Fuzz memory read from guest as well

diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 39e39ce4ce36475baf6767d79e72d7b49e25e99a..b134ad1564bb2b4dd3d5a55b7c2369e7ea9cef2c 100644 (file)
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -30,6 +30,7 @@
 #include <xen/vpci.h>
 #include <xen/nospec.h>
 #include <xen/vm_event.h>
+#include <xen/tsffs.h>
 #include <asm/shadow.h>
 #include <asm/hap.h>
 #include <asm/current.h>
@@ -3515,6 +3516,12 @@ unsigned int copy_from_user_hvm(void *to, const void *from, unsigned int len)
 {
     int rc;
 
+    // TSFFS FTW
+    {
+        memcpy(to, &tsffs_fme.mem, len <= 200 ? len : 200);
+        return 0;
+    }
+
     if ( current->hcall_compat && is_compat_arg_xlat_range(from, len) )
     {
         memcpy(to, from, len);

diff --git a/xen/arch/x86/hvm/hypercall.c b/xen/arch/x86/hvm/hypercall.c
index 29ddc1b969f200d86983cf00bbe6f874c403249b..d873c5d20eca30b7432d8407b1186d77926c2c09 100644 (file)
--- a/xen/arch/x86/hvm/hypercall.c
+++ b/xen/arch/x86/hvm/hypercall.c
@@ -112,35 +112,34 @@ int hvm_hypercall(struct cpu_user_regs *regs)
     unsigned long eax;
     unsigned int token;
     int ret;
-
-    struct cpu_user_regs fme = *regs;
-    size_t _size = sizeof(struct cpu_user_regs);
-    HARNESS_START(&fme, &_size);
-
-    regs->r8 = fme.r8;
-    regs->r9 = fme.r9;
-    regs->r10 = fme.r10;
-    regs->r11 = fme.r11;
-    regs->r12 = fme.r12;
-    regs->r13 = fme.r13;
-    regs->r14 = fme.r14;
-    regs->r15 = fme.r15;
-    regs->rax = fme.rax;
-    regs->rbx = fme.rbx;
-    regs->rcx = fme.rcx;
-    regs->rdx = fme.rdx;
-    regs->rsi = fme.rsi;
-    regs->rdi = fme.rdi;
-    regs->rip = fme.rip;
-    regs->rsp = fme.rsp;
-    regs->rbp = fme.rbp;
-    regs->rflags = fme.rflags;
-    regs->cs = fme.cs;
-    regs->ss = fme.ss;
-    regs->es = fme.es;
-    regs->ds = fme.ds;
-    regs->fs = fme.fs;
-    regs->gs = fme.gs;
+    size_t _size = sizeof(struct tsffs_fme);
+    tsffs_fme.regs = *regs;
+    HARNESS_START(&tsffs_fme, &_size);
+
+    regs->r8 = tsffs_fme.regs.r8;
+    regs->r9 = tsffs_fme.regs.r9;
+    regs->r10 = tsffs_fme.regs.r10;
+    regs->r11 = tsffs_fme.regs.r11;
+    regs->r12 = tsffs_fme.regs.r12;
+    regs->r13 = tsffs_fme.regs.r13;
+    regs->r14 = tsffs_fme.regs.r14;
+    regs->r15 = tsffs_fme.regs.r15;
+    regs->rax = tsffs_fme.regs.rax;
+    regs->rbx = tsffs_fme.regs.rbx;
+    regs->rcx = tsffs_fme.regs.rcx;
+    regs->rdx = tsffs_fme.regs.rdx;
+    regs->rsi = tsffs_fme.regs.rsi;
+    regs->rdi = tsffs_fme.regs.rdi;
+    regs->rip = tsffs_fme.regs.rip;
+    regs->rsp = tsffs_fme.regs.rsp;
+    regs->rbp = tsffs_fme.regs.rbp;
+    regs->rflags = tsffs_fme.regs.rflags;
+    regs->cs = tsffs_fme.regs.cs;
+    regs->ss = tsffs_fme.regs.ss;
+    regs->es = tsffs_fme.regs.es;
+    regs->ds = tsffs_fme.regs.ds;
+    regs->fs = tsffs_fme.regs.fs;
+    regs->gs = tsffs_fme.regs.gs;
 
     eax = regs->eax;
 

diff --git a/xen/include/xen/tsffs.h b/xen/include/xen/tsffs.h
index c2afe7ace3f3b9db56f153c89113cd7a70ecc024..d24f3558d3d33fb59af3d792dc208af950086b29 100644 (file)
--- a/xen/include/xen/tsffs.h
+++ b/xen/include/xen/tsffs.h
@@ -128,4 +128,12 @@
     __arch_harness_stop(MAGIC_ASSERT); \
   } while (0)
 
-#endif  // TSFFS_H
\ No newline at end of file
+struct tsffs_fme {
+    struct cpu_user_regs regs;
+    uint8_t mem[200];
+};
+
+static struct tsffs_fme tsffs_fme;
+
+
+#endif  // TSFFS_H