From c023bfb750d74052663dde3e341318b7ca1e1a16 Mon Sep 17 00:00:00 2001
From: Sergej Schumilo
Date: Tue, 22 Feb 2022 19:35:16 +0100
Subject: [PATCH] bug fix: don't reuse ram_offset as physical address to register PF in snapshot blocklist (breaks memory access and shared memory if address is above 0x0C0000000)
---
nyx/memory_access.c | 29 ++++++++++++++---------------
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/nyx/memory_access.c b/nyx/memory_access.c
index e5e4bcdf30..ad6dfec8d5 100644
--- a/nyx/memory_access.c
+++ b/nyx/memory_access.c
@@ -167,13 +167,13 @@ bool remap_payload_slot(uint64_t phys_addr, uint32_t slot, CPUState *cpu){
uint32_t i = slot;
- phys_addr = address_to_ram_offset(phys_addr);
+ uint64_t phys_addr_ram_offset = address_to_ram_offset(phys_addr);
QLIST_FOREACH_RCU(block, &ram_list.blocks, next) {
if(!memcmp(block->idstr, "pc.ram", 6)){
/* TODO: put assert calls here */
- munmap((void*)(((uint64_t)block->host) + phys_addr), x86_64_PAGE_SIZE);
- mmap((void*)(((uint64_t)block->host) + phys_addr), 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, GET_GLOBAL_STATE()->shared_payload_buffer_fd, (i*x86_64_PAGE_SIZE));
+ munmap((void*)(((uint64_t)block->host) + phys_addr_ram_offset), x86_64_PAGE_SIZE);
+ mmap((void*)(((uint64_t)block->host) + phys_addr_ram_offset), 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, GET_GLOBAL_STATE()->shared_payload_buffer_fd, (i*x86_64_PAGE_SIZE));
//printf("MMUNMAP: %d\n", munmap((void*)(((uint64_t)block->host) + phys_addr), x86_64_PAGE_SIZE));
//printf("MMAP: %p\n", mmap((void*)(((uint64_t)block->host) + phys_addr), 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, GET_GLOBAL_STATE()->shared_payload_buffer_fd, (i*x86_64_PAGE_SIZE)));
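Review bot: The munmap()/mmap() calls on phys_addr_ram_offset in remap_payload_slot still discard their return values, so a failed MAP_FIXED remap leaves either the old page or a hole in guest RAM with no diagnostic — the `/* TODO: put assert calls here */` comment directly above them acknowledges this. remap_payload_buffer later in this same patch already checks both calls, so the same pattern fits here: `if (mmap(...) == MAP_FAILED) { perror("[QEMU-Nyx] mmap payload slot"); abort(); }`. The two commented-out printf lines below the mmap still use `phys_addr`, which this commit stops treating as a RAM offset, so they would compute the wrong host address if ever re-enabled; delete them. remap_payload_slot continues past the hunk, so I cannot see whether the now-preserved phys_addr is the value passed to the snapshot blocklist there.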
@@ -205,9 +205,8 @@ bool remap_slot(uint64_t addr, uint32_t slot, CPUState *cpu, int fd, uint64_t sh
fprintf(stderr, "[QEMU-Nyx] Check if the buffer is present in the guest's memory...\n");
exit(1);
}
-
- phys_addr = address_to_ram_offset(phys_addr);
}
+ uint64_t phys_addr_ram_offset = address_to_ram_offset(phys_addr);
//printf("phys_addr -> %lx\n", phys_addr);
@@ -216,8 +215,8 @@ bool remap_slot(uint64_t addr, uint32_t slot, CPUState *cpu, int fd, uint64_t sh
QLIST_FOREACH_RCU(block, &ram_list.blocks, next) {
if(!memcmp(block->idstr, "pc.ram", 6)){
/* TODO: put assert calls here */
- munmap((void*)(((uint64_t)block->host) + phys_addr), x86_64_PAGE_SIZE);
- mmap((void*)(((uint64_t)block->host) + phys_addr), 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, (i*x86_64_PAGE_SIZE));
+ munmap((void*)(((uint64_t)block->host) + phys_addr_ram_offset), x86_64_PAGE_SIZE);
+ mmap((void*)(((uint64_t)block->host) + phys_addr_ram_offset), 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, (i*x86_64_PAGE_SIZE));
//printf("MMUNMAP: %d\n", munmap((void*)(((uint64_t)block->host) + phys_addr), x86_64_PAGE_SIZE));
//printf("MMAP: %p\n", mmap((void*)(((uint64_t)block->host) + phys_addr), 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, fd, (i*x86_64_PAGE_SIZE)));
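Review bot: The new `uint64_t phys_addr_ram_offset = address_to_ram_offset(phys_addr);` sits after the closing brace, so the conversion now also runs on the path that the removed lines skipped — previously it was only applied inside the block that follows the guest-address lookup and its exit(1) check. That is a silent behaviour change the commit message does not mention: if phys_addr on the other path was already a RAM offset (or a host-unmapped address), the mmap further down now targets a different host page than before. If both paths are meant to carry a guest-physical address, say so where the variable is introduced, e.g. `/* phys_addr is guest-physical on both paths; convert to a pc.ram offset exactly once here */`; otherwise the conversion belongs back inside the conditional. remap_slot's signature and the head of that if-block are outside the hunk, so this is inferred from the removed lines only.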
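Review bot: In the second hunk the remap on phys_addr_ram_offset unmaps a page of pc.ram and then maps the caller-supplied `fd` over it without checking either result, so if mmap() fails after munmap() succeeded the guest keeps running with a hole at that physical page and the next access faults inside QEMU rather than producing an error. A minimal check is `if (mmap(...) == MAP_FAILED) { perror("[QEMU-Nyx] remap_slot mmap"); abort(); }`, and munmap() deserves the same treatment; remap_payload_buffer in this patch already does this. The size arguments also disagree — munmap() uses `x86_64_PAGE_SIZE` while mmap() uses the literal `0x1000` — and should use the same constant so a future change to one cannot desynchronise them. The two commented-out printf lines below still reference the old `phys_addr` and are now misleading; remove them.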
@@ -239,14 +238,14 @@ bool remap_payload_slot_protected(uint64_t phys_addr, uint32_t slot, CPUState *c
uint32_t i = slot;
- phys_addr = address_to_ram_offset(phys_addr);
+ uint64_t phys_addr_ram_offset = address_to_ram_offset(phys_addr);
QLIST_FOREACH_RCU(block, &ram_list.blocks, next) {
if(!memcmp(block->idstr, "pc.ram", 6)){
/* TODO: put assert calls here */
- munmap((void*)(((uint64_t)block->host) + phys_addr), x86_64_PAGE_SIZE);
- mmap((void*)(((uint64_t)block->host) + phys_addr), 0x1000, PROT_READ , MAP_SHARED | MAP_FIXED, GET_GLOBAL_STATE()->shared_payload_buffer_fd, (i*x86_64_PAGE_SIZE));
+ munmap((void*)(((uint64_t)block->host) + phys_addr_ram_offset), x86_64_PAGE_SIZE);
+ mmap((void*)(((uint64_t)block->host) + phys_addr_ram_offset), 0x1000, PROT_READ , MAP_SHARED | MAP_FIXED, GET_GLOBAL_STATE()->shared_payload_buffer_fd, (i*x86_64_PAGE_SIZE));
//printf("MMUNMAP: %d\n", munmap((void*)(((uint64_t)block->host) + phys_addr), x86_64_PAGE_SIZE));
//printf("MMAP: %p\n", mmap((void*)(((uint64_t)block->host) + phys_addr), 0x1000, PROT_READ , MAP_SHARED | MAP_FIXED, GET_GLOBAL_STATE()->shared_payload_buffer_fd, (i*x86_64_PAGE_SIZE)));
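Review bot: remap_payload_slot_protected is the variant that is supposed to guarantee the payload page is read-only for the guest, yet the `PROT_READ` mmap() on phys_addr_ram_offset is unchecked: if it fails after the preceding munmap() succeeded, nothing is mapped there at all, and if munmap() itself fails the original writable page silently stays in place, defeating the protection this function exists to provide. Check the result and make failure fatal, `if (mmap(...) == MAP_FAILED) { perror("[QEMU-Nyx] protected payload mmap"); abort(); }`, and give munmap() the same check, as remap_payload_buffer below already does. The commented-out printf pair under the mmap still uses the pre-patch `phys_addr` (now a guest-physical address, not an offset) and should be dropped rather than left as a trap. The remainder of the function is outside the hunk.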
@@ -296,28 +295,28 @@ bool remap_payload_buffer(uint64_t virt_guest_addr, CPUState *cpu){
assert(phys_addr != INVALID_ADDRESS);
- phys_addr = address_to_ram_offset(phys_addr);
+ uint64_t phys_addr_ram_offset = address_to_ram_offset(phys_addr);
QLIST_FOREACH_RCU(block, &ram_list.blocks, next) {
if(!memcmp(block->idstr, "pc.ram", 6)){
//printf("MMUNMAP: %d\n", munmap((void*)(((uint64_t)block->host) + phys_addr), x86_64_PAGE_SIZE));
- if(munmap((void*)(((uint64_t)block->host) + phys_addr), x86_64_PAGE_SIZE) == -1){
+ if(munmap((void*)(((uint64_t)block->host) + phys_addr_ram_offset), x86_64_PAGE_SIZE) == -1){
fprintf(stderr, "munmap failed!\n");
//exit(1);
assert(false);
}
//printf("MMAP: %lx\n", mmap((void*)(((uint64_t)block->host) + phys_addr), 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, shared_payload_buffer_fd, (i*x86_64_PAGE_SIZE)));
- if(mmap((void*)(((uint64_t)block->host) + phys_addr), 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, GET_GLOBAL_STATE()->shared_payload_buffer_fd, (i*x86_64_PAGE_SIZE)) == MAP_FAILED){
+ if(mmap((void*)(((uint64_t)block->host) + phys_addr_ram_offset), 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_FIXED, GET_GLOBAL_STATE()->shared_payload_buffer_fd, (i*x86_64_PAGE_SIZE)) == MAP_FAILED){
fprintf(stderr, "mmap failed!\n");
//exit(1);
assert(false);
}
- memset((block->host) + phys_addr_ram_offset, 0xab, 0x1000);
+ memset((block->host) + phys_addr_ram_offset, 0xab, 0x1000);
if(GET_GLOBAL_STATE()->protect_payload_buffer){
- mprotect((block->host) + phys_addr, 0x1000, PROT_READ);
+ mprotect((block->host) + phys_addr_ram_offset, 0x1000, PROT_READ);
}
fast_reload_blacklist_page(get_fast_reload_snapshot(), phys_addr);
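Review bot: The error paths around the new munmap()/mmap() calls on phys_addr_ram_offset rely on `assert(false)` with the `//exit(1);` commented out, so in a build compiled with NDEBUG a failed munmap() falls through to mmap() over a page that is still mapped, and a failed mmap() falls through to `memset((block->host) + phys_addr_ram_offset, 0xab, 0x1000)` on an address that was just unmapped — a guaranteed SIGSEGV in the host process instead of a clean error. Replace both with an unconditional abort that also reports errno, e.g. `fprintf(stderr, "[QEMU-Nyx] munmap failed: %s\n", strerror(errno)); abort();` (or `perror()` if `<string.h>`/`<errno.h>` are not already included here — the includes are outside the hunk). The `mprotect()` under protect_payload_buffer is likewise unchecked, so a failure there leaves the payload page writable while the caller believes it is read-only; check it the same way. Passing the untouched guest-physical `phys_addr` to fast_reload_blacklist_page is the correct fix for the offset/address confusion in the commit title; a one-line comment above that call, `/* blocklist takes a guest-physical address, not a pc.ram offset */`, would stop the same mistake being reintroduced. The two commented-out printf lines in this hunk still use the old `phys_addr` and should go.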