From 4e3982d812b2a737c547c8c37ee93f30a78b46cc Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Fri, 1 Oct 2021 16:46:26 +0200 Subject: [PATCH] Value parameter to generic hook --- accel/tcg/translator.c | 20 ++++++++++++-------- cpu.c | 8 +++++--- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c index 5b3a454482..33763a6c8b 100644 --- a/accel/tcg/translator.c +++ b/accel/tcg/translator.c @@ -32,6 +32,7 @@ extern struct libafl_breakpoint* libafl_qemu_breakpoints; struct libafl_hook { target_ulong addr; void (*callback)(void); + uint64_t value; TCGHelperInfo helper_info; struct libafl_hook* next; }; @@ -113,6 +114,17 @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db, //// --- Begin LibAFL code --- + struct libafl_hook* hk = libafl_qemu_hooks; + while (hk) { + if (hk->addr == db->pc_next) { + TCGv_i64 tmp0 = tcg_const_i64(hk->value); + TCGTemp *tmp1[1] = { tcgv_i64_temp(tmp0) }; + tcg_gen_callN(hk->callback, NULL, 1, tmp1); + tcg_temp_free_i64(tmp0); + } + hk = hk->next; + } + struct libafl_breakpoint* bp = libafl_qemu_breakpoints; while (bp) { if (bp->addr == db->pc_next) { @@ -121,14 +133,6 @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db, bp = bp->next; } - struct libafl_hook* hk = libafl_qemu_hooks; - while (hk) { - if (hk->addr == db->pc_next) { - tcg_gen_callN(hk->callback, NULL, 0, NULL); - } - hk = hk->next; - } - //// --- End LibAFL code --- /* Disassemble one instruction. The translate_insn hook should diff --git a/cpu.c b/cpu.c index d171a0c51f..ff2e69315f 100644 --- a/cpu.c +++ b/cpu.c @@ -56,6 +56,7 @@ struct libafl_breakpoint* libafl_qemu_breakpoints = NULL; struct libafl_hook { target_ulong addr; void (*callback)(void); + uint64_t value; TCGHelperInfo helper_info; struct libafl_hook* next; }; 
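Review bot: `struct libafl_hook` is defined twice, once here in translator.c and again in the cpu.c hunk at @@ -56,6, and the new `uint64_t value;` member had to be added to each copy by hand. cpu.c allocates the nodes in `libafl_qemu_set_hook` while translator.c walks the same list and reads `hk->value`, so any future drift between the two definitions changes the layout one side reads without any compiler diagnostic. Move the struct (together with the `libafl_qemu_hooks` / `libafl_qemu_breakpoints` declarations that are already duplicated as `extern` here) into one shared header both files include, or at minimum mark each copy with `/* Must stay identical to struct libafl_hook in cpu.c */` so the coupling is visible at the point of edit.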
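Review bot: The new loop calls `tcg_gen_callN(hk->callback, NULL, 1, tmp1)` with one i64 argument, but `callback` is still declared `void (*callback)(void)` in the struct above and in the `libafl_qemu_set_hook` prototype in cpu.c, so the C type of the pointer, the generated call and the helper typemask (`dh_typemask(void, 0) | dh_typemask(i64, 1)` in the cpu.c @@ -174 hunk) no longer agree. Callers have to cast a `void (*)(uint64_t)` to `void (*)(void)` to register it, and nothing in the diff lets the compiler check that the registered function actually takes the argument. Declare the member as `void (*callback)(uint64_t);` in both struct copies and the prototype as `int libafl_qemu_set_hook(uint64_t addr, void (*callback)(uint64_t), uint64_t value);` so the contract is enforced at compile time; the same fix applies to the two cpu.c hunks. `translator_loop` begins and ends outside this hunk.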
@@ -71,7 +72,7 @@ int libafl_qemu_read_reg(int reg, uint8_t* val); int libafl_qemu_num_regs(void); int libafl_qemu_set_breakpoint(uint64_t addr); int libafl_qemu_remove_breakpoint(uint64_t addr); -int libafl_qemu_insert_hook(uint64_t addr, void (*callback)(void)); +int libafl_qemu_set_hook(uint64_t addr, void (*callback)(void), uint64_t value); int libafl_qemu_remove_hook(uint64_t addr); int libafl_qemu_write_reg(int reg, uint8_t* val) @@ -162,7 +163,7 @@ int libafl_qemu_remove_breakpoint(uint64_t addr) return r; } -int libafl_qemu_insert_hook(uint64_t addr, void (*callback)(void)) +int libafl_qemu_set_hook(uint64_t addr, void (*callback)(void), uint64_t value) { CPUState *cpu; @@ -174,10 +175,11 @@ int libafl_qemu_insert_hook(uint64_t addr, void (*callback)(void)) struct libafl_hook* hk = malloc(sizeof(struct libafl_hook)); hk->addr = pc; hk->callback = callback; + hk->value = value; hk->helper_info.func = callback; hk->helper_info.name = "libafl_hook"; hk->helper_info.flags = dh_callflag(void); - hk->helper_info.typemask = dh_typemask(void, 0); + hk->helper_info.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1); hk->next = libafl_qemu_hooks; libafl_qemu_hooks = hk; libafl_helper_table_add(&hk->helper_info);
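Review bot: `libafl_qemu_set_hook` prepends a fresh node (`hk->next = libafl_qemu_hooks; libafl_qemu_hooks = hk;`) without checking whether a hook for `pc` already exists, so despite the rename from insert to set, a second call for the same address leaves both nodes live and the translator emits two calls per execution of that instruction. If replace semantics are intended, walk the list for a node with `addr == pc` before allocating and update its `callback`, `value` and `helper_info.func` in place (confirm that `libafl_helper_table_add` keeps a pointer to the embedded `helper_info` rather than a copy before relying on in-place updates); otherwise document on the prototype that repeated calls stack. The `malloc` result is also still used unchecked before the new `hk->value = value;` store; that predates this change, but an `if (!hk) { return <error value>; }` guard right after the allocation would be cheap, using whichever error convention the function already returns. The rest of the function, including its return path, is outside the hunk.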