| -rw-r--r-- | executor/common_kvm_amd64_syzos.h | 45 | ||||
| -rw-r--r-- | sys/linux/dev_kvm_amd64.txt | 7 |
2 files changed, 52 insertions, 0 deletions
diff --git a/executor/common_kvm_amd64_syzos.h b/executor/common_kvm_amd64_syzos.h
index 655e83ce3..0e777872d 100644
--- a/executor/common_kvm_amd64_syzos.h
+++ b/executor/common_kvm_amd64_syzos.h
@@ -19,6 +19,7 @@ typedef enum {
 SYZOS_API_WRMSR = 30,
 SYZOS_API_RDMSR = 50,
 SYZOS_API_WR_CRN = 70,
+ SYZOS_API_WR_DRN = 110,
 SYZOS_API_STOP, // Must be the last one
 } syzos_api_id;
@@ -59,6 +60,7 @@ static void guest_handle_cpuid(uint32 eax, uint32 ecx);
 static void guest_handle_wrmsr(uint64 reg, uint64 val);
 static void guest_handle_rdmsr(uint64 reg);
 static void guest_handle_wr_crn(struct api_call_2* cmd);
+static void guest_handle_wr_drn(struct api_call_2* cmd);
 typedef enum {
 UEXIT_END = (uint64)-1,
@@ -110,6 +112,10 @@ guest_main(uint64 size, uint64 cpu)
 guest_handle_wr_crn((struct api_call_2*)cmd);
 break;
 }
+ case SYZOS_API_WR_DRN: {
+ guest_handle_wr_drn((struct api_call_2*)cmd);
+ break;
+ }
 }
 addr += cmd->size;
 size -= cmd->size;
@@ -203,3 +209,42 @@ GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd)
 return;
 }
 }
+
+// Write to DRn debug register.
+GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd)
+{
+ uint64 value = cmd->args[1];
+ volatile uint64 reg = cmd->args[0];
+ if (reg == 0) {
+ asm volatile("movq %0, %%dr0" ::"r"(value) : "memory");
+ return;
+ }
+ if (reg == 1) {
+ asm volatile("movq %0, %%dr1" ::"r"(value) : "memory");
+ return;
+ }
+ if (reg == 2) {
+ asm volatile("movq %0, %%dr2" ::"r"(value) : "memory");
+ return;
+ }
+ if (reg == 3) {
+ asm volatile("movq %0, %%dr3" ::"r"(value) : "memory");
+ return;
+ }
+ if (reg == 4) {
+ asm volatile("movq %0, %%dr4" ::"r"(value) : "memory");
+ return;
+ }
+ if (reg == 5) {
+ asm volatile("movq %0, %%dr5" ::"r"(value) : "memory");
+ return;
+ }
+ if (reg == 6) {
+ asm volatile("movq %0, %%dr6" ::"r"(value) : "memory");
+ return;
+ }
+ if (reg == 7) {
+ asm volatile("movq %0, %%dr7" ::"r"(value) : "memory");
+ return;
+ }
+}
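Review bot: `volatile uint64 reg = cmd->args[0];` in guest_handle_wr_drn has no comment explaining why the register index is volatile while `value` on the line above is not; presumably it keeps the compiler from collapsing the eight compares into a jump table that GUEST_CODE may not be able to use, but that reason should be written down, e.g. `// volatile: keep the register select as plain compares — confirm why this is needed`. The header comment `// Write to DRn debug register.` could also carry the caveat that the descriptions file already states: depending on CR4.DE, writes to DR4/DR5 either alias DR6/DR7 or raise #UD, so a guest fault from this handler on those indices is expected behaviour rather than a bug. Indices outside 0..7 fall through every compare and return silently, and the only thing keeping them in range is the `int64[0:7]` bound on the syzlang side, so a one-line comment such as `// Out-of-range indices are deliberately ignored; arg_reg is bounded in dev_kvm_amd64.txt.` would document the contract. guest_handle_wr_crn, whose tail forms the context of this hunk, begins outside it.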
diff --git a/sys/linux/dev_kvm_amd64.txt b/sys/linux/dev_kvm_amd64.txt
index 541fcaa02..351f55827 100644
--- a/sys/linux/dev_kvm_amd64.txt
+++ b/sys/linux/dev_kvm_amd64.txt
@@ -69,6 +69,12 @@ syzos_api_wr_crn {
 arg_value int64
 }
+# Depending on CR4.DE, registers DR4 and DR5 either alias DR6 and DR7, or generate an #UD.
+syzos_api_wr_drn {
+ arg_reg int64[0:7]
+ arg_value int64
+}
+
 syzos_api_call$x86 [
 uexit syzos_api$x86[0, intptr]
 code syzos_api$x86[10, syzos_api_code$x86]
@@ -76,6 +82,7 @@ syzos_api_call$x86 [
 wrmsr syzos_api$x86[30, syzos_api_wrmsr]
 rdmsr syzos_api$x86[50, syzos_api_rdmsr]
 wr_crn syzos_api$x86[70, syzos_api_wr_crn]
+ wr_drn syzos_api$x86[110, syzos_api_wr_drn]
 ] [varlen]
 kvm_text_x86 [ |
