1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* |
3 | * x86 decoder sanity test - based on test_get_insn.c |
4 | * |
5 | * Copyright (C) IBM Corporation, 2009 |
6 | * Copyright (C) Hitachi, Ltd., 2011 |
7 | */ |
8 | |
9 | #include <stdlib.h> |
10 | #include <stdio.h> |
11 | #include <string.h> |
12 | #include <assert.h> |
13 | #include <unistd.h> |
14 | #include <sys/types.h> |
15 | #include <sys/stat.h> |
16 | #include <fcntl.h> |
17 | #include <asm/insn.h> |
18 | #include <inat.c> |
19 | #include <insn.c> |
20 | |
21 | /* |
22 | * Test of instruction analysis against tampering. |
23 | * Feed random binary to instruction decoder and ensure not to |
24 | * access out-of-instruction-buffer. |
25 | */ |
26 | |
#define DEFAULT_MAX_ITER 10000	/* Iteration limit when -m is not given */
#define INSN_NOP 0x90		/* x86 NOP: fills the guard area after the instruction bytes */

static const char *prog; /* Program name (argv[0]), used in messages */
static int verbose; /* Verbosity: 1 reports undecodable input, 2 dumps every decoded insn */
static int x86_64; /* Non-zero: decode in 64-bit mode (-y); zero: 32-bit mode (-n) */
static unsigned int seed; /* Random seed, from -s or read from /dev/urandom */
static unsigned long iter_start; /* Iterations before this one are generated but not checked */
static unsigned long iter_end = DEFAULT_MAX_ITER; /* Iteration limit (-m) */
static FILE *input_file; /* Stream of pre-generated instructions (-i), NULL for random mode */
37 | |
/*
 * Print an optional error message followed by the usage text to stderr,
 * then terminate the program with exit status 1. Never returns.
 */
static void usage(const char *err)
{
	static const char *const help[] = {
		"\t-y 64bit mode\n",
		"\t-n 32bit mode\n",
		"\t-v Verbosity(-vv dumps any decoded result)\n",
		"\t-s Give a random seed (and iteration number)\n",
		"\t-m Give a maximum iteration number\n",
		"\t-i Give an input file with decoded binary\n",
	};
	size_t n;

	if (err)
		fprintf(stderr, "%s: Error: %s\n\n", prog, err);
	fprintf(stderr, "Usage: %s [-y|-n|-v] [-s seed[,no]] [-m max] [-i input]\n", prog);
	for (n = 0; n < sizeof(help) / sizeof(help[0]); n++)
		fputs(help[n], stderr);
	exit(1);
}
51 | |
/*
 * Print one decoded instruction field (its value, the raw bytes, and the
 * got/nbytes bookkeeping) to @fp as a C-style initializer, each line
 * prefixed by @indent.
 */
static void dump_field(FILE *fp, const char *name, const char *indent,
		       struct insn_field *field)
{
	const unsigned char *raw = field->bytes;

	fprintf(fp, "%s.%s = {\n", indent, name);
	fprintf(fp, "%s\t.value = %d, bytes[] = {%x, %x, %x, %x},\n",
		indent, field->value, raw[0], raw[1], raw[2], raw[3]);
	fprintf(fp, "%s\t.got = %d, .nbytes = %d},\n",
		indent, field->got, field->nbytes);
}
62 | |
/*
 * Dump every field of a decoded instruction to @fp, followed by the
 * summary members (attr, operand/address sizes, length, mode, kaddr).
 */
static void dump_insn(FILE *fp, struct insn *insn)
{
	const struct {
		const char *name;
		struct insn_field *field;
	} fields[] = {
		{ "prefixes",     &insn->prefixes },
		{ "rex_prefix",   &insn->rex_prefix },
		{ "vex_prefix",   &insn->vex_prefix },
		{ "opcode",       &insn->opcode },
		{ "modrm",        &insn->modrm },
		{ "sib",          &insn->sib },
		{ "displacement", &insn->displacement },
		{ "immediate1",   &insn->immediate1 },
		{ "immediate2",   &insn->immediate2 },
	};
	size_t n;

	fprintf(fp, "Instruction = {\n");
	for (n = 0; n < sizeof(fields) / sizeof(fields[0]); n++)
		dump_field(fp, fields[n].name, "\t", fields[n].field);
	fprintf(fp, "\t.attr = %x, .opnd_bytes = %d, .addr_bytes = %d,\n",
		insn->attr, insn->opnd_bytes, insn->addr_bytes);
	fprintf(fp, "\t.length = %d, .x86_64 = %d, .kaddr = %p}\n",
		insn->length, insn->x86_64, insn->kaddr);
}
80 | |
/*
 * Report a noteworthy decode (@msg) on iteration @nr_iter: dump the decoded
 * instruction, then print the command line(s) that reproduce it - the exact
 * bytes via "-i -", and in random mode also the seed/iteration pair.
 */
static void dump_stream(FILE *fp, const char *msg, unsigned long nr_iter,
			unsigned char *insn_buff, struct insn *insn)
{
	int pos;

	fprintf(fp, "%s:\n", msg);
	dump_insn(fp, insn);
	fprintf(fp, "You can reproduce this with below command(s);\n");

	/* Feed the very same bytes back through the input-file path */
	fprintf(fp, " $ echo ");
	for (pos = 0; pos < MAX_INSN_SIZE; pos++)
		fprintf(fp, " %02x", insn_buff[pos]);
	fprintf(fp, " | %s -i -\n", prog);

	/* Only random mode can be replayed from a seed and iteration number */
	if (input_file)
		return;
	fprintf(fp, "Or \n");
	fprintf(fp, " $ %s -s 0x%x,%lu\n", prog, seed, nr_iter);
}
104 | |
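/*
 * Seed the generator from /dev/urandom when no -s seed was given.
 * Exits through usage() if the device cannot be opened or read; the
 * descriptor is closed on every path so a later change to usage()
 * cannot turn the read-failure path into a leak.
 */
static void init_random_seed(void)
{
	int fd = open("/dev/urandom", O_RDONLY);

	if (fd < 0)
		usage("Failed to open /dev/urandom");

	if (read(fd, &seed, sizeof(seed)) != sizeof(seed)) {
		close(fd);
		/* Distinct message: open succeeded, the read did not */
		usage("Failed to read /dev/urandom");
	}

	close(fd);
}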
121 | |
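/*
 * Read the next instruction from input_file: one line of space-separated
 * hexadecimal bytes, of which at most MAX_INSN_SIZE are stored in @insn_buff.
 * Bytes of @insn_buff beyond the last one parsed are left untouched.
 *
 * Returns the number of bytes parsed; 0 at end of input or when the line
 * does not start with a hexadecimal byte.
 */
static int read_next_insn(unsigned char *insn_buff)
{
	char buf[256] = "";
	char *cur, *end;
	int nr = 0;

	/*
	 * Only a NULL return means end of input. A final line without a
	 * trailing newline sets the EOF flag while still holding data, so
	 * testing feof() here would silently drop it.
	 */
	if (fgets(buf, sizeof(buf), input_file) == NULL)
		return 0;

	cur = buf;
	while (nr < MAX_INSN_SIZE) {
		unsigned long val = strtoul(cur, &end, 16);

		/* No digits consumed: stop instead of re-parsing the same text */
		if (end == cur)
			break;
		insn_buff[nr++] = (unsigned char)val;
		/* Bytes are separated by a single space; anything else ends the list */
		if (*end != ' ')
			break;
		cur = end;
	}

	return nr;
}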
140 | |
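/*
 * Fill @insn_buff with the next instruction to decode: from input_file when
 * -i was given, otherwise MAX_INSN_SIZE bytes of random() output.
 *
 * Returns the number of bytes placed in the buffer; a value <= 0 means no
 * more input is available.
 */
static int generate_insn(unsigned char *insn_buff)
{
	int i;

	if (input_file)
		return read_next_insn(insn_buff);

	/*
	 * Two bytes per random() call. The 16-bit value is copied with
	 * memcpy rather than stored through a cast (unsigned short *): the
	 * buffer is a char array with no guaranteed 2-byte alignment, and
	 * such a store is an aliasing violation. memcpy keeps host byte
	 * order, so a given seed yields the same byte sequence as before.
	 */
	for (i = 0; i < MAX_INSN_SIZE - 1; i += 2) {
		unsigned short pair = (unsigned short)(random() & 0xffff);

		memcpy(&insn_buff[i], &pair, sizeof(pair));
	}

	/* Odd-sized buffer: one trailing byte from a separate draw */
	while (i < MAX_INSN_SIZE)
		insn_buff[i++] = (unsigned char)(random() & 0xff);

	return i;
}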
157 | |
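/*
 * Parse the command line into the file-scope option variables and seed the
 * random generator. Invalid options or inconsistent combinations exit
 * through usage().
 *
 *   -y / -n       64-bit / 32-bit decode mode
 *   -v            raise verbosity (repeatable)
 *   -s seed[,no]  explicit seed, optionally the iteration number to start at
 *   -m max        iteration limit
 *   -i file       read instructions from file ("-" for stdin) instead of random
 */
static void parse_args(int argc, char **argv)
{
	int c;
	char *tmp = NULL;
	int set_seed = 0;

	prog = argv[0];
	while ((c = getopt(argc, argv, "ynvs:m:i:")) != -1) {
		switch (c) {
		case 'y':
			x86_64 = 1;
			break;
		case 'n':
			x86_64 = 0;
			break;
		case 'v':
			verbose++;
			break;
		case 'i':
			/* A repeated -i replaces the earlier stream; do not leak it */
			if (input_file && input_file != stdin)
				fclose(input_file);
			if (strcmp("-", optarg) == 0)
				input_file = stdin;
			else
				input_file = fopen(optarg, "r");
			if (!input_file)
				usage("Failed to open input file");
			break;
		case 's':
			seed = (unsigned int)strtoul(optarg, &tmp, 0);
			if (*tmp == ',') {
				/* Optional ",no": iteration number to resume from */
				optarg = tmp + 1;
				iter_start = strtoul(optarg, &tmp, 0);
			}
			/* Reject trailing junk and empty numbers */
			if (*tmp != '\0' || tmp == optarg)
				usage("Failed to parse seed");
			set_seed = 1;
			break;
		case 'm':
			iter_end = strtoul(optarg, &tmp, 0);
			if (*tmp != '\0' || tmp == optarg)
				usage("Failed to parse max_iter");
			break;
		default:
			usage(NULL);
		}
	}

	/* Check errors */
	if (iter_end < iter_start)
		usage("Max iteration number must be bigger than iter-num");

	if (set_seed && input_file)
		usage("Don't use input file (-i) with random seed (-s)");

	/* Initialize random seed */
	if (!input_file) {
		if (!set_seed) /* No seed is given */
			init_random_seed();
		/*
		 * generate_insn() draws from random(), whose state is seeded
		 * by srandom(). srand() only shares that state on glibc, so
		 * srandom() is what makes "-s seed" reproducible elsewhere.
		 */
		srandom(seed);
	}
}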
218 | |
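/*
 * Decode up to iter_end instructions (random, or supplied via -i) and check
 * after each one that the decoder's read cursor stayed within the first
 * MAX_INSN_SIZE bytes of the buffer. The upper half of insn_buff holds NOPs
 * so that a decoder reading past the instruction lands on known bytes and
 * is caught by the cursor check. Prints a summary and returns 1 if any
 * out-of-range access was found, 0 otherwise.
 */
int main(int argc, char **argv)
{
	int insns = 0, ret;
	struct insn insn;
	int errors = 0;
	unsigned long i;
	unsigned char insn_buff[MAX_INSN_SIZE * 2];

	parse_args(argc, argv);

	/*
	 * Fill the whole buffer with NOPs, not only the guard half: an input
	 * line with fewer than MAX_INSN_SIZE bytes would otherwise leave
	 * indeterminate stack bytes in the part the decoder reads and the
	 * "reproduce" dump prints.
	 */
	memset(insn_buff, INSN_NOP, sizeof(insn_buff));

	for (i = 0; i < iter_end; i++) {
		if (generate_insn(insn_buff) <= 0)
			break;

		if (i < iter_start) /* Skip to given iteration number */
			continue;

		/* Decode an instruction */
		ret = insn_decode(&insn, insn_buff, sizeof(insn_buff),
				  x86_64 ? INSN_MODE_64 : INSN_MODE_32);

		/* The cursor must have advanced, and by at most MAX_INSN_SIZE */
		if (insn.next_byte <= insn.kaddr ||
		    insn.kaddr + MAX_INSN_SIZE < insn.next_byte) {
			/* Access out-of-range memory */
			dump_stream(stderr, "Error: Found an access violation", i, insn_buff, &insn);
			errors++;
		} else if (verbose && ret < 0) {
			dump_stream(stdout, "Info: Found an undecodable input", i, insn_buff, &insn);
		} else if (verbose >= 2) {
			dump_insn(stdout, &insn);
		}
		insns++;
	}

	fprintf((errors) ? stderr : stdout,
		"%s: %s: decoded and checked %d %s instructions with %d errors (seed:0x%x)\n",
		prog,
		(errors) ? "Failure" : "Success",
		insns,
		(input_file) ? "given" : "random",
		errors,
		seed);

	/* Release the -i stream; stdin is left to the runtime */
	if (input_file && input_file != stdin)
		fclose(input_file);

	return errors ? 1 : 0;
}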
266 | |