// Copyright 2025 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
// This file provides guest code running inside the AMD64 KVM.
#include "kvm.h"
#include <linux/kvm.h>
#include <stdbool.h>
// Host will map the code in this section into the guest address space.
#define GUEST_CODE __attribute__((section("guest")))
// Prevent function inlining. This attribute is applied to every guest_handle_* function,
// making sure they remain small so that the compiler does not attempt to be too clever
// (e.g. generate switch tables).
#define noinline __attribute__((noinline))
// Start/end of the guest section.
extern char *__start_guest, *__stop_guest;
// Compilers will eagerly try to transform the switch statement in guest_main()
// into a jump table, unless the cases are sparse enough.
// We use sparse values (multiples of 10 with uneven gaps) to prevent this behavior.
// Remember these constants must match those in sys/linux/dev_kvm_amd64.txt.
// Command identifiers understood by guest_main(). Each value is the `call` field of a
// struct api_call_header at the start of a command in the per-cpu command stream.
typedef enum {
	SYZOS_API_UEXIT = 0, // struct api_call_uexit: trigger a userspace exit with exit_code.
	SYZOS_API_CODE = 10, // struct api_call_code: execute raw instruction bytes.
	SYZOS_API_CPUID = 20, // struct api_call_cpuid: execute cpuid(eax, ecx).
	SYZOS_API_WRMSR = 30, // struct api_call_2: wrmsr(args[0] = msr, args[1] = value).
	SYZOS_API_RDMSR = 50, // struct api_call_1: rdmsr(arg = msr).
	// Implicitly SYZOS_API_RDMSR + 1 (51). guest_main() stops at any call >= this value,
	// so it acts as an upper bound rather than a dispatchable command.
	SYZOS_API_STOP, // Must be the last one
} syzos_api_id;
// Common prefix of every command in the guest command stream.
struct api_call_header {
	uint64 call; // A syzos_api_id value selecting the handler.
	// Total byte length of this command, header included: guest_main() advances
	// addr/size by exactly this amount after dispatching the command.
	uint64 size;
};
// SYZOS_API_UEXIT: ask the host to handle a userspace exit.
struct api_call_uexit {
	struct api_call_header header;
	uint64 exit_code; // Stored to X86_ADDR_UEXIT by guest_uexit(); may be a uexit_code value.
};
// SYZOS_API_CODE: raw machine code to run inside the guest. The instruction bytes extend
// from insns to the end of the command, i.e. header.size - sizeof(header) bytes (see guest_main).
struct api_call_code {
	struct api_call_header header;
	uint8 insns[]; // Flexible array member; its length is implied by header.size.
};
// SYZOS_API_CPUID: execute cpuid with the given leaf and subleaf.
struct api_call_cpuid {
	struct api_call_header header;
	uint32 eax; // cpuid leaf.
	uint32 ecx; // cpuid subleaf.
};
// Generic one-argument command; used for SYZOS_API_RDMSR (arg = MSR index).
struct api_call_1 {
	struct api_call_header header;
	uint64 arg;
};
// Generic two-argument command; used for SYZOS_API_WRMSR (args[0] = MSR index, args[1] = value).
struct api_call_2 {
	struct api_call_header header;
	uint64 args[2];
};
static void guest_uexit(uint64 exit_code);
static void guest_execute_code(uint8* insns, uint64 size);
static void guest_handle_cpuid(uint32 eax, uint32 ecx);
static void guest_handle_wrmsr(uint64 reg, uint64 val);
static void guest_handle_rdmsr(uint64 reg);
// Well-known exit codes passed to guest_uexit(). They sit at the top of the uint64 range so
// they cannot collide with small fuzzer-chosen exit codes.
// NOTE(review): enumerator values outside the range of int are a compiler extension, not ISO C;
// this is fine for the GCC/Clang toolchains the executor is built with but is not portable.
typedef enum {
	UEXIT_END = (uint64)-1, // Command stream fully consumed; guest_main() emits this last.
	UEXIT_IRQ = (uint64)-2,
	UEXIT_ASSERT = (uint64)-3,
} uexit_code;
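// Main guest function: walks the command stream the host placed at X86_ADDR_USER_CODE for this
// cpu, dispatches each command to its guest_* handler, and finally signals UEXIT_END.
//
// size: total number of bytes in the command stream.
// cpu:  index of this vCPU; each vCPU gets its own KVM_PAGE_SIZE-sized command page.
//
// The stream is a sequence of commands, each prefixed by struct api_call_header whose `size`
// field is the full byte length of the command, header included. Walking stops (by returning,
// without a uexit) at the first command whose id is out of range or whose size is inconsistent
// with the bytes remaining.
__attribute__((used))
GUEST_CODE static void
guest_main(uint64 size, uint64 cpu)
{
	uint64 addr = X86_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;
	while (size >= sizeof(struct api_call_header)) {
		struct api_call_header* cmd = (struct api_call_header*)addr;
		if (cmd->call >= SYZOS_API_STOP)
			return;
		// A command can never be shorter than its own header. Without the lower bound a
		// header with size == 0 leaves addr and size untouched and spins forever on the
		// same command; the upper bound keeps the walk inside the stream.
		if (cmd->size < sizeof(struct api_call_header) || cmd->size > size)
			return;
		switch (cmd->call) {
		case SYZOS_API_UEXIT: {
			// Each fixed-layout case checks that the command is long enough for the
			// struct it is about to read, so a truncated command cannot be read past
			// its declared end.
			if (cmd->size < sizeof(struct api_call_uexit))
				return;
			struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
			guest_uexit(ucmd->exit_code);
			break;
		}
		case SYZOS_API_CODE: {
			struct api_call_code* ccmd = (struct api_call_code*)cmd;
			// The instruction bytes are everything after the header. Note that
			// guest_execute_code() cannot bound execution to this length; a payload
			// that does not return simply keeps running.
			guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
			break;
		}
		case SYZOS_API_CPUID: {
			if (cmd->size < sizeof(struct api_call_cpuid))
				return;
			struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
			guest_handle_cpuid(ccmd->eax, ccmd->ecx);
			break;
		}
		case SYZOS_API_WRMSR: {
			if (cmd->size < sizeof(struct api_call_2))
				return;
			struct api_call_2* ccmd = (struct api_call_2*)cmd;
			guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]);
			break;
		}
		case SYZOS_API_RDMSR: {
			if (cmd->size < sizeof(struct api_call_1))
				return;
			struct api_call_1* ccmd = (struct api_call_1*)cmd;
			guest_handle_rdmsr(ccmd->arg);
			break;
		}
		default:
			// In-range but unassigned call id: skip the command and keep walking.
			break;
		}
		addr += cmd->size;
		size -= cmd->size;
	}
	// (uint64)-1 is UEXIT_END: tell the host the whole stream has been consumed.
	guest_uexit((uint64)-1);
}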
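// Jump to the fuzzer-supplied instruction bytes at insns.
//
// insns: start of the machine code to run (the insns[] payload of a SYZOS_API_CODE command).
// size:  byte length of that payload. It is not, and cannot be, enforced here: the CPU runs
//        whatever follows the buffer if the payload runs off its end, and control only comes
//        back to the caller if the payload itself returns.
GUEST_CODE static noinline void guest_execute_code(uint8* insns, uint64 size)
{
	// The volatile qualifier belongs on the pointer variable, not on the function's (void)
	// return type where compilers silently ignore it; on the variable it forces an indirect
	// call through a real load rather than letting the optimizer fold or tail-merge it.
	void (*volatile fn)(void) = (void (*)(void))insns;
	(void)size; // Kept for interface symmetry with guest_main(); see note above.
	fn();
}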
// Perform a userspace exit that can be handled by the host.
// The host returns from ioctl(KVM_RUN) with kvm_run.exit_reason=KVM_EXIT_MMIO,
// and can handle the call depending on the data passed as exit code.
//
// exit_code: value delivered to the host; UEXIT_END/UEXIT_IRQ/UEXIT_ASSERT are the
//            reserved ones, anything else is fuzzer-chosen.
GUEST_CODE static noinline void guest_uexit(uint64 exit_code)
{
	// The store itself is the exit: X86_ADDR_UEXIT is (per the comment above) an address
	// that traps to the host as an MMIO write. volatile keeps the compiler from dropping
	// a store whose value is never read back.
	*(volatile uint64*)X86_ADDR_UEXIT = exit_code;
}
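// Execute cpuid for the given leaf (eax) and subleaf (ecx). All results are discarded.
GUEST_CODE static noinline void guest_handle_cpuid(uint32 eax, uint32 ecx)
{
	// cpuid overwrites eax, ebx, ecx and edx. eax and ecx must therefore be read-write
	// operands ("+"): declaring them as inputs only tells the compiler they survive the
	// instruction unchanged, which is false and can miscompile any later use of those
	// registers. rbx/rdx carry no inputs and are listed as clobbers.
	asm volatile(
	    "cpuid\n"
	    : "+a"(eax), "+c"(ecx) // Outputs are currently ignored.
	    :
	    : "rbx", "rdx");
}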
// Write val into an MSR register reg.
//
// reg: MSR index; only the low 32 bits are consumed by the instruction (it reads ecx).
// val: 64-bit value to store, split into edx:eax as wrmsr expects.
// wrmsr is privileged; what the CPU/hypervisor does with an invalid index or value is
// precisely what the fuzzer is probing, so nothing is validated here.
GUEST_CODE static noinline void guest_handle_wrmsr(uint64 reg, uint64 val)
{
	uint32 lo = (uint32)val;
	uint32 hi = (uint32)(val >> 32);
	asm volatile("wrmsr"
		     : /* no outputs */
		     : "c"(reg), "a"(lo), "d"(hi)
		     : "memory"); // Writing an MSR may change memory-visible CPU state.
}
// Read an MSR register, ignore the result.
//
// reg: MSR index; only the low 32 bits are consumed by the instruction (it reads ecx).
// rdmsr returns the value as edx:eax; both halves are captured so the asm's outputs are
// well-defined, then deliberately dropped — the MSR access itself is the point.
GUEST_CODE static noinline void guest_handle_rdmsr(uint64 reg)
{
	uint32 lo = 0;
	uint32 hi = 0;
	asm volatile("rdmsr"
		     : "=a"(lo), "=d"(hi)
		     : "c"(reg)
		     : /* no clobbers: rdmsr touches only eax/edx */);
	(void)lo;
	(void)hi;
}