Re: [Xen-devel] [PATCH 05/10] tools/insn-fuzz: Fix a stability bug in afl-clang-fast mode

2017-03-27 Thread Jan Beulich
>>> On 27.03.17 at 11:56,  wrote:
> The fuzzing harness conditionally disables hooks to test error paths in the
> emulator.  However, fuzz_emulops is a static structure.
> 
> c/s 69f4633 "tools/insn-fuzz: Support AFL's afl-clang-fast mode" introduced
> persistent mode, but because fuzz_emulops is static, the clobbering of hooks
> accumulates over repeated input, meaning that previous corpora influence the
> execution over the current corpus.
> 
> Move the partially clobbered struct x86_emulate_ops into struct fuzz_state,
> which is re-initialised from full on each call to LLVMFuzzerTestOneInput().
> 
> Signed-off-by: Andrew Cooper 

Reviewed-by: Jan Beulich 



___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


[Xen-devel] [PATCH 05/10] tools/insn-fuzz: Fix a stability bug in afl-clang-fast mode

2017-03-27 Thread Andrew Cooper
The fuzzing harness conditionally disables hooks to test error paths in the
emulator.  However, fuzz_emulops is a static structure.

c/s 69f4633 "tools/insn-fuzz: Support AFL's afl-clang-fast mode" introduced
persistent mode, but because fuzz_emulops is static, the clobbering of hooks
accumulates over repeated input, meaning that previous corpora influence the
execution over the current corpus.

Move the partially clobbered struct x86_emulate_ops into struct fuzz_state,
which is re-initialised from full on each call to LLVMFuzzerTestOneInput().

Signed-off-by: Andrew Cooper 
---
CC: Jan Beulich 
CC: George Dunlap 
CC: Ian Jackson 
CC: Wei Liu 
---
 tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c 
b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index 907275b..06d7cdc 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -47,6 +47,9 @@ struct fuzz_state
 
 /* Amount of corpus->data[] consumed thus far. */
 size_t data_index;
+
+/* Emulation ops, some of which are disabled based on corpus->options. */
+struct x86_emulate_ops ops;
 };
 
 /*
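Review bot: the comment on the new `ops` member says hooks are disabled "based on corpus->options", while the MAYBE_DISABLE_HOOK() macro later in this patch tests a variable named `bitmap`; if `bitmap` is derived from corpus->options, consider naming that in the comment so the two can be connected without reading the macro's caller. Embedding the full ops table in struct fuzz_state is the right trade-off here, since a fresh copy per input is exactly what restores independence between corpora.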
@@ -451,7 +454,7 @@ static int fuzz_write_msr(
 }
 
 #define SET(h) .h = fuzz_##h
-static struct x86_emulate_ops fuzz_emulops = {
+static const struct x86_emulate_ops all_fuzzer_ops = {
 SET(read),
 SET(insn_fetch),
 SET(write),
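Review bot: making the template `static const` is the important half of this fix: the hook clobbering that accumulated across persistent-mode iterations can no longer happen through this object, and any leftover reference to the old `fuzz_emulops` name fails to build instead of silently re-introducing shared state. The diffstat (one file, 9 insertions, 4 deletions) is consistent with the remaining users all being covered by the later hunks.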
@@ -592,7 +595,7 @@ enum {
 #define MAYBE_DISABLE_HOOK(h)  \
 if ( bitmap & (1 << HOOK_##h) )\
 {  \
-fuzz_emulops.h = NULL; \
+s->ops.h = NULL;   \
 printf("Disabling hook "#h"\n");   \
 }
 
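Review bot: `s->ops.h = NULL;` makes MAYBE_DISABLE_HOOK() depend on a local named `s` being in scope wherever it is expanded, and that definition is not visible in this hunk; consider passing the state pointer as a macro parameter (for example `MAYBE_DISABLE_HOOK(s, h)`) so the dependency is explicit, or confirm that `s` is the struct fuzz_state pointer at every expansion site.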
@@ -713,7 +716,9 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
 int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
 {
 struct cpu_user_regs regs = {};
-struct fuzz_state state = {};
+struct fuzz_state state = {
+.ops = all_fuzzer_ops,
+};
 struct x86_emulate_ctxt ctxt = {
 .data = &state,
 .regs = ®s,
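Review bot: the designated initialiser `.ops = all_fuzzer_ops,` keeps the remaining members zero-initialised as the previous `{}` did, and copying the const table into the stack-local state on every call is what gives each input an untouched hook set under persistent mode; a one-line comment at this point saying the copy is deliberate would help, since a future reader may be tempted to point at all_fuzzer_ops directly and reintroduce the shared-state bug.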
@@ -755,7 +760,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t 
size)
 set_sizes(&ctxt);
 dump_state(&ctxt);
 
-rc = x86_emulate(&ctxt, &fuzz_emulops);
+rc = x86_emulate(&ctxt, &state.ops);
 printf("Emulation result: %d\n", rc);
 } while ( rc == X86EMUL_OKAY );
 
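Review bot: with `&state.ops` passed here, the do/while loop keeps the same partially disabled ops table for every instruction emulated from one input, so hook disabling is scoped per input rather than per instruction; if that is the intended scope it may be worth a comment, since the old global made the scope (all inputs, for the life of the process) implicit.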
-- 
2.1.4

