1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * x86 decoder sanity test - based on test_get_insn.c
4  *
5  * Copyright (C) IBM Corporation, 2009
6  * Copyright (C) Hitachi, Ltd., 2011
7  */
8 
9 #include <stdlib.h>
10 #include <stdio.h>
11 #include <string.h>
12 #include <assert.h>
13 #include <unistd.h>
14 #include <sys/types.h>
15 #include <sys/stat.h>
16 #include <fcntl.h>
17 #include <asm/insn.h>
18 #include <inat.c>
19 #include <insn.c>
20 
21 /*
22  * Test of instruction analysis against tampering.
23  * Feed random binary to instruction decoder and ensure not to
24  * access out-of-instruction-buffer.
25  */
26 
27 #define DEFAULT_MAX_ITER	10000
28 #define INSN_NOP 0x90
29 
30 static const char	*prog;		/* Program name */
31 static int		verbose;	/* Verbosity */
32 static int		x86_64;		/* x86-64 bit mode flag */
33 static unsigned int	seed;		/* Random seed */
34 static unsigned long	iter_start;	/* Start of iteration number */
35 static unsigned long	iter_end = DEFAULT_MAX_ITER;	/* End of iteration number */
36 static FILE		*input_file;	/* Input file name */
37 
usage(const char * err)38 static void usage(const char *err)
39 {
40 	if (err)
41 		fprintf(stderr, "%s: Error: %s\n\n", prog, err);
42 	fprintf(stderr, "Usage: %s [-y|-n|-v] [-s seed[,no]] [-m max] [-i input]\n", prog);
43 	fprintf(stderr, "\t-y	64bit mode\n");
44 	fprintf(stderr, "\t-n	32bit mode\n");
45 	fprintf(stderr, "\t-v	Verbosity(-vv dumps any decoded result)\n");
46 	fprintf(stderr, "\t-s	Give a random seed (and iteration number)\n");
47 	fprintf(stderr, "\t-m	Give a maximum iteration number\n");
48 	fprintf(stderr, "\t-i	Give an input file with decoded binary\n");
49 	exit(1);
50 }
51 
dump_field(FILE * fp,const char * name,const char * indent,struct insn_field * field)52 static void dump_field(FILE *fp, const char *name, const char *indent,
53 		       struct insn_field *field)
54 {
55 	fprintf(fp, "%s.%s = {\n", indent, name);
56 	fprintf(fp, "%s\t.value = %d, bytes[] = {%x, %x, %x, %x},\n",
57 		indent, field->value, field->bytes[0], field->bytes[1],
58 		field->bytes[2], field->bytes[3]);
59 	fprintf(fp, "%s\t.got = %d, .nbytes = %d},\n", indent,
60 		field->got, field->nbytes);
61 }
62 
dump_insn(FILE * fp,struct insn * insn)63 static void dump_insn(FILE *fp, struct insn *insn)
64 {
65 	fprintf(fp, "Instruction = {\n");
66 	dump_field(fp, "prefixes", "\t",	&insn->prefixes);
67 	dump_field(fp, "rex_prefix", "\t",	&insn->rex_prefix);
68 	dump_field(fp, "vex_prefix", "\t",	&insn->vex_prefix);
69 	dump_field(fp, "opcode", "\t",		&insn->opcode);
70 	dump_field(fp, "modrm", "\t",		&insn->modrm);
71 	dump_field(fp, "sib", "\t",		&insn->sib);
72 	dump_field(fp, "displacement", "\t",	&insn->displacement);
73 	dump_field(fp, "immediate1", "\t",	&insn->immediate1);
74 	dump_field(fp, "immediate2", "\t",	&insn->immediate2);
75 	fprintf(fp, "\t.attr = %x, .opnd_bytes = %d, .addr_bytes = %d,\n",
76 		insn->attr, insn->opnd_bytes, insn->addr_bytes);
77 	fprintf(fp, "\t.length = %d, .x86_64 = %d, .kaddr = %p}\n",
78 		insn->length, insn->x86_64, insn->kaddr);
79 }
80 
dump_stream(FILE * fp,const char * msg,unsigned long nr_iter,unsigned char * insn_buff,struct insn * insn)81 static void dump_stream(FILE *fp, const char *msg, unsigned long nr_iter,
82 			unsigned char *insn_buff, struct insn *insn)
83 {
84 	int i;
85 
86 	fprintf(fp, "%s:\n", msg);
87 
88 	dump_insn(fp, insn);
89 
90 	fprintf(fp, "You can reproduce this with below command(s);\n");
91 
92 	/* Input a decoded instruction sequence directly */
93 	fprintf(fp, " $ echo ");
94 	for (i = 0; i < MAX_INSN_SIZE; i++)
95 		fprintf(fp, " %02x", insn_buff[i]);
96 	fprintf(fp, " | %s -i -\n", prog);
97 
98 	if (!input_file) {
99 		fprintf(fp, "Or \n");
100 		/* Give a seed and iteration number */
101 		fprintf(fp, " $ %s -s 0x%x,%lu\n", prog, seed, nr_iter);
102 	}
103 }
104 
init_random_seed(void)105 static void init_random_seed(void)
106 {
107 	int fd;
108 
109 	fd = open("/dev/urandom", O_RDONLY);
110 	if (fd < 0)
111 		goto fail;
112 
113 	if (read(fd, &seed, sizeof(seed)) != sizeof(seed))
114 		goto fail;
115 
116 	close(fd);
117 	return;
118 fail:
119 	usage("Failed to open /dev/urandom");
120 }
121 
122 /* Read given instruction sequence from the input file */
read_next_insn(unsigned char * insn_buff)123 static int read_next_insn(unsigned char *insn_buff)
124 {
125 	char buf[256]  = "", *tmp;
126 	int i;
127 
128 	tmp = fgets(buf, ARRAY_SIZE(buf), input_file);
129 	if (tmp == NULL || feof(input_file))
130 		return 0;
131 
132 	for (i = 0; i < MAX_INSN_SIZE; i++) {
133 		insn_buff[i] = (unsigned char)strtoul(tmp, &tmp, 16);
134 		if (*tmp != ' ')
135 			break;
136 	}
137 
138 	return i;
139 }
140 
generate_insn(unsigned char * insn_buff)141 static int generate_insn(unsigned char *insn_buff)
142 {
143 	int i;
144 
145 	if (input_file)
146 		return read_next_insn(insn_buff);
147 
148 	/* Fills buffer with random binary up to MAX_INSN_SIZE */
149 	for (i = 0; i < MAX_INSN_SIZE - 1; i += 2)
150 		*(unsigned short *)(&insn_buff[i]) = random() & 0xffff;
151 
152 	while (i < MAX_INSN_SIZE)
153 		insn_buff[i++] = random() & 0xff;
154 
155 	return i;
156 }
157 
parse_args(int argc,char ** argv)158 static void parse_args(int argc, char **argv)
159 {
160 	int c;
161 	char *tmp = NULL;
162 	int set_seed = 0;
163 
164 	prog = argv[0];
165 	while ((c = getopt(argc, argv, "ynvs:m:i:")) != -1) {
166 		switch (c) {
167 		case 'y':
168 			x86_64 = 1;
169 			break;
170 		case 'n':
171 			x86_64 = 0;
172 			break;
173 		case 'v':
174 			verbose++;
175 			break;
176 		case 'i':
177 			if (strcmp("-", optarg) == 0)
178 				input_file = stdin;
179 			else
180 				input_file = fopen(optarg, "r");
181 			if (!input_file)
182 				usage("Failed to open input file");
183 			break;
184 		case 's':
185 			seed = (unsigned int)strtoul(optarg, &tmp, 0);
186 			if (*tmp == ',') {
187 				optarg = tmp + 1;
188 				iter_start = strtoul(optarg, &tmp, 0);
189 			}
190 			if (*tmp != '\0' || tmp == optarg)
191 				usage("Failed to parse seed");
192 			set_seed = 1;
193 			break;
194 		case 'm':
195 			iter_end = strtoul(optarg, &tmp, 0);
196 			if (*tmp != '\0' || tmp == optarg)
197 				usage("Failed to parse max_iter");
198 			break;
199 		default:
200 			usage(NULL);
201 		}
202 	}
203 
204 	/* Check errors */
205 	if (iter_end < iter_start)
206 		usage("Max iteration number must be bigger than iter-num");
207 
208 	if (set_seed && input_file)
209 		usage("Don't use input file (-i) with random seed (-s)");
210 
211 	/* Initialize random seed */
212 	if (!input_file) {
213 		if (!set_seed)	/* No seed is given */
214 			init_random_seed();
215 		srand(seed);
216 	}
217 }
218 
main(int argc,char ** argv)219 int main(int argc, char **argv)
220 {
221 	int insns = 0, ret;
222 	struct insn insn;
223 	int errors = 0;
224 	unsigned long i;
225 	unsigned char insn_buff[MAX_INSN_SIZE * 2];
226 
227 	parse_args(argc, argv);
228 
229 	/* Prepare stop bytes with NOPs */
230 	memset(insn_buff + MAX_INSN_SIZE, INSN_NOP, MAX_INSN_SIZE);
231 
232 	for (i = 0; i < iter_end; i++) {
233 		if (generate_insn(insn_buff) <= 0)
234 			break;
235 
236 		if (i < iter_start)	/* Skip to given iteration number */
237 			continue;
238 
239 		/* Decode an instruction */
240 		ret = insn_decode(&insn, insn_buff, sizeof(insn_buff),
241 				  x86_64 ? INSN_MODE_64 : INSN_MODE_32);
242 
243 		if (insn.next_byte <= insn.kaddr ||
244 		    insn.kaddr + MAX_INSN_SIZE < insn.next_byte) {
245 			/* Access out-of-range memory */
246 			dump_stream(stderr, "Error: Found an access violation", i, insn_buff, &insn);
247 			errors++;
248 		} else if (verbose && ret < 0)
249 			dump_stream(stdout, "Info: Found an undecodable input", i, insn_buff, &insn);
250 		else if (verbose >= 2)
251 			dump_insn(stdout, &insn);
252 		insns++;
253 	}
254 
255 	fprintf((errors) ? stderr : stdout,
256 		"%s: %s: decoded and checked %d %s instructions with %d errors (seed:0x%x)\n",
257 		prog,
258 		(errors) ? "Failure" : "Success",
259 		insns,
260 		(input_file) ? "given" : "random",
261 		errors,
262 		seed);
263 
264 	return errors ? 1 : 0;
265 }
266