kvm-nyx-6.0: ERROR: vmx_set_fdl_addr

[Wenzel]

When testing the new kvm-nyx-6.0 branch with kAFL, we realized that dmesg was spammed with this error message:

ERROR: vmx_set_fdl_addr ffffe000

Originated from arch/x86/kvm/vmx/vmx_fdl.c

The debian package can be found as a build artefact here:
https://github.com/IntelLabs/kafl.linux/actions/runs/3948787949

cc @schumilo, if you have any ideas regarding that code section and why this error message is being triggered, feel free !

[schumilo]

According to the output of the info mtree command in the QEMU console, there is an issue with a write memory access in the pc.bios region:

00000000fffc0000-00000000ffffffff (prio 0, rom): pc.bios

However, it appears that there is no region registered for that in the vmx_fdl kernel extension (and that's why we are seeing this error message).

So I guess, the easiest way to fix that, would be to simply get rid of the old vmx_fdl code and switch entirely to the dirty_ring code (even if both have minor but different performance characteristics). Since this is a 6.0 kernel, there should be full support for that. I will try to find some time for that over the weekend and prepare a patch for this. This will probably require some changes to both the KVM as well as QEMU codebase.

Great work, by the way! As soon as the problem is fixed, it would be awesome if we could get a PR to merge your 6.0 changes in our repo, too :)

[il-steffen]

cc @pa1gupta

[Wenzel]

hey, @schumilo did you find some time to have a look at this ?
How can we help you move this issue forward if you are in the middle of a patch ? 🙂

Thanks !

[schumilo]

With the following two patches, the old FDL code has been removed, and QEMU-Nyx now supports both FDL and dirty page ring as an in-kernel page tracker in PT mode to maintain some level of backward compatibility (before that, FDL was always required when KVM-Nyx is used).

The changes are expected to be compatible with older versions that still rely on FDL, as well as with vanilla kernels, but it is probably still a good idea to perform some additional tests.

I have not done any performance measurements yet, but I expect that there will be a minor difference in performance depending on the number of dirty pages. In some cases, FDL performance may be better, while in others, the dirty ring backend may perform faster.

Your feedback on the patches would be highly appreciated. If everything works as expected, I guess we can soon merge the changes into the main branches.

schumilo@e5f6798
schumilo/QEMU-Nyx@c9b3eb6

[Wenzel]

Hi @schumilo !

Thank you for posting the patches 😃 !
Just a quick feedback here, I tried to compile the new kernel , but it seems that you forgot to remove vmx_fdl.c from the build system, and it fails to compile:
https://github.com/IntelLabs/kafl.linux/actions/runs/4177304425/jobs/7234697866#step:9:896

I pushed a fix on my branch:
9bb53cc

Debian Package is available:
https://github.com/IntelLabs/kafl.linux/actions/runs/4177989906

I should be able to test them soon.

[Wenzel]

@schumilo I tested the patches, and kAFL works as expected, nothing to report in dmesg.
I think we are good to go 🙂

I guess we can get them merged upstream in QEMU-Nyx, and I will pull your latest changes in kafl.qemu kafl_stable branch.

BTW I still have 2 commits there that you might be interested to integrate:

• IntelLabs/kafl.qemu@d3d9043
• IntelLabs/kafl.qemu@facad37

These modifications were required to get a full static build of QEMU for the kAFL Docker image to be as clean and lightweight as possible:
https://github.com/IntelLabs/kAFL/blob/master/Dockerfile#L45

[Wenzel]

ping @schumilo 🙂
if you need more info, i'm available

[schumilo]

Merged 👍 : nyx-fuzz/QEMU-Nyx#49

[Wenzel]

Awesome ! 💯
Thank you 👍