,%ecx
|
|
* 0f 01 c1 vmcall
|
|
* f4 hlt
|
|
*/
|
|
#define KASAN_PAYLOAD_32 "\xFA\xB8\x1F\x00\x00\x00\xBB\x09\x00\x00\x00\xB9\x00\x00\x00\x00\x0F\x01\xC1\xF4"
|
|
|
|
/*
|
|
* printk Notifier Payload (x86-64)
|
|
* 0f 01 c1 vmcall
|
|
* c3 retn
|
|
*/
|
|
#define PRINTK_PAYLOAD "\x0F\x01\xC1\xC3"
|
|
|
|
void pt_setup_program(void* ptr);
|
|
void pt_setup_snd_handler(void (*tmp)(char, void*), void* tmp_s);
|
|
void pt_setup_ip_filters(uint8_t filter_id, uint64_t start, uint64_t end);
|
|
void pt_setup_enable_hypercalls(void);
|
|
|
|
void pt_disable_wrapper(CPUState *cpu);
|
|
|
|
void hypercall_submit_address(uint64_t address);
|
|
bool hypercall_check_tuple(uint64_t current_addr, uint64_t prev_addr);
|
|
//void hypercall_check_in_range(uint64_t* addr);
|
|
|
|
|
|
bool hypercall_check_transition(uint64_t value);
|
|
void hypercall_submit_transition(uint32_t value);
|
|
|
|
void hypercall_enable_filter(void);
|
|
void hypercall_disable_filter(void);
|
|
void hypercall_commit_filter(void);
|
|
|
|
bool pt_hypercalls_enabled(void);
|
|
|
|
void hypercall_unlock(void);
|
|
void hypercall_reload(void);
|
|
|
|
void handle_hypercall_kafl_acquire(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg);
|
|
void handle_hypercall_kafl_release(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg);
|
|
void handle_hypercall_kafl_panic(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg);
|
|
|
|
void handle_hypercall_kafl_page_dump_bp(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg, uint64_t page);
|
|
|
|
|
|
void hprintf(char* msg);
|
|
|
|
bool handle_hypercall_kafl_next_payload(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg);
|
|
void hypercall_reset_hprintf_counter(void);
|
|
|
|
bool handle_hypercall_kafl_hook(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg);
|
|
void handle_hypercall_kafl_mtf(struct kvm_run *run, CPUState *cpu, uint64_t hypercall_arg);
|
|
void pt_enable_rqo(CPUState *cpu);
|
|
void pt_disable_rqo(CPUState *cpu);
|
|
void pt_enable_rqi(CPUState *cpu);
|
|
void pt_disable_rqi(CPUState *cpu);
|
|
void pt_set_redqueen_instrumentation_mode(CPUState *cpu, int redqueen_instruction_mode);
|
|
void pt_set_redqueen_update_blacklist(CPUState *cpu, bool newval);
|
|
void pt_set_enable_patches_pending(CPUState *cpu);
|
|
void pt_set_disable_patches_pending(CPUState *cpu);
|
|
|
|
void create_fast_snapshot(CPUState *cpu, bool nested);
|
|
int handle_kafl_hypercall(struct kvm_run *run, CPUState *cpu, uint64_t hypercall, uint64_t arg);
|
|
|
|
void skip_init(void);
|
|
|
|
typedef struct kafl_dump_file_s{
|
|
uint64_t file_name_str_ptr;
|
|
uint64_t data_ptr;
|
|
uint64_t bytes;
|
|
uint8_t append;
|
|
} __attribute__((packed)) kafl_dump_file_t;
|
|
|