blob: a5a7a1a0c4659a9abd6f60f32384e31e737aede5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
// Copyright 2024 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
// This file provides guest code running inside the ARM64 KVM.
#include "kvm.h"
// Host will map the code in this section into the guest address space.
#define GUEST_CODE __attribute__((section("guest")))
// Start/end of the guest section.
extern char *__start_guest, *__stop_guest;
typedef enum {
SYZOS_API_UEXIT,
SYZOS_API_CODE,
SYZOS_API_STOP, // Must be the last one
} syzos_api_id;
struct api_call_header {
uint64 call;
uint64 size;
};
struct api_call_uexit {
struct api_call_header header;
uint64 exit_code;
};
struct api_call_code {
struct api_call_header header;
uint32 insns[];
};
static void guest_uexit(uint64 exit_code);
static void guest_execute_code(uint32* insns, uint64 size);
// Main guest function that performs necessary setup and passes the control to the user-provided
// payload.
GUEST_CODE static void guest_main(uint64 size)
{
uint64 addr = ARM64_ADDR_USER_CODE;
while (size >= sizeof(struct api_call_header)) {
struct api_call_header* cmd = (struct api_call_header*)addr;
if (cmd->call >= SYZOS_API_STOP)
return;
if (cmd->size > size)
return;
switch (cmd->call) {
case SYZOS_API_UEXIT: {
struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
guest_uexit(ucmd->exit_code);
break;
}
case SYZOS_API_CODE: {
struct api_call_code* ccmd = (struct api_call_code*)cmd;
guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header));
break;
}
}
addr += cmd->size;
size -= cmd->size;
};
guest_uexit((uint64)-1);
}
GUEST_CODE static void guest_execute_code(uint32* insns, uint64 size)
{
volatile void (*fn)() = (volatile void (*)())insns;
fn();
}
// Perform a userspace exit that can be handled by the host.
// The host returns from ioctl(KVM_RUN) with kvm_run.exit_reason=KVM_EXIT_MMIO,
// and can handle the call depending on the data passed as exit code.
GUEST_CODE static void guest_uexit(uint64 exit_code)
{
volatile uint64* ptr = (volatile uint64*)ARM64_ADDR_UEXIT;
*ptr = exit_code;
}
|
