On 08/25/2011 07:27 PM, Marcelo Tosatti wrote:
On Mon, Aug 22, 2011 at 04:41:09PM +0300, Avi Kivity wrote:
> The x86 emulator is directly exposed to guest code; therefore it is part
> of the directly exposed attack surface. To reduce the risk of
> vulnerabilities, this patch adds a fuzz test that runs random instructions
> through the emulator. A vulnerability will usually result in an oops.
>
> + for (i = 0; i< NR_VCPU_REGS; ++i)
> + ctxt->regs[i] = randlong();
> + r = x86_decode_insn(ctxt, NULL, 0);

It could rerun N times instructions that have been decoded successfully. This would increase the chance of testing the code path for that (class of) instruction.
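Review bot: r is assigned but nothing in the fragment branches on it; the rerun suggestion above needs the harness to know which sequences decoded successfully, so test the return value of x86_decode_insn() right after `r = x86_decode_insn(ctxt, NULL, 0);` before deciding whether to reuse the instruction. Note also that only the registers are randomized in these lines; with NULL and 0 passed as the instruction bytes and length, the bytes are not supplied here, so the randomness of the instruction stream depends on whatever the ctxt fetches from, which the fragment does not show.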
Good idea. I'll keep N small (20?) so that we fuzz the decoder as well.
Also fuzzing from an actual guest is useful to test the real backend functions. What problem did you encounter? The new testsuite scheme seems a good fit for that (with the exception of being locked to 32-bit mode).
Mostly that I forgot it exists. Other issues are that it's harder to force random values through it - though I could allocate a couple GB and fill it with random values. We also lose the ability to test inputs to callbacks (not that I do much of that here).
I'll try it out.

-- 
I have a truly marvellous patch that fixes the bug which this signature
is too narrow to contain.