sys/linux: executor: implement SYZOS_API_WR_CRN on x86

ramosian-glider · ramosian-glider · commit 2e16ac1977e6 · 2025-07-24T12:46:04.000Z
Add a SYZOS call to write to one of the system registers
(CR0, CR2, CR3, CR4, CR8).
diff --git a/executor/common_kvm_amd64_syzos.h b/executor/common_kvm_amd64_syzos.h
@@ -28,6 +28,7 @@ typedef enum {
 	SYZOS_API_CPUID = 20,
 	SYZOS_API_WRMSR = 30,
 	SYZOS_API_RDMSR = 50,
+	SYZOS_API_WR_CRN = 70,
 	SYZOS_API_STOP, // Must be the last one
 } syzos_api_id;
 
@@ -67,6 +68,7 @@ static void guest_execute_code(uint8* insns, uint64 size);
 static void guest_handle_cpuid(uint32 eax, uint32 ecx);
 static void guest_handle_wrmsr(uint64 reg, uint64 val);
 static void guest_handle_rdmsr(uint64 reg);
+static void guest_handle_wr_crn(struct api_call_2* cmd);
 
 typedef enum {
 	UEXIT_END = (uint64)-1,
@@ -114,6 +116,10 @@ guest_main(uint64 size, uint64 cpu)
 			guest_handle_rdmsr(ccmd->arg);
 			break;
 		}
+		case SYZOS_API_WR_CRN: {
+			guest_handle_wr_crn((struct api_call_2*)cmd);
+			break;
+		}
 		}
 		addr += cmd->size;
 		size -= cmd->size;
@@ -174,3 +180,34 @@ GUEST_CODE static noinline void guest_handle_rdmsr(uint64 reg)
 	    : // No explicit clobbers.
 	);
 }
+
+// Write to CRn control register.
+GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd)
+{
+	uint64 value = cmd->args[1];
+	switch (cmd->args[0]) {
+	case 0:
+		// Move value to CR0.
+		asm volatile("movq %0, %%cr0" ::"r"(value) : "memory");
+		break;
+	case 2:
+		// Move value to CR2.
+		asm volatile("movq %0, %%cr2" ::"r"(value) : "memory");
+		break;
+	case 3:
+		// Move value to CR3.
+		asm volatile("movq %0, %%cr3" ::"r"(value) : "memory");
+		break;
+	case 4:
+		// Move value to CR4.
+		asm volatile("movq %0, %%cr4" ::"r"(value) : "memory");
+		break;
+	case 8:
+		// Move value to CR8 (TPR - Task Priority Register).
+		asm volatile("movq %0, %%cr8" ::"r"(value) : "memory");
+		break;
+	default:
+		// Do nothing.
+		break;
+	}
+}
diff --git a/sys/linux/dev_kvm_amd64.txt b/sys/linux/dev_kvm_amd64.txt
@@ -59,12 +59,21 @@ syzos_api_rdmsr {
 	arg_reg	flags[msr_index, int64]
 }
 
+# CR1 and CR5-7 are reserved.
+x86_cr_reg_ids = 0, 2, 3, 4, 8
+
+syzos_api_wr_crn {
+	arg_reg		flags[x86_cr_reg_ids, int64]
+	arg_value	int64
+}
+
 syzos_api_call$x86 [
 	uexit	syzos_api$x86[0, intptr]
 	code	syzos_api$x86[10, syzos_api_code$x86]
 	cpuid	syzos_api$x86[20, syzos_api_cpuid]
 	wrmsr	syzos_api$x86[30, syzos_api_wrmsr]
 	rdmsr	syzos_api$x86[50, syzos_api_rdmsr]
+	wr_crn	syzos_api$x86[70, syzos_api_wr_crn]
 ] [varlen]
 
 kvm_text_x86 [
