On 210813 0349, Li Qiuhao wrote:
> Hi Alex,
> 
> Recently I was reading the DMA call-back functions in the fuzzer. It seems
> fuzz_dma_read_cb() is inserted into flatview_read_continue() and
> address_space_map() to make the host read changed content between different
> DMA actions.
> 
> My question is about address_space_map() -- How do we emulate double-fetch
> bugs in the same map/unmap session? For example:
> 

Hi Qiuhao,
Right now we don't. One strategy would be to use mprotect. When the code
fetches data the first time, we get a SEGV, where we unprotect the page,
write a pattern, and enable single-stepping. Then, after the
single-step, re-protect the page, and disable single-step.

On OSS-Fuzz, we disabled double-fetch detection, for now, as we did not
want reproducers for normal bugs to inadvertently contain
double-fetches. To make the double-fetch detection useful for
developers, we probably need to limit the double fetch capability to
only fill the DMA regions twice, rather than 10 or 20 times. Then, in
the report, we could give the call-stacks (from the SEGV handler, or
dma_read hook) of the exact locations in the code that read from the
same address twice.

Thanks for your interest in this!
-Alex

> 
>   FOO *guest_foo = (FOO *) address_space_map(as, ...);

// mprotect in address_space_map hook

// SEGV on the read. Un-mprotect, fill with pattern
>   uint64_t size = guest_foo->size;    // first fetch

// Single Step. Re-mprotect (or you could just immediately fill with a
// new pattern)

>   if (size > limit)
>     goto error;
>   
>   /* time window */
>   

// SEGV
>   memcpy(dest, src, guest_foo->size); // double-fetch ?
>   
>   error:
>   address_space_unmap(as, guest_foo, ...)
> 
> 
> Thanks,
>   Qiuhao Li

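As an added example, not code from QEMU or from either correspondent: a Linux/x86-64 C program that emulates the mprotect plus single-step strategy sketched in the reply above, capped at two fills, and records the two faulting PCs a report would name. FOO, the two patterns, the limit, the destination buffer and the function names (dma_map, dma_unmap, device_copy, fetches_this_session, double_fetch_detected) are constructed for the demo; setting the trap flag through the signal handler's ucontext is x86-specific.

```c
/* Added example, not QEMU code: emulate an in-session double fetch with
 * mprotect + single-stepping on Linux/x86-64. Each read of the "guest" page
 * faults; SIGSEGV unprotects it, writes the next pattern, records the faulting
 * PC and sets EFLAGS.TF; the SIGTRAP after the re-executed load re-protects. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#if !(defined(__x86_64__) && defined(__linux__))
#error "sets the x86 trap flag from a signal handler: Linux/x86-64 only"
#endif

#define MAX_FILLS 2          /* fill the DMA region twice, not 10 or 20 times */
#define TF_BIT    0x100UL    /* EFLAGS.TF: trap after the next instruction */

typedef struct { uint64_t size; uint8_t payload[64]; } FOO;   /* constructed guest struct */
/* Constructed patterns: the first passes the device's limit check, the second does not. */
static const uint64_t pattern_size[MAX_FILLS] = { 16, 0x4141414141414141ULL };

static uint8_t  *dma_page;              /* stands in for the address_space_map() result */
static size_t    dma_len;
static int       fetch_count;           /* faulting reads seen in this map/unmap session */
static uintptr_t fetch_pc[MAX_FILLS];   /* faulting PCs: the sites a report would name */
uint8_t demo_dst[64];                   /* destination buffer of the demo device code */

static void fill_pattern(int n)
{
    FOO *f = (FOO *)dma_page;
    memset(f->payload, 0x41 + n, sizeof f->payload);
    f->size = pattern_size[n];
}

static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    uintptr_t a = (uintptr_t)si->si_addr;
    if (!dma_page || a < (uintptr_t)dma_page || a >= (uintptr_t)dma_page + dma_len) {
        signal(sig, SIG_DFL);           /* not our page: let the real crash happen */
        return;
    }
    mprotect(dma_page, dma_len, PROT_READ | PROT_WRITE);
    if (fetch_count < MAX_FILLS) {
        fetch_pc[fetch_count] = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
        fill_pattern(fetch_count);
    }
    fetch_count++;
    uc->uc_mcontext.gregs[REG_EFL] |= TF_BIT;   /* single-step the re-executed load */
}

static void on_trap(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    uc->uc_mcontext.gregs[REG_EFL] &= ~TF_BIT;  /* stop single-stepping */
    if (fetch_count < MAX_FILLS)                /* patterns left: make the next read fault too */
        mprotect(dma_page, dma_len, PROT_NONE);
}

static void *dma_map(void)      /* the address_space_map() hook: map, then mprotect */
{
    static int installed;
    if (!installed) {
        struct sigaction sa;
        memset(&sa, 0, sizeof sa);
        sa.sa_flags = SA_SIGINFO;
        sa.sa_sigaction = on_segv;
        sigaction(SIGSEGV, &sa, NULL);
        sa.sa_sigaction = on_trap;
        sigaction(SIGTRAP, &sa, NULL);
        installed = 1;
    }
    dma_len = (size_t)sysconf(_SC_PAGESIZE);
    dma_page = mmap(NULL, dma_len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    fetch_count = 0;
    return dma_page;
}

static void dma_unmap(void) { munmap(dma_page, dma_len); dma_page = NULL; }

/* Device code shaped like the sketch above; returns the length handed to memcpy,
 * or 0 if the first fetch failed the limit check. */
uint64_t device_copy(uint64_t limit)
{
    volatile FOO *guest_foo = dma_map();
    uint64_t size = guest_foo->size, used = 0;  /* first fetch: faults, sees pattern 0 */
    if (size > limit)
        goto error;
    /* time window in which a guest could rewrite the buffer */
    used = guest_foo->size;                     /* second fetch: faults, sees pattern 1 */
    memcpy(demo_dst, (const void *)guest_foo->payload,
           used < sizeof demo_dst ? used : sizeof demo_dst);  /* clamped only so the demo itself cannot overflow */
error:
    dma_unmap();
    return used;
}

int fetches_this_session(void) { return fetch_count; }
/* A double fetch: two faulting reads of the same mapping from two different PCs. */
int double_fetch_detected(void) { return fetch_count >= MAX_FILLS && fetch_pc[0] != fetch_pc[1]; }

int main(void)
{
    uint64_t n = device_copy(64);
    printf("memcpy length %#llx after %d fetches, double fetch: %s\n", (unsigned long long)n,
           fetches_this_session(), double_fetch_detected() ? "yes" : "no");
    return 0;
}
```

With a limit of 64 the first fetch (16) passes the check and the second fetch hands 0x4141414141414141 to memcpy; with a limit of 8 the first fetch is rejected and only one fault is seen. In a real fuzzer the recorded PCs would be expanded into call stacks from inside the handler, which is the information a fuzz_dma_read_cb-style hook cannot provide for reads inside one map/unmap session.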