Add tcg_env to backdoor callback (#58)

* Add tcg_env to backdoor callback.
Remove useless backslashes.

* update self-hosted to qemu-specific runner (#57)

* Change parameter order in backdoor

* Revert "Revert "Implement user-space QEMU ASAN (#45)" (#56)" (#59)

This reverts commit 821ad471430360c4eed644d07d59f0d603ef23f6.

---------

Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>

accel/tcg/translator.c

@@ -220,21 +220,11 @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,
                         struct libafl_backdoor_hook* bhk = libafl_backdoor_hooks;
                         while (bhk) {
                             TCGv_i64 tmp0 = tcg_constant_i64(bhk->data);
-#if TARGET_LONG_BITS == 32
-                            TCGv_i32 tmp1 = tcg_constant_i32(db->pc_next);
-                            TCGTemp *tmp2[2] = { tcgv_i64_temp(tmp0), tcgv_i32_temp(tmp1) };
-#else
-                            TCGv_i64 tmp1 = tcg_constant_i64(db->pc_next);
-                            TCGTemp *tmp2[2] = { tcgv_i64_temp(tmp0), tcgv_i64_temp(tmp1) };
-#endif
-                            // tcg_gen_callN(bhk->exec, NULL, 2, tmp2);
-                            tcg_gen_callN(&bhk->helper_info, NULL, tmp2);
-#if TARGET_LONG_BITS == 32
-                            tcg_temp_free_i32(tmp1);
-#else
-                            tcg_temp_free_i64(tmp1);
-#endif
-                            tcg_temp_free_i64(tmp0);
+                            TCGv tmp2 = tcg_constant_tl(db->pc_next);
+                            TCGTemp *args[3] = { tcgv_i64_temp(tmp0), tcgv_ptr_temp(tcg_env), tcgv_tl_temp(tmp2) };
+
+                            tcg_gen_callN(&bhk->helper_info, NULL, args);
+
                             bhk = bhk->next;
                         }
 

libafl_extras/hook.c

@@ -157,17 +157,19 @@ int libafl_qemu_remove_##name##_hook(size_t num) \
     return  0; \
 }
 
-
 static TCGHelperInfo libafl_exec_backdoor_hook_info = {
-    .func = NULL, .name = "libafl_exec_backdoor_hook", \
-    .flags = dh_callflag(void), \
-    .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(tl, 2)
+    .func = NULL, .name = "libafl_exec_backdoor_hook",
+    .flags = dh_callflag(void),
+    .typemask = dh_typemask(void, 0)
+                | dh_typemask(env, 1)
+                | dh_typemask(i64, 2)
+                | dh_typemask(tl, 3)
 };
 
 struct libafl_backdoor_hook* libafl_backdoor_hooks;
 size_t libafl_backdoor_hooks_num = 0;
 
-size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, target_ulong pc),
+size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, CPUArchState* cpu, target_ulong pc),
                                 uint64_t data)
 {
     struct libafl_backdoor_hook* hook = calloc(sizeof(struct libafl_backdoor_hook), 1);
@@ -186,8 +188,8 @@ size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, target_ulong pc),
 GEN_REMOVE_HOOK(backdoor)
 
 static TCGHelperInfo libafl_exec_edge_hook_info = {
-    .func = NULL, .name = "libafl_exec_edge_hook", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_edge_hook",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2)
 };
 
@@ -285,54 +287,54 @@ bool libafl_qemu_block_hook_set_jit(size_t num, size_t (*jit)(uint64_t data, uin
 }
 
 static TCGHelperInfo libafl_exec_read_hook1_info = {
-    .func = NULL, .name = "libafl_exec_read_hook1", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_read_hook1",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_read_hook2_info = {
-    .func = NULL, .name = "libafl_exec_read_hook2", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_read_hook2",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_read_hook4_info = {
-    .func = NULL, .name = "libafl_exec_read_hook4", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_read_hook4",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_read_hook8_info = {
-    .func = NULL, .name = "libafl_exec_read_hook8", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_read_hook8",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_read_hookN_info = {
-    .func = NULL, .name = "libafl_exec_read_hookN", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_read_hookN",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2)
                 | dh_typemask(tl, 3) | dh_typemask(i64, 4)
 };
 static TCGHelperInfo libafl_exec_write_hook1_info = {
-    .func = NULL, .name = "libafl_exec_write_hook1", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_write_hook1",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_write_hook2_info = {
-    .func = NULL, .name = "libafl_exec_write_hook2", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_write_hook2",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_write_hook4_info = {
-    .func = NULL, .name = "libafl_exec_write_hook4", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_write_hook4",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_write_hook8_info = {
-    .func = NULL, .name = "libafl_exec_write_hook8", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_write_hook8",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2) | dh_typemask(tl, 3)
 };
 static TCGHelperInfo libafl_exec_write_hookN_info = {
-    .func = NULL, .name = "libafl_exec_write_hookN", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_write_hookN",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(i64, 2)
                 | dh_typemask(tl, 3) | dh_typemask(i64, 4)
 };
@@ -505,26 +507,26 @@ void libafl_gen_write(TCGTemp *addr, MemOpIdx oi)
 }
 
 static TCGHelperInfo libafl_exec_cmp_hook1_info = {
-    .func = NULL, .name = "libafl_exec_cmp_hook1", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_cmp_hook1",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1)
     | dh_typemask(i64, 2) | dh_typemask(tl, 3) | dh_typemask(tl, 4)
 };
 static TCGHelperInfo libafl_exec_cmp_hook2_info = {
-    .func = NULL, .name = "libafl_exec_cmp_hook2", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_cmp_hook2",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1)
     | dh_typemask(i64, 2) | dh_typemask(tl, 3) | dh_typemask(tl, 4)
 };
 static TCGHelperInfo libafl_exec_cmp_hook4_info = {
-    .func = NULL, .name = "libafl_exec_cmp_hook4", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_cmp_hook4",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1)
     | dh_typemask(i64, 2) | dh_typemask(tl, 3) | dh_typemask(tl, 4)
 };
 static TCGHelperInfo libafl_exec_cmp_hook8_info = {
-    .func = NULL, .name = "libafl_exec_cmp_hook8", \
-    .flags = dh_callflag(void), \
+    .func = NULL, .name = "libafl_exec_cmp_hook8",
+    .flags = dh_callflag(void),
     .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1)
     | dh_typemask(i64, 2) | dh_typemask(i64, 3) | dh_typemask(i64, 4)
 };

libafl_extras/hook.h

@@ -41,7 +41,7 @@ int libafl_qemu_remove_hook(size_t num, int invalidate);
 struct libafl_hook* libafl_search_hook(target_ulong addr);
 
 struct libafl_backdoor_hook {
-    void (*exec)(uint64_t data, target_ulong pc);
+    void (*exec)(uint64_t data, CPUArchState* cpu, target_ulong pc);
     uint64_t data;
     size_t num;
     TCGHelperInfo helper_info;
@@ -50,7 +50,7 @@ struct libafl_backdoor_hook {
 
 extern struct libafl_backdoor_hook* libafl_backdoor_hooks;
 
-size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, target_ulong pc),
+size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, CPUArchState* cpu, target_ulong pc),
                                 uint64_t data);
 int libafl_qemu_remove_backdoor_hook(size_t num, int invalidate);