Value parameter to generic hook

2021-10-01 16:46:26 +02:00 · 2021-10-01 16:46:26 +02:00 · 4e3982d812
commit 4e3982d812
parent f9898d7db4
2 changed files with 17 additions and 11 deletions
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@ -32,6 +32,7 @@ extern struct libafl_breakpoint* libafl_qemu_breakpoints;
 struct libafl_hook {
    target_ulong addr;
    void (*callback)(void);
+    uint64_t value;
    TCGHelperInfo helper_info;
    struct libafl_hook* next;
 };
@ -113,6 +114,17 @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,

        //// --- Begin LibAFL code ---

+        struct libafl_hook* hk = libafl_qemu_hooks;
+        while (hk) {
+            if (hk->addr == db->pc_next) {
+                TCGv_i64 tmp0 = tcg_const_i64(hk->value);
+                TCGTemp *tmp1[1] = { tcgv_i64_temp(tmp0) };
+                tcg_gen_callN(hk->callback, NULL, 1, tmp1);
+                tcg_temp_free_i64(tmp0);
+            }
+            hk = hk->next;
+        }
+
        struct libafl_breakpoint* bp = libafl_qemu_breakpoints;
        while (bp) {
            if (bp->addr == db->pc_next) {
@ -121,14 +133,6 @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
            bp = bp->next;
        }

-        struct libafl_hook* hk = libafl_qemu_hooks;
-        while (hk) {
-            if (hk->addr == db->pc_next) {
-                tcg_gen_callN(hk->callback, NULL, 0, NULL);
-            }
-            hk = hk->next;
-        }
-
        //// --- End LibAFL code ---

        /* Disassemble one instruction.  The translate_insn hook should
--- a/cpu.c
+++ b/cpu.c
@ -56,6 +56,7 @@ struct libafl_breakpoint* libafl_qemu_breakpoints = NULL;
 struct libafl_hook {
    target_ulong addr;
    void (*callback)(void);
+    uint64_t value;
    TCGHelperInfo helper_info;
    struct libafl_hook* next;
 };
@ -71,7 +72,7 @@ int libafl_qemu_read_reg(int reg, uint8_t* val);
 int libafl_qemu_num_regs(void);
 int libafl_qemu_set_breakpoint(uint64_t addr);
 int libafl_qemu_remove_breakpoint(uint64_t addr);
-int libafl_qemu_insert_hook(uint64_t addr, void (*callback)(void));
+int libafl_qemu_set_hook(uint64_t addr, void (*callback)(void), uint64_t value);
 int libafl_qemu_remove_hook(uint64_t addr);

 int libafl_qemu_write_reg(int reg, uint8_t* val)
@ -162,7 +163,7 @@ int libafl_qemu_remove_breakpoint(uint64_t addr)
    return r;
 }

-int libafl_qemu_insert_hook(uint64_t addr, void (*callback)(void))
+int libafl_qemu_set_hook(uint64_t addr, void (*callback)(void), uint64_t value)
 {
    CPUState *cpu;

@ -174,10 +175,11 @@ int libafl_qemu_insert_hook(uint64_t addr, void (*callback)(void))
    struct libafl_hook* hk = malloc(sizeof(struct libafl_hook));
    hk->addr = pc;
    hk->callback = callback;
+    hk->value = value;
    hk->helper_info.func = callback;
    hk->helper_info.name = "libafl_hook";
    hk->helper_info.flags = dh_callflag(void);
-    hk->helper_info.typemask = dh_typemask(void, 0);
+    hk->helper_info.typemask = dh_typemask(void, 0) | dh_typemask(i64, 1);
    hk->next = libafl_qemu_hooks;
    libafl_qemu_hooks = hk;
    libafl_helper_table_add(&hk->helper_info);