Fix backdoor hook

accel/tcg/translator.c

@@ -219,22 +219,22 @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,
                     if (backdoor == 0x44) {
                         struct libafl_backdoor_hook* bhk = libafl_backdoor_hooks;
                         while (bhk) {
-                            TCGv_i64 tmp1 = tcg_constant_i64(bhk->data);
+                            TCGv_i64 tmp0 = tcg_constant_i64(bhk->data);
 #if TARGET_LONG_BITS == 32
-                            TCGv_i32 tmp0 = tcg_constant_i32(db->pc_next);
+                            TCGv_i32 tmp1 = tcg_constant_i32(db->pc_next);
-                            TCGTemp *tmp2[2] = { tcgv_i32_temp(tmp0), tcgv_i64_temp(tmp1) };
+                            TCGTemp *tmp2[2] = { tcgv_i64_temp(tmp0), tcgv_i32_temp(tmp1) };
 #else
-                            TCGv_i64 tmp0 = tcg_constant_i64(db->pc_next);
+                            TCGv_i64 tmp1 = tcg_constant_i64(db->pc_next);
                             TCGTemp *tmp2[2] = { tcgv_i64_temp(tmp0), tcgv_i64_temp(tmp1) };
 #endif
                             // tcg_gen_callN(bhk->exec, NULL, 2, tmp2);
                             tcg_gen_callN(&bhk->helper_info, NULL, tmp2);
 #if TARGET_LONG_BITS == 32
-                            tcg_temp_free_i32(tmp0);
+                            tcg_temp_free_i32(tmp1);
 #else
-                            tcg_temp_free_i64(tmp0);
-#endif
                             tcg_temp_free_i64(tmp1);
+#endif
+                            tcg_temp_free_i64(tmp0);
                             bhk = bhk->next;
                         }
 

libafl_extras/hook.c

@@ -161,13 +161,13 @@ int libafl_qemu_remove_##name##_hook(size_t num) \
 static TCGHelperInfo libafl_exec_backdoor_hook_info = {
     .func = NULL, .name = "libafl_exec_backdoor_hook", \
     .flags = dh_callflag(void), \
-    .typemask = dh_typemask(void, 0) | dh_typemask(tl, 1) | dh_typemask(i64, 2)
+    .typemask = dh_typemask(void, 0) | dh_typemask(i64, 1) | dh_typemask(tl, 2)
 };
 
 struct libafl_backdoor_hook* libafl_backdoor_hooks;
 size_t libafl_backdoor_hooks_num = 0;
 
-size_t libafl_add_backdoor_hook(void (*exec)(target_ulong id, uint64_t data),
+size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, target_ulong pc),
                                 uint64_t data)
 {
     struct libafl_backdoor_hook* hook = calloc(sizeof(struct libafl_backdoor_hook), 1);

libafl_extras/hook.h

@@ -41,7 +41,7 @@ int libafl_qemu_remove_hook(size_t num, int invalidate);
 struct libafl_hook* libafl_search_hook(target_ulong addr);
 
 struct libafl_backdoor_hook {
-    void (*exec)(target_ulong pc, uint64_t data);
+    void (*exec)(uint64_t data, target_ulong pc);
     uint64_t data;
     size_t num;
     TCGHelperInfo helper_info;
@@ -50,7 +50,7 @@ struct libafl_backdoor_hook {
 
 extern struct libafl_backdoor_hook* libafl_backdoor_hooks;
 
-size_t libafl_add_backdoor_hook(void (*exec)(target_ulong pc, uint64_t data),
+size_t libafl_add_backdoor_hook(void (*exec)(uint64_t data, target_ulong pc),
                                 uint64_t data);
 int libafl_qemu_remove_backdoor_hook(size_t num, int invalidate);