From 2fb4dcc9c10e100beedbbc223c2a9762bc45403e Mon Sep 17 00:00:00 2001
From: Alexander Potapenko
Date: Tue, 23 Jul 2024 14:17:26 +0200
Subject: executor: arm64: sys/linux: introduce syzos API

Allow guest payload to call syzos API functions. The available calls are enumerated by SYZOS_API_* constants, and have a form of:

struct api_call { uint64 call; uint64 struct_size; /* arbitrary call-related data here */ };

Complex instruction sequences are too easy to break, so most of the time fuzzer won't be able to efficiently mutate them. We replace kvm_text_arm64 with a sequence of `struct api_call`, making it possible to intermix assembly instructions (SYZOS_API_CODE) with higher-level constructs.

Right now the supported calls are:
- SYZOS_API_UEXIT - abort from KVM_RUN (1 argument: exit code, uint64)
- SYZOS_API_CODE - execute an ARM64 assembly blob (1 argument: inline array of int32's)
---
 sys/linux/dev_kvm.txt | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
(limited to 'sys')

diff --git a/sys/linux/dev_kvm.txt b/sys/linux/dev_kvm.txt
index bcc4edec8..98554e303 100644
--- a/sys/linux/dev_kvm.txt
+++ b/sys/linux/dev_kvm.txt
@@ -232,12 +232,32 @@ kvm_text_x86_64 {
 size len[text, intptr]
 }
 
+# Unlike on other architectures, ARM64 text is a sequence of commands, each starting with
+# the call number and the command length.
 kvm_text_arm64 {
 typ const[0, intptr]
- text ptr[in, text[arm64]]
- size len[text, intptr]
+ text ptr[in, array[syzos_api_call, 1:32]]
+ size bytesize[text, int64]
+}
+
+syzos_api_uexit {
+ call const[0, int64]
+ size bytesize[parent, int64]
+ exit_code intptr
 }
 
+syzos_api_code {
+ call const[1, int64]
+ size bytesize[parent, int64]
+ insns text[arm64]
+ ret const[0xd65f03c0, int32]
+} [packed]
+
+syzos_api_call [
+ uexit syzos_api_uexit
+ code syzos_api_code
+] [varlen]
+
 kvm_text_ppc64 {
 typ const[0, intptr]
 text ptr[in, text[ppc64]]
-- 
cgit mrf-deployment
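Review bot: `exit_code intptr` in the new `syzos_api_uexit` does not match the `uint64` the commit message advertises for the SYZOS_API_UEXIT argument, nor the `int64` used for `call` and `size` in the same struct; on arm64 the widths coincide, but `exit_code int64` would make the wire layout explicit and independent of the target's pointer size. The call numbers `const[0, int64]` / `const[1, int64]` and the trailing `ret const[0xd65f03c0, int32]` (the ARM64 `RET` encoding) are left undocumented in the description file; comments such as `# SYZOS_API_UEXIT (call 0): abort KVM_RUN with exit_code` and `# SYZOS_API_CODE (call 1): raw ARM64 blob; the fixed RET presumably hands control back to the syzos dispatcher — confirm against the executor` would help the next maintainer. `syzos_api_uexit` is not `[packed]` while `syzos_api_code` is, so the two layouts follow different alignment rules; all of uexit's fields are 8 bytes wide today so no padding is expected, but adding a narrower field later would silently change what `size` covers relative to the guest-side `struct api_call`. The guest parser that walks the `size` fields is not part of this hunk, so whether `size` is bounded against the remaining `text` buffer (the only thing standing between a malformed command stream and an out-of-bounds read in the guest) cannot be reviewed here.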