add config option to enable hypervisor-assisted write protection of the input buffer
This commit is contained in:
parent
e1126bf73b
commit
4134f7d64b
@ -129,7 +129,8 @@ pub struct FuzzerConfig {
|
|||||||
pub dict: Vec<Vec<u8>>,
|
pub dict: Vec<Vec<u8>>,
|
||||||
pub snapshot_placement: SnapshotPlacement,
|
pub snapshot_placement: SnapshotPlacement,
|
||||||
pub dump_python_code_for_inputs: Option<bool>,
|
pub dump_python_code_for_inputs: Option<bool>,
|
||||||
pub exit_after_first_crash: bool
|
pub exit_after_first_crash: bool,
|
||||||
|
pub write_protected_input_buffer: bool,
|
||||||
}
|
}
|
||||||
impl FuzzerConfig{
|
impl FuzzerConfig{
|
||||||
pub fn new_from_loader(sharedir: &str, default: FuzzerConfigLoader, config: FuzzerConfigLoader) -> Self {
|
pub fn new_from_loader(sharedir: &str, default: FuzzerConfigLoader, config: FuzzerConfigLoader) -> Self {
|
||||||
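Review bot: The new `pub write_protected_input_buffer: bool,` field on FuzzerConfig carries no doc comment, and nothing else in the config layer says what it controls or what its default is. Suggest `/// Ask the hypervisor to write-protect the shared input (payload) buffer; the QemuProcess hunk forwards it to aux_buffer.config.protect_payload_buffer.` above the field. The same comment is worth adding to the copies of the field introduced on KernelVmParams, SnapshotVmParams and QemuParams in the later hunks, since those are the structs most readers will hit first.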
@ -157,6 +158,7 @@ impl FuzzerConfig{
|
|||||||
snapshot_placement: config.snapshot_placement.or(default.snapshot_placement).expect("no snapshot_placement specified"),
|
snapshot_placement: config.snapshot_placement.or(default.snapshot_placement).expect("no snapshot_placement specified"),
|
||||||
dump_python_code_for_inputs: config.dump_python_code_for_inputs.or(default.dump_python_code_for_inputs),
|
dump_python_code_for_inputs: config.dump_python_code_for_inputs.or(default.dump_python_code_for_inputs),
|
||||||
exit_after_first_crash: config.exit_after_first_crash.unwrap_or(default.exit_after_first_crash.unwrap_or(false)),
|
exit_after_first_crash: config.exit_after_first_crash.unwrap_or(default.exit_after_first_crash.unwrap_or(false)),
|
||||||
|
write_protected_input_buffer: config.write_protected_input_buffer,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
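Review bot: `write_protected_input_buffer: config.write_protected_input_buffer,` bypasses the default-config layering that every other field in this initializer uses (`config.x.or(default.x)` or `unwrap_or(default.x.unwrap_or(false))`), so a value set in the sharedir default config is silently ignored and only the per-run config counts. The consistent fix is to declare the loader field as `pub write_protected_input_buffer: Option<bool>,` (dropping the `#[serde(default = "default_write_protected_input_buffer")]` attribute and the helper added in the two FuzzerConfigLoader hunks) and write `write_protected_input_buffer: config.write_protected_input_buffer.or(default.write_protected_input_buffer).unwrap_or(false),` here. If the plain `bool` is kept instead, `#[serde(default)]` alone already yields `false` for a bool and `default_write_protected_input_buffer()` is unnecessary. The `new_from_loader` initializer begins outside this hunk.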
|
@ -36,6 +36,9 @@ pub enum FuzzRunnerConfigLoader {
|
|||||||
|
|
||||||
#[derive(Clone, Serialize, Deserialize)]
|
#[derive(Clone, Serialize, Deserialize)]
|
||||||
pub struct FuzzerConfigLoader {
|
pub struct FuzzerConfigLoader {
|
||||||
|
#[serde(default = "default_write_protected_input_buffer")]
|
||||||
|
pub write_protected_input_buffer: bool,
|
||||||
|
|
||||||
pub workdir_path: Option<String>,
|
pub workdir_path: Option<String>,
|
||||||
pub bitmap_size: Option<usize>,
|
pub bitmap_size: Option<usize>,
|
||||||
pub mem_limit: Option<usize>,
|
pub mem_limit: Option<usize>,
|
||||||
@ -51,6 +54,10 @@ pub struct FuzzerConfigLoader {
|
|||||||
pub exit_after_first_crash: Option<bool>,
|
pub exit_after_first_crash: Option<bool>,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn default_write_protected_input_buffer() -> bool {
|
||||||
|
false
|
||||||
|
}
|
||||||
|
|
||||||
#[derive(Clone, Serialize, Deserialize)]
|
#[derive(Clone, Serialize, Deserialize)]
|
||||||
pub struct ConfigLoader {
|
pub struct ConfigLoader {
|
||||||
pub include_default_config_path: Option<String>,
|
pub include_default_config_path: Option<String>,
|
||||||
|
@ -36,7 +36,8 @@ pub fn qemu_process_new_from_kernel(sharedir: String, cfg: &QemuKernelConfig, fu
|
|||||||
dump_python_code_for_inputs: match fuzz_cfg.dump_python_code_for_inputs{
|
dump_python_code_for_inputs: match fuzz_cfg.dump_python_code_for_inputs{
|
||||||
None => false,
|
None => false,
|
||||||
Some(x) => x,
|
Some(x) => x,
|
||||||
}
|
},
|
||||||
|
write_protected_input_buffer: fuzz_cfg.write_protected_input_buffer,
|
||||||
};
|
};
|
||||||
let qemu_id = fuzz_cfg.thread_id;
|
let qemu_id = fuzz_cfg.thread_id;
|
||||||
let qemu_params = params::QemuParams::new_from_kernel(&fuzz_cfg.workdir_path, qemu_id, ¶ms, fuzz_cfg.threads > 1);
|
let qemu_params = params::QemuParams::new_from_kernel(&fuzz_cfg.workdir_path, qemu_id, ¶ms, fuzz_cfg.threads > 1);
|
||||||
@ -75,7 +76,8 @@ pub fn qemu_process_new_from_snapshot(sharedir: String, cfg: &QemuSnapshotConfig
|
|||||||
dump_python_code_for_inputs: match fuzz_cfg.dump_python_code_for_inputs{
|
dump_python_code_for_inputs: match fuzz_cfg.dump_python_code_for_inputs{
|
||||||
None => false,
|
None => false,
|
||||||
Some(x) => x,
|
Some(x) => x,
|
||||||
}
|
},
|
||||||
|
write_protected_input_buffer: fuzz_cfg.write_protected_input_buffer,
|
||||||
};
|
};
|
||||||
let qemu_id = fuzz_cfg.thread_id;
|
let qemu_id = fuzz_cfg.thread_id;
|
||||||
let qemu_params = params::QemuParams::new_from_snapshot(&fuzz_cfg.workdir_path, qemu_id, fuzz_cfg.cpu_pin_start_at, ¶ms, fuzz_cfg.threads > 1);
|
let qemu_params = params::QemuParams::new_from_snapshot(&fuzz_cfg.workdir_path, qemu_id, fuzz_cfg.cpu_pin_start_at, ¶ms, fuzz_cfg.threads > 1);
|
||||||
@ -113,6 +115,7 @@ mod tests {
|
|||||||
bitmap_size: 0x1 << 16,
|
bitmap_size: 0x1 << 16,
|
||||||
debug: false,
|
debug: false,
|
||||||
dump_python_code_for_inputs: false,
|
dump_python_code_for_inputs: false,
|
||||||
|
write_protected_input_buffer: false,
|
||||||
};
|
};
|
||||||
let qemu_id = 1;
|
let qemu_id = 1;
|
||||||
let qemu_params = QemuParams::new_from_kernel(workdir, qemu_id, ¶ms);
|
let qemu_params = QemuParams::new_from_kernel(workdir, qemu_id, ¶ms);
|
||||||
|
@ -11,6 +11,7 @@ pub struct KernelVmParams {
|
|||||||
pub debug: bool,
|
pub debug: bool,
|
||||||
|
|
||||||
pub dump_python_code_for_inputs: bool,
|
pub dump_python_code_for_inputs: bool,
|
||||||
|
pub write_protected_input_buffer: bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub struct SnapshotVmParams{
|
pub struct SnapshotVmParams{
|
||||||
@ -24,6 +25,7 @@ pub struct SnapshotVmParams{
|
|||||||
pub debug: bool,
|
pub debug: bool,
|
||||||
|
|
||||||
pub dump_python_code_for_inputs: bool,
|
pub dump_python_code_for_inputs: bool,
|
||||||
|
pub write_protected_input_buffer: bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub struct QemuParams {
|
pub struct QemuParams {
|
||||||
@ -39,6 +41,7 @@ pub struct QemuParams {
|
|||||||
pub payload_size: usize,
|
pub payload_size: usize,
|
||||||
|
|
||||||
pub dump_python_code_for_inputs: bool,
|
pub dump_python_code_for_inputs: bool,
|
||||||
|
pub write_protected_input_buffer: bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl QemuParams {
|
impl QemuParams {
|
||||||
@ -152,6 +155,7 @@ impl QemuParams {
|
|||||||
bitmap_size: params.bitmap_size,
|
bitmap_size: params.bitmap_size,
|
||||||
payload_size: (1 << 16),
|
payload_size: (1 << 16),
|
||||||
dump_python_code_for_inputs: params.dump_python_code_for_inputs,
|
dump_python_code_for_inputs: params.dump_python_code_for_inputs,
|
||||||
|
write_protected_input_buffer: params.write_protected_input_buffer,
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -261,6 +265,7 @@ impl QemuParams {
|
|||||||
bitmap_size: params.bitmap_size,
|
bitmap_size: params.bitmap_size,
|
||||||
payload_size: (128 << 10),
|
payload_size: (128 << 10),
|
||||||
dump_python_code_for_inputs: params.dump_python_code_for_inputs,
|
dump_python_code_for_inputs: params.dump_python_code_for_inputs,
|
||||||
|
write_protected_input_buffer: params.write_protected_input_buffer,
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -176,7 +176,13 @@ impl QemuProcess {
|
|||||||
let mut aux_buffer = AuxBuffer::new(aux_shm_f);
|
let mut aux_buffer = AuxBuffer::new(aux_shm_f);
|
||||||
|
|
||||||
aux_buffer.validate_header();
|
aux_buffer.validate_header();
|
||||||
aux_buffer.config.protect_payload_buffer = 1;
|
if params.write_protected_input_buffer{
|
||||||
|
if params.qemu_id == 0 {
|
||||||
|
println!("[!] libnyx: input buffer is write protected");
|
||||||
|
}
|
||||||
|
aux_buffer.config.protect_payload_buffer = 1;
|
||||||
|
aux_buffer.config.changed = 1;
|
||||||
|
}
|
||||||
|
|
||||||
loop {
|
loop {
|
||||||
if aux_buffer.result.hprintf == 1 {
|
if aux_buffer.result.hprintf == 1 {
|
||||||
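Review bot: Replacing the previously unconditional `aux_buffer.config.protect_payload_buffer = 1;` with an opt-in whose loader default is `false` means every existing config that does not name the new key loses the input-buffer write protection it had before this commit, which the commit message does not mention. If that regression is not intended, return `true` from `default_write_protected_input_buffer()` so existing setups keep the protection and users opt out explicitly; if it is intended, say so in the message. The `false` path also leaves `protect_payload_buffer` at whatever `AuxBuffer::new` left in the shared header — if that is not guaranteed to be zeroed, write `aux_buffer.config.protect_payload_buffer = 0;` together with `aux_buffer.config.changed = 1;` in an `else` arm rather than relying on the initial contents. Minor: rustfmt wants `if params.write_protected_input_buffer {`. The enclosing QemuProcess method starts before and ends after this hunk.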
|