From e6a175800f1d9e20aeb7ed35ea2b3fc627049e8f Mon Sep 17 00:00:00 2001
From: Alexey Kardashevskiy
Date: Thu, 8 Jul 2021 19:19:18 +1000
Subject: pkg/ifuzz/powerpc: add some RTAS fuzzing

RunTime Abstraction Services (RTAS) is an API used by the Linux powerpc/pseries platform to talk to the hypervisor. Under KVM, this is implemented as a custom hypercall (which we have support for) and an in memory array of parameters. The hypercall is H_RTAS and its only parameter is a pointer to the mentioned array. The vast majority of RTAS calls are handled normally by QEMU and only a handful by KVM. This adds fuzzing of 4 RTAS calls. This uses a chunk from main 256MB RAM for parameters. The parameters are big endian hence "<<24" for the token. To allow more targeted fuzzing, use iset.GenerateInt().

Signed-off-by: Alexey Kardashevskiy
---
 executor/common_kvm_ppc64.h | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'executor/common_kvm_ppc64.h')

diff --git a/executor/common_kvm_ppc64.h b/executor/common_kvm_ppc64.h
index a000cb3b5..287d7a7b3 100644
--- a/executor/common_kvm_ppc64.h
+++ b/executor/common_kvm_ppc64.h
@@ -90,6 +90,16 @@ struct kvm_text {
 uintptr_t size;
 };
 
+static int kvmppc_define_rtas_kernel_token(int vmfd, unsigned token, const char* func)
+{
+ struct kvm_rtas_token_args args;
+
+ args.token = token;
+ strncpy(args.name, func, sizeof(args.name) - 1);
+
+ return ioctl(vmfd, KVM_PPC_RTAS_DEFINE_TOKEN, &args);
+}
+
 static int kvmppc_get_one_reg(int cpufd, uint64 id, void* target)
 {
 struct kvm_one_reg reg = {.id = id, .addr = (uintptr_t)target};
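Review bot: In kvmppc_define_rtas_kernel_token, `args` is declared without an initializer and `strncpy` with `sizeof(args.name) - 1` never writes the last byte of `args.name`, so the name handed to KVM_PPC_RTAS_DEFINE_TOKEN is only NUL-terminated when `func` happens to be shorter than the buffer, and the remaining bytes of the struct are uninitialized stack. Initialise the struct before filling it, `struct kvm_rtas_token_args args = {0};`, which with the existing strncpy bound guarantees a terminator whatever the length of `func`. The kernel side may well terminate the name itself, but the executor should not pass uninitialized memory across the ioctl boundary. The return value is discarded by all four callers in the second hunk; that matches the other unchecked ioctl calls in syz_kvm_setup_cpu, so a one-line comment on the function such as `// Best-effort: callers ignore the result, matching the other setup ioctls.` would make the intent explicit.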
@@ -373,6 +383,13 @@ static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long
 ioctl(vmfd, KVM_ENABLE_CAP, &cap);
 }
 
+ // Only a few of many RTAS calls are actually in the KVM and the rest
+ // are handled in QEMU, enable the KVM handling for those 4 here.
+ kvmppc_define_rtas_kernel_token(vmfd, 1, "ibm,set-xive");
+ kvmppc_define_rtas_kernel_token(vmfd, 2, "ibm,get-xive");
+ kvmppc_define_rtas_kernel_token(vmfd, 3, "ibm,int-on");
+ kvmppc_define_rtas_kernel_token(vmfd, 4, "ibm,int-off");
+
 dump_text(host_mem, regs.pc, 8, debug_inst_opcode);
 dump_text(host_mem, BOOK3S_INTERRUPT_DECREMENTER, 16, debug_inst_opcode);
-- 
cgit mrf-deployment
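Review bot: The token values 1 to 4 in the four kvmppc_define_rtas_kernel_token calls are bare magic numbers that the guest-side generator in pkg/ifuzz/powerpc must reproduce exactly (the commit message describes shifting the token by 24 for big-endian), yet nothing in this hunk records that coupling. Name them, for example `enum { RTAS_TOKEN_SET_XIVE = 1, RTAS_TOKEN_GET_XIVE, RTAS_TOKEN_INT_ON, RTAS_TOKEN_INT_OFF };` used in the calls, or at minimum extend the new comment with `// Token numbers must match the RTAS table in pkg/ifuzz/powerpc.` The comment's "handled in QEMU" also reads oddly inside the executor, which drives the guest itself without QEMU; presumably calls without a defined token just exit to userspace as ordinary hypercalls here, and the comment should say what happens to them in this setup rather than refer to QEMU. The enclosing syz_kvm_setup_cpu begins and ends outside the hunk.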