[PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Sam Caccavale]

As of now, the x86_instruction_emulator will execute opcodes
belonging to CPU extensions that the host may not have.
Specifying --ignore-sigill when running afl-harness will ignore
all SIG_ILL including those generated by the above issue.
---
 .../fuzz/x86_instruction_emulator/afl-harness.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c b/tools/fuzz/x86_instruction_emulator/afl-harness.c
--- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
@@ -1,4 +1,5 @@
 #include <assert.h>
+#include <signal.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -8,11 +9,17 @@
 
 static uint8_t input[INPUT_SIZE];
 
+void SIGILL_handler(int signo) {
+    printf("Exiting due to executing an unsupported opcdode.\n");
+    exit(0);
+}
+
 int main(int argc, char **argv)
 {
     size_t size;
     FILE *fp = NULL;
     int max, count;
+    struct sigaction sa, osa;
 
     setbuf(stdin, NULL);
     setbuf(stdout, NULL);
@@ -20,9 +27,11 @@ int main(int argc, char **argv)
     while ( 1 )
     {
         enum {
+            IGNORE_SIGILL,
             OPT_MIN_SIZE,
         };
         static const struct option lopts[] = {
+            { "ignore-sigill", no_argument, NULL, IGNORE_SIGILL },
             { "min-input-size", no_argument, NULL, OPT_MIN_SIZE },
             { 0, 0, 0, 0 }
         };
@@ -33,13 +42,19 @@ int main(int argc, char **argv)
 
         switch ( c )
         {
+        case IGNORE_SIGILL:
+            sa.sa_flags = 0;
+            sa.sa_handler = SIGILL_handler;
+            sigaction(SIGILL, &sa, &osa);
+            break;
+
         case OPT_MIN_SIZE:
             printf("%u\n", fuzz_minimal_input_size());
             exit(0);
             break;
 
         case '?':
-            printf("Usage: %s $FILE [$FILE...] | [--min-input-size]\n", argv[0]);
+            printf("Usage: %s $FILE [$FILE...] [--ignore-sigill] | [--min-input-size]\n", argv[0]);
             exit(-1);
             break;
 
-- 
2.17.1




Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrer: Christian Schlaeger, Ralf Herbrich
Ust-ID: DE 289 237 879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[Xen-devel] [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Sam Caccavale]

As of now, the x86_instruction_emulator will execute opcodes
belonging to CPU extensions that the host may not have.
Specifying --ignore-sigill when running afl-harness will ignore
all SIG_ILL including those generated by the above issue.
---
 .../fuzz/x86_instruction_emulator/afl-harness.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c b/tools/fuzz/x86_instruction_emulator/afl-harness.c
--- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
@@ -1,4 +1,5 @@
 #include <assert.h>
+#include <signal.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -8,11 +9,17 @@
 
 static uint8_t input[INPUT_SIZE];
 
+void SIGILL_handler(int signo) {
+    printf("Exiting due to executing an unsupported opcdode.\n");
+    exit(0);
+}
+
 int main(int argc, char **argv)
 {
     size_t size;
     FILE *fp = NULL;
     int max, count;
+    struct sigaction sa, osa;
 
     setbuf(stdin, NULL);
     setbuf(stdout, NULL);
@@ -20,9 +27,11 @@ int main(int argc, char **argv)
     while ( 1 )
     {
         enum {
+            IGNORE_SIGILL,
             OPT_MIN_SIZE,
         };
         static const struct option lopts[] = {
+            { "ignore-sigill", no_argument, NULL, IGNORE_SIGILL },
             { "min-input-size", no_argument, NULL, OPT_MIN_SIZE },
             { 0, 0, 0, 0 }
         };
@@ -33,13 +42,19 @@ int main(int argc, char **argv)
 
         switch ( c )
         {
+        case IGNORE_SIGILL:
+            sa.sa_flags = 0;
+            sa.sa_handler = SIGILL_handler;
+            sigaction(SIGILL, &sa, &osa);
+            break;
+
         case OPT_MIN_SIZE:
             printf("%u\n", fuzz_minimal_input_size());
             exit(0);
             break;
 
         case '?':
-            printf("Usage: %s $FILE [$FILE...] | [--min-input-size]\n", argv[0]);
+            printf("Usage: %s $FILE [$FILE...] [--ignore-sigill] | [--min-input-size]\n", argv[0]);
             exit(-1);
             break;
 
-- 
2.17.1




Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrer: Christian Schlaeger, Ralf Herbrich
Ust-ID: DE 289 237 879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Andrew Cooper]

On 18/04/2019 16:02, Sam Caccavale wrote:
> As of now, the x86_instruction_emulator will execute opcodes
> belonging to CPU extensions that the host may not have.
> Specifying --ignore-sigill when running afl-harness will ignore
> all SIG_ILL including those generated by the above issue.

Which instructions?  We specifically didn't add a SIG_ILL handler in the
first place to catch mistakes like this so we can fix them.

We've got protection in place so such a mistake isn't an XSA any more,
but it is still an error we'd like to fix in the emulator.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Andrew Cooper]

On 18/04/2019 16:02, Sam Caccavale wrote:
> As of now, the x86_instruction_emulator will execute opcodes
> belonging to CPU extensions that the host may not have.
> Specifying --ignore-sigill when running afl-harness will ignore
> all SIG_ILL including those generated by the above issue.

Which instructions?  We specifically didn't add a SIG_ILL handler in the
first place to catch mistakes like this so we can fix them.

We've got protection in place so such a mistake isn't an XSA any more,
but it is still an error we'd like to fix in the emulator.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Caccavale, Samuel]

My mistake, I'm currently unable to reproduce the ~100 crashes 
AFL found while fuzzing the master branch, on the current staging 
branch.  It seems some staged patch has since addressed this.

If it is of any interest, most of the crashes came from AVX512 
instructions.

Sorry and thanks,
Sam
________________________________________
From: Andrew Cooper <andrew.cooper3@citrix.com>
Sent: Thursday, April 18, 2019 6:18 PM
To: Sam Caccavale; xen-devel@lists.xenproject.org
Cc: Jan Beulich; Doebel, Bjoern; Woodhouse, David; Martin Mazein; Pohlack, Martin; Wieczorkiewicz, Pawel; Manthey, Norbert
Subject: Re: [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

On 18/04/2019 16:02, Sam Caccavale wrote:
> As of now, the x86_instruction_emulator will execute opcodes
> belonging to CPU extensions that the host may not have.
> Specifying --ignore-sigill when running afl-harness will ignore
> all SIG_ILL including those generated by the above issue.

Which instructions?  We specifically didn't add a SIG_ILL handler in the
first place to catch mistakes like this so we can fix them.

We've got protection in place so such a mistake isn't an XSA any more,
but it is still an error we'd like to fix in the emulator.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Caccavale, Samuel]

My mistake, I'm currently unable to reproduce the ~100 crashes 
AFL found while fuzzing the master branch, on the current staging 
branch.  It seems some staged patch has since addressed this.

If it is of any interest, most of the crashes came from AVX512 
instructions.

Sorry and thanks,
Sam
________________________________________
From: Andrew Cooper <andrew.cooper3@citrix.com>
Sent: Thursday, April 18, 2019 6:18 PM
To: Sam Caccavale; xen-devel@lists.xenproject.org
Cc: Jan Beulich; Doebel, Bjoern; Woodhouse, David; Martin Mazein; Pohlack, Martin; Wieczorkiewicz, Pawel; Manthey, Norbert
Subject: Re: [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

On 18/04/2019 16:02, Sam Caccavale wrote:
> As of now, the x86_instruction_emulator will execute opcodes
> belonging to CPU extensions that the host may not have.
> Specifying --ignore-sigill when running afl-harness will ignore
> all SIG_ILL including those generated by the above issue.

Which instructions?  We specifically didn't add a SIG_ILL handler in the
first place to catch mistakes like this so we can fix them.

We've got protection in place so such a mistake isn't an XSA any more,
but it is still an error we'd like to fix in the emulator.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Andrew Cooper]

On 23/04/2019 10:10, Caccavale, Samuel wrote:
> My mistake, I'm currently unable to reproduce the ~100 crashes 
> AFL found while fuzzing the master branch, on the current staging 
> branch.  It seems some staged patch has since addressed this.
>
> If it is of any interest, most of the crashes came from AVX512 
> instructions.
>
> Sorry and thanks,

Not a problem in the slightest.

Are you saying that current staging resolves all the crashed you'd
found?  If not, please do report them.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Andrew Cooper]

On 23/04/2019 10:10, Caccavale, Samuel wrote:
> My mistake, I'm currently unable to reproduce the ~100 crashes 
> AFL found while fuzzing the master branch, on the current staging 
> branch.  It seems some staged patch has since addressed this.
>
> If it is of any interest, most of the crashes came from AVX512 
> instructions.
>
> Sorry and thanks,

Not a problem in the slightest.

Are you saying that current staging resolves all the crashed you'd
found?  If not, please do report them.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Caccavale, Samuel]

Yes.  Current staging resolves all of the SIG-ILL related crashes.

Tangentially I have ~1000 crashes which fail the `ctxt->regs->r(ip) == orig_ip'
assert at x86_emulate/x86_emulate.c:9862 when compiling afl-harness statically
with afl-clang-fast.  They do not reproduce when compiled dynamically or
compiled in any way with afl-gcc.

I will look into these and open a new email chain if this is a problem with Xen,
though it looks like an afl or llvm issue.  If you have any insight then please
let me know.

Best,
Sam Caccavale
________________________________________
From: Andrew Cooper <andrew.cooper3@citrix.com>
Sent: Tuesday, April 23, 2019 12:02 PM
To: Caccavale, Samuel; Sam Caccavale; xen-devel@lists.xenproject.org
Cc: Jan Beulich; Doebel, Bjoern; Woodhouse, David; Martin Mazein; Pohlack, Martin; Wieczorkiewicz, Pawel; Manthey, Norbert
Subject: Re: [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

On 23/04/2019 10:10, Caccavale, Samuel wrote:
> My mistake, I'm currently unable to reproduce the ~100 crashes
> AFL found while fuzzing the master branch, on the current staging
> branch.  It seems some staged patch has since addressed this.
>
> If it is of any interest, most of the crashes came from AVX512
> instructions.
>
> Sorry and thanks,

Not a problem in the slightest.

Are you saying that current staging resolves all the crashed you'd
found?  If not, please do report them.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Caccavale, Samuel]

Yes.  Current staging resolves all of the SIG-ILL related crashes.

Tangentially I have ~1000 crashes which fail the `ctxt->regs->r(ip) == orig_ip'
assert at x86_emulate/x86_emulate.c:9862 when compiling afl-harness statically
with afl-clang-fast.  They do not reproduce when compiled dynamically or
compiled in any way with afl-gcc.

I will look into these and open a new email chain if this is a problem with Xen,
though it looks like an afl or llvm issue.  If you have any insight then please
let me know.

Best,
Sam Caccavale
________________________________________
From: Andrew Cooper <andrew.cooper3@citrix.com>
Sent: Tuesday, April 23, 2019 12:02 PM
To: Caccavale, Samuel; Sam Caccavale; xen-devel@lists.xenproject.org
Cc: Jan Beulich; Doebel, Bjoern; Woodhouse, David; Martin Mazein; Pohlack, Martin; Wieczorkiewicz, Pawel; Manthey, Norbert
Subject: Re: [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

On 23/04/2019 10:10, Caccavale, Samuel wrote:
> My mistake, I'm currently unable to reproduce the ~100 crashes
> AFL found while fuzzing the master branch, on the current staging
> branch.  It seems some staged patch has since addressed this.
>
> If it is of any interest, most of the crashes came from AVX512
> instructions.
>
> Sorry and thanks,

Not a problem in the slightest.

Are you saying that current staging resolves all the crashed you'd
found?  If not, please do report them.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Andrew Cooper]

On 23/04/2019 11:12, Caccavale, Samuel wrote:
> Yes.  Current staging resolves all of the SIG-ILL related crashes.
>
> Tangentially I have ~1000 crashes which fail the `ctxt->regs->r(ip) == orig_ip'
> assert at x86_emulate/x86_emulate.c:9862 when compiling afl-harness statically
> with afl-clang-fast.  They do not reproduce when compiled dynamically or
> compiled in any way with afl-gcc.
>
> I will look into these and open a new email chain if this is a problem with Xen,
> though it looks like an afl or llvm issue.  If you have any insight then please
> let me know.

Hmm - that is curious.

My gut feelings are either a compiler issue (the switch statement is a
monster, and there is a lot of complicated asm()), or that
afl-clang-fast has found an optimisation which decided that a piece of
logic is dead, and has taken it out.

That particular assert is checking that when x86_emulate() return
X86EMUL_EXCEPTION, RIP doesn't move, i.e. has fault semantics, which is
required by the higher level logic.  I'd try tracing one specific crash
case through the different harness binaries and see where their
execution diverges.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [Xen-devel] [PATCH fuzzer v1] Added the --ignore-sigill option for AFL fuzzing

[Andrew Cooper]

On 23/04/2019 11:12, Caccavale, Samuel wrote:
> Yes.  Current staging resolves all of the SIG-ILL related crashes.
>
> Tangentially I have ~1000 crashes which fail the `ctxt->regs->r(ip) == orig_ip'
> assert at x86_emulate/x86_emulate.c:9862 when compiling afl-harness statically
> with afl-clang-fast.  They do not reproduce when compiled dynamically or
> compiled in any way with afl-gcc.
>
> I will look into these and open a new email chain if this is a problem with Xen,
> though it looks like an afl or llvm issue.  If you have any insight then please
> let me know.

Hmm - that is curious.

My gut feelings are either a compiler issue (the switch statement is a
monster, and there is a lot of complicated asm()), or that
afl-clang-fast has found an optimisation which decided that a piece of
logic is dead, and has taken it out.

That particular assert is checking that when x86_emulate() return
X86EMUL_EXCEPTION, RIP doesn't move, i.e. has fault semantics, which is
required by the higher level logic.  I'd try tracing one specific crash
case through the different harness binaries and see where their
execution diverges.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel