subject:"\[Xen\-devel\] \[PATCH v3 10\/12\] fuzz\/x86_emulate\: Add \-\-rerun option to try to track down instability"

Re: [Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability

2017-10-11 Thread George Dunlap

On 10/10/2017 07:44 PM, Andrew Cooper wrote:
> On 10/10/17 17:20, George Dunlap wrote:
>> @@ -659,7 +667,10 @@ static void setup_state(struct x86_emulate_ctxt *ctxt)
>>  {
>>  /* Fuzz all of the state in one go */
>>  if ( !input_read(s, s, DATA_SIZE_FULL) )
>> +{
>> +printf("Input size too small\n");
>>  exit(-1);
>> +}
> 
> Is this hunk intended to be in the previous patch?

Looking more into it, I suppose it shouldn't be needed at all, since we
check the input size in the main fuzzing function.

> 
>> @@ -886,21 +896,144 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
>>  return 0;
>>  }
>>  
>> -int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
>> +static void setup_fuzz_state(struct fuzz_state *state, const void *data_p, 
>> size_t size)
>>  {
>> -struct fuzz_state state = {
>> -.ops = all_fuzzer_ops,
>> -};
>> -struct x86_emulate_ctxt ctxt = {
>> -.data = ,
>> -.regs = ,
>> -.addr_size = 8 * sizeof(void *),
>> -.sp_size = 8 * sizeof(void *),
>> -};
>> +memset(state, 0, sizeof(*state));
>> +state->corpus = data_p;
>> +state->data_num = size;
>> +}
>> +
>> +static int runtest(struct fuzz_state *state) {
>>  int rc;
>>  
>> -/* Reset all global state variables */
>> -memset(, 0, sizeof(input));
>> +struct x86_emulate_ctxt *ctxt = >ctxt;
>> +
>> +state->ops = all_fuzzer_ops;
>> +
>> +ctxt->data = state;
>> +ctxt->regs = >regs;
>> +
>> +setup_state(ctxt);
>> +
>> +sanitize_state(ctxt);
>> +
>> +disable_hooks(state);
>> +
>> +do {
>> +/* FIXME: Until we actually implement SIGFPE handling properly */
>> +setup_fpu_exception_handler();
>> +
>> +set_sizes(ctxt);
>> +dump_state(ctxt);
>> +
>> +rc = x86_emulate(ctxt, >ops);
>> +printf("Emulation result: %d\n", rc);
>> +} while ( rc == X86EMUL_OKAY );
>> +
>> +return 0;
>> +}
>> +
>> +static void compare_states(struct fuzz_state state[2])
>> +{
>> +// First zero any "internal" pointers
> 
> /* */

Ack

> 
>> +state[0].corpus = state[1].corpus = NULL;
>> +state[0].ctxt.data = state[1].ctxt.data = NULL;
>> +state[0].ctxt.regs = state[1].ctxt.regs = NULL;
>> +
>> +if ( memcmp([0], [1], sizeof(struct fuzz_state)) )
>> +{
>> +unsigned int i;
>> +
>> +printf("State mismatch\n");
>> +
>> +for ( i=0; i 
> Various spaces.

Ack

> 
>> +if ( state[0].cr[i] != state[1].cr[i] )
>> +printf("cr[%u]: %lx != %lx\n",
>> +   i, state[0].cr[i], state[1].cr[i]);
>> +
>> +for ( i=0; i> +if ( state[0].msr[i] != state[1].msr[i] )
>> +printf("msr[%u]: %lx != %lx\n",
>> +   i, state[0].msr[i], state[1].msr[i]);
>> +
>> +for ( i=0; i> +if ( memcmp([0].segments[i], [1].segments[i],
>> +sizeof(state[0].segments[0])) )
>> +printf("segments[%u]: [%x:%x:%x:%lx] != [%x:%x:%x:%lx]!\n", 
>> i,
>> +   (unsigned)state[0].segments[i].sel,
>> +   (unsigned)state[0].segments[i].attr,
>> +   state[0].segments[i].limit,
>> +   state[0].segments[i].base,
>> +   (unsigned)state[1].segments[i].sel,
>> +   (unsigned)state[1].segments[i].attr,
>> +   state[1].segments[i].limit,
>> +   state[1].segments[i].base);
>> +
>> +if ( state[0].data_num != state[1].data_num )
>> +printf("data_num: %lx !=  %lx\n", state[0].data_num,
>> +   state[1].data_num);
>> +if ( state[0].data_index != state[1].data_index )
>> +printf("data_index: %lx !=  %lx\n", state[0].data_index,
>> +   state[1].data_index);
>> +
>> +if ( memcmp([0].regs, [1].regs, sizeof(state[0].regs)) )
>> +{
>> +printf("registers differ!\n");
>> +/* Print If Not Equal */
>> +#define PINE(elem)\
> 
> PRINT_NE() ?

OK.

> 
>> +if ( state[0].elem != state[1].elem ) \
>> +printf(#elem " differ: %lx != %lx\n", \
>> +   (unsigned long)state[0].elem, \
>> +   (unsigned long)state[1].elem)
>> +PINE(regs.r15);
> 
> Hmm - this is going to cause problems for the 32bit build.  I can't
> think of an easy suggestion to fix it.
> 
>> +PINE(regs.r14);
>> +PINE(regs.r13);
>> +PINE(regs.r12);
>> +PINE(regs.rbp);
>> +PINE(regs.rbx);
>> +PINE(regs.r10);
>> +PINE(regs.r11);
>> +PINE(regs.r9);
>> +PINE(regs.r8);
>> +PINE(regs.rax);
>> +

Re: [Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability

2017-10-11 Thread Jan Beulich

>>> On 10.10.17 at 20:44,  wrote:
> On 10/10/17 17:20, George Dunlap wrote:
>> +if ( state[0].elem != state[1].elem ) \
>> +printf(#elem " differ: %lx != %lx\n", \
>> +   (unsigned long)state[0].elem, \
>> +   (unsigned long)state[1].elem)
>> +PINE(regs.r15);
> 
> Hmm - this is going to cause problems for the 32bit build.  I can't
> think of an easy suggestion to fix it.

The fuzzer isn't being built as a 32-bit binary:

ifeq ($(CONFIG_X86_64),y)
x86-insn-fuzz-all: x86-insn-fuzzer.a fuzz-emul.o afl
else
x86-insn-fuzz-all:
endif

Jan


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability

2017-10-10 Thread Andrew Cooper

On 10/10/17 17:20, George Dunlap wrote:
> @@ -659,7 +667,10 @@ static void setup_state(struct x86_emulate_ctxt *ctxt)
>  {
>  /* Fuzz all of the state in one go */
>  if ( !input_read(s, s, DATA_SIZE_FULL) )
> +{
> +printf("Input size too small\n");
>  exit(-1);
> +}

Is this hunk intended to be in the previous patch?

> @@ -886,21 +896,144 @@ int LLVMFuzzerInitialize(int *argc, char ***argv)
>  return 0;
>  }
>  
> -int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size)
> +static void setup_fuzz_state(struct fuzz_state *state, const void *data_p, 
> size_t size)
>  {
> -struct fuzz_state state = {
> -.ops = all_fuzzer_ops,
> -};
> -struct x86_emulate_ctxt ctxt = {
> -.data = ,
> -.regs = ,
> -.addr_size = 8 * sizeof(void *),
> -.sp_size = 8 * sizeof(void *),
> -};
> +memset(state, 0, sizeof(*state));
> +state->corpus = data_p;
> +state->data_num = size;
> +}
> +
> +static int runtest(struct fuzz_state *state) {
>  int rc;
>  
> -/* Reset all global state variables */
> -memset(, 0, sizeof(input));
> +struct x86_emulate_ctxt *ctxt = >ctxt;
> +
> +state->ops = all_fuzzer_ops;
> +
> +ctxt->data = state;
> +ctxt->regs = >regs;
> +
> +setup_state(ctxt);
> +
> +sanitize_state(ctxt);
> +
> +disable_hooks(state);
> +
> +do {
> +/* FIXME: Until we actually implement SIGFPE handling properly */
> +setup_fpu_exception_handler();
> +
> +set_sizes(ctxt);
> +dump_state(ctxt);
> +
> +rc = x86_emulate(ctxt, >ops);
> +printf("Emulation result: %d\n", rc);
> +} while ( rc == X86EMUL_OKAY );
> +
> +return 0;
> +}
> +
> +static void compare_states(struct fuzz_state state[2])
> +{
> +// First zero any "internal" pointers

/* */

> +state[0].corpus = state[1].corpus = NULL;
> +state[0].ctxt.data = state[1].ctxt.data = NULL;
> +state[0].ctxt.regs = state[1].ctxt.regs = NULL;
> +
> +if ( memcmp([0], [1], sizeof(struct fuzz_state)) )
> +{
> +unsigned int i;
> +
> +printf("State mismatch\n");
> +
> +for ( i=0; i +if ( state[0].cr[i] != state[1].cr[i] )
> +printf("cr[%u]: %lx != %lx\n",
> +   i, state[0].cr[i], state[1].cr[i]);
> +
> +for ( i=0; i +if ( state[0].msr[i] != state[1].msr[i] )
> +printf("msr[%u]: %lx != %lx\n",
> +   i, state[0].msr[i], state[1].msr[i]);
> +
> +for ( i=0; i +if ( memcmp([0].segments[i], [1].segments[i],
> +sizeof(state[0].segments[0])) )
> +printf("segments[%u]: [%x:%x:%x:%lx] != [%x:%x:%x:%lx]!\n", 
> i,
> +   (unsigned)state[0].segments[i].sel,
> +   (unsigned)state[0].segments[i].attr,
> +   state[0].segments[i].limit,
> +   state[0].segments[i].base,
> +   (unsigned)state[1].segments[i].sel,
> +   (unsigned)state[1].segments[i].attr,
> +   state[1].segments[i].limit,
> +   state[1].segments[i].base);
> +
> +if ( state[0].data_num != state[1].data_num )
> +printf("data_num: %lx !=  %lx\n", state[0].data_num,
> +   state[1].data_num);
> +if ( state[0].data_index != state[1].data_index )
> +printf("data_index: %lx !=  %lx\n", state[0].data_index,
> +   state[1].data_index);
> +
> +if ( memcmp([0].regs, [1].regs, sizeof(state[0].regs)) )
> +{
> +printf("registers differ!\n");
> +/* Print If Not Equal */
> +#define PINE(elem)\

PRINT_NE() ?

> +if ( state[0].elem != state[1].elem ) \
> +printf(#elem " differ: %lx != %lx\n", \
> +   (unsigned long)state[0].elem, \
> +   (unsigned long)state[1].elem)
> +PINE(regs.r15);

Hmm - this is going to cause problems for the 32bit build.  I can't
think of an easy suggestion to fix it.

> +PINE(regs.r14);
> +PINE(regs.r13);
> +PINE(regs.r12);
> +PINE(regs.rbp);
> +PINE(regs.rbx);
> +PINE(regs.r10);
> +PINE(regs.r11);
> +PINE(regs.r9);
> +PINE(regs.r8);
> +PINE(regs.rax);
> +PINE(regs.rcx);
> +PINE(regs.rdx);
> +PINE(regs.rsi);
> +PINE(regs.rdi);
> +
> +for ( i = offsetof(struct cpu_user_regs, error_code) / 
> sizeof(unsigned);
> +  i < sizeof(state[1].regs)/sizeof(unsigned); i++ )
> +{
> +printf("[%04lu] %08x

[Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability

2017-10-10 Thread George Dunlap

Current stability numbers are not 100%.  In order to help track this
down, add a --rerun option which will run the same input twice,
resetting the state between each run, and comparing the state
afterwards.  If the state differs, call abort().

This allows AFL to help the process of tracking down what state is not
being reset properly between runs by proving testcases that
demonstrate the behavior.

To do this:

- Move ctxt into struct fuzz-state to simplify handling

- Rather than copying the data into input, treat the data handed as
  immutable and point each "copy" to it

- Factor out various steps (setting up fuzz state, running an
  individual test) so that they can be efficiently run either once or
  twice (as necessary)

- Compare the states afterwards, printing what's different and calling
  abort() if anything is found.

Signed-off-by: George Dunlap 
---
v3:
- Make new local functions static
- Avoid losing const-ness of pointer in setup_fuzz_state()
- Remove useless *_size initialization
- Remove extra blank line
- Use ARRAY_SIZE() when appropriate
- Move opt_rerun declaration into fuzz-emul.h
- Change loop variable to unsigned int
- Print segment contents when segments differ
v2:
- Fix some coding style issues
- Port over previous changes

CC: Ian Jackson 
CC: Wei Liu 
CC: Andrew Cooper 
CC: Jan Beulich 
---
 tools/fuzz/x86_instruction_emulator/afl-harness.c |   8 +-
 tools/fuzz/x86_instruction_emulator/fuzz-emul.c   | 194 ++
 tools/fuzz/x86_instruction_emulator/fuzz-emul.h   |   1 +
 3 files changed, 171 insertions(+), 32 deletions(-)

diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c 
b/tools/fuzz/x86_instruction_emulator/afl-harness.c
index 052239cea4..4a55ac3c3f 100644
--- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
@@ -23,10 +23,12 @@ int main(int argc, char **argv)
 enum {
 OPT_MIN_SIZE,
 OPT_COMPACT,
+OPT_RERUN,
 };
 static const struct option lopts[] = {
 { "min-input-size", no_argument, NULL, OPT_MIN_SIZE },
 { "compact", required_argument, NULL, OPT_COMPACT },
+{ "rerun", no_argument, NULL, OPT_RERUN },
 { 0, 0, 0, 0 }
 };
 int c = getopt_long_only(argc, argv, "", lopts, NULL);
@@ -45,8 +47,12 @@ int main(int argc, char **argv)
 opt_compact = atoi(optarg);
 break;
 
+case OPT_RERUN:
+opt_rerun = true;
+break;
+
 case '?':
-printf("Usage: %s [--compact=0|1] $FILE [$FILE...] | 
[--min-input-size]\n", argv[0]);
+printf("Usage: %s [--compact=0|1] [--rerun] $FILE [$FILE...] | 
[--min-input-size]\n", argv[0]);
 exit(-1);
 break;
 
diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c 
b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index b6ebcebc19..7685e976b8 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -43,7 +43,7 @@ struct fuzz_state
 
 /* Fuzzer's input data. */
 #define DATA_SIZE_FULL offsetof(struct fuzz_state, corpus)
-struct fuzz_corpus *corpus;
+const struct fuzz_corpus *corpus;
 
 /* Real amount of data backing corpus->data[]. */
 size_t data_num;
@@ -53,6 +53,7 @@ struct fuzz_state
 
 /* Emulation ops, some of which are disabled based on corpus->options. */
 struct x86_emulate_ops ops;
+struct x86_emulate_ctxt ctxt;
 };
 
 bool opt_compact = true;
@@ -495,6 +496,12 @@ static int fuzz_read_msr(
 const struct fuzz_state *s = ctxt->data;
 unsigned int idx;
 
+/* 
+ * NB at the moment dump_state() relies on the fact that this
+ * cannot fail.  If we add in fuzzed failures we'll have to handle
+ * that differently.
+ */
+
 switch ( reg )
 {
 case MSR_TSC_AUX:
@@ -615,6 +622,7 @@ static void dump_state(struct x86_emulate_ctxt *ctxt)
 
 printf(" rip: %"PRIx64"\n", regs->rip);
 
+/* read_msr() never fails at the moment */
 fuzz_read_msr(MSR_EFER, , ctxt);
 printf("EFER: %"PRIx64"\n", val);
 }
@@ -659,7 +667,10 @@ static void setup_state(struct x86_emulate_ctxt *ctxt)
 {
 /* Fuzz all of the state in one go */
 if ( !input_read(s, s, DATA_SIZE_FULL) )
+{
+printf("Input size too small\n");
 exit(-1);
+}
 return;
 }
 
@@ -789,9 +800,8 @@ enum {
 printf("Disabling hook "#h"\n");   \
 }
 
-static void disable_hooks(struct x86_emulate_ctxt *ctxt)
+static void disable_hooks(struct fuzz_state *s)
 {
-struct fuzz_state *s = ctxt->data;
 unsigned long bitmap = s->options;
 
 /* See also sanitize_input, some hooks can't be disabled. */
@@ -839,7 +849,7 @@ static void

Re: [Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability

Re: [Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability

Re: [Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability

[Xen-devel] [PATCH v3 10/12] fuzz/x86_emulate: Add --rerun option to try to track down instability

4 matches

Site Navigation

Mail list logo

Footer information