| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6f9f4746-7850-0de0-b531-0ea0e6d7ca82@amazon.com>
Date: Fri, 31 May 2019 10:39:43 +0200
From: Alexander Graf <graf@...zon.com>
To: Sam Caccavale <samcacc@...zon.de>
CC: <samcaccavale@...il.com>, <nmanthey@...zon.de>,
<wipawel@...zon.de>, <dwmw@...zon.co.uk>, <mpohlack@...zon.de>,
<graf@...zon.de>, <karahmed@...zon.de>,
<andrew.cooper3@...rix.com>, <JBeulich@...e.com>,
<pbonzini@...hat.com>, <rkrcmar@...hat.com>, <tglx@...utronix.de>,
<mingo@...hat.com>, <bp@...en8.de>, <hpa@...or.com>,
<paullangton4@...il.com>, <anirudhkaushik@...gle.com>,
<x86@...nel.org>, <kvm@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: x86 instruction emulator fuzzing
On 21.05.19 17:39, Sam Caccavale wrote:
> Dear all,
>
> This series aims to provide an entrypoint for, and fuzz KVM's x86 instruction
> emulator from userspace. It mirrors Xen's application of the AFL fuzzer to
> it's instruction emulator in the hopes of discovering vulnerabilities.
> Since this entrypoint also allows arbitrary execution of the emulators code
> from userspace, it may also be useful for testing.
>
> The current 3 patches build the emulator and 2 harnesses: simple-harness is
> an example of unit testing; afl-harness is a frontend for the AFL fuzzer.
> They are early POC and include some issues outlined under "Issues."
>
> Patches
> =======
>
> - 01: Builds and links afl-harness with the required kernel objects.
> - 02: Introduces the minimal set of emulator operations and supporting code
> to emulate simple instructions.
> - 03: Demonstrates simple-harness as a unit test.
>
> Issues
> =======
>
> 1. Currently, building requires manually running the `make_deps` script
> since I was unable to make the kernel objects a dependency of the tool.
> 2. The code will segfault if `CONFIG_STACKPROTECTOR=y` in config.
> 3. The code requires stderr to be buffered or it otherwise segfaults.
>
> The latter two issues seem related and all of them are likely fixable by
> someone more familiar with the linux than me.
>
> Concerns
> =======
>
> I was able to carve the `arch/x86/kvm/emulate.c` code, but the emulator is
> constructed in such a way that a lot of the code which enforces expected
> behavior lives in the x86_emulate_ops supplied in `arch/x86/kvm/x86.c`.
> Testing the emulator is still valuable, but a reproducible way to use the kvm
> ops would be useful.
>
> Any comments/suggestions are greatly appreciated.
First off, thanks a lot for this :). The x86 emulator has been a sore
(bug prone) point in KVM for a long time and I'm surprised it's not
covered by fuzzing yet. It's great to see that finally happening.
A few nits:
1) Cover letter should be [PATCH 0/3]. Just generate it with git
format-patch --cover-letter.
2) The directory name "x86_instruction_emulation" is a bit long, no?
3) I think the cover letter should also detail how this relates to
other fuzzing efforts and why we need another, separate one.
Alex
Powered by blists - more mailing lists