lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 31 May 2019 10:39:43 +0200
From:   Alexander Graf <graf@...zon.com>
To:     Sam Caccavale <samcacc@...zon.de>
CC:     <samcaccavale@...il.com>, <nmanthey@...zon.de>,
        <wipawel@...zon.de>, <dwmw@...zon.co.uk>, <mpohlack@...zon.de>,
        <graf@...zon.de>, <karahmed@...zon.de>,
        <andrew.cooper3@...rix.com>, <JBeulich@...e.com>,
        <pbonzini@...hat.com>, <rkrcmar@...hat.com>, <tglx@...utronix.de>,
        <mingo@...hat.com>, <bp@...en8.de>, <hpa@...or.com>,
        <paullangton4@...il.com>, <anirudhkaushik@...gle.com>,
        <x86@...nel.org>, <kvm@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>
Subject: Re: x86 instruction emulator fuzzing


On 21.05.19 17:39, Sam Caccavale wrote:
> Dear all,
>
> This series aims to provide an entrypoint for, and fuzz KVM's x86 instruction
> emulator from userspace.  It mirrors Xen's application of the AFL fuzzer to
> it's instruction emulator in the hopes of discovering vulnerabilities.
> Since this entrypoint also allows arbitrary execution of the emulators code
> from userspace, it may also be useful for testing.
>
> The current 3 patches build the emulator and 2 harnesses: simple-harness is
> an example of unit testing; afl-harness is a frontend for the AFL fuzzer.
> They are early POC and include some issues outlined under "Issues."
>
> Patches
> =======
>
> - 01: Builds and links afl-harness with the required kernel objects.
> - 02: Introduces the minimal set of emulator operations and supporting code
> to emulate simple instructions.
> - 03: Demonstrates simple-harness as a unit test.
>
> Issues
> =======
>
> 1. Currently, building requires manually running the `make_deps` script
> since I was unable to make the kernel objects a dependency of the tool.
> 2. The code will segfault if `CONFIG_STACKPROTECTOR=y` in config.
> 3. The code requires stderr to be buffered or it otherwise segfaults.
>
> The latter two issues seem related and all of them are likely fixable by
> someone more familiar with the linux than me.
>
> Concerns
> =======
>
> I was able to carve the `arch/x86/kvm/emulate.c` code, but the emulator is
> constructed in such a way that a lot of the code which enforces expected
> behavior lives in the x86_emulate_ops supplied in `arch/x86/kvm/x86.c`.
> Testing the emulator is still valuable, but a reproducible way to use the kvm
> ops would be useful.
>
> Any comments/suggestions are greatly appreciated.


First off, thanks a lot for this :). The x86 emulator has been a sore 
(bug prone) point in KVM for a long time and I'm surprised it's not 
covered by fuzzing yet. It's great to see that finally happening.

A few nits:

   1) Cover letter should be [PATCH 0/3]. Just generate it with git 
format-patch --cover-letter.
   2) The directory name "x86_instruction_emulation" is a bit long, no?
   3) I think the cover letter should also detail how this relates to 
other fuzzing efforts and why we need another, separate one.


Alex

Powered by blists - more mailing lists