executor: sys/linux: implement SYZOS_API_SET_IRQ_HANDLER

The new API call allows to initialize the handler with one of the
three possible values:
 - NULL (should cause a page fault)
 - dummy_null_handler (should call iret)
 - uexit_irq_handler (should perform guest_uexit(UEXIT_IRQ))

Also add a test for uexit_irq_handler()

Author: ramosian-glider

executor/common_kvm_amd64.h

@@ -256,18 +256,6 @@ struct kvm_syz_vm {
 #endif
 
 #if SYZ_EXECUTOR || __NR_syz_kvm_add_vcpu
-// See https://wiki.osdev.org/Interrupt_Descriptor_Table#Gate_Descriptor_2.
-struct idt_entry_64 {
-	uint16 offset_low;
-	uint16 selector;
-	// Interrupt Stack Table offset in bits 0..2
-	uint8 ist;
-	// Gate Type, P and DPL.
-	uint8 type_attr;
-	uint16 offset_mid;
-	uint32 offset_high;
-	uint32 reserved;
-} __attribute__((packed));
 
 #define EXECUTOR_FN_GUEST_ADDRESS(f) arch_executor_fn_guest_address((uintptr_t)(f), X86_SYZOS_ADDR_EXECUTOR_CODE)
 
@@ -1111,6 +1099,7 @@ static void install_syzos_got(void* host_got, size_t got_size)
 {
 	uint64* got = (uint64*)host_got;
 	got[SYZOS_GOT_X86_NULL_HANDLER] = EXECUTOR_FN_GUEST_ADDRESS(dummy_null_handler);
+	got[SYZOS_GOT_X86_UEXIT_HANDLER] = EXECUTOR_FN_GUEST_ADDRESS(uexit_irq_handler);
 }
 
 static void setup_vm(int vmfd, struct kvm_syz_vm* vm)

executor/common_kvm_amd64_syzos.h

@@ -22,11 +22,13 @@ typedef enum {
 	SYZOS_API_WR_DRN = 110,
 	SYZOS_API_IN_DX = 130,
 	SYZOS_API_OUT_DX = 170,
+	SYZOS_API_SET_IRQ_HANDLER = 190,
 	SYZOS_API_STOP, // Must be the last one
 } syzos_api_id;
 
 typedef enum {
 	SYZOS_GOT_X86_NULL_HANDLER,
+	SYZOS_GOT_X86_UEXIT_HANDLER,
 } syzos_got_records;
 
 struct api_call_header {
@@ -74,6 +76,7 @@ static void guest_handle_wr_crn(struct api_call_2* cmd);
 static void guest_handle_wr_drn(struct api_call_2* cmd);
 static void guest_handle_in_dx(struct api_call_2* cmd);
 static void guest_handle_out_dx(struct api_call_3* cmd);
+static void guest_handle_set_irq_handler(struct api_call_2* cmd);
 
 typedef enum {
 	UEXIT_END = (uint64)-1,
@@ -88,6 +91,12 @@ dummy_null_handler()
 	asm volatile("iretq");
 }
 
+__attribute__((naked)) GUEST_CODE static void uexit_irq_handler()
+{
+	guest_uexit(UEXIT_IRQ);
+	asm volatile("iretq");
+}
+
 // Main guest function that performs necessary setup and passes the control to the user-provided
 // payload.
 __attribute__((used))
@@ -144,6 +153,10 @@ guest_main(uint64 size, uint64 cpu)
 			guest_handle_out_dx((struct api_call_3*)cmd);
 			break;
 		}
+		case SYZOS_API_SET_IRQ_HANDLER: {
+			guest_handle_set_irq_handler((struct api_call_2*)cmd);
+			break;
+		}
 		}
 		addr += cmd->size;
 		size -= cmd->size;
@@ -326,3 +339,42 @@ GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd)
 		return;
 	}
 }
+
+// See https://wiki.osdev.org/Interrupt_Descriptor_Table#Gate_Descriptor_2.
+struct idt_entry_64 {
+	uint16 offset_low;
+	uint16 selector;
+	// Interrupt Stack Table offset in bits 0..2
+	uint8 ist;
+	// Gate Type, P and DPL.
+	uint8 type_attr;
+	uint16 offset_mid;
+	uint32 offset_high;
+	uint32 reserved;
+} __attribute__((packed));
+
+GUEST_CODE static void set_idt_gate(uint8 vector, void* handler_addr)
+{
+	volatile struct idt_entry_64* idt =
+	    (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT);
+	volatile struct idt_entry_64* idt_entry = &idt[vector];
+	uint64 handler = (uint64)handler_addr;
+	idt_entry->offset_low = (uint16)handler;
+	idt_entry->offset_mid = (uint16)(handler >> 16);
+	idt_entry->offset_high = (uint32)(handler >> 32);
+}
+
+GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd)
+{
+	uint8 vector = (uint8)cmd->args[0];
+	uint64 type = cmd->args[1];
+	uint64 handler_addr = 0;
+	if (type == 1) {
+		volatile uint64* got = (volatile uint64*)X86_SYZOS_ADDR_GOT;
+		handler_addr = got[SYZOS_GOT_X86_NULL_HANDLER];
+	} else if (type == 2) {
+		volatile uint64* got = (volatile uint64*)X86_SYZOS_ADDR_GOT;
+		handler_addr = got[SYZOS_GOT_X86_UEXIT_HANDLER];
+	}
+	set_idt_gate(vector, (void*)handler_addr);
+}

sys/linux/dev_kvm_amd64.txt

@@ -89,16 +89,22 @@ syzos_api_out_dx {
 	arg_val		int64
 }
 
+syzos_api_set_irq_handler {
+	arg_vector		int64[0:255]
+	arg_handler_type	int64[0:2]
+}
+
 syzos_api_call$x86 [
-	uexit	syzos_api$x86[0, intptr]
-	code	syzos_api$x86[10, syzos_api_code$x86]
-	cpuid	syzos_api$x86[20, syzos_api_cpuid]
-	wrmsr	syzos_api$x86[30, syzos_api_wrmsr]
-	rdmsr	syzos_api$x86[50, syzos_api_rdmsr]
-	wr_crn	syzos_api$x86[70, syzos_api_wr_crn]
-	wr_drn	syzos_api$x86[110, syzos_api_wr_drn]
-	in_dx	syzos_api$x86[130, syzos_api_in_dx]
-	out_dx	syzos_api$x86[170, syzos_api_out_dx]
+	uexit		syzos_api$x86[0, intptr]
+	code		syzos_api$x86[10, syzos_api_code$x86]
+	cpuid		syzos_api$x86[20, syzos_api_cpuid]
+	wrmsr		syzos_api$x86[30, syzos_api_wrmsr]
+	rdmsr		syzos_api$x86[50, syzos_api_rdmsr]
+	wr_crn		syzos_api$x86[70, syzos_api_wr_crn]
+	wr_drn		syzos_api$x86[110, syzos_api_wr_drn]
+	in_dx		syzos_api$x86[130, syzos_api_in_dx]
+	out_dx		syzos_api$x86[170, syzos_api_out_dx]
+	set_irq_handler	syzos_api$x86[190, syzos_api_set_irq_handler]
 ] [varlen]
 
 kvm_text_x86 [

sys/linux/test/amd64-syz_kvm_set_irq_handler

@@ -0,0 +1,31 @@
+#
+# requires: arch=amd64 -threaded
+#
+r0 = openat$kvm(0, &AUTO='/dev/kvm\x00', 0x0, 0x0)
+r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
+r2 = syz_kvm_setup_syzos_vm$x86(r1, &(0x7f0000c00000/0x400000)=nil)
+#
+# Set a non-dummy IRQ handler for vector 0x80.
+#
+r3 = syz_kvm_add_vcpu$x86(r2, &AUTO={0x0, &AUTO=[@set_irq_handler={AUTO, AUTO, {0x80, 0x2}}, @uexit={AUTO, AUTO, 0xaaaa}], AUTO})
+r4 = ioctl$KVM_GET_VCPU_MMAP_SIZE(r0, AUTO)
+r5 = mmap$KVM_VCPU(&(0x7f0000009000/0x1000)=nil, r4, 0x3, 0x1, r3, 0x0)
+
+# Run till uexit(0xaaaa).
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit$x86(r5, 0xaaaa)
+
+# Inject interrupt 0x80.
+#
+ioctl$KVM_INTERRUPT(r3, AUTO, &AUTO=0x80)
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+
+# Ensure that the uexit code is UEXIT_IRQ.
+#
+syz_kvm_assert_syzos_uexit$x86(r5, 0xfffffffffffffffe)
+
+# Run till the end.
+#
+ioctl$KVM_RUN(r3, AUTO, 0x0)
+syz_kvm_assert_syzos_uexit$x86(r5, 0xffffffffffffffff)