//! Provides [`FuzzVm`] used for fuzzing on a given core with a snapshot register state
//! and physical memory dump
#![allow(clippy::enum_glob_use)]
#![allow(clippy::missing_errors_doc)]
#![allow(clippy::missing_panics_doc)]
use iced_x86::Code::*;
use anyhow::{ensure, Context, Result};
use iced_x86::{Instruction, MemorySize, OpKind};
use kvm_bindings::{
kvm_debugregs, kvm_fpu, kvm_guest_debug, kvm_guest_debug_arch, kvm_msr_entry, kvm_pit_config,
kvm_regs, kvm_sregs, kvm_userspace_memory_region, kvm_vcpu_events, CpuId, Msrs,
KVM_GUESTDBG_ENABLE, KVM_GUESTDBG_SINGLESTEP, KVM_GUESTDBG_USE_SW_BP, KVM_MAX_CPUID_ENTRIES,
};
use kvm_ioctls::{SyncReg, VcpuExit, VcpuFd, VmFd};
use thiserror::Error;
use x86_64::registers::control::{Cr0Flags, Cr4Flags, EferFlags};
use x86_64::registers::rflags::RFlags;
use crate::addrs::{Cr3, PhysAddr, VirtAddr};
use crate::colors::Colorized;
use crate::config::Config;
use crate::exception::Exception;
use crate::filesystem::FileSystem;
use crate::fuzzer::{Breakpoint, BreakpointLookup, BreakpointType, Fuzzer, ResetBreakpointType};
use crate::interrupts::IdtEntry;
use crate::linux::{PtRegs, Signal};
use crate::memory::{ChainVal, Memory, WriteMem};
use crate::msr::Msr;
use crate::page_table::Translation;
use crate::rng::Rng;
use crate::stack_unwinder::{StackUnwinders, UnwindInfo};
use crate::symbols::Symbol;
use crate::utils::rdtsc;
use crate::vbcpu::VbCpu;
use crate::{handle_vmexit, Execution, DIRTY_BITMAPS};
use crate::{try_u32, try_u64, try_u8, try_usize};
#[cfg(feature = "redqueen")]
use crate::{cmp_analysis::RedqueenRule, fuzz_input::FuzzInput};
use std::collections::{BTreeMap, VecDeque};
use std::convert::TryInto;
use std::sync::atomic::Ordering;
use std::time::{Duration, Instant};
#[cfg(feature = "redqueen")]
use std::{collections::BTreeSet, path::PathBuf};
/// APIC base we are expecting the guest to adhere to. Primarily comes into play when
/// mapping guest memory regions in KVM as we need to leave a gap in the guest
/// memory for the APIC.
pub const APIC_BASE: u64 = 0xfee0_0000;
/// TSS address handed to KVM (`set_tss_address`) when a [`FuzzVm`] is created
pub const TSS_BASE: u64 = 0xfffb_d000;
/// The CR3 used to signify any possible CR3 for a virtual address
pub(crate) const WILDCARD_CR3: Cr3 = Cr3(0x1234_1234_1234_1234);
/// Sets the type of memory (dirty or not) for a given breakpoint. This is primarily used
/// for coverage breakpoints, which would be very expensive to reset on each iteration if
/// every breakpoint write dirtied its page.
#[derive(Debug, Copy, Clone)]
pub enum BreakpointMemory {
    /// Set the written memory as dirty
    Dirty,
    /// Do not set the written memory as dirty
    NotDirty,
}
/// Hook function prototype called when a breakpoint is hit. Receives the VM, the
/// current fuzz input and the fuzzer, and decides how execution proceeds.
pub type HookFn<F> =
    fn(fuzzvm: &mut FuzzVm<F>, input: &<F as Fuzzer>::Input, fuzzer: &mut F) -> Result<Execution>;
/// Type of custom hook to call when a breakpoint is triggered
pub enum BreakpointHook<FUZZER: Fuzzer> {
    /// Call the given function when this breakpoint is hit
    Func(HookFn<FUZZER>),
    /// No breakpoint hook function set for this breakpoint
    None,
}
/// Custom errors [`FuzzVm`] can throw
#[derive(Error, Debug)]
pub enum Error {
    /// Failed to create the PIT2
    #[error("Failed to create the PIT2")]
    FailedToCreatePIT2,
    /// Failed to create the VCPU
    #[error("Failed to create the VCPU")]
    FailedToCreateVcpu,
    /// The given fuzzer RIP does not match the given snapshot RIP
    #[error("The given fuzzer RIP does not match the given snapshot RIP")]
    SnapshotMismatch,
    /// Attempted to use an out of bounds breakpoint index
    #[error("Attempted to use an out of bounds breakpoint index")]
    InvalidBreakpointIndex,
    /// Hit a breakpoint that was set by some other source other than the fuzzer
    #[error("Hit a breakpoint that was set by some other source other than the fuzzer")]
    ExternalBreakpoint,
    /// Failed to create MSR entries for KVM
    #[error("Failed to create MSR entries for KVM")]
    CreateMsrEntries,
    /// Attempted to read an invalid address for a coverage breakpoint
    #[error("Attempted to read an invalid address for a coverage breakpoint")]
    InvalidCoverageBreakpoint,
    /// Coverage breakpoint original byte failed to match in FuzzVm
    #[error("Coverage breakpoint original byte failed to match in FuzzVm")]
    CoverageBreakpointIncorrectCache,
    /// Breakpoint hook not set for the address. Carries the address and, when one was
    /// resolved, a human readable name for it (presumably the symbol — confirm at the
    /// construction sites)
    #[error("A breakpoint hook was not set for the address")]
    BreakpointHookNotSet(VirtAddr, Option<String>),
    /// Found an error when executing a VM
    #[error("Found an error when executing a VM")]
    FailedToExecuteVm(kvm_ioctls::Error),
    /// Caught an unknown breakpoint at the given address / CR3 pair
    #[error("UnknownBreakpoint_{0:x?}_{1:x?}")]
    UnknownBreakpoint(VirtAddr, Cr3),
    /// Call to `sysconf` failed
    #[error("Call to sysconf failed")]
    SysconfFailed(nix::errno::Errno),
    /// Fuzzer breakpoint was not found in the symbols (symbol name and offset)
    #[error("Fuzzer breakpoint was not found in symbols: {0}+{1:#x}")]
    FuzzerBreakpointNotFound(&'static str, u64),
    /// Symbol breakpoints are not implemented for Redqueen breakpoints
    #[error("Symbol breakpoints are not implemented for Redqueen breakpoints")]
    SymbolBreakpointsNotImplForRedqueen,
}
/// Reasons for [`FuzzVm`] exits. These are the `Copy` [`VcpuExit`] types so that fuzzers
/// can modify VM state during exits.
///
/// Discriminants are explicit so that [`FuzzVmExit::id`] yields a stable index for
/// per-exit statistics; [`FuzzVmExit::name`] maps an id back to its variant name.
#[derive(Debug, Copy, Clone)]
#[repr(u8)]
pub enum FuzzVmExit {
    /// Corresponds to VcpuExit::Unknown.
    Unknown = 0,
    /// Corresponds to VcpuExit::Exception.
    Exception = 1,
    /// Corresponds to VcpuExit::Hypercall.
    Hypercall = 2,
    /// Corresponds to VcpuExit::Debug with an exception vector that is neither a
    /// breakpoint (`Breakpoint`) nor a single-step trap (`DebugException`).
    Debug(Exception) = 3,
    /// Corresponds to VcpuExit::Hlt.
    Hlt = 4,
    /// Corresponds to VcpuExit::Shutdown.
    Shutdown = 5,
    /// Corresponds to VcpuExit::InternalError.
    InternalError = 6,
    // VcpuExit variants with no dedicated mapping (IrqWindowOpen, FailEntry, Intr,
    // SetTpr, TprAccess, the S390 family, Dcr, Nmi, Osi, PaprHcall, Watchdog, Epr,
    // SystemEvent, IoapicEoi, Hyperv) are folded into `Unimpl` by the `From` impl.
    /// Corresponds to VcpuExit::IoIn
    IoIn(u16 /* port */) = 7,
    /// Corresponds to VcpuExit::IoOut
    IoOut(u16 /* port */) = 8,
    /// A coverage breakpoint was hit
    CoverageBreakpoint(u64) = 9,
    /// A crash breakpoint was hit
    CrashBreakpoint(u64) = 10,
    /// A reset breakpoint was hit
    ResetBreakpoint(u64) = 11,
    /// A force_sig_fault breakpoint was hit
    ForceSigFaultBreakpoint(Signal) = 12,
    /// EFAULT (errno 14) was triggered
    BadAddress(u64) = 13,
    /// Console write was triggered
    ConsoleWriteBreakpoint = 14,
    /// Breakpoint hit from __die
    KernelDieBreakpoint = 15,
    /// KASAN Out of bounds READ
    KasanRead {
        /// IP of the crashing location
        ip: u64,
        /// Size of the out of bounds read
        size: u64,
        /// Address accessed out of bounds
        addr: u64,
    } = 16,
    /// KASAN Out of bounds WRITE
    KasanWrite {
        /// IP of the crashing location
        ip: u64,
        /// Size of the out of bounds write
        size: u64,
        /// Address accessed out of bounds
        addr: u64,
    } = 17,
    /// VM exited due to a symbol that should immediately return
    ImmediateReturn = 18,
    /// Breakpoint from a Debug exception (carries the faulting `pc`)
    Breakpoint(u64) = 19,
    /// Debug VmExit with a Debug exception
    DebugException = 20,
    /// Original exit was handled, continue execution
    Continue = 21,
    /// FindModuleNameAndOffset
    FindModuleNameAndOffset = 22,
    /// ConsoleWrite symbol breakpoint
    ConsoleWrite = 23,
    /// LogStore breakpoint
    LogStore = 24,
    /// A read instruction was run against the given MMIO address.
    MmioRead = 25,
    /// A write instruction was run against the given MMIO address.
    MmioWrite = 26,
    /// Unimplemented VmExit
    Unimpl = 27,
    /// Special case for ForceSigFault(Trap)
    Trap = 28,
    /// Timer has expired
    TimerElapsed = 29,
    /// Upper bound on exit ids, intended for sizing per-exit tables. Note it is above
    /// the highest real discriminant (29), presumably to leave room for new variants.
    COUNT = 32,
}
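impl FuzzVmExit {
    /// Get the ID of the vmexit
    ///
    /// This is the explicit `#[repr(u8)]` discriminant, so it is stable across
    /// payload-carrying variants and can index tables sized by [`FuzzVmExit::COUNT`].
    #[must_use]
    pub fn id(&self) -> usize {
        core::intrinsics::discriminant_value(self) as usize
    }

    /// Get the name of a specific `FuzzVmExit` id as produced by [`FuzzVmExit::id`]
    ///
    /// Every name matches its variant identifier exactly; ids without a variant
    /// (including the `COUNT` sentinel) map to `"?UnknownFuzzVmExit?"`.
    #[must_use]
    pub fn name(val: usize) -> &'static str {
        match val {
            0 => "Unknown",
            1 => "Exception",
            2 => "Hypercall",
            3 => "Debug(Exception Unknown)",
            4 => "Hlt",
            5 => "Shutdown",
            6 => "InternalError",
            7 => "IoIn",
            8 => "IoOut",
            9 => "CoverageBreakpoint",
            10 => "CrashBreakpoint",
            11 => "ResetBreakpoint",
            12 => "ForceSigFaultBreakpoint",
            13 => "BadAddress",
            14 => "ConsoleWriteBreakpoint",
            15 => "KernelDieBreakpoint",
            16 => "KasanRead",
            17 => "KasanWrite",
            18 => "ImmediateReturn",
            19 => "Breakpoint",
            20 => "DebugException",
            21 => "Continue",
            22 => "FindModuleNameAndOffset",
            23 => "ConsoleWrite",
            24 => "LogStore",
            25 => "MmioRead",
            26 => "MmioWrite",
            27 => "Unimpl",
            28 => "Trap",
            // Variant is `TimerElapsed`; the previous "TimerElapse" was the only name
            // that did not match its variant identifier
            29 => "TimerElapsed",
            _ => "?UnknownFuzzVmExit?",
        }
    }
}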
impl From<VcpuExit<'_>> for FuzzVmExit {
    /// Convert a KVM [`VcpuExit`] into the `Copy`-able [`FuzzVmExit`] handed to fuzzers
    ///
    /// Debug exits are classified by the exception vector KVM reports: software
    /// breakpoints keep the faulting `pc`, single-step traps become
    /// [`FuzzVmExit::DebugException`], and every other vector is kept as
    /// [`FuzzVmExit::Debug`]. Port I/O exits keep only the port number and MMIO exits
    /// drop their payload. Exits with no mapping are logged and printed, then reported
    /// as [`FuzzVmExit::Unimpl`] so they still show up in exit accounting.
    fn from(val: VcpuExit) -> Self {
        /// Classify a `KVM_EXIT_DEBUG` by the exception vector it carries
        fn from_debug_exit(vector: Exception, pc: u64) -> FuzzVmExit {
            match vector {
                Exception::Breakpoint => FuzzVmExit::Breakpoint(pc),
                Exception::Debug => FuzzVmExit::DebugException,
                other => FuzzVmExit::Debug(other),
            }
        }

        match val {
            VcpuExit::Unknown => Self::Unknown,
            VcpuExit::Exception => Self::Exception,
            VcpuExit::Hypercall => Self::Hypercall,
            VcpuExit::Debug(debug) => from_debug_exit(debug.exception.into(), debug.pc),
            VcpuExit::Hlt => Self::Hlt,
            VcpuExit::Shutdown => Self::Shutdown,
            VcpuExit::InternalError => Self::InternalError,
            VcpuExit::IoIn(port, _) => Self::IoIn(port),
            VcpuExit::IoOut(port, _) => Self::IoOut(port),
            VcpuExit::MmioRead(..) => Self::MmioRead,
            VcpuExit::MmioWrite(..) => Self::MmioWrite,
            unhandled => {
                log::warn!("Unhandled vmexit: {unhandled:?}");
                println!("Unhandled vmexit: {unhandled:?}");
                Self::Unimpl
            }
        }
    }
}
/// Cycle counts while executing `.run()` for a VM
#[derive(Default, Debug, Copy, Clone)]
pub struct VmRunPerf {
    /// Number of cycles, as measured by `rdtsc`, spent executing in the VM
    pub in_vm: u64,
    /// Number of cycles, as measured by `rdtsc`, spent executing before the vcpu.run()
    /// call
    pub pre_run_vm: u64,
    /// Number of cycles, as measured by `rdtsc`, spent executing after the vcpu.run()
    /// call
    pub post_run_vm: u64,
}
/// Cycle counts while resetting guest state
#[derive(Default, Debug, Copy, Clone)]
pub struct GuestResetPerf {
    /// Amount of time spent during restoring guest memory found by KVM
    pub reset_guest_memory_restore: u64,
    /// Amount of time spent during resetting dirty pages set by a fuzzer
    pub reset_guest_memory_custom: u64,
    /// Amount of time spent clearing the dirty page bits
    pub reset_guest_memory_clear: u64,
    /// Amount of time spent during gathering dirty logs from KVM
    pub get_dirty_logs: u64,
    /// Number of pages restored
    pub restored_pages: u32,
    /// Amount of time during running `fuzzvm.init_guest`, broken down per register set
    pub init_guest: InitGuestPerf,
    /// Amount of time during running `fuzzer.apply_fuzzer_breakpoint`
    pub apply_fuzzer_breakpoints: u64,
    /// Amount of time during running `fuzzer.apply_reset_breakpoint`
    pub apply_reset_breakpoints: u64,
    /// Amount of time during running `fuzzer.apply_coverage_breakpoint`
    pub apply_coverage_breakpoints: u64,
    /// Amount of time during running `fuzzer.init_vm`
    pub init_vm: u64,
}
/// Cycle counts while initializing the guest
#[derive(Default, Debug, Copy, Clone)]
pub struct InitGuestPerf {
    /// Amount of time during running `fuzzvm.init_guest` restoring registers
    pub regs: u64,
    /// Amount of time during running `fuzzvm.init_guest` restoring sregs
    pub sregs: u64,
    /// Amount of time during running `fuzzvm.init_guest` restoring fpu
    pub fpu: u64,
    /// Amount of time during running `fuzzvm.init_guest` restoring MSRs
    pub msrs: u64,
    /// Amount of time during running `fuzzvm.init_guest` restoring debug registers
    pub debug_regs: u64,
}
/// Lightweight VM used for fuzzing a memory snapshot
#[allow(clippy::struct_excessive_bools)]
pub struct FuzzVm<'a, FUZZER: Fuzzer> {
    /// The core id of the core running this VM
    #[allow(dead_code)]
    pub core_id: u64,
    /// Underlying VM from KVM
    pub vm: &'a VmFd,
    /// The CPU for this VM
    pub vcpu: VcpuFd,
    /// Current register state in the VM (access through `regs()` / `regs_mut()`)
    regs: kvm_regs,
    /// Current sreg state in the VM
    pub sregs: kvm_sregs,
    // Fpu state is not cached; it is read from / written to KVM directly.
    /// Current VCPU events from KVM
    pub vcpu_events: kvm_vcpu_events,
    /// Random number generator
    pub rng: Rng,
    // Debug registers are not cached either; see `debug_regs()`.
    /// Underlying physical memory for this VM
    pub memory: Memory,
    /// Original CPU state used to reset the VM
    pub vbcpu: VbCpu,
    /// Is single step enabled for the guest
    pub single_step: bool,
    /// Breakpoints currently set in the VM keyed with their original byte to potentially
    /// restore after it has been hit. The value in this map is the index into the
    /// various breakpoint arrays. This DOES NOT contain coverage breakpoints.
    pub breakpoints: BTreeMap<(VirtAddr, Cr3), usize>,
    /// Original bytes for breakpoints in the VM indexed by the value in
    /// `self.breakpoints`.
    pub breakpoint_original_bytes: Vec<Option<u8>>,
    /// List of type of breakpoints
    pub breakpoint_types: Vec<BreakpointType>,
    /// Potential callbacks executed when the breakpoint at the index is triggered
    pub breakpoint_hooks: Vec<BreakpointHook<FUZZER>>,
    /// Cached breakpoints that have had symbols resolved in order to avoid looking up
    /// symbols each iteration
    #[allow(clippy::type_complexity)]
    pub fuzzer_breakpoint_cache: Option<Vec<(VirtAddr, Cr3, BreakpointType, HookFn<FUZZER>)>>,
    /// If set, will enable single step for the next instruction. After the instruction
    /// is executed, will write a `0xcc` at the given [`VirtAddr`] to reset a breakpoint.
    pub restore_breakpoint: Option<(VirtAddr, Cr3)>,
    /// Clean snapshot buffer to restore the dirty pages from
    pub clean_snapshot: u64,
    /// Memory regions backing this VM (used for deleting the regions to reset the memory
    /// on VM reset)
    pub memory_regions: [kvm_userspace_memory_region; 3],
    /// Number of pages in the memory region indexed by slot
    pub number_of_pages: [u32; 3],
    // Retired-instruction counting (`instrs_next_exit`, `instructions_executed`) is
    // currently disabled; see the APIC init note in `create`.
    /// Maximum number of retired instructions before causing a VM Exit.
    pub polling_interval: u64,
    /// Current set of single shot breakpoints set that, when hit, add the address to the
    /// coverage database. This is an Option to enable a `.take()` to avoid a
    /// `&mut self ` collision when applying the breakpoints
    pub coverage_breakpoints: Option<BTreeMap<VirtAddr, u8>>,
    /// Signifies if this VM will exit on syscalls. Handles whether
    /// `EferFlags::SYSTEM_CALL_EXTENSIONS` is enabled. Set in `create` when the fuzzer
    /// provides a non-empty syscall whitelist or blacklist.
    pub exit_on_syscall: bool,
    /// Breakpoints that, if hit, signify a crash or reset in the guest. This is an
    /// Option to enable a `.take()` to avoid a `&mut self ` collision when applying the
    /// breakpoints
    pub reset_breakpoints: Option<BTreeMap<(VirtAddr, Cr3), ResetBreakpointType>>,
    /// List of symbols available in this VM
    pub symbols: &'a Option<VecDeque<Symbol>>,
    /// Start time of the current fuzz case, used to determine if the VM should be timed
    /// out
    pub start_time: Instant,
    /// Reusable allocations to get the dirty bitmaps for each memory region
    pub dirty_bitmaps: [Vec<u64>; 3],
    /// Temp scratch buffer to collect guest memory physical pages that is not
    /// reallocated each reset
    pub scratch_reset_buffer: Vec<u64>,
    /// Data written to the console
    pub console_output: Vec<u8>,
    /// The general purpose registers are dirtied and need to be updated on next entry
    pub dirtied_registers: bool,
    /// Packets sent out by the VM
    pub sent_packets: Vec<Vec<u8>>,
    /// Emulated filesystem
    pub filesystem: Option<FileSystem>,
    /// Fuzzer configuration
    pub config: Config,
    /// Collection of unwinders used to attempt to unwind the stack
    pub unwinders: Option<StackUnwinders>,
    /// Set of redqueen rules used for cmp analysis (our RedQueen implementation)
    #[cfg(feature = "redqueen")]
    pub redqueen_rules: BTreeMap<u64, BTreeSet<RedqueenRule>>,
}
impl<'a, FUZZER: Fuzzer> FuzzVm<'a, FUZZER> {
/// Create a [`FuzzVm`] using the given [`VmFd`] and snapshot registers from
/// [`VbCpu`] with a memory backing at address `memory_backing`
///
/// Order matters here: KVM devices (PIT2, TSS, IRQ chip, vcpu) are created first,
/// then the coverage breakpoints are pre-written into guest memory, then the guest
/// registers are restored from `virtualbox_cpu`, and only then are the fuzzer's
/// reset/crash breakpoints resolved and applied.
///
/// # Errors
///
/// * If KVM fails to return valid regs, sregs, fpu, debug regs, or vcpu events
/// * If the given APIC base isn't `APIC_BASE`
/// * If the guest fails to initialize properly
/// * If a cached coverage breakpoint byte does not match the snapshot memory
/// * If a fuzzer reset/crash breakpoint names a symbol that cannot be resolved
///
/// # Panics
///
/// If the fuzzer provides both a syscall whitelist and a syscall blacklist
pub fn create(
    core_id: u64,
    fuzzer: &mut FUZZER,
    vm: &'a VmFd,
    virtualbox_cpu: &VbCpu,
    cpuid: &CpuId,
    snapshot_fd: i32,
    clean_snapshot: u64,
    coverage_breakpoints: Option<BTreeMap<VirtAddr, u8>>,
    reset_breakpoints: Option<BTreeMap<(VirtAddr, Cr3), ResetBreakpointType>>,
    symbols: &'a Option<VecDeque<Symbol>>,
    config: Config,
    unwinders: StackUnwinders,
    #[cfg(feature = "redqueen")] redqueen_rules: BTreeMap<u64, BTreeSet<RedqueenRule>>,
) -> Result<Self> {
    // Create a PIT2 timer
    let pit_config = kvm_pit_config::default();
    vm.create_pit2(pit_config)
        .context(Error::FailedToCreatePIT2)?;
    // Set the Task State Segment address to the default TSS base
    vm.set_tss_address(TSS_BASE.try_into()?)?;
    // Create the IRQ chip to enable the APIC for this VM
    vm.create_irq_chip().context("Failed to create IRQCHIP")?;
    // Allocate a CPU for this VM
    let vcpu = vm.create_vcpu(0).context(Error::FailedToCreateVcpu)?;
    // Only used for triggering polling coverage via retired instruction overflows.
    // Currently disabled
    // Init the APIC for this VM (enable NMI for retire instruction counter overflow)
    crate::apic::init(&vcpu).context("Failed to init APIC")?;
    // Set the MSRs available for this guest VM from the available MSRs in KVM
    vcpu.set_cpuid2(cpuid).context("Failed to set CPUIDs")?;
    // Set xcr0 to 7 to enable avx, sse, and x87
    let mut xcrs = vcpu.get_xcrs()?;
    xcrs.xcrs[0].xcr = 0x0;
    xcrs.xcrs[0].value = 0x7;
    vcpu.set_xcrs(&xcrs)?;
    // Setup debug mode for the guest: software breakpoints (0xcc) and single step
    // both cause a KVM_EXIT_DEBUG instead of being delivered to the guest. The last
    // debugreg slot is DR7; 0x400 is its always-set reserved bit.
    let debug_struct = kvm_guest_debug {
        control: KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP | KVM_GUESTDBG_SINGLESTEP,
        pad: 0,
        arch: kvm_guest_debug_arch {
            debugreg: [0, 0, 0, 0, 0, 0, 0, 0x400],
        },
    };
    // Enable guest debug mode in the guest
    vcpu.set_guest_debug(&debug_struct)
        .context("Failed to set guest debug mode")?;
    // Create the memory backing for the guest VM using the existing snapshot
    let mem_ptr = crate::create_guest_memory_backing(snapshot_fd)?;
    // Sanity check only `syscall_whitelist` or `syscall_blacklist` is set and not
    // both
    if !fuzzer.syscall_blacklist().is_empty() {
        assert!(
            fuzzer.syscall_whitelist().is_empty(),
            "Syscall blacklist and whitelist set"
        );
    }
    if !fuzzer.syscall_whitelist().is_empty() {
        assert!(
            fuzzer.syscall_blacklist().is_empty(),
            "Syscall blacklist and whitelist set"
        );
    }
    // Check if the fuzzer is requesting to handle any syscalls
    let exit_on_syscall =
        !fuzzer.syscall_whitelist().is_empty() || !fuzzer.syscall_blacklist().is_empty();
    // Create the overall FuzzVm struct
    let mut fuzzvm = Self {
        core_id,
        regs: vcpu.get_regs()?,
        sregs: vcpu.get_sregs()?,
        vcpu_events: vcpu.get_vcpu_events()?,
        rng: Rng::new(),
        single_step: false,
        memory: Memory::from_addr(mem_ptr as u64),
        vm,
        vcpu,
        vbcpu: *virtualbox_cpu,
        breakpoints: BTreeMap::new(),
        breakpoint_original_bytes: Vec::new(),
        breakpoint_types: Vec::new(),
        breakpoint_hooks: Vec::new(),
        fuzzer_breakpoint_cache: None,
        restore_breakpoint: None,
        clean_snapshot,
        memory_regions: [
            kvm_userspace_memory_region::default(),
            kvm_userspace_memory_region::default(),
            kvm_userspace_memory_region::default(),
        ],
        number_of_pages: [0; 3],
        polling_interval: 0,
        coverage_breakpoints,
        exit_on_syscall,
        reset_breakpoints,
        symbols,
        start_time: Instant::now(),
        dirty_bitmaps: [Vec::new(), Vec::new(), Vec::new()],
        scratch_reset_buffer: Vec::new(),
        console_output: Vec::new(),
        dirtied_registers: false,
        sent_packets: Vec::new(),
        filesystem: None,
        config,
        #[cfg(feature = "redqueen")]
        redqueen_rules,
        unwinders: Some(unwinders),
    };
    // Pre-write all of the coverage breakpoints into the memory for the VM. The
    // "clean snapshot" memory also has the coverage breakpoints pre-written so
    // during reset, the breakpoints are already in place.
    //
    // Addresses that cannot be read with the snapshot CR3 are deliberately skipped
    // here (best effort); they stay in the map but no 0xcc is written for them.
    let cr3 = Cr3(virtualbox_cpu.cr3);
    if let Some(cov_bps) = fuzzvm.coverage_breakpoints.take() {
        for (addr, byte) in &cov_bps {
            if let Ok(curr_byte) = fuzzvm.read::<u8>(*addr, cr3) {
                // Sanity check the original memory and the coverage breakpoint original
                // bytes match, otherwise a stale cache would corrupt instruction bytes
                // when the breakpoint is later restored
                ensure!(*byte == curr_byte, Error::CoverageBreakpointIncorrectCache);
                // Write the breakpoint into the VM memory
                fuzzvm.write_bytes(*addr, cr3, &[0xcc])?;
            }
        }
        fuzzvm.coverage_breakpoints = Some(cov_bps);
    }
    // Calculate the kernel CR3 based on the instructions from the single step of
    // the kernel (the `and` mask below mirrors what `entry_SYSCALL_64` applies)
    //
    // 0x00007ffff7eac249 0x00000000ba693000 | libc-2.31.so!__getpid+0x9 | syscall
    // 0xffffffffa6200010 0x00000000ba693000 | entry_SYSCALL_64+0x0 | swapgs
    // 0xffffffffa6200013 0x00000000ba693000 | entry_SYSCALL_64+0x3 | mov qword ptr gs:[0x6014], rsp
    // 0xffffffffa620001c 0x00000000ba693000 | entry_SYSCALL_64+0xc | nop
    // 0xffffffffa620001e 0x00000000ba693000 | entry_SYSCALL_64+0xe | mov rsp, cr3
    // 0xffffffffa6200021 0x00000000ba693000 | entry_SYSCALL_64+0x11 | bts rsp, 0x3f
    // 0xffffffffa6200026 0x00000000ba693000 | entry_SYSCALL_64+0x16 | and rsp, 0xffffffffffffe7ff
    // 0xffffffffa620002d 0x00000000ba693000 | entry_SYSCALL_64+0x1d | mov cr3, rsp
    let kern_cr3 = Cr3(cr3.0 & 0xffff_ffff_ffff_e7ff);
    // Initialize the used physical pages in order to allocate new physical pages if
    // needed
    fuzzvm.memory.identify_used_phys_pages(&[cr3, kern_cr3]);
    // Init the guest memory backing
    fuzzvm.init_guest_memory_backing()?;
    // Sanity check values in the vbcpu
    // fuzzvm.sanity_check_vbcpu()?;
    // Initialize guest using vbcpu
    fuzzvm.init_guest()?;
    // New reset breakpoints that are given by the target-specific fuzzer
    let mut new_reset_bps = BTreeMap::new();
    // Add the fuzzer specific reset and crash breakpoints if any are requested,
    // translating any symbols if requested
    for (fuzzer_bps, reset_type) in [
        (fuzzer.reset_breakpoints(), ResetBreakpointType::Reset),
        (fuzzer.crash_breakpoints(), ResetBreakpointType::Crash),
    ] {
        let Some(fuzzer_bps) = fuzzer_bps else {
            continue;
        };
        for breakpoint in fuzzer_bps {
            match breakpoint {
                BreakpointLookup::Address(virt_addr, cr3) => {
                    new_reset_bps.insert((*virt_addr, *cr3), reset_type);
                }
                BreakpointLookup::SymbolOffset(symbol, offset) => {
                    if let Some((virt_addr, cr3)) = fuzzvm.get_symbol_address(symbol) {
                        new_reset_bps.insert((virt_addr.offset(*offset), cr3), reset_type);
                    } else {
                        // Given symbol was not found. Lookup symbols that contain the given symbol
                        // to display as possible symbols that we do know about
                        let possibles = fuzzvm.get_symbols_containing(symbol);
                        if !possibles.is_empty() {
                            // These are `eprintln` in addition to `log` so that the possibles can be
                            // printed to the screen even when using the TUI.
                            eprintln!("Symbol was not found: {symbol}. Did you mean one of the following?");
                            log::info!("Symbol was not found: {symbol}. Did you mean one of the following?");
                            for p in possibles {
                                eprintln!(" - {p}");
                                log::info!(" - {p}");
                            }
                        }
                        // A misspelled crash/reset symbol is fatal rather than silently
                        // ignored, since it would leave crashes undetected
                        return Err(Error::FuzzerBreakpointNotFound(symbol, *offset).into());
                    }
                }
            }
        }
    }
    // Remove all reset breakpoints from the coverage breakpoints if they exist
    // Reset breakpoints take precedence over the coverage breakpoints since they
    // are used to signal resets or crashes
    if let Some(ref mut cov_bps) = fuzzvm.coverage_breakpoints {
        for (addr, _cr3) in new_reset_bps.keys() {
            cov_bps.remove(addr);
        }
    }
    // Add all of the reset/crash breakpoints given by the fuzzer
    if let Some(ref mut reset_bps) = fuzzvm.reset_breakpoints {
        reset_bps.append(&mut new_reset_bps);
    }
    // Init the VM based on the given fuzzer
    fuzzer.init_vm(&mut fuzzvm)?;
    // Apply the breakpoints for the fuzzer
    fuzzvm.apply_fuzzer_breakpoints(fuzzer)?;
    // Apply the crashing breakpoints found in the symbols
    fuzzvm.apply_reset_breakpoints()?;
    // Initialize the filesystem with the files from the fuzzer
    let mut filesystem = FileSystem::default();
    fuzzer.init_files(&mut filesystem)?;
    fuzzvm.filesystem = Some(filesystem);
    // Add a breakpoint to LSTAR which is caught during `syscall` execution to
    // determine if the fuzzer wants to handle the syscall or not. The hook itself
    // just continues; the whitelist/blacklist decision is made by the exit handler.
    if fuzzvm.exit_on_syscall {
        let lstar = VirtAddr(fuzzvm.vbcpu.msr_lstar);
        fuzzvm.set_breakpoint(
            lstar,
            cr3,
            BreakpointType::Repeated,
            BreakpointMemory::NotDirty,
            BreakpointHook::Func(|_, _, _| Ok(Execution::Continue)),
        )?;
    }
    // Return the FuzzVm and the VcpuFd
    Ok(fuzzvm)
}
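/// Enable single step in the guest
///
/// KVM's single step relies on the trap flag, which the CPU clears when the guest
/// takes an interrupt. To keep stepping across interrupts, a repeated breakpoint is
/// installed on every interrupt service routine found in the guest IDT whose hook
/// re-arms the trap flag before execution continues.
///
/// # Example
///
/// ```
/// let mut fuzzvm = FuzzVm::create(..);
/// fuzzvm.enable_single_step();
/// ```
///
/// # Errors
///
/// * Reading an IDT entry from guest memory fails
/// * Installing a breakpoint on an interrupt service routine fails
#[allow(dead_code)]
pub fn enable_single_step(&mut self) -> Result<()> {
    /// Breakpoint hook that re-arms the trap flag for the given [`FuzzVm`]
    ///
    /// Always returns [`Execution::Continue`] so the interrupt handler runs normally,
    /// but with `TF` set so the instruction after it traps again.
    #[allow(clippy::unnecessary_wraps)]
    fn enable_trap_flag<FUZZER: Fuzzer>(
        fuzzvm: &mut FuzzVm<FUZZER>,
        _input: &FUZZER::Input,
        _fuzzer: &mut FUZZER,
    ) -> Result<Execution> {
        // OR the flag into the raw register instead of round-tripping through
        // `RFlags::from_bits_truncate`, which would drop reserved bits (bit 1 must
        // stay set). Previously the updated flags were computed but never written
        // back, so `dirtied_registers` had nothing new to push to KVM.
        fuzzvm.regs_mut().rflags |= RFlags::TRAP_FLAG.bits();
        fuzzvm.dirtied_registers = true;
        Ok(Execution::Continue)
    }

    self.single_step = true;

    // Since we don't have monitor trap flag access in KVM (without modifying KVM
    // itself), we don't have single step access during an interrupt. To mitigate
    // this, we set a breakpoint at each interrupt service routine and enable the
    // trap flag if we are single stepping
    let cr3 = self.cr3();
    let idt_entry_size = std::mem::size_of::<IdtEntry>() as u64;
    // NOTE(review): `0..255` visits vectors 0..=254, so the last IDT slot (vector 255)
    // is never hooked — confirm whether that is intended before widening the range
    for vector in 0..255 {
        let entry_addr = VirtAddr(self.vbcpu.idtr_base + vector * idt_entry_size);
        let isr = self.read::<IdtEntry>(entry_addr, cr3)?.isr();
        self.set_breakpoint(
            VirtAddr(isr),
            cr3,
            BreakpointType::Repeated,
            BreakpointMemory::NotDirty,
            BreakpointHook::Func(enable_trap_flag),
        )?;
    }

    Ok(())
}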
/// Disable single step in the guest
///
/// Only clears the `single_step` flag; the interrupt service routine breakpoints
/// installed by `enable_single_step` are left in place.
///
/// # Example
///
/// ```
/// let mut fuzzvm = FuzzVm::create(..);
/// fuzzvm.disable_single_step();
/// ```
///
/// # Errors
///
/// Currently never fails; returns `Result` for symmetry with `enable_single_step`
#[allow(dead_code)]
pub fn disable_single_step(&mut self) -> Result<()> {
    self.single_step = false;
    Ok(())
}
/// Get the current (cached) general purpose register state of the VM
///
/// # Example
///
/// ```
/// let mut fuzzvm = FuzzVm::create(..);
/// let rax = fuzzvm.regs().rax;
/// ```
#[must_use]
pub fn regs(&self) -> &kvm_regs {
    &self.regs
}
/// Get a mutable reference to the cached general purpose register state of the VM
///
/// Callers that modify registers through this are responsible for setting
/// `dirtied_registers` so the change is pushed to KVM on the next entry.
///
/// # Example
///
/// ```
/// let mut fuzzvm = FuzzVm::create(..);
/// let mut regs = fuzzvm.regs_mut();
/// regs.rax = 0xdead_beef;
/// ```
#[must_use]
pub fn regs_mut(&mut self) -> &mut kvm_regs {
    &mut self.regs
}
/// Get the current (cached) special register state of the VM
///
/// # Example
///
/// ```
/// let mut fuzzvm = FuzzVm::create(..);
/// let cr0 = fuzzvm.sregs().cr0;
/// ```
#[must_use]
pub fn sregs(&self) -> &kvm_sregs {
    &self.sregs
}
/// Get a mutable reference to the cached special register state of the VM
#[must_use]
pub fn _sregs_mut(&mut self) -> &mut kvm_sregs {
    &mut self.sregs
}
/// Get the current debug register state of the VM
///
/// Unlike `regs()` and `sregs()`, the debug registers are not cached on the struct,
/// so every call is a round trip to KVM.
///
/// # Example
///
/// ```
/// let mut fuzzvm = FuzzVm::create(..);
/// let dr6 = fuzzvm.debug_regs()?.dr6;
/// ```
///
/// # Errors
///
/// Failed to get debug registers from KVM
pub fn debug_regs(&self) -> Result<kvm_debugregs> {
    self.vcpu.get_debug_regs().map_err(Into::into)
}
/// Get the current `cr3` register in the VM (ignoring lower 12 bits)