xref: /xen-4.10.0-shim-comet/tools/fuzz/x86_instruction_emulator/fuzz-emul.c

84 static int maybe_fail(struct x86_emulate_ctxt *ctxt,  in maybe_fail()  argument
87     struct fuzz_state *s = ctxt->data;  in maybe_fail()
115         x86_emul_pagefault(0, 0, ctxt);  in maybe_fail()
120 static int data_read(struct x86_emulate_ctxt *ctxt,  in data_read()  argument
124     struct fuzz_state *s = ctxt->data;  in data_read()
136             x86_emul_hw_exception(13, 0, ctxt);  in data_read()
142         rc = maybe_fail(ctxt, why, true);  in data_read()
162     struct x86_emulate_ctxt *ctxt)  in fuzz_read()  argument
166         assert(ctxt->addr_size == 64 || !(offset >> 32));  in fuzz_read()
176                (ctxt->lma ? offset <= 0x10007 : !(offset >> 16)));  in fuzz_read()
178     return data_read(ctxt, seg, "read", p_data, bytes);  in fuzz_read()
185     struct x86_emulate_ctxt *ctxt)  in fuzz_read_io()  argument
187     return data_read(ctxt, x86_seg_none, "read_io", val, bytes);  in fuzz_read_io()
195     struct x86_emulate_ctxt *ctxt)  in fuzz_insn_fetch()  argument
200     if ( ctxt->addr_size < 64 && (offset >> 32) )  in fuzz_insn_fetch()
202         x86_emul_hw_exception(13, 0, ctxt);  in fuzz_insn_fetch()
213         return maybe_fail(ctxt, "insn_fetch", true);  in fuzz_insn_fetch()
216     return data_read(ctxt, seg, "insn_fetch", p_data, bytes);  in fuzz_insn_fetch()
219 static int _fuzz_rep_read(struct x86_emulate_ctxt *ctxt,  in _fuzz_rep_read()  argument
225     rc = data_read(ctxt, x86_seg_none, why, &bytes_read, sizeof(bytes_read));  in _fuzz_rep_read()
246 static int _fuzz_rep_write(struct x86_emulate_ctxt *ctxt,  in _fuzz_rep_write()  argument
249     int rc = maybe_fail(ctxt, why, true);  in _fuzz_rep_write()
273     struct x86_emulate_ctxt *ctxt)  in fuzz_rep_ins()  argument
276     assert(ctxt->addr_size == 64 || !(dst_offset >> 32));  in fuzz_rep_ins()
278     return _fuzz_rep_read(ctxt, "rep_ins", reps);  in fuzz_rep_ins()
288     struct x86_emulate_ctxt *ctxt)  in fuzz_rep_movs()  argument
292     assert(ctxt->addr_size == 64 || !((src_offset | dst_offset) >> 32));  in fuzz_rep_movs()
294     return _fuzz_rep_read(ctxt, "rep_movs", reps);  in fuzz_rep_movs()
303     struct x86_emulate_ctxt *ctxt)  in fuzz_rep_outs()  argument
306     assert(ctxt->addr_size == 64 || !(src_offset >> 32));  in fuzz_rep_outs()
308     return _fuzz_rep_write(ctxt, "rep_outs", reps);  in fuzz_rep_outs()
317     struct x86_emulate_ctxt *ctxt)  in fuzz_rep_stos()  argument
324     assert(ctxt->addr_size == 64 || !(offset >> 32));  in fuzz_rep_stos()
326     return _fuzz_rep_write(ctxt, "rep_stos", reps);  in fuzz_rep_stos()
334     struct x86_emulate_ctxt *ctxt)  in fuzz_write()  argument
338     assert(ctxt->addr_size == 64 || !(offset >> 32));  in fuzz_write()
340     return maybe_fail(ctxt, "write", true);  in fuzz_write()
349     struct x86_emulate_ctxt *ctxt)  in fuzz_cmpxchg()  argument
356         assert(ctxt->addr_size == 64 || !(offset >> 32));  in fuzz_cmpxchg()
360     return maybe_fail(ctxt, "cmpxchg", true);  in fuzz_cmpxchg()
366     struct x86_emulate_ctxt *ctxt)  in fuzz_invlpg()  argument
370     assert(ctxt->addr_size == 64 || !(offset >> 32));  in fuzz_invlpg()
372     return maybe_fail(ctxt, "invlpg", false);  in fuzz_invlpg()
376     struct x86_emulate_ctxt *ctxt)  in fuzz_wbinvd()  argument
378     return maybe_fail(ctxt, "wbinvd", true);  in fuzz_wbinvd()
385     struct x86_emulate_ctxt *ctxt)  in fuzz_write_io()  argument
387     return maybe_fail(ctxt, "write_io", true);  in fuzz_write_io()
393     struct x86_emulate_ctxt *ctxt)  in fuzz_read_segment()  argument
395     const struct fuzz_state *s = ctxt->data;  in fuzz_read_segment()
408     struct x86_emulate_ctxt *ctxt)  in fuzz_write_segment()  argument
410     struct fuzz_state *s = ctxt->data;  in fuzz_write_segment()
416     rc = maybe_fail(ctxt, "write_segment", true);  in fuzz_write_segment()
427     struct x86_emulate_ctxt *ctxt)  in fuzz_read_cr()  argument
429     const struct fuzz_state *s = ctxt->data;  in fuzz_read_cr()
443     struct x86_emulate_ctxt *ctxt)  in fuzz_write_cr()  argument
445     struct fuzz_state *s = ctxt->data;  in fuzz_write_cr()
452     rc = maybe_fail(ctxt, "write_cr", true);  in fuzz_write_cr()
488     struct x86_emulate_ctxt *ctxt)  in fuzz_read_msr()  argument
490     const struct fuzz_state *s = ctxt->data;  in fuzz_read_msr()
503         return data_read(ctxt, x86_seg_none, "read_msr", val, sizeof(*val));  in fuzz_read_msr()
525     x86_emul_hw_exception(13, 0, ctxt);  in fuzz_read_msr()
532     struct x86_emulate_ctxt *ctxt)  in fuzz_write_msr()  argument
534     struct fuzz_state *s = ctxt->data;  in fuzz_write_msr()
539     rc = maybe_fail(ctxt, "write_msr", true);  in fuzz_write_msr()
559     x86_emul_hw_exception(13, 0, ctxt);  in fuzz_write_msr()
601 static void dump_state(struct x86_emulate_ctxt *ctxt)  in dump_state()  argument
603     struct fuzz_state *s = ctxt->data;  in dump_state()
605     struct cpu_user_regs *regs = ctxt->regs;  in dump_state()
609     printf("addr / sp size: %d / %d\n", ctxt->addr_size, ctxt->sp_size);  in dump_state()
616     fuzz_read_msr(MSR_EFER, &val, ctxt);  in dump_state()
620 static bool long_mode_active(struct x86_emulate_ctxt *ctxt)  in long_mode_active()  argument
624     if ( fuzz_read_msr(MSR_EFER, &val, ctxt) != X86EMUL_OKAY )  in long_mode_active()
630 static bool in_longmode(struct x86_emulate_ctxt *ctxt)  in in_longmode()  argument
632     const struct fuzz_state *s = ctxt->data;  in in_longmode()
635     return long_mode_active(ctxt) && c->segments[x86_seg_cs].l;  in in_longmode()
638 static void set_sizes(struct x86_emulate_ctxt *ctxt)  in set_sizes()  argument
640     struct fuzz_state *s = ctxt->data;  in set_sizes()
643     ctxt->lma = long_mode_active(ctxt);  in set_sizes()
645     if ( in_longmode(ctxt) )  in set_sizes()
646         ctxt->addr_size = ctxt->sp_size = 64;  in set_sizes()
649         ctxt->addr_size = c->segments[x86_seg_cs].db ? 32 : 16;  in set_sizes()
650         ctxt->sp_size   = c->segments[x86_seg_ss].db ? 32 : 16;  in set_sizes()
710 static void disable_hooks(struct x86_emulate_ctxt *ctxt)  in disable_hooks()  argument
712     struct fuzz_state *s = ctxt->data;  in disable_hooks()
761 static void sanitize_input(struct x86_emulate_ctxt *ctxt)  in sanitize_input()  argument
763     struct fuzz_state *s = ctxt->data;  in sanitize_input()
787     if ( long_mode_active(ctxt) )  in sanitize_input()
814     struct x86_emulate_ctxt ctxt = {  in LLVMFuzzerTestOneInput()  local
842     sanitize_input(&ctxt);  in LLVMFuzzerTestOneInput()
844     disable_hooks(&ctxt);  in LLVMFuzzerTestOneInput()
850         set_sizes(&ctxt);  in LLVMFuzzerTestOneInput()
851         dump_state(&ctxt);  in LLVMFuzzerTestOneInput()
853         rc = x86_emulate(&ctxt, &state.ops);  in LLVMFuzzerTestOneInput()

Last Index update Sun Aug 20 00:18:20 CST 2023