PATMRC.cpp revision 7847c123aebebc6d3d5c1406619cfba1ab6457c1
/* $Id$ */
/** @file
* PATM - Dynamic Guest OS Patching Manager - Raw-mode Context.
*/
/*
* Copyright (C) 2006-2013 Oracle Corporation
*
* This file is part of VirtualBox Open Source Edition (OSE), as
* available from http://www.virtualbox.org. This file is free software;
* General Public License (GPL) as published by the Free Software
* Foundation, in version 2 as it comes in the "COPYING" file of the
* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
*/
/*******************************************************************************
* Header Files *
*******************************************************************************/
#define LOG_GROUP LOG_GROUP_PATM
#ifdef VBOX_WITH_IEM
#endif
#include "PATMInternal.h"
#include "PATMA.h"
#include <VBox/disopcode.h>
/**
* \#PF Virtual Handler callback for Guest access a page monitored by PATM
*
* @returns VBox status code (appropriate for trap handling and GC return).
* @param pVM Pointer to the VM.
* @param uErrorCode CPU Error code.
* @param pRegFrame Trap register frame.
* @param pvFault The fault address (cr2).
* @param pvRange The base address of the handled virtual range.
* @param offRange The offset of the access into this range.
* (If it's a EIP range this is the EIP, if not it's pvFault.)
*/
VMMRCDECL(int) PATMGCMonitorPage(PVM pVM, RTGCUINT uErrorCode, PCPUMCTXCORE pRegFrame, RTGCPTR pvFault, RTGCPTR pvRange, uintptr_t offRange)
{
return VINF_PATM_CHECK_PATCH_PAGE;
}
/**
* Checks if the write is located on a page with was patched before.
* (if so, then we are not allowed to turn on r/w)
*
* @returns VBox status
* @param pVM Pointer to the VM.
* @param pRegFrame CPU context
* @param GCPtr GC pointer to write address
* @param cbWrite Nr of bytes to write
*
*/
VMMRC_INT_DECL(int) PATMRCHandleWriteToPatchPage(PVM pVM, PCPUMCTXCORE pRegFrame, RTRCPTR GCPtr, uint32_t cbWrite)
{
/* Quick boundary check */
)
return VERR_PATCH_NOT_FOUND;
pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(CTXSUFF(&pVM->patm.s.PatchLookupTree)->PatchTreeByPage, (AVLOU32KEY)pWritePageStart);
if ( !pPatchPage
&& pWritePageStart != pWritePageEnd
)
{
pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(CTXSUFF(&pVM->patm.s.PatchLookupTree)->PatchTreeByPage, (AVLOU32KEY)pWritePageEnd);
}
#ifdef LOG_ENABLED
if (pPatchPage)
Log(("PATMGCHandleWriteToPatchPage: Found page %RRv for write to %RRv %d bytes (page low:high %RRv:%RRv\n", pPatchPage->Core.Key, GCPtr, cbWrite, pPatchPage->pLowestAddrGC, pPatchPage->pHighestAddrGC));
#endif
if (pPatchPage)
{
{
/* This part of the page was not patched; try to emulate the instruction. */
if (rc == VINF_SUCCESS)
{
return VINF_SUCCESS;
}
}
/* Increase the invalid write counter for each patch that's registered for that page. */
{
pPatch->cInvalidWrites++;
}
return VINF_EM_RAW_EMULATE_INSTR;
}
return VERR_PATCH_NOT_FOUND;
}
/**
* Checks if the illegal instruction was caused by a patched instruction
*
* @returns VBox status
*
* @param pVM Pointer to the VM.
* @param pCtxCore The relevant core context.
*/
{
int rc;
/* Very important check -> otherwise we have a security leak. */
AssertReturn(!pRegFrame->eflags.Bits.u1VM && (pRegFrame->ss.Sel & X86_SEL_RPL) <= (EMIsRawRing1Enabled(pVM) ? 2U : 1U),
/* OP_ILLUD2 in PATM generated code? */
{
LogFlow(("PATMRC: Pending action %x at %x\n", CTXSUFF(pVM->patm.s.pGCState)->uPendingAction, pRegFrame->eip));
/* Private PATM interface (@todo hack due to lack of anything generic). */
/* Parameters:
* eax = Pending action (currently PATM_ACTION_LOOKUP_ADDRESS)
* ecx = PATM_ACTION_MAGIC
*/
)
{
{
{
/* Parameters:
* edx = GC address to find
* edi = PATCHJUMPTABLE ptr
*/
AssertMsg(!pRegFrame->edi || PATMIsPatchGCAddr(pVM, pRegFrame->edi), ("edi = %x\n", pRegFrame->edi));
if (pRec)
{
{
if (rc == VINF_SUCCESS)
{
return VINF_SUCCESS;
}
AssertFailed();
}
else
{
return VINF_SUCCESS;
}
}
else
{
/* Check first before trying to generate a function/trampoline patch. */
{
return VINF_SUCCESS;
}
return VINF_PATM_DUPLICATE_FUNCTION;
}
}
/* Parameters:
* edi = GC address to jump to
*/
/* Change EIP to the guest address the patch would normally jump to after setting IF. */
Assert(pVM->patm.s.CTXSUFF(pGCState)->Restore.uFlags == (PATM_RESTORE_EAX|PATM_RESTORE_ECX|PATM_RESTORE_EDI));
/* We are no longer executing PATM code; set PIF again. */
/* The caller will call trpmGCExitTrap, which will dispatch pending interrupts for us. */
return VINF_SUCCESS;
/* Parameters:
* edi = GC address to jump to
*/
Assert(pVM->patm.s.CTXSUFF(pGCState)->Restore.uFlags == (PATM_RESTORE_EAX|PATM_RESTORE_ECX|PATM_RESTORE_EDI));
/* Change EIP to the guest address of the iret. */
/* We are no longer executing PATM code; set PIF again. */
return VINF_PATM_PENDING_IRQ_AFTER_IRET;
case PATM_ACTION_DO_V86_IRET:
{
if (RT_SUCCESS(rc))
{
/* We are no longer executing PATM code; set PIF again. */
/* does not return */
}
else
return rc;
}
#ifdef DEBUG
case PATM_ACTION_LOG_CLI:
Log(("PATMRC: CLI at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags) ));
return VINF_SUCCESS;
case PATM_ACTION_LOG_STI:
Log(("PATMRC: STI at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags) ));
return VINF_SUCCESS;
case PATM_ACTION_LOG_POPF_IF1:
Log(("PATMRC: POPF setting IF at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags)));
return VINF_SUCCESS;
case PATM_ACTION_LOG_POPF_IF0:
Log(("PATMRC: POPF at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags)));
return VINF_SUCCESS;
case PATM_ACTION_LOG_PUSHF:
Log(("PATMRC: PUSHF at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags) ));
return VINF_SUCCESS;
case PATM_ACTION_LOG_IF1:
return VINF_SUCCESS;
case PATM_ACTION_LOG_IRET:
{
if (rc == VINF_SUCCESS)
{
if ( (uEFlags & X86_EFL_VM)
{
if (uEFlags & X86_EFL_VM)
{
if (rc == VINF_SUCCESS)
{
Log(("PATMRC: IRET->VM stack frame: return address %04X:%x eflags=%08x ss:esp=%04X:%x\n", selCS, eip, uEFlags, selSS, esp));
Log(("PATMRC: IRET->VM stack frame: DS=%04X ES=%04X FS=%04X GS=%04X\n", selDS, selES, selFS, selGS));
}
}
else
Log(("PATMRC: IRET stack frame: return address %04X:%x eflags=%08x ss:esp=%04X:%x\n", selCS, eip, uEFlags, selSS, esp));
}
else
}
Log(("PATMRC: IRET from %x (IF->1) current eflags=%x\n", pRegFrame->eip, pVM->patm.s.CTXSUFF(pGCState)->uVMFlags));
return VINF_SUCCESS;
}
{
if (rc == VINF_SUCCESS)
{
if ( (uEFlags & X86_EFL_VM)
{
if (uEFlags & X86_EFL_VM)
{
if (rc == VINF_SUCCESS)
{
Log(("PATMRC: GATE->VM stack frame: return address %04X:%x eflags=%08x ss:esp=%04X:%x\n", selCS, eip, uEFlags, selSS, esp));
Log(("PATMRC: GATE->VM stack frame: DS=%04X ES=%04X FS=%04X GS=%04X\n", selDS, selES, selFS, selGS));
}
}
else
Log(("PATMRC: GATE stack frame: return address %04X:%x eflags=%08x ss:esp=%04X:%x\n", selCS, eip, uEFlags, selSS, esp));
}
else
}
return VINF_SUCCESS;
}
case PATM_ACTION_LOG_RET:
Log(("PATMRC: RET from %x to %x ESP=%x iopl=%d\n", pRegFrame->eip, pRegFrame->edx, pRegFrame->ebx, X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags)));
return VINF_SUCCESS;
case PATM_ACTION_LOG_CALL:
Log(("PATMRC: CALL to %RRv return addr %RRv ESP=%x iopl=%d\n", pVM->patm.s.CTXSUFF(pGCState)->GCCallPatchTargetAddr, pVM->patm.s.CTXSUFF(pGCState)->GCCallReturnAddr, pRegFrame->edx, X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags)));
return VINF_SUCCESS;
#endif
default:
AssertFailed();
break;
}
}
else
AssertFailed();
}
AssertMsgFailed(("Unexpected OP_ILLUD2 in patch code at %x (pending action %x)!!!!\n", pRegFrame->eip, CTXSUFF(pVM->patm.s.pGCState)->uPendingAction));
return VINF_EM_RAW_EMULATE_INSTR;
}
/**
* Checks if the int 3 was caused by a patched instruction
*
* @returns Strict VBox status, includes all statuses that
* EMInterpretInstructionDisasState and
* @retval VINF_SUCCESS
* @retval VINF_PATM_PATCH_INT3
* @retval VINF_EM_RAW_EMULATE_INSTR
*
* @param pVM Pointer to the VM.
* @param pCtxCore The relevant core context.
*/
{
int rc;
/* Int 3 in PATM generated code? (most common case) */
{
/* Note! Hardcoded assumption about it being a single byte int 3 instruction. */
return VINF_PATM_PATCH_INT3;
}
/** @todo could use simple caching here to speed things up. */
pRec = (PPATMPATCHREC)RTAvloU32Get(&CTXSUFF(pVM->patm.s.PatchLookupTree)->PatchTree, (AVLOU32KEY)(pRegFrame->eip - 1)); /* eip is pointing to the instruction *after* 'int 3' already */
{
{
/* This is a special cli block that was turned into an int 3 patch. We jump to the generated code manually. */
return VINF_SUCCESS;
}
{
/* eip is pointing to the instruction *after* 'int 3' already */
Log(("PATMHandleInt3PatchTrap found int3 for %s at %x\n", patmGetInstructionString(pRec->patch.opcode, 0), pRegFrame->eip));
{
case OP_CPUID:
case OP_IRET:
#ifdef VBOX_WITH_RAW_RING1
case OP_SMSW:
case OP_MOV: /* mov xx, CS */
#endif
break;
case OP_STR:
case OP_SGDT:
case OP_SLDT:
case OP_SIDT:
case OP_LSL:
case OP_LAR:
#ifndef VBOX_WITH_RAW_RING1
case OP_SMSW:
#endif
case OP_VERW:
case OP_VERR:
default:
return VINF_EM_RAW_EMULATE_INSTR;
}
if (enmCpuMode != DISCPUMODE_32BIT)
{
AssertFailed();
return VINF_EM_RAW_EMULATE_INSTR;
}
#ifdef VBOX_WITH_IEM
#else
if (RT_FAILURE(rc))
{
return VINF_EM_RAW_EMULATE_INSTR;
}
#endif
if (RT_FAILURE(rc))
{
return VINF_EM_RAW_EMULATE_INSTR;
}
return rc;
}
}
return VERR_PATCH_NOT_FOUND;
}