david.venhoff/QEMU-Nyx-fork
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
73,582 Commits 1 Branch 0 Tags
Commit Graph

119 Commits

Author SHA1 Message Date
Sergej Schumilo
108fa3baf9 fix starved bug in vanilla kvm mode (caused by reading of uninitialized memory) 2022-05-11 18:00:12 +02:00
Steffen Schulz
d4ba169bea Remove superfluous printf 
Extra printf just spams the console on startup..
 2022-05-11 18:00:11 +02:00
Steffen Schulz
9e56f6731e fix timeout detection to only reset on VM reset 
reset_timeout_detection() is already called at end of NEXT_PAYLOAD
handler to properly re-init the timer on every new execution.

Remove the additional call in synchronization_lock() which prevents
proper timeout on targets that do a lot of hprintf().

Also remove extra call in synchronization_lock_timeout_found() which
really just seems to be a duplicate with no observable effect.

To reproduce, run a harness that uses hprintf() in infinite loop. It
will take longer due to execute due to userland overhead but should
eventually return with aux_buffer/runtime similar to configured timeout.
 2022-05-11 18:00:11 +02:00
Steffen Schulz
35809c5207 cleanup timeout_detection 2022-05-11 18:00:11 +02:00
Steffen Schulz
a2ee5ef587 fix runtime_usec wraparound in aux_buffer 
To reproduce the issue, launch fast running harness with aux_buffer->timeout_usec=0 and timeout_sec=1
 2022-05-11 18:00:11 +02:00
Sergej Schumilo
2c3b7a7873 fix oobs read (in shadow_memory_read_page_frame) 2022-04-18 19:24:58 +02:00
Sergej Schumilo
72a95d8bfb improve shadow_memory_read_physical_memory() 
this patch removes several limitations (size & alignment)
 2022-04-09 06:50:19 +02:00
Sergej Schumilo
758e65871b update NYX_HOST_VERSION 2022-04-07 10:58:16 +02:00
Sergej Schumilo
164f449a02 fix several compiler warnings 2022-04-07 10:52:30 +02:00
Sergej Schumilo
ea4bdcd6d9
Merge pull request #7 from c01db33f/qemu-nyx-4.2.0 
Reimplemented x86_64 page table walking code.
 2022-04-07 07:09:14 +02:00
Mark Brand
e7f63f4401 Reimplemented x86_64 page table walking code. 2022-03-18 10:31:38 +01:00
Sergej Schumilo
8e8f6e5b2b uncomment several fprintfs in state_reallocation 2022-02-23 10:28:44 +01:00
Sergej Schumilo
1f675b053a fix crash notifier injection 
Decide which crash notifier (32bit or 64bit) to inject, based on the
current memory mode instead of the current CPU mode. Otherwise, in the
case of a 32bit loader running on a 64bit operating system, the wrong
notifier code will be injected.
 2022-02-23 10:26:02 +01:00
Sergej Schumilo
b95d6b9236 fix a global oob read 
Use an additional constant to specifiy the size of the crash notifier
code in 32 bit mode (submit_panic / submit_kasan).
 2022-02-23 08:55:00 +01:00
Sergej Schumilo
09d7d437b7
Merge branch 'qemu-nyx-4.2.0-dev-intel' into staging-upstream-3 2022-02-22 23:25:52 +01:00
Sergej Schumilo
c023bfb750 bug fix: don't reuse ram_offset as physical address 
to register PF in snapshot blocklist
(breaks memory access and shared memory if address is above 0x0C0000000)
 2022-02-22 19:35:16 +01:00
Steffen Schulz
29f06964a9 fix hprintf EOL handling 
All other uses of misc buffer do not include 0 byte in length..
 2022-02-11 10:45:30 -08:00
Steffen Schulz
c1d29a2399 sharedir: allow reading anything stored or linked from sharedir 
In particular, we want to allow symlinks to external resources..
 2022-02-11 10:45:30 -08:00
Steffen Schulz
6b4661a758 dump_file hypercall: support mkstemps() template with suffix 2022-02-11 10:45:30 -08:00
Steffen Schulz
a572984289 virtio snapshot restore 
virtio-blk still fails for usermode fuzzing
 2022-02-11 10:45:30 -08:00
Steffen Schulz
96aac23864 move alt_bitmap implementation to redqueen_trace.c 
alt_bitmap is only relevant in redqueen_trace mode, when libxdc does not
produce a bitmap on its own..
 2022-02-11 10:45:30 -08:00
Steffen Schulz
f348dcfc23 redqueen_trace: disable unless 'edge_cb_trace' option is provided 
Both, the legacy 'redqueen' trace via libxdc callback as well as new
dump_pt trace option are now toggled with aux-buffer trace_mode option.

This new qemu cmdline option allows to re-enable the old trace method,
or even use both trace methods at the same time.
 2022-02-11 10:45:30 -08:00
Steffen Schulz
84f1a1b67b move dump_pt logic to trace_dump.c, enable via aux_buffer 2022-02-11 10:45:30 -08:00
Steffen Schulz
7b9bd18dc3 refactor 'redqueen trace' to separate redqueen_trace.c 2022-02-11 10:45:30 -08:00
Steffen Schulz
d81b846608 dump_file: check for NULL filename, support mkstemp() template 2022-02-11 10:45:30 -08:00
Steffen Schulz
68f74353b2 record worker_id in state and report via KAFL_HYPERCALL_GET_HOST_CONFIG 
Modifies elements of host_config_t - update guest agent struct!
 2022-02-11 10:45:30 -08:00
Steffen Schulz
24e6f39e1c fix pt_dump feature (append on VMexit, truncate on new execution) 2022-02-11 10:45:30 -08:00
Steffen Schulz
56bc5571be dump_pt: create-open & truncate output file on each execution 
Previous implementation only opened the file once.
 2022-02-11 10:45:30 -08:00
Steffen Schulz
5c24050a64 page_cache: use file lock also for read access 
Without this there may be a risk of reading partially written
files...doesn't seem to happen in practice though?
 2022-02-11 10:45:30 -08:00
Steffen Schulz
b899572377 page_cache: auto-create workdir files or resume based on existing files 
- relieve frontend from having to create these files
- perhaps add some checks for resuming from existing page_cache files
 2022-02-11 10:45:30 -08:00
Steffen Schulz
6b008a1be4 error checking on payload remap + other 2022-02-11 10:45:30 -08:00
Steffen Schulz
f32d1cb3b7 add alt_bitmap for use in trace mode, truncate trace file on new exec 
libxdc does not create a bitmap in trace mode
This patch lets qemu create the bitmap instead

Note that the bitmap not compatible with libxdc bitmap since the trace
callback behavior is different.
 2022-02-11 10:45:30 -08:00
Steffen Schulz
0b6ec2cf72 kafl_dump_file: cleanups + select random filename if none provided 2022-02-11 10:45:30 -08:00
Steffen Schulz
7dbb64e7c2 compile-time option to restore kAFL style full edge traces 2022-02-11 10:45:30 -08:00
Steffen Schulz
81dbc38d46 print error on invalid hget(), minor bugfix for QEMU_PR_PRINTF enable 2022-02-11 10:45:30 -08:00
Steffen Schulz
169b084df5 report KVM_EXIT_SHUTDOWN and UNKNOWN_ERROR as panic events 2022-02-11 10:45:30 -08:00
Steffen Schulz
c12c6bd70d starved: signal if guest was reading beyond end of payload 2022-02-11 10:45:30 -08:00
Steffen Schulz
95742719f5 use 32bit kasan/panic notifier payload when on 32bit 2022-02-08 23:38:20 +01:00
Steffen Schulz
35c4f356ab patch KASAN hypercall back in 2022-02-08 23:38:20 +01:00
Sergej Schumilo
c2c69cfc52 abort if a configuration was not set or received 
(via GET_HOST / SET_AGENT) or if either was executed twice
 2022-01-21 20:23:52 +01:00
Sergej Schumilo
6ca723cb84 exit after nyx_abort() has been called if the frontend continues 
to send data
 2022-01-21 20:20:13 +01:00
Sergej Schumilo
586d46c86f bug fix: don't remap more guest page frames from 
the input buffer than required in case the input buffer size is
smaller than the initial value
 2022-01-21 18:11:32 +01:00
Sergej Schumilo
7af65d1fdc add various improvements: 
- root snapshot serialization / deserialization
	- abort if specific hypercalls are called during fuzzing
	- ignore requests to disable write protection
 2022-01-20 03:43:12 +01:00
Sergej Schumilo
b5798ba95a add missing free() call in interface.c 2022-01-20 03:29:17 +01:00
Sergej Schumilo
42d434e28f add several improvements: 
- Intel PT page dump feature works now
- size of input and bitmap buffers are configurable
- new aux buffer layout
- various bug fixes
 2022-01-18 10:10:04 +01:00
Sergej Schumilo
39a646fb4c update configuration hypercalls 2022-01-11 04:22:34 +01:00
Sergej Schumilo
17bf3b6fd6 cleanup in hypercall.c 2022-01-11 04:21:55 +01:00
Sergej Schumilo
44e819cd10 update aux buffer 2022-01-11 04:21:41 +01:00
Sergej Schumilo
1d77722270 improve x86-64 page walker and add helper functions to resize inter-VM shared memory mappings 2022-01-11 04:17:49 +01:00
Sergej Schumilo
dd9f586327 disable unused hypercalls 2022-01-11 04:16:34 +01:00