From: Li Qiuhao
Subject: [Question] fuzz: double-fetches in a memory region map session
Date: Fri, 13 Aug 2021 03:49:57 +0000
Hi Alex,
Recently I was reading the DMA call-back functions in the fuzzer. It seems
fuzz_dma_read_cb() is inserted into flatview_read_continue() and
address_space_map() to make the host read changed content between different
DMA actions.
My question is about address_space_map() -- How do we emulate double-fetch
bugs in the same map/unmap session? For example:
    FOO *guest_foo = (FOO *) address_space_map(as, ...);
    uint64_t size = guest_foo->size;     /* first fetch */
    if (size > limit)
        goto error;
    /* time window */
    memcpy(dest, src, guest_foo->size);  /* double-fetch ? */
error:
    address_space_unmap(as, guest_foo, ...);
Thanks,
Qiuhao Li
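The pattern in the question, carried through as an added, stand-alone example. This is not QEMU code and not the poster's code: the FOO layout, LIMIT, the global guest_mem standing in for the mapped region, and the window_hook that rewrites guest memory inside the "time window" are all assumptions made for the demo. The hook plays the role of whatever mutates guest memory while the mapping is live (another vCPU, or a fuzzer writing into the region), which is the unit-level way to make a check-then-use pair observe two different values. The vulnerable handler validates one read of size and copies with a second read; the hardened handler validates the single value it read and never re-reads it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model (not QEMU): one FOO header lives in "guest" memory and the
 * host sees it through a mapping that stays live for the whole session. */
#define LIMIT 16

typedef struct {
    uint64_t size;
    uint8_t  data[64];
} FOO;

static FOO     guest_mem;                       /* constructed mapped region */
static uint8_t dest[sizeof guest_mem.data];     /* large enough that the demo never corrupts memory */

/* Hook run inside the time window; stands in for a concurrent write to guest
 * memory (another vCPU, or a fuzzer callback). Assumption for this demo. */
typedef void (*window_hook)(FOO *mapped);

static void no_change(FOO *mapped) { (void)mapped; }
static void grow_size(FOO *mapped) { mapped->size = sizeof mapped->data; }  /* 64, above LIMIT */

/* Reset the constructed guest region to a known size and byte pattern. */
static void reset_guest(uint64_t size)
{
    guest_mem.size = size;
    for (size_t i = 0; i < sizeof guest_mem.data; i++)
        guest_mem.data[i] = (uint8_t)i;
    memset(dest, 0, sizeof dest);
}

/* Vulnerable: the checked length and the used length are two separate reads
 * of the mapped header. Returns bytes copied, or -1 if the check rejected. */
static int64_t vulnerable_copy(FOO *guest_foo, window_hook hook)
{
    uint64_t size = guest_foo->size;                 /* first fetch: validated */
    if (size > LIMIT)
        return -1;
    hook(guest_foo);                                 /* time window */
    memcpy(dest, guest_foo->data, guest_foo->size);  /* second fetch: unvalidated */
    return (int64_t)guest_foo->size;
}

/* Hardened: read size once, validate that copy, and use only that copy. */
static int64_t hardened_copy(FOO *guest_foo, window_hook hook)
{
    uint64_t size = guest_foo->size;                 /* the only read of size */
    if (size > LIMIT)
        return -1;
    hook(guest_foo);                                 /* same window, now harmless */
    memcpy(dest, guest_foo->data, size);
    return (int64_t)size;
}

int main(void)
{
    reset_guest(8);
    printf("vulnerable, no write in window:   %lld\n",
           (long long)vulnerable_copy(&guest_mem, no_change));
    reset_guest(8);
    printf("vulnerable, size grown in window: %lld\n",
           (long long)vulnerable_copy(&guest_mem, grow_size));
    reset_guest(8);
    printf("hardened, size grown in window:   %lld\n",
           (long long)hardened_copy(&guest_mem, grow_size));
    return 0;
}
```

With the window write applied, vulnerable_copy copies 64 bytes after having validated 8, which is exactly the check-then-use gap the question describes; hardened_copy copies the 8 bytes it checked. In a real device model the same discipline applies to every field read from a mapped region: copy the header out once (or read each field into a local), validate the local, and never dereference the mapping again for a value that was already checked.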