Hi Alex,

Recently I was reading the DMA call-back functions in the fuzzer. It seems fuzz_dma_read_cb() is inserted into flatview_read_continue() and address_space_map() to make the host read changed content between different DMA actions.
My question is about address_space_map() -- how do we emulate double-fetch bugs in the same map/unmap session? For example:

    FOO *guest_foo = (FOO *) address_space_map(as, ...);
    uint64_t size = guest_foo->size;        /* first fetch */
    if (size > limit)
        goto error;
    /* time window */
    memcpy(dest, src, guest_foo->size);     /* double-fetch ? */
error:
    address_space_unmap(as, guest_foo, ...);

Thanks,
Qiuhao Li
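As an added example that is not part of the original message and not QEMU code: a stand-alone C model of the double-fetch pattern in the question. The FOO layout, LIMIT, the static guest_mem standing in for the region returned by address_space_map(), and the race_hook_t callback that rewrites the mapped memory inside the time window (modelling a concurrent guest, or a fuzzer hook firing between the two device reads) are all assumptions made for illustration. It shows that the vulnerable variant re-reads size after the check and so copies more than LIMIT, while the hardened variant validates a single local copy and is unaffected by what the guest writes in the window.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a guest structure reached through a mapped
 * DMA region (hypothetical layout, not a QEMU type). */
typedef struct {
    uint64_t size;
    uint8_t payload[64];
} FOO;

#define LIMIT 16u   /* device's bound on the copy length (assumed) */

/* "Guest" memory that stays mapped for the whole map/unmap session,
 * and the device-side destination buffer. */
static FOO guest_mem;
static uint8_t dest[sizeof(guest_mem.payload)];

/* Hypothetical hook run inside the time window: models the guest (or a
 * fuzzer callback) rewriting memory that the device still has mapped. */
typedef void (*race_hook_t)(FOO *mapped);

static void guest_grows_size(FOO *mapped) {
    mapped->size = sizeof(mapped->payload);   /* 64, well above LIMIT */
}

static void no_race(FOO *mapped) { (void)mapped; }

/* Reset the constructed guest memory before each scenario. */
static void guest_init(uint64_t size) {
    memset(&guest_mem, 0, sizeof(guest_mem));
    guest_mem.size = size;
    memset(guest_mem.payload, 0xAB, sizeof(guest_mem.payload));
}

/* Vulnerable: size is fetched twice from the still-mapped region; the
 * check is applied to the first value, the memcpy uses the second. */
static int copy_double_fetch(race_hook_t race, size_t *copied) {
    FOO *guest_foo = &guest_mem;            /* address_space_map() stand-in */
    uint64_t size = guest_foo->size;        /* first fetch */
    if (size > LIMIT)
        return -1;
    race(guest_foo);                        /* time window */
    *copied = (size_t)guest_foo->size;      /* second fetch, unchecked */
    memcpy(dest, guest_foo->payload, *copied);
    return 0;
}

/* Hardened: fetch once, validate the local copy, never re-read the
 * mapped field. The guest can change memory in the window, but the
 * length used by memcpy is the one that passed the check. */
static int copy_single_fetch(race_hook_t race, size_t *copied) {
    FOO *guest_foo = &guest_mem;
    uint64_t size = guest_foo->size;        /* the only fetch of size */
    if (size > LIMIT)
        return -1;
    race(guest_foo);                        /* same time window */
    *copied = (size_t)size;
    memcpy(dest, guest_foo->payload, (size_t)size);
    return 0;
}

int main(void) {
    size_t n;

    guest_init(8);
    copy_double_fetch(guest_grows_size, &n);
    printf("double fetch with racing guest: copied %zu bytes (limit %u)\n", n, LIMIT);

    guest_init(8);
    copy_single_fetch(guest_grows_size, &n);
    printf("single fetch with racing guest: copied %zu bytes (limit %u)\n", n, LIMIT);

    guest_init(32);
    printf("oversized size rejected up front: %d\n", copy_double_fetch(no_race, &n));
    return 0;
}
```

The vulnerable path copies 64 bytes after a check that only ever saw 8, which is exactly the gap a fuzzer needs to mutate the mapped memory inside, not just at the map/unmap boundaries; the hardened path copies the 8 bytes it validated regardless of the race.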