ensure Nyx command handler support is more CPU agnostic (#3153) #3167
Conversation
|
thank you for the PR. since nyx is specific to x86 targets, i used x86 registers to make sure it is the same as in the nyx api. the libafl qemu api is meant to be architecture agnostic (and is using is there any specific reason you need the nyx api for the |
|
I've never used Nyx. Seeing #3153 tagged as a I need more clarity on your question about the Nyx API for the The default in the example is currently Sounds like there's a better way that may avoid unnecessarily broadening CPU architecture support via feature where it's not meaningful. I'm tracking you there. I do believe it's good to further decouple CPU architecture/register specifics from the Nyx command handler, regardless of limited range of support within Nyx. I will test this with a proper |
|
can we merge this? |
| let nyx_backdoor = qemu.read_reg(Regs::Rax)? as c_uint; | ||
| let cmd_id = qemu.read_reg(Regs::Rbx)? as c_uint; | ||
| let nyx_backdoor = qemu.read_reg(arch_regs_map[ExitArgs::Ret])? as c_uint; | ||
| let cmd_id = qemu.read_reg(arch_regs_map[ExitArgs::Cmd])? as c_uint; |
There was a problem hiding this comment.
LibAFL/libafl_qemu/src/arch/x86_64.rs
Line 45 in f16ddf2
Cmd is not Rbx (should it be?)
There was a problem hiding this comment.
Good call out!
Short answer for Nyx; yes. There are other changes needed though; e.g. depend upon Nyx support actually being built (disabled by default in CI/Docker builds, etc already). I no longer think this is the best abstraction to rely upon.
I confirmed that this should be more agnostic; hypercall macros defined in the Nyx packer differentiate between x86 and x86_64 (and of course, emitted code for guests). If I understand correctly, EAX/RAX will vary based on usage of kAFL vs others with and without Intel-PT but changes when trying to avoid collisions with VMware, etc. The Nyx packer code handles more and the code I patched would really be the most common config. The "subcommand" relevant to Nyx appears to be in EBX/RBX and is just a byte, based on the GCC asm modifiers.
I've produced a full Nyx test environment by dual-booting an Intel Core i7 10th Gen. This gets me everything I need; Intel-PT, etc. Everything builds. IIRC I encountered some test failures in other places but had to context switch.
This week, I will prioritize revisiting this PR and can expand further.
There was a problem hiding this comment.
I consider this PR to be fix to #3153
for that purpose this PR is ready to merge?
There was a problem hiding this comment.
this was written with only the x64 intel pt usecase indeed, so i'd expect to see issues in another scenario.
the nyx packer always uses [er]ax to detect a nyx hypercall and [er]bx / [er]cx for the arguments.
i don't mind supporting more things that the x64 intel pt mode, but i think it's important we keep the same behavior as the original nyx API, otherwise it makes the main use of this command handler useless.
the original intention was to be able to support nyx targets without having to touch them.
if you have time to revisit the pr it would be appreciated
There was a problem hiding this comment.
then this file should be disabled for i386 right?
There was a problem hiding this comment.
Maybe use the fix for i386 for people that want/need it, and use the current register assignments for 64 bit?
There was a problem hiding this comment.
but romain said it's gonna work only with amd64
There was a problem hiding this comment.
btw now without the restriction of CI runner. i386, arm can be added to CI
Description
Straightforward fix ensuring the Nyx command handler uses the local
arch_regs_mapviaget_exit_arch_regs(). This is to determine the correctRetandCmdCPU registers for the guest architecture, respectively.No build errors after overriding the guest CPU architecture in
Cargo.toml, as described (i386). Same build result when reverting back toarm. Still, must test to be sure.Checklist
./scripts/precommit.shand addressed all commentsi386QEMU guest