* [Question] fuzz: double-fetches in a memory region map session
@ 2021-08-13  3:49 Li Qiuhao
  2021-08-13 10:50 ` Alexander Bulekov
  0 siblings, 1 reply; 3+ messages in thread
From: Li Qiuhao @ 2021-08-13  3:49 UTC (permalink / raw)
  To: QEMU Developers; +Cc: Alexander Bulekov

Hi Alex,

Recently I was reading the DMA call-back functions in the fuzzer. It seems
fuzz_dma_read_cb() is inserted into flatview_read_continue() and
address_space_map() to make the host read changed content between different
DMA actions.

My question is about address_space_map() -- How do we emulate double-fetch
bugs in the same map/unmap session? For example:


  FOO *guest_foo = (FOO *) address_space_map(as, ...);
  
  uint64_t size = guest_foo->size;    // first fetch
  if (size > limit)
    goto error;
  
  /* time window */
  
  memcpy(dest, src, guest_foo->size); // double-fetch ?
  
  error:
  address_space_unmap(as, guest_foo, ...);


Thanks,
  Qiuhao Li


* Re: [Question] fuzz: double-fetches in a memory region map session
From: Alexander Bulekov @ 2021-08-13 10:50 UTC (permalink / raw)
  To: Li Qiuhao; +Cc: Darren Kenny, Bandan Das, QEMU Developers, Stefan Hajnoczi

On 210813 0349, Li Qiuhao wrote:
> Hi Alex,
> 
> Recently I was reading the DMA call-back functions in the fuzzer. It seems
> fuzz_dma_read_cb() is inserted into flatview_read_continue() and
> address_space_map() to make the host read changed content between different
> DMA actions.
> 
> My question is about address_space_map() -- How do we emulate double-fetch
> bugs in the same map/unmap session? For example:
> 

Hi Qiuhao,
Right now we don't. One strategy would be to use mprotect. When the code
fetches data the first time, we get a SEGV, where we unprotect the page,
write a pattern, and enable single-stepping. Then, after the
single-step, re-protect the page, and disable single-step.

On OSS-Fuzz, we disabled double-fetch detection, for now, as we did not
want reproducers for normal bugs to inadvertently contain
double-fetches. To make the double-fetch detection useful for
developers, we probably need to limit the double fetch capability to
only fill the DMA regions twice, rather than 10 or 20 times. Then, in
the report, we could give the call-stacks (from the SEGV handler, or
dma_read hook) of the exact locations in the code that read from the
same address twice.

Thanks for your interest in this!
-Alex

> 
>   FOO *guest_foo = (FOO *) address_space_map(as, ...);

// mprotect in address_space_map hook

// SEGV on the read. Un-mprotect, fill with pattern
>   uint64_t size = guest_foo->size;    // first fetch

// Single Step. Re-mprotect (or you could just immediately fill with a
// new pattern)

>   if size > limit
>     goto error;
>   
>   /* time window */
>   

// SEGV
>   memcpy(dest, src, guest_foo->size); // double-fetch ?
>   
>   error:
>   address_space_unmap(as, guest_foo, ...)
> 
> 
> Thanks,
>   Qiuhao Li


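A user-space model of the dma_read-hook half of the plan above, added here as an illustration; it is not QEMU code and not Alexander's or Qiuhao's. It models the hooked-read path (every guest read goes through a fuzz_dma_read_cb-style callback) rather than the mprotect/single-step trick, which needs an architecture-specific SIGSEGV/SIGTRAP handler. Assumptions: guest memory is a flat byte array, a string tag stands in for the call-stack a real report would capture, the fill patterns are a constructed fixed sequence (0x00, then 0xff), refills are capped at two per map/unmap session as proposed, and the "memcpy" of the buggy handler is replaced by a length check that reports the divergence instead of overflowing.

```c
/* Added example (not QEMU code): user-space model of a dma_read-hook
 * double-fetch detector. Flat guest memory, string call-site tags and a
 * fixed fill-pattern sequence are all constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM_SIZE 256
#define MAX_READS      32
#define MAX_FILLS      2     /* refill at most twice per session, as proposed */
#define PAYLOAD_LIMIT  64    /* what the modelled device accepts */

typedef struct {
    uint64_t addr, len;
    const char *callsite;    /* stands in for the call-stack of the read */
} dma_read_rec;

typedef struct {
    uint8_t mem[GUEST_MEM_SIZE];
    dma_read_rec reads[MAX_READS];
    int nreads, fills, double_fetches;
} dma_session;

static const uint8_t fill_patterns[MAX_FILLS] = { 0x00, 0xff }; /* constructed */

/* address_space_map(): start a session; every read until unmap is tracked. */
static void session_map(dma_session *s)
{
    memset(s, 0, sizeof *s);
}

static int ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Model of fuzz_dma_read_cb(): (1) refill the range with a fresh pattern,
 * capped at MAX_FILLS per session, (2) flag a read that overlaps an earlier
 * read of the same session and report both call sites, (3) copy out. */
static int dma_read(dma_session *s, uint64_t addr, uint64_t len, void *dst,
                    const char *callsite)
{
    if (addr > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - addr || s->nreads == MAX_READS)
        return -1;
    if (s->fills < MAX_FILLS)
        memset(s->mem + addr, fill_patterns[s->fills++], len);
    for (int i = 0; i < s->nreads; i++) {
        const dma_read_rec *prev = &s->reads[i];
        if (ranges_overlap(prev->addr, prev->len, addr, len)) {
            s->double_fetches++;
            fprintf(stderr, "double fetch of [0x%llx,+%llu): first at \"%s\", again at \"%s\"\n",
                    (unsigned long long)addr, (unsigned long long)len,
                    prev->callsite, callsite);
            break;               /* one report per read is enough for a reproducer */
        }
    }
    s->reads[s->nreads++] = (dma_read_rec){ addr, len, callsite };
    memcpy(dst, s->mem + addr, len);
    return 0;
}

/* Guest request layout from the question, at offset 0: { uint64_t size; payload } */
#define HDR_SIZE_OFF    0
#define HDR_PAYLOAD_OFF 8

/* Modelled device handler. 0 = handled, -1 = rejected by the size check,
 * -2 = the length re-fetched for the copy no longer matches the checked one
 * (the double fetch biting; reported here instead of overflowing dest). */
static int handle_request(dma_session *s, int buggy)
{
    uint8_t dest[PAYLOAD_LIMIT];
    uint64_t size, copy_len;

    dma_read(s, HDR_SIZE_OFF, sizeof size, &size, "size check");          /* first fetch */
    if (size > PAYLOAD_LIMIT)
        return -1;
    if (buggy)
        dma_read(s, HDR_SIZE_OFF, sizeof copy_len, &copy_len, "copy length"); /* second fetch */
    else
        copy_len = size;                        /* fixed: reuse the validated value */
    if (copy_len > sizeof dest)
        return -2;
    return dma_read(s, HDR_PAYLOAD_OFF, copy_len, dest, "payload copy");
}

/* One map/unmap session against the handler; returns the number of double
 * fetches the hook recorded and passes the handler's result back. */
static int run_demo(int buggy, int *handler_rc)
{
    dma_session s;
    session_map(&s);
    int rc = handle_request(&s, buggy);
    if (handler_rc)
        *handler_rc = rc;
    return s.double_fetches;   /* address_space_unmap() would reset the session */
}

int main(void)
{
    int rc, n;
    n = run_demo(1, &rc);
    printf("buggy handler: %d double fetch(es), rc=%d\n", n, rc);
    n = run_demo(0, &rc);
    printf("fixed handler: %d double fetch(es), rc=%d\n", n, rc);
    return 0;
}
```

With the constructed patterns the size check sees 0 and the buggy copy path re-fetches 0xffffffffffffffff, which is the divergence a reproducer would need to show; the fixed handler reuses the validated value and records no overlapping reads. Because the refill is capped at two per session, a reproducer stays minimal while the per-read call-site tags give the two locations a developer has to compare.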

* Re: [Question] fuzz: double-fetches in a memory region map session
From: Qiuhao Li @ 2021-08-14  2:57 UTC (permalink / raw)
  To: Alexander Bulekov
  Cc: Darren Kenny, Bandan Das, QEMU Developers, Stefan Hajnoczi

On Fri, 2021-08-13 at 06:50 -0400, Alexander Bulekov wrote:
> > 
> > My question is about address_space_map() -- How do we emulate double-fetch
> > bugs in the same map/unmap session? For example:
> > 
> 
> Hi Qiuhao,
> Right now we don't. One strategy would be to use mprotect. When the code
> fetches data the first time, we get a SEGV, where we unprotect the page,
> write a pattern, and enable single-stepping. Then, after the
> single-step, re-protect the page, and disable single-step.
> 

Brilliant! I can always get a lot of inspiration from you :)

> On OSS-Fuzz, we disabled double-fetch detection, for now, as we did not
> want reproducers for normal-bugs to inadvertently contain
> double-fetches. To make the double-fetch detection useful for
> developers, we probably need to limit the double fetch capability to
> only fill the DMA regions twice, rather than 10 or 20 times. Then, in
> the report, we could give the call-stacks (from the SEGV handler, or
> dma_read hook) of the exact locations in the code that read from the
> same address twice.

Got it, this is indeed the most practical solution. I will try to
detect double-fetch bugs via pattern-based analysis [1]. But it may be
hard to write PoCs to convince and help developers fix bugs, and we
can't identify those bugs caused by the compiler [2] or preprocessor.

[1] https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-pengfei

[2] https://www.voidsecurity.in/2018/08/from-compiler-optimization-to-code.html

Thanks,
  Qiuhao Li
