From e99b9da6585504a8333f2846a61de487f94d3476 Mon Sep 17 00:00:00 2001
From: Romain Malmain
Date: Thu, 11 Apr 2024 14:52:11 +0200
Subject: [PATCH] Add tcg_env to backdoor callback (#58)

* Add tcg_env to backdoor callback. Remove useless backslashes.

* update self-hosted to qemu-specific runner (#57)

* Change parameter order in backdoor

* Revert "Revert "Implement user-space QEMU ASAN (#45)" (#56)" (#59)

This reverts commit 821ad471430360c4eed644d07d59f0d603ef23f6.

---------

Co-authored-by: Andrea Fioraldi
---
 accel/tcg/translator.c | 20 +++---------
 libafl_extras/hook.c | 72 ++++++++++++++++++++++--------------
 libafl_extras/hook.h | 4 +--
 3 files changed, 44 insertions(+), 52 deletions(-)

diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index 7afd06d468..b75530da13 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -220,21 +220,11 @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,
 struct libafl_backdoor_hook* bhk = libafl_backdoor_hooks;
 while (bhk) {
 TCGv_i64 tmp0 = tcg_constant_i64(bhk->data);
-#if TARGET_LONG_BITS == 32
- TCGv_i32 tmp1 = tcg_constant_i32(db->pc_next);
- TCGTemp *tmp2[2] = { tcgv_i64_temp(tmp0), tcgv_i32_temp(tmp1) };
-#else
- TCGv_i64 tmp1 = tcg_constant_i64(db->pc_next);
- TCGTemp *tmp2[2] = { tcgv_i64_temp(tmp0), tcgv_i64_temp(tmp1) };
-#endif
- // tcg_gen_callN(bhk->exec, NULL, 2, tmp2);
- tcg_gen_callN(&bhk->helper_info, NULL, tmp2);
-#if TARGET_LONG_BITS == 32
- tcg_temp_free_i32(tmp1);
-#else
- tcg_temp_free_i64(tmp1);
-#endif
- tcg_temp_free_i64(tmp0);
+ TCGv tmp2 = tcg_constant_tl(db->pc_next);
+ TCGTemp *args[3] = { tcgv_i64_temp(tmp0), tcgv_ptr_temp(tcg_env), tcgv_tl_temp(tmp2) };
+
+ tcg_gen_callN(&bhk->helper_info, NULL, args);
+
 bhk = bhk->next;
 }
diff --git a/libafl_extras/hook.c b/libafl_extras/hook.c
index c13552a2b4..aed279b746 100644
--- a/libafl_extras/hook.c
+++ b/libafl_extras/hook.c
@@ -157,17 +157,19 @@ int libafl_qemu_remove_##name##_hook(size_t num) \
 return 0; \
 }
-
 static TCGHelperInfo libafl_exec_backdoor_hook_info = {
- .func = NULL, .name = "libafl_exec_backdoor_hook", \
- .flags = dh_callflag(void), \
- .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(tl, 2)
+ .func = NULL, .name = "libafl_exec_backdoor_hook",
+ .flags = dh_callflag(void),
+ .typemask = dh_typemask(void, 0)
+ | dh_typemask(env, 1)
+ | dh_typemask(i64, 2)
+ | dh_typemask(tl, 3)
 };
 struct libafl_backdoor_hook* libafl_backdoor_hooks;
 size_t libafl_backdoor_hooks_num = 0;
-size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, target_ulong pc),
+size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, CPUArchState* cpu, target_ulong pc),
 uint64_t data)
 {
 struct libafl_backdoor_hook* hook = calloc(sizeof(struct libafl_backdoor_hook), 1);
@@ -186,8 +188,8 @@ size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, target_ulong pc),
 GEN_REMOVE_HOOK(backdoor)
 static TCGHelperInfo libafl_exec_edge_hook_info = {
- .func = NULL, .name = "libafl_exec_edge_hook", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_edge_hook",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2)
 };
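Review bot: The new `.typemask` of `libafl_exec_backdoor_hook_info` declares the helper's arguments in the order (env, i64, tl), but the callback prototype a few lines below is `(uint64_t data, CPUArchState* cpu, target_ulong pc)` and the translator.c hunk builds the call as `{ tcgv_i64_temp(tmp0), tcgv_ptr_temp(tcg_env), tcgv_tl_temp(tmp2) }`, i.e. (i64, env, tl), so the typemask is the one that disagrees with the other two. On a 64-bit host `ptr` and `i64` map to the same TCG type, which would mask this in testing; on a 32-bit host an `i64` argument occupies two call slots, so the env pointer and the pc would presumably land in the wrong slots (inferred from how TCG lays out helper arguments from the typemask; worth confirming against tcg.c). Either change the mask to `.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(env, 2) | dh_typemask(tl, 3)` or put env first in both the prototype and `args[]`, matching QEMU's own helper convention. The body of libafl_add_backdoor_hook continues past the end of this hunk.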
@@ -285,54 +287,54 @@ bool libafl_qemu_block_hook_set_jit(size_t num, size_t (*jit)(uint64_t data, uin
 }
 static TCGHelperInfo libafl_exec_read_hook1_info = {
- .func = NULL, .name = "libafl_exec_read_hook1", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_read_hook1",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_read_hook2_info = {
- .func = NULL, .name = "libafl_exec_read_hook2", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_read_hook2",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_read_hook4_info = {
- .func = NULL, .name = "libafl_exec_read_hook4", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_read_hook4",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_read_hook8_info = {
- .func = NULL, .name = "libafl_exec_read_hook8", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_read_hook8",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_read_hookN_info = {
- .func = NULL, .name = "libafl_exec_read_hookN", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_read_hookN",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3) | dh_typemask(i64, 4)
 };
 static TCGHelperInfo libafl_exec_write_hook1_info = {
- .func = NULL, .name = "libafl_exec_write_hook1", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_write_hook1",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_write_hook2_info = {
- .func = NULL, .name = "libafl_exec_write_hook2", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_write_hook2",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_write_hook4_info = {
- .func = NULL, .name = "libafl_exec_write_hook4", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_write_hook4",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_write_hook8_info = {
- .func = NULL, .name = "libafl_exec_write_hook8", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_write_hook8",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_write_hookN_info = {
- .func = NULL, .name = "libafl_exec_write_hookN", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_write_hookN",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3) | dh_typemask(i64, 4)
 };
@@ -505,26 +507,26 @@ void libafl_gen_write(TCGTemp *addr, MemOpIdx oi)
 }
 static TCGHelperInfo libafl_exec_cmp_hook1_info = {
- .func = NULL, .name = "libafl_exec_cmp_hook1", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_cmp_hook1",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3) | dh_typemask(tl, 4)
 };
 static TCGHelperInfo libafl_exec_cmp_hook2_info = {
- .func = NULL, .name = "libafl_exec_cmp_hook2", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_cmp_hook2",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3) | dh_typemask(tl, 4)
 };
 static TCGHelperInfo libafl_exec_cmp_hook4_info = {
- .func = NULL, .name = "libafl_exec_cmp_hook4", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_cmp_hook4",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3) | dh_typemask(tl, 4)
 };
 static TCGHelperInfo libafl_exec_cmp_hook8_info = {
- .func = NULL, .name = "libafl_exec_cmp_hook8", \
- .flags = dh_callflag(void), \
+ .func = NULL, .name = "libafl_exec_cmp_hook8",
+ .flags = dh_callflag(void),
 .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(i64, 3) | dh_typemask(i64, 4)
 };
diff --git a/libafl_extras/hook.h b/libafl_extras/hook.h
index 57081cd5df..453d85cc73 100644
--- a/libafl_extras/hook.h
+++ b/libafl_extras/hook.h
@@ -41,7 +41,7 @@ int libafl_qemu_remove_hook(size_t num, int invalidate);
 struct libafl_hook* libafl_search_hook(target_ulong addr);
 struct libafl_backdoor_hook {
- void (*exec)(uint64_t data, target_ulong pc);
+ void (*exec)(uint64_t data, CPUArchState* cpu, target_ulong pc);
 uint64_t data;
 size_t num;
 TCGHelperInfo helper_info;
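Review bot: In the hook.h hunk the new middle parameter of `exec` is typed `CPUArchState*` but named `cpu`; in QEMU that type is the per-target env struct (it is `tcg_env` that the translator.c hunk passes), while `cpu` conventionally denotes a `CPUState*`, so the name steers a reader of this header toward the wrong struct. Suggest `void (*exec)(uint64_t data, CPUArchState* env, target_ulong pc);` here and in the `libafl_add_backdoor_hook` prototype in the -50 hunk below, together with a short comment on the member such as `/* env: the current CPUArchState (tcg_env); pc: guest PC of the backdoor instruction */`, since the header currently says nothing about what the callback receives. This is also an ABI change for every registered backdoor callback, so any caller compiled against the old two-argument signature (presumably outside this repository) has to be rebuilt with the same change; those callers are not visible from here.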
@@ -50,7 +50,7 @@ struct libafl_backdoor_hook {
 extern struct libafl_backdoor_hook* libafl_backdoor_hooks;
-size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, target_ulong pc),
+size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, CPUArchState* cpu, target_ulong pc),
 uint64_t data);
 int libafl_qemu_remove_backdoor_hook(size_t num, int invalidate);