fix(virtq): we gonna need a bigger boat

andreiltd · andreiltd · commit 5f485de49f80 · 2026-04-10T17:47:28.000+02:00
Move FXSAVE buffer to the middle of scratch to avoid overwriting live
page tables that are copied to the beginning of scratch when
update_scratch_bookkeeping is called
diff --git a/fuzz/fuzz_targets/guest_trace.rs b/fuzz/fuzz_targets/guest_trace.rs
@@ -69,8 +69,8 @@ impl<'a> Arbitrary<'a> for FuzzInput {
 fuzz_target!(
     init: {
         let mut cfg = SandboxConfiguration::default();
-        // In local tests, 256 KiB seemed sufficient for deep recursion
-        cfg.set_scratch_size(256 * 1024);
+        // In local tests, 512 KiB seemed sufficient for deep recursion
+        cfg.set_scratch_size(512 * 1024);
         let path = simple_guest_for_fuzzing_as_string().expect("Guest Binary Missing");
         let u_sbox = UninitializedSandbox::new(
             GuestBinary::FilePath(path),
diff --git a/src/hyperlight_host/src/hypervisor/hyperlight_vm/x86_64.rs b/src/hyperlight_host/src/hypervisor/hyperlight_vm/x86_64.rs
@@ -2125,18 +2125,20 @@ mod tests {
         }
 
         /// Creates VM with guest code that: dirtys FPU (if flag==0), does FXSAVE to buffer, sets flag=1.
-        /// Uses scratch region after rings for FXSAVE buffer.
+        /// Uses a scratch region area for the FXSAVE buffer.
         fn hyperlight_vm_with_mem_mgr_fxsave() -> FxsaveTestContext {
             use iced_x86::code_asm::*;
 
             // Compute fixed addresses for FXSAVE buffer and flag.
-            // We use the page-table area in scratch after rings as a
-            // convenient 512-byte aligned buffer for FXSAVE.
+            // Place the buffer at halfway through scratch: well past
+            // the rings and page tables at the start, and well below
+            // the stack and scratch-top metadata at the end.
             let config: SandboxConfiguration = Default::default();
             let layout = SandboxMemoryLayout::new(config, 512, 4096, None).unwrap();
-            let fxsave_offset = layout.get_pt_base_scratch_offset();
-            let fxsave_gva = hyperlight_common::layout::scratch_base_gva(config.get_scratch_size())
-                + fxsave_offset as u64;
+            let scratch_size = config.get_scratch_size();
+            let fxsave_offset = (scratch_size / 2) & !0xFFF; // page-aligned
+            let fxsave_gva =
+                hyperlight_common::layout::scratch_base_gva(scratch_size) + fxsave_offset as u64;
             let flag_gva = fxsave_gva + 512;
 
             let mut a = CodeAssembler::new(64).unwrap();
