1*71d33794SRowan Hart /*
2*71d33794SRowan Hart * SPDX-License-Identifier: GPL-2.0-or-later
3*71d33794SRowan Hart *
4*71d33794SRowan Hart * This plugin patches instructions matching a pattern to a different
5*71d33794SRowan Hart * instruction as they execute
6*71d33794SRowan Hart *
7*71d33794SRowan Hart */
8*71d33794SRowan Hart
9*71d33794SRowan Hart #include "glib.h"
10*71d33794SRowan Hart #include "glibconfig.h"
11*71d33794SRowan Hart
12*71d33794SRowan Hart #include <qemu-plugin.h>
13*71d33794SRowan Hart #include <string.h>
14*71d33794SRowan Hart #include <stdio.h>
15*71d33794SRowan Hart
16*71d33794SRowan Hart QEMU_PLUGIN_EXPORT int qemu_plugin_version = QEMU_PLUGIN_VERSION;
17*71d33794SRowan Hart
18*71d33794SRowan Hart static bool use_hwaddr;
19*71d33794SRowan Hart static GByteArray *target_data;
20*71d33794SRowan Hart static GByteArray *patch_data;
21*71d33794SRowan Hart
22*71d33794SRowan Hart /**
23*71d33794SRowan Hart * Parse a string of hexadecimal digits into a GByteArray. The string must be
24*71d33794SRowan Hart * even length
25*71d33794SRowan Hart */
str_to_bytes(const char * str)26*71d33794SRowan Hart static GByteArray *str_to_bytes(const char *str)
27*71d33794SRowan Hart {
28*71d33794SRowan Hart size_t len = strlen(str);
29*71d33794SRowan Hart
30*71d33794SRowan Hart if (len == 0 || len % 2 != 0) {
31*71d33794SRowan Hart return NULL;
32*71d33794SRowan Hart }
33*71d33794SRowan Hart
34*71d33794SRowan Hart GByteArray *bytes = g_byte_array_new();
35*71d33794SRowan Hart char byte[3] = {0};
36*71d33794SRowan Hart guint8 value = 0;
37*71d33794SRowan Hart
38*71d33794SRowan Hart for (size_t i = 0; i < len; i += 2) {
39*71d33794SRowan Hart byte[0] = str[i];
40*71d33794SRowan Hart byte[1] = str[i + 1];
41*71d33794SRowan Hart value = (guint8)g_ascii_strtoull(byte, NULL, 16);
42*71d33794SRowan Hart g_byte_array_append(bytes, &value, 1);
43*71d33794SRowan Hart }
44*71d33794SRowan Hart
45*71d33794SRowan Hart return bytes;
46*71d33794SRowan Hart }
47*71d33794SRowan Hart
patch_hwaddr(unsigned int vcpu_index,void * userdata)48*71d33794SRowan Hart static void patch_hwaddr(unsigned int vcpu_index, void *userdata)
49*71d33794SRowan Hart {
50*71d33794SRowan Hart uintptr_t addr = (uintptr_t) userdata;
51*71d33794SRowan Hart g_autoptr(GString) str = g_string_new(NULL);
52*71d33794SRowan Hart g_string_printf(str, "patching: @0x%"
53*71d33794SRowan Hart PRIxPTR "\n",
54*71d33794SRowan Hart addr);
55*71d33794SRowan Hart qemu_plugin_outs(str->str);
56*71d33794SRowan Hart
57*71d33794SRowan Hart enum qemu_plugin_hwaddr_operation_result result =
58*71d33794SRowan Hart qemu_plugin_write_memory_hwaddr(addr, patch_data);
59*71d33794SRowan Hart
60*71d33794SRowan Hart
61*71d33794SRowan Hart if (result != QEMU_PLUGIN_HWADDR_OPERATION_OK) {
62*71d33794SRowan Hart g_autoptr(GString) errmsg = g_string_new(NULL);
63*71d33794SRowan Hart g_string_printf(errmsg, "Failed to write memory: %d\n", result);
64*71d33794SRowan Hart qemu_plugin_outs(errmsg->str);
65*71d33794SRowan Hart return;
66*71d33794SRowan Hart }
67*71d33794SRowan Hart
68*71d33794SRowan Hart GByteArray *read_data = g_byte_array_new();
69*71d33794SRowan Hart
70*71d33794SRowan Hart result = qemu_plugin_read_memory_hwaddr(addr, read_data,
71*71d33794SRowan Hart patch_data->len);
72*71d33794SRowan Hart
73*71d33794SRowan Hart qemu_plugin_outs("Reading memory...\n");
74*71d33794SRowan Hart
75*71d33794SRowan Hart if (result != QEMU_PLUGIN_HWADDR_OPERATION_OK) {
76*71d33794SRowan Hart g_autoptr(GString) errmsg = g_string_new(NULL);
77*71d33794SRowan Hart g_string_printf(errmsg, "Failed to read memory: %d\n", result);
78*71d33794SRowan Hart qemu_plugin_outs(errmsg->str);
79*71d33794SRowan Hart return;
80*71d33794SRowan Hart }
81*71d33794SRowan Hart
82*71d33794SRowan Hart if (memcmp(patch_data->data, read_data->data, patch_data->len) != 0) {
83*71d33794SRowan Hart qemu_plugin_outs("Failed to read back written data\n");
84*71d33794SRowan Hart }
85*71d33794SRowan Hart
86*71d33794SRowan Hart qemu_plugin_outs("Success!\n");
87*71d33794SRowan Hart
88*71d33794SRowan Hart return;
89*71d33794SRowan Hart }
90*71d33794SRowan Hart
patch_vaddr(unsigned int vcpu_index,void * userdata)91*71d33794SRowan Hart static void patch_vaddr(unsigned int vcpu_index, void *userdata)
92*71d33794SRowan Hart {
93*71d33794SRowan Hart uintptr_t addr = (uintptr_t) userdata;
94*71d33794SRowan Hart uint64_t hwaddr = 0;
95*71d33794SRowan Hart if (!qemu_plugin_translate_vaddr(addr, &hwaddr)) {
96*71d33794SRowan Hart qemu_plugin_outs("Failed to translate vaddr\n");
97*71d33794SRowan Hart return;
98*71d33794SRowan Hart }
99*71d33794SRowan Hart g_autoptr(GString) str = g_string_new(NULL);
100*71d33794SRowan Hart g_string_printf(str, "patching: @0x%"
101*71d33794SRowan Hart PRIxPTR " hw: @0x%" PRIx64 "\n",
102*71d33794SRowan Hart addr, hwaddr);
103*71d33794SRowan Hart qemu_plugin_outs(str->str);
104*71d33794SRowan Hart
105*71d33794SRowan Hart qemu_plugin_outs("Writing memory (vaddr)...\n");
106*71d33794SRowan Hart
107*71d33794SRowan Hart if (!qemu_plugin_write_memory_vaddr(addr, patch_data)) {
108*71d33794SRowan Hart qemu_plugin_outs("Failed to write memory\n");
109*71d33794SRowan Hart return;
110*71d33794SRowan Hart }
111*71d33794SRowan Hart
112*71d33794SRowan Hart qemu_plugin_outs("Reading memory (vaddr)...\n");
113*71d33794SRowan Hart
114*71d33794SRowan Hart g_autoptr(GByteArray) read_data = g_byte_array_new();
115*71d33794SRowan Hart
116*71d33794SRowan Hart if (!qemu_plugin_read_memory_vaddr(addr, read_data, patch_data->len)) {
117*71d33794SRowan Hart qemu_plugin_outs("Failed to read memory\n");
118*71d33794SRowan Hart return;
119*71d33794SRowan Hart }
120*71d33794SRowan Hart
121*71d33794SRowan Hart if (memcmp(patch_data->data, read_data->data, patch_data->len) != 0) {
122*71d33794SRowan Hart qemu_plugin_outs("Failed to read back written data\n");
123*71d33794SRowan Hart }
124*71d33794SRowan Hart
125*71d33794SRowan Hart qemu_plugin_outs("Success!\n");
126*71d33794SRowan Hart
127*71d33794SRowan Hart return;
128*71d33794SRowan Hart }
129*71d33794SRowan Hart
130*71d33794SRowan Hart /*
131*71d33794SRowan Hart * Callback on translation of a translation block.
132*71d33794SRowan Hart */
vcpu_tb_trans_cb(qemu_plugin_id_t id,struct qemu_plugin_tb * tb)133*71d33794SRowan Hart static void vcpu_tb_trans_cb(qemu_plugin_id_t id, struct qemu_plugin_tb *tb)
134*71d33794SRowan Hart {
135*71d33794SRowan Hart g_autoptr(GByteArray) insn_data = g_byte_array_new();
136*71d33794SRowan Hart uintptr_t addr = 0;
137*71d33794SRowan Hart
138*71d33794SRowan Hart for (size_t i = 0; i < qemu_plugin_tb_n_insns(tb); i++) {
139*71d33794SRowan Hart struct qemu_plugin_insn *insn = qemu_plugin_tb_get_insn(tb, i);
140*71d33794SRowan Hart uint64_t vaddr = qemu_plugin_insn_vaddr(insn);
141*71d33794SRowan Hart
142*71d33794SRowan Hart if (use_hwaddr) {
143*71d33794SRowan Hart uint64_t hwaddr = 0;
144*71d33794SRowan Hart if (!qemu_plugin_translate_vaddr(vaddr, &hwaddr)) {
145*71d33794SRowan Hart qemu_plugin_outs("Failed to translate vaddr\n");
146*71d33794SRowan Hart continue;
147*71d33794SRowan Hart }
148*71d33794SRowan Hart /*
149*71d33794SRowan Hart * As we cannot emulate 64 bit systems on 32 bit hosts we
150*71d33794SRowan Hart * should never see the top bits set, hence we can safely
151*71d33794SRowan Hart * cast to uintptr_t.
152*71d33794SRowan Hart */
153*71d33794SRowan Hart g_assert(hwaddr <= UINTPTR_MAX);
154*71d33794SRowan Hart addr = (uintptr_t) hwaddr;
155*71d33794SRowan Hart } else {
156*71d33794SRowan Hart g_assert(vaddr <= UINTPTR_MAX);
157*71d33794SRowan Hart addr = (uintptr_t) vaddr;
158*71d33794SRowan Hart }
159*71d33794SRowan Hart
160*71d33794SRowan Hart g_byte_array_set_size(insn_data, qemu_plugin_insn_size(insn));
161*71d33794SRowan Hart qemu_plugin_insn_data(insn, insn_data->data, insn_data->len);
162*71d33794SRowan Hart
163*71d33794SRowan Hart if (insn_data->len >= target_data->len &&
164*71d33794SRowan Hart !memcmp(insn_data->data, target_data->data,
165*71d33794SRowan Hart MIN(target_data->len, insn_data->len))) {
166*71d33794SRowan Hart if (use_hwaddr) {
167*71d33794SRowan Hart qemu_plugin_register_vcpu_tb_exec_cb(tb, patch_hwaddr,
168*71d33794SRowan Hart QEMU_PLUGIN_CB_NO_REGS,
169*71d33794SRowan Hart (void *) addr);
170*71d33794SRowan Hart } else {
171*71d33794SRowan Hart qemu_plugin_register_vcpu_tb_exec_cb(tb, patch_vaddr,
172*71d33794SRowan Hart QEMU_PLUGIN_CB_NO_REGS,
173*71d33794SRowan Hart (void *) addr);
174*71d33794SRowan Hart }
175*71d33794SRowan Hart }
176*71d33794SRowan Hart }
177*71d33794SRowan Hart }
178*71d33794SRowan Hart
usage(void)179*71d33794SRowan Hart static void usage(void)
180*71d33794SRowan Hart {
181*71d33794SRowan Hart fprintf(stderr, "Usage: <lib>,target=<bytes>,patch=<new_bytes>"
182*71d33794SRowan Hart "[,use_hwaddr=true|false]");
183*71d33794SRowan Hart }
184*71d33794SRowan Hart
185*71d33794SRowan Hart /*
186*71d33794SRowan Hart * Called when the plugin is installed
187*71d33794SRowan Hart */
qemu_plugin_install(qemu_plugin_id_t id,const qemu_info_t * info,int argc,char ** argv)188*71d33794SRowan Hart QEMU_PLUGIN_EXPORT int qemu_plugin_install(qemu_plugin_id_t id,
189*71d33794SRowan Hart const qemu_info_t *info, int argc,
190*71d33794SRowan Hart char **argv)
191*71d33794SRowan Hart {
192*71d33794SRowan Hart
193*71d33794SRowan Hart use_hwaddr = true;
194*71d33794SRowan Hart target_data = NULL;
195*71d33794SRowan Hart patch_data = NULL;
196*71d33794SRowan Hart
197*71d33794SRowan Hart if (argc > 4) {
198*71d33794SRowan Hart usage();
199*71d33794SRowan Hart return -1;
200*71d33794SRowan Hart }
201*71d33794SRowan Hart
202*71d33794SRowan Hart for (size_t i = 0; i < argc; i++) {
203*71d33794SRowan Hart char *opt = argv[i];
204*71d33794SRowan Hart g_auto(GStrv) tokens = g_strsplit(opt, "=", 2);
205*71d33794SRowan Hart if (g_strcmp0(tokens[0], "use_hwaddr") == 0) {
206*71d33794SRowan Hart if (!qemu_plugin_bool_parse(tokens[0], tokens[1], &use_hwaddr)) {
207*71d33794SRowan Hart fprintf(stderr,
208*71d33794SRowan Hart "Failed to parse boolean argument use_hwaddr\n");
209*71d33794SRowan Hart return -1;
210*71d33794SRowan Hart }
211*71d33794SRowan Hart } else if (g_strcmp0(tokens[0], "target") == 0) {
212*71d33794SRowan Hart target_data = str_to_bytes(tokens[1]);
213*71d33794SRowan Hart if (!target_data) {
214*71d33794SRowan Hart fprintf(stderr,
215*71d33794SRowan Hart "Failed to parse target bytes.\n");
216*71d33794SRowan Hart return -1;
217*71d33794SRowan Hart }
218*71d33794SRowan Hart } else if (g_strcmp0(tokens[0], "patch") == 0) {
219*71d33794SRowan Hart patch_data = str_to_bytes(tokens[1]);
220*71d33794SRowan Hart if (!patch_data) {
221*71d33794SRowan Hart fprintf(stderr, "Failed to parse patch bytes.\n");
222*71d33794SRowan Hart return -1;
223*71d33794SRowan Hart }
224*71d33794SRowan Hart } else {
225*71d33794SRowan Hart fprintf(stderr, "Unknown argument: %s\n", tokens[0]);
226*71d33794SRowan Hart usage();
227*71d33794SRowan Hart return -1;
228*71d33794SRowan Hart }
229*71d33794SRowan Hart }
230*71d33794SRowan Hart
231*71d33794SRowan Hart if (!target_data) {
232*71d33794SRowan Hart fprintf(stderr, "target argument is required\n");
233*71d33794SRowan Hart usage();
234*71d33794SRowan Hart return -1;
235*71d33794SRowan Hart }
236*71d33794SRowan Hart
237*71d33794SRowan Hart if (!patch_data) {
238*71d33794SRowan Hart fprintf(stderr, "patch argument is required\n");
239*71d33794SRowan Hart usage();
240*71d33794SRowan Hart return -1;
241*71d33794SRowan Hart }
242*71d33794SRowan Hart
243*71d33794SRowan Hart if (target_data->len != patch_data->len) {
244*71d33794SRowan Hart fprintf(stderr, "Target and patch data must be the same length\n");
245*71d33794SRowan Hart return -1;
246*71d33794SRowan Hart }
247*71d33794SRowan Hart
248*71d33794SRowan Hart qemu_plugin_register_vcpu_tb_trans_cb(id, vcpu_tb_trans_cb);
249*71d33794SRowan Hart
250*71d33794SRowan Hart return 0;
251*71d33794SRowan Hart }
252