Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Port I/O assertion in bochscpu causing client to crash #213

Open
wumb0 opened this issue Sep 13, 2024 · 4 comments
Open

Port I/O assertion in bochscpu causing client to crash #213

wumb0 opened this issue Sep 13, 2024 · 4 comments

Comments

@wumb0
Copy link
Contributor

wumb0 commented Sep 13, 2024

Hello! Just documenting this here because I ran into it while fuzzing a driver: port IO (in/out instructions) under bochs cause the fuzz client to crash due to a debug assertion in yrp604/bochscpu.

Assertion failed: false, file cabi/devices-cabi.cc, line 7

Which points to this file that just hardcodes an assert(false):
https://github.com/yrp604/bochscpu/blob/5182099c74816c06d7ad4240b5ccf1fe60ca975a/cabi/devices-cabi.cc#L7

I don't really expect you to do anything about it, since it's not in your code, but I wanted to put it here just so others know it's something they might run into. Port I/O emulation is probably outside the scope of this project, but it would be nice to have a way to at least gracefully recover if port I/O is encountered in the target code, instead of crashing the client completely.

I'll noodle on a fix, but might submit a PR over at bochscpu to allow port I/O hooks or something. Open to suggestions.
@wumb0 wumb0 changed the title PCI Port I/O assertion in bochscpu causing client to crash Sep 13, 2024
@0vercl0k
Copy link
Owner

Hello,

Thanks for doing that, really appreciate it 🙏🏽

Adding @yrp604 who might have ideas on 'would not crashing be a good idea' / what to do in those situations.

Cheers

@yrp604
Copy link

yrp604 commented Sep 24, 2024

Apologies for forgetting about this.

I've pushed a small, untested sample patch here:

yrp604/bochscpu@7dd2df8
and
yrp604/bochscpu-build@9a6dccc

Basic idea is simple, instead of aborting we just call out to the existing inp2/outp hooks and let them handle the calls. Looking at https://github.com/bochs-emu/Bochs/blob/3ca671ca808cf0d586ebf2d4021d734e4a2142d0/bochs/iodev/devices.cc#L1052 I don't see a ton of other state we should need to update on the bochs side to keep things consistent here.

This should allow a plugin author to adjust the system state as desired during in/out calls, along with modifying the values that get returned. The ergonomics of this at the moment need improvement -- if a user doesn't specify this hook I'd like to find a nice way to abort if these callbacks are triggered.

Obviously we could do the same thing with the inp callback instead of only covering inp2 if needed.

Can you give this (or an approach like this) a try to see if it addresses your use case?

@wumb0
Copy link
Contributor Author

wumb0 commented Sep 30, 2024

Giving it a shot today. I'll post a PR for the hooks.

@wumb0 wumb0 mentioned this issue Oct 1, 2024
Closed
@0vercl0k
Copy link
Owner

0vercl0k commented Nov 3, 2024

Circling back on this - @wumb0 did you get a chance to try out @yrp604's patch?

Cheers

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@0vercl0k @wumb0 @yrp604