| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Jun 2019 17:19:10 +0200
From: <samcacc@...zon.com>
To: Alexander Graf <graf@...zon.com>, Sam Caccavale <samcacc@...zon.de>
CC: <samcaccavale@...il.com>, <nmanthey@...zon.de>,
<wipawel@...zon.de>, <dwmw@...zon.co.uk>, <mpohlack@...zon.de>,
<graf@...zon.de>, <karahmed@...zon.de>,
<andrew.cooper3@...rix.com>, <JBeulich@...e.com>,
<pbonzini@...hat.com>, <rkrcmar@...hat.com>, <tglx@...utronix.de>,
<mingo@...hat.com>, <bp@...en8.de>, <hpa@...or.com>,
<paullangton4@...il.com>, <anirudhkaushik@...gle.com>,
<x86@...nel.org>, <kvm@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: x86 instruction emulator fuzzing
On 5/31/19 10:39 AM, Alexander Graf wrote:
>
> On 21.05.19 17:39, Sam Caccavale wrote:
>> Dear all,
>>
>> This series aims to provide an entrypoint for, and fuzz KVM's x86
>> instruction
>> emulator from userspace. It mirrors Xen's application of the AFL
>> fuzzer to
>> it's instruction emulator in the hopes of discovering vulnerabilities.
>> Since this entrypoint also allows arbitrary execution of the emulators
>> code
>> from userspace, it may also be useful for testing.
>>
>> The current 3 patches build the emulator and 2 harnesses:
>> simple-harness is
>> an example of unit testing; afl-harness is a frontend for the AFL fuzzer.
>> They are early POC and include some issues outlined under "Issues."
>>
>> Patches
>> =======
>>
>> - 01: Builds and links afl-harness with the required kernel objects.
>> - 02: Introduces the minimal set of emulator operations and supporting
>> code
>> to emulate simple instructions.
>> - 03: Demonstrates simple-harness as a unit test.
>>
>> Issues
>> =======
>>
>> 1. Currently, building requires manually running the `make_deps` script
>> since I was unable to make the kernel objects a dependency of the tool.
>> 2. The code will segfault if `CONFIG_STACKPROTECTOR=y` in config.
>> 3. The code requires stderr to be buffered or it otherwise segfaults.
>>
>> The latter two issues seem related and all of them are likely fixable by
>> someone more familiar with the linux than me.
>>
>> Concerns
>> =======
>>
>> I was able to carve the `arch/x86/kvm/emulate.c` code, but the
>> emulator is
>> constructed in such a way that a lot of the code which enforces expected
>> behavior lives in the x86_emulate_ops supplied in `arch/x86/kvm/x86.c`.
>> Testing the emulator is still valuable, but a reproducible way to use
>> the kvm
>> ops would be useful.
>>
>> Any comments/suggestions are greatly appreciated.
>
>
> First off, thanks a lot for this :). The x86 emulator has been a sore
> (bug prone) point in KVM for a long time and I'm surprised it's not
> covered by fuzzing yet. It's great to see that finally happening.
>
> A few nits:
>
> 1) Cover letter should be [PATCH 0/3]. Just generate it with git
> format-patch --cover-letter.
Understood and corrected in v2.
> 2) The directory name "x86_instruction_emulation" is a bit long, no?
Yes it is. While tab completion has mostly kept me sane until now, I've
renamed the folder to `x86ie`s
> 3) I think the cover letter should also detail how this relates to
> other fuzzing efforts and why we need another, separate one.
This sounds worthwhile. In the interest of time I haven't included this
in v2, but I'll write it up as soon as possible and update.
>
>
> Alex
>
>
Thanks for the advice, v2 to follow.
Sam
Powered by blists - more mailing lists