Re: [Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability
On 10/10/2017 07:44 PM, Andrew Cooper wrote: > On 10/10/17 17:20, George Dunlap wrote: >> @@ -659,7 +667,10 @@ static void setup_state(struct x86_emulate_ctxt *ctxt) >> { >> /* Fuzz all of the state in one go */ >> if ( !input_read(s, s, DATA_SIZE_FULL) ) >> +{ >> +printf("Input size too small\n"); >> exit(-1); >> +} > > Is this hunk intended to be in the previous patch? Looking more into it, I suppose it shouldn't be needed at all, since we check the input size in the main fuzzing function. > >> @@ -886,21 +896,144 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) >> return 0; >> } >> >> -int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size) >> +static void setup_fuzz_state(struct fuzz_state *state, const void *data_p, >> size_t size) >> { >> -struct fuzz_state state = { >> -.ops = all_fuzzer_ops, >> -}; >> -struct x86_emulate_ctxt ctxt = { >> -.data = , >> -.regs = , >> -.addr_size = 8 * sizeof(void *), >> -.sp_size = 8 * sizeof(void *), >> -}; >> +memset(state, 0, sizeof(*state)); >> +state->corpus = data_p; >> +state->data_num = size; >> +} >> + >> +static int runtest(struct fuzz_state *state) { >> int rc; >> >> -/* Reset all global state variables */ >> -memset(, 0, sizeof(input)); >> +struct x86_emulate_ctxt *ctxt = >ctxt; >> + >> +state->ops = all_fuzzer_ops; >> + >> +ctxt->data = state; >> +ctxt->regs = >regs; >> + >> +setup_state(ctxt); >> + >> +sanitize_state(ctxt); >> + >> +disable_hooks(state); >> + >> +do { >> +/* FIXME: Until we actually implement SIGFPE handling properly */ >> +setup_fpu_exception_handler(); >> + >> +set_sizes(ctxt); >> +dump_state(ctxt); >> + >> +rc = x86_emulate(ctxt, >ops); >> +printf("Emulation result: %d\n", rc); >> +} while ( rc == X86EMUL_OKAY ); >> + >> +return 0; >> +} >> + >> +static void compare_states(struct fuzz_state state[2]) >> +{ >> +// First zero any "internal" pointers > > /* */ Ack > >> +state[0].corpus = state[1].corpus = NULL; >> +state[0].ctxt.data = state[1].ctxt.data = NULL; >> +state[0].ctxt.regs = state[1].ctxt.regs = NULL; >> + >> +if ( memcmp([0], [1], sizeof(struct fuzz_state)) ) >> +{ >> +unsigned int i; >> + >> +printf("State mismatch\n"); >> + >> +for ( i=0; i> Various spaces. Ack > >> +if ( state[0].cr[i] != state[1].cr[i] ) >> +printf("cr[%u]: %lx != %lx\n", >> + i, state[0].cr[i], state[1].cr[i]); >> + >> +for ( i=0; i > +if ( state[0].msr[i] != state[1].msr[i] ) >> +printf("msr[%u]: %lx != %lx\n", >> + i, state[0].msr[i], state[1].msr[i]); >> + >> +for ( i=0; i > +if ( memcmp([0].segments[i], [1].segments[i], >> +sizeof(state[0].segments[0])) ) >> +printf("segments[%u]: [%x:%x:%x:%lx] != [%x:%x:%x:%lx]!\n", >> i, >> + (unsigned)state[0].segments[i].sel, >> + (unsigned)state[0].segments[i].attr, >> + state[0].segments[i].limit, >> + state[0].segments[i].base, >> + (unsigned)state[1].segments[i].sel, >> + (unsigned)state[1].segments[i].attr, >> + state[1].segments[i].limit, >> + state[1].segments[i].base); >> + >> +if ( state[0].data_num != state[1].data_num ) >> +printf("data_num: %lx != %lx\n", state[0].data_num, >> + state[1].data_num); >> +if ( state[0].data_index != state[1].data_index ) >> +printf("data_index: %lx != %lx\n", state[0].data_index, >> + state[1].data_index); >> + >> +if ( memcmp([0].regs, [1].regs, sizeof(state[0].regs)) ) >> +{ >> +printf("registers differ!\n"); >> +/* Print If Not Equal */ >> +#define PINE(elem)\ > > PRINT_NE() ? OK. > >> +if ( state[0].elem != state[1].elem ) \ >> +printf(#elem " differ: %lx != %lx\n", \ >> + (unsigned long)state[0].elem, \ >> + (unsigned long)state[1].elem) >> +PINE(regs.r15); > > Hmm - this is going to cause problems for the 32bit build. I can't > think of an easy suggestion to fix it. > >> +PINE(regs.r14); >> +PINE(regs.r13); >> +PINE(regs.r12); >> +PINE(regs.rbp); >> +PINE(regs.rbx); >> +PINE(regs.r10); >> +PINE(regs.r11); >> +PINE(regs.r9); >> +PINE(regs.r8); >> +PINE(regs.rax); >> +
Re: [Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability
>>> On 10.10.17 at 20:44,wrote: > On 10/10/17 17:20, George Dunlap wrote: >> +if ( state[0].elem != state[1].elem ) \ >> +printf(#elem " differ: %lx != %lx\n", \ >> + (unsigned long)state[0].elem, \ >> + (unsigned long)state[1].elem) >> +PINE(regs.r15); > > Hmm - this is going to cause problems for the 32bit build. I can't > think of an easy suggestion to fix it. The fuzzer isn't being built as a 32-bit binary: ifeq ($(CONFIG_X86_64),y) x86-insn-fuzz-all: x86-insn-fuzzer.a fuzz-emul.o afl else x86-insn-fuzz-all: endif Jan ___ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel
Re: [Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability
On 10/10/17 17:20, George Dunlap wrote: > @@ -659,7 +667,10 @@ static void setup_state(struct x86_emulate_ctxt *ctxt) > { > /* Fuzz all of the state in one go */ > if ( !input_read(s, s, DATA_SIZE_FULL) ) > +{ > +printf("Input size too small\n"); > exit(-1); > +} Is this hunk intended to be in the previous patch? > @@ -886,21 +896,144 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) > return 0; > } > > -int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size) > +static void setup_fuzz_state(struct fuzz_state *state, const void *data_p, > size_t size) > { > -struct fuzz_state state = { > -.ops = all_fuzzer_ops, > -}; > -struct x86_emulate_ctxt ctxt = { > -.data = , > -.regs = , > -.addr_size = 8 * sizeof(void *), > -.sp_size = 8 * sizeof(void *), > -}; > +memset(state, 0, sizeof(*state)); > +state->corpus = data_p; > +state->data_num = size; > +} > + > +static int runtest(struct fuzz_state *state) { > int rc; > > -/* Reset all global state variables */ > -memset(, 0, sizeof(input)); > +struct x86_emulate_ctxt *ctxt = >ctxt; > + > +state->ops = all_fuzzer_ops; > + > +ctxt->data = state; > +ctxt->regs = >regs; > + > +setup_state(ctxt); > + > +sanitize_state(ctxt); > + > +disable_hooks(state); > + > +do { > +/* FIXME: Until we actually implement SIGFPE handling properly */ > +setup_fpu_exception_handler(); > + > +set_sizes(ctxt); > +dump_state(ctxt); > + > +rc = x86_emulate(ctxt, >ops); > +printf("Emulation result: %d\n", rc); > +} while ( rc == X86EMUL_OKAY ); > + > +return 0; > +} > + > +static void compare_states(struct fuzz_state state[2]) > +{ > +// First zero any "internal" pointers /* */ > +state[0].corpus = state[1].corpus = NULL; > +state[0].ctxt.data = state[1].ctxt.data = NULL; > +state[0].ctxt.regs = state[1].ctxt.regs = NULL; > + > +if ( memcmp([0], [1], sizeof(struct fuzz_state)) ) > +{ > +unsigned int i; > + > +printf("State mismatch\n"); > + > +for ( i=0; i+if ( state[0].cr[i] != state[1].cr[i] ) > +printf("cr[%u]: %lx != %lx\n", > + i, state[0].cr[i], state[1].cr[i]); > + > +for ( i=0; i +if ( state[0].msr[i] != state[1].msr[i] ) > +printf("msr[%u]: %lx != %lx\n", > + i, state[0].msr[i], state[1].msr[i]); > + > +for ( i=0; i +if ( memcmp([0].segments[i], [1].segments[i], > +sizeof(state[0].segments[0])) ) > +printf("segments[%u]: [%x:%x:%x:%lx] != [%x:%x:%x:%lx]!\n", > i, > + (unsigned)state[0].segments[i].sel, > + (unsigned)state[0].segments[i].attr, > + state[0].segments[i].limit, > + state[0].segments[i].base, > + (unsigned)state[1].segments[i].sel, > + (unsigned)state[1].segments[i].attr, > + state[1].segments[i].limit, > + state[1].segments[i].base); > + > +if ( state[0].data_num != state[1].data_num ) > +printf("data_num: %lx != %lx\n", state[0].data_num, > + state[1].data_num); > +if ( state[0].data_index != state[1].data_index ) > +printf("data_index: %lx != %lx\n", state[0].data_index, > + state[1].data_index); > + > +if ( memcmp([0].regs, [1].regs, sizeof(state[0].regs)) ) > +{ > +printf("registers differ!\n"); > +/* Print If Not Equal */ > +#define PINE(elem)\ PRINT_NE() ? > +if ( state[0].elem != state[1].elem ) \ > +printf(#elem " differ: %lx != %lx\n", \ > + (unsigned long)state[0].elem, \ > + (unsigned long)state[1].elem) > +PINE(regs.r15); Hmm - this is going to cause problems for the 32bit build. I can't think of an easy suggestion to fix it. > +PINE(regs.r14); > +PINE(regs.r13); > +PINE(regs.r12); > +PINE(regs.rbp); > +PINE(regs.rbx); > +PINE(regs.r10); > +PINE(regs.r11); > +PINE(regs.r9); > +PINE(regs.r8); > +PINE(regs.rax); > +PINE(regs.rcx); > +PINE(regs.rdx); > +PINE(regs.rsi); > +PINE(regs.rdi); > + > +for ( i = offsetof(struct cpu_user_regs, error_code) / > sizeof(unsigned); > + i < sizeof(state[1].regs)/sizeof(unsigned); i++ ) > +{ > +printf("[%04lu] %08x
[Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability
Current stability numbers are not 100%. In order to help track this down, add a --rerun option which will run the same input twice, resetting the state between each run, and comparing the state afterwards. If the state differs, call abort(). This allows AFL to help the process of tracking down what state is not being reset properly between runs by proving testcases that demonstrate the behavior. To do this: - Move ctxt into struct fuzz-state to simplify handling - Rather than copying the data into input, treat the data handed as immutable and point each "copy" to it - Factor out various steps (setting up fuzz state, running an individual test) so that they can be efficiently run either once or twice (as necessary) - Compare the states afterwards, printing what's different and calling abort() if anything is found. Signed-off-by: George Dunlap--- v3: - Make new local functions static - Avoid losing const-ness of pointer in setup_fuzz_state() - Remove useless *_size initialization - Remove extra blank line - Use ARRAY_SIZE() when appropriate - Move opt_rerun declaration into fuzz-emul.h - Change loop variable to unsigned int - Print segment contents when segments differ v2: - Fix some coding style issues - Port over previous changes CC: Ian Jackson CC: Wei Liu CC: Andrew Cooper CC: Jan Beulich --- tools/fuzz/x86_instruction_emulator/afl-harness.c | 8 +- tools/fuzz/x86_instruction_emulator/fuzz-emul.c | 194 ++ tools/fuzz/x86_instruction_emulator/fuzz-emul.h | 1 + 3 files changed, 171 insertions(+), 32 deletions(-) diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c b/tools/fuzz/x86_instruction_emulator/afl-harness.c index 052239cea4..4a55ac3c3f 100644 --- a/tools/fuzz/x86_instruction_emulator/afl-harness.c +++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c @@ -23,10 +23,12 @@ int main(int argc, char **argv) enum { OPT_MIN_SIZE, OPT_COMPACT, +OPT_RERUN, }; static const struct option lopts[] = { { "min-input-size", no_argument, NULL, OPT_MIN_SIZE }, { "compact", required_argument, NULL, OPT_COMPACT }, +{ "rerun", no_argument, NULL, OPT_RERUN }, { 0, 0, 0, 0 } }; int c = getopt_long_only(argc, argv, "", lopts, NULL); @@ -45,8 +47,12 @@ int main(int argc, char **argv) opt_compact = atoi(optarg); break; +case OPT_RERUN: +opt_rerun = true; +break; + case '?': -printf("Usage: %s [--compact=0|1] $FILE [$FILE...] | [--min-input-size]\n", argv[0]); +printf("Usage: %s [--compact=0|1] [--rerun] $FILE [$FILE...] | [--min-input-size]\n", argv[0]); exit(-1); break; diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c index b6ebcebc19..7685e976b8 100644 --- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c +++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c @@ -43,7 +43,7 @@ struct fuzz_state /* Fuzzer's input data. */ #define DATA_SIZE_FULL offsetof(struct fuzz_state, corpus) -struct fuzz_corpus *corpus; +const struct fuzz_corpus *corpus; /* Real amount of data backing corpus->data[]. */ size_t data_num; @@ -53,6 +53,7 @@ struct fuzz_state /* Emulation ops, some of which are disabled based on corpus->options. */ struct x86_emulate_ops ops; +struct x86_emulate_ctxt ctxt; }; bool opt_compact = true; @@ -495,6 +496,12 @@ static int fuzz_read_msr( const struct fuzz_state *s = ctxt->data; unsigned int idx; +/* + * NB at the moment dump_state() relies on the fact that this + * cannot fail. If we add in fuzzed failures we'll have to handle + * that differently. + */ + switch ( reg ) { case MSR_TSC_AUX: @@ -615,6 +622,7 @@ static void dump_state(struct x86_emulate_ctxt *ctxt) printf(" rip: %"PRIx64"\n", regs->rip); +/* read_msr() never fails at the moment */ fuzz_read_msr(MSR_EFER, , ctxt); printf("EFER: %"PRIx64"\n", val); } @@ -659,7 +667,10 @@ static void setup_state(struct x86_emulate_ctxt *ctxt) { /* Fuzz all of the state in one go */ if ( !input_read(s, s, DATA_SIZE_FULL) ) +{ +printf("Input size too small\n"); exit(-1); +} return; } @@ -789,9 +800,8 @@ enum { printf("Disabling hook "#h"\n"); \ } -static void disable_hooks(struct x86_emulate_ctxt *ctxt) +static void disable_hooks(struct fuzz_state *s) { -struct fuzz_state *s = ctxt->data; unsigned long bitmap = s->options; /* See also sanitize_input, some hooks can't be disabled. */ @@ -839,7 +849,7 @@ static void