1*71d33794SRowan Hart /* 2*71d33794SRowan Hart * SPDX-License-Identifier: GPL-2.0-or-later 3*71d33794SRowan Hart * 4*71d33794SRowan Hart * This plugin patches instructions matching a pattern to a different 5*71d33794SRowan Hart * instruction as they execute 6*71d33794SRowan Hart * 7*71d33794SRowan Hart */ 8*71d33794SRowan Hart 9*71d33794SRowan Hart #include "glib.h" 10*71d33794SRowan Hart #include "glibconfig.h" 11*71d33794SRowan Hart 12*71d33794SRowan Hart #include <qemu-plugin.h> 13*71d33794SRowan Hart #include <string.h> 14*71d33794SRowan Hart #include <stdio.h> 15*71d33794SRowan Hart 16*71d33794SRowan Hart QEMU_PLUGIN_EXPORT int qemu_plugin_version = QEMU_PLUGIN_VERSION; 17*71d33794SRowan Hart 18*71d33794SRowan Hart static bool use_hwaddr; 19*71d33794SRowan Hart static GByteArray *target_data; 20*71d33794SRowan Hart static GByteArray *patch_data; 21*71d33794SRowan Hart 22*71d33794SRowan Hart /** 23*71d33794SRowan Hart * Parse a string of hexadecimal digits into a GByteArray. The string must be 24*71d33794SRowan Hart * even length 25*71d33794SRowan Hart */ 26*71d33794SRowan Hart static GByteArray *str_to_bytes(const char *str) 27*71d33794SRowan Hart { 28*71d33794SRowan Hart size_t len = strlen(str); 29*71d33794SRowan Hart 30*71d33794SRowan Hart if (len == 0 || len % 2 != 0) { 31*71d33794SRowan Hart return NULL; 32*71d33794SRowan Hart } 33*71d33794SRowan Hart 34*71d33794SRowan Hart GByteArray *bytes = g_byte_array_new(); 35*71d33794SRowan Hart char byte[3] = {0}; 36*71d33794SRowan Hart guint8 value = 0; 37*71d33794SRowan Hart 38*71d33794SRowan Hart for (size_t i = 0; i < len; i += 2) { 39*71d33794SRowan Hart byte[0] = str[i]; 40*71d33794SRowan Hart byte[1] = str[i + 1]; 41*71d33794SRowan Hart value = (guint8)g_ascii_strtoull(byte, NULL, 16); 42*71d33794SRowan Hart g_byte_array_append(bytes, &value, 1); 43*71d33794SRowan Hart } 44*71d33794SRowan Hart 45*71d33794SRowan Hart return bytes; 46*71d33794SRowan Hart } 47*71d33794SRowan Hart 48*71d33794SRowan Hart static void patch_hwaddr(unsigned int vcpu_index, void *userdata) 49*71d33794SRowan Hart { 50*71d33794SRowan Hart uintptr_t addr = (uintptr_t) userdata; 51*71d33794SRowan Hart g_autoptr(GString) str = g_string_new(NULL); 52*71d33794SRowan Hart g_string_printf(str, "patching: @0x%" 53*71d33794SRowan Hart PRIxPTR "\n", 54*71d33794SRowan Hart addr); 55*71d33794SRowan Hart qemu_plugin_outs(str->str); 56*71d33794SRowan Hart 57*71d33794SRowan Hart enum qemu_plugin_hwaddr_operation_result result = 58*71d33794SRowan Hart qemu_plugin_write_memory_hwaddr(addr, patch_data); 59*71d33794SRowan Hart 60*71d33794SRowan Hart 61*71d33794SRowan Hart if (result != QEMU_PLUGIN_HWADDR_OPERATION_OK) { 62*71d33794SRowan Hart g_autoptr(GString) errmsg = g_string_new(NULL); 63*71d33794SRowan Hart g_string_printf(errmsg, "Failed to write memory: %d\n", result); 64*71d33794SRowan Hart qemu_plugin_outs(errmsg->str); 65*71d33794SRowan Hart return; 66*71d33794SRowan Hart } 67*71d33794SRowan Hart 68*71d33794SRowan Hart GByteArray *read_data = g_byte_array_new(); 69*71d33794SRowan Hart 70*71d33794SRowan Hart result = qemu_plugin_read_memory_hwaddr(addr, read_data, 71*71d33794SRowan Hart patch_data->len); 72*71d33794SRowan Hart 73*71d33794SRowan Hart qemu_plugin_outs("Reading memory...\n"); 74*71d33794SRowan Hart 75*71d33794SRowan Hart if (result != QEMU_PLUGIN_HWADDR_OPERATION_OK) { 76*71d33794SRowan Hart g_autoptr(GString) errmsg = g_string_new(NULL); 77*71d33794SRowan Hart g_string_printf(errmsg, "Failed to read memory: %d\n", result); 78*71d33794SRowan Hart qemu_plugin_outs(errmsg->str); 79*71d33794SRowan Hart return; 80*71d33794SRowan Hart } 81*71d33794SRowan Hart 82*71d33794SRowan Hart if (memcmp(patch_data->data, read_data->data, patch_data->len) != 0) { 83*71d33794SRowan Hart qemu_plugin_outs("Failed to read back written data\n"); 84*71d33794SRowan Hart } 85*71d33794SRowan Hart 86*71d33794SRowan Hart qemu_plugin_outs("Success!\n"); 87*71d33794SRowan Hart 88*71d33794SRowan Hart return; 89*71d33794SRowan Hart } 90*71d33794SRowan Hart 91*71d33794SRowan Hart static void patch_vaddr(unsigned int vcpu_index, void *userdata) 92*71d33794SRowan Hart { 93*71d33794SRowan Hart uintptr_t addr = (uintptr_t) userdata; 94*71d33794SRowan Hart uint64_t hwaddr = 0; 95*71d33794SRowan Hart if (!qemu_plugin_translate_vaddr(addr, &hwaddr)) { 96*71d33794SRowan Hart qemu_plugin_outs("Failed to translate vaddr\n"); 97*71d33794SRowan Hart return; 98*71d33794SRowan Hart } 99*71d33794SRowan Hart g_autoptr(GString) str = g_string_new(NULL); 100*71d33794SRowan Hart g_string_printf(str, "patching: @0x%" 101*71d33794SRowan Hart PRIxPTR " hw: @0x%" PRIx64 "\n", 102*71d33794SRowan Hart addr, hwaddr); 103*71d33794SRowan Hart qemu_plugin_outs(str->str); 104*71d33794SRowan Hart 105*71d33794SRowan Hart qemu_plugin_outs("Writing memory (vaddr)...\n"); 106*71d33794SRowan Hart 107*71d33794SRowan Hart if (!qemu_plugin_write_memory_vaddr(addr, patch_data)) { 108*71d33794SRowan Hart qemu_plugin_outs("Failed to write memory\n"); 109*71d33794SRowan Hart return; 110*71d33794SRowan Hart } 111*71d33794SRowan Hart 112*71d33794SRowan Hart qemu_plugin_outs("Reading memory (vaddr)...\n"); 113*71d33794SRowan Hart 114*71d33794SRowan Hart g_autoptr(GByteArray) read_data = g_byte_array_new(); 115*71d33794SRowan Hart 116*71d33794SRowan Hart if (!qemu_plugin_read_memory_vaddr(addr, read_data, patch_data->len)) { 117*71d33794SRowan Hart qemu_plugin_outs("Failed to read memory\n"); 118*71d33794SRowan Hart return; 119*71d33794SRowan Hart } 120*71d33794SRowan Hart 121*71d33794SRowan Hart if (memcmp(patch_data->data, read_data->data, patch_data->len) != 0) { 122*71d33794SRowan Hart qemu_plugin_outs("Failed to read back written data\n"); 123*71d33794SRowan Hart } 124*71d33794SRowan Hart 125*71d33794SRowan Hart qemu_plugin_outs("Success!\n"); 126*71d33794SRowan Hart 127*71d33794SRowan Hart return; 128*71d33794SRowan Hart } 129*71d33794SRowan Hart 130*71d33794SRowan Hart /* 131*71d33794SRowan Hart * Callback on translation of a translation block. 132*71d33794SRowan Hart */ 133*71d33794SRowan Hart static void vcpu_tb_trans_cb(qemu_plugin_id_t id, struct qemu_plugin_tb *tb) 134*71d33794SRowan Hart { 135*71d33794SRowan Hart g_autoptr(GByteArray) insn_data = g_byte_array_new(); 136*71d33794SRowan Hart uintptr_t addr = 0; 137*71d33794SRowan Hart 138*71d33794SRowan Hart for (size_t i = 0; i < qemu_plugin_tb_n_insns(tb); i++) { 139*71d33794SRowan Hart struct qemu_plugin_insn *insn = qemu_plugin_tb_get_insn(tb, i); 140*71d33794SRowan Hart uint64_t vaddr = qemu_plugin_insn_vaddr(insn); 141*71d33794SRowan Hart 142*71d33794SRowan Hart if (use_hwaddr) { 143*71d33794SRowan Hart uint64_t hwaddr = 0; 144*71d33794SRowan Hart if (!qemu_plugin_translate_vaddr(vaddr, &hwaddr)) { 145*71d33794SRowan Hart qemu_plugin_outs("Failed to translate vaddr\n"); 146*71d33794SRowan Hart continue; 147*71d33794SRowan Hart } 148*71d33794SRowan Hart /* 149*71d33794SRowan Hart * As we cannot emulate 64 bit systems on 32 bit hosts we 150*71d33794SRowan Hart * should never see the top bits set, hence we can safely 151*71d33794SRowan Hart * cast to uintptr_t. 152*71d33794SRowan Hart */ 153*71d33794SRowan Hart g_assert(hwaddr <= UINTPTR_MAX); 154*71d33794SRowan Hart addr = (uintptr_t) hwaddr; 155*71d33794SRowan Hart } else { 156*71d33794SRowan Hart g_assert(vaddr <= UINTPTR_MAX); 157*71d33794SRowan Hart addr = (uintptr_t) vaddr; 158*71d33794SRowan Hart } 159*71d33794SRowan Hart 160*71d33794SRowan Hart g_byte_array_set_size(insn_data, qemu_plugin_insn_size(insn)); 161*71d33794SRowan Hart qemu_plugin_insn_data(insn, insn_data->data, insn_data->len); 162*71d33794SRowan Hart 163*71d33794SRowan Hart if (insn_data->len >= target_data->len && 164*71d33794SRowan Hart !memcmp(insn_data->data, target_data->data, 165*71d33794SRowan Hart MIN(target_data->len, insn_data->len))) { 166*71d33794SRowan Hart if (use_hwaddr) { 167*71d33794SRowan Hart qemu_plugin_register_vcpu_tb_exec_cb(tb, patch_hwaddr, 168*71d33794SRowan Hart QEMU_PLUGIN_CB_NO_REGS, 169*71d33794SRowan Hart (void *) addr); 170*71d33794SRowan Hart } else { 171*71d33794SRowan Hart qemu_plugin_register_vcpu_tb_exec_cb(tb, patch_vaddr, 172*71d33794SRowan Hart QEMU_PLUGIN_CB_NO_REGS, 173*71d33794SRowan Hart (void *) addr); 174*71d33794SRowan Hart } 175*71d33794SRowan Hart } 176*71d33794SRowan Hart } 177*71d33794SRowan Hart } 178*71d33794SRowan Hart 179*71d33794SRowan Hart static void usage(void) 180*71d33794SRowan Hart { 181*71d33794SRowan Hart fprintf(stderr, "Usage: <lib>,target=<bytes>,patch=<new_bytes>" 182*71d33794SRowan Hart "[,use_hwaddr=true|false]"); 183*71d33794SRowan Hart } 184*71d33794SRowan Hart 185*71d33794SRowan Hart /* 186*71d33794SRowan Hart * Called when the plugin is installed 187*71d33794SRowan Hart */ 188*71d33794SRowan Hart QEMU_PLUGIN_EXPORT int qemu_plugin_install(qemu_plugin_id_t id, 189*71d33794SRowan Hart const qemu_info_t *info, int argc, 190*71d33794SRowan Hart char **argv) 191*71d33794SRowan Hart { 192*71d33794SRowan Hart 193*71d33794SRowan Hart use_hwaddr = true; 194*71d33794SRowan Hart target_data = NULL; 195*71d33794SRowan Hart patch_data = NULL; 196*71d33794SRowan Hart 197*71d33794SRowan Hart if (argc > 4) { 198*71d33794SRowan Hart usage(); 199*71d33794SRowan Hart return -1; 200*71d33794SRowan Hart } 201*71d33794SRowan Hart 202*71d33794SRowan Hart for (size_t i = 0; i < argc; i++) { 203*71d33794SRowan Hart char *opt = argv[i]; 204*71d33794SRowan Hart g_auto(GStrv) tokens = g_strsplit(opt, "=", 2); 205*71d33794SRowan Hart if (g_strcmp0(tokens[0], "use_hwaddr") == 0) { 206*71d33794SRowan Hart if (!qemu_plugin_bool_parse(tokens[0], tokens[1], &use_hwaddr)) { 207*71d33794SRowan Hart fprintf(stderr, 208*71d33794SRowan Hart "Failed to parse boolean argument use_hwaddr\n"); 209*71d33794SRowan Hart return -1; 210*71d33794SRowan Hart } 211*71d33794SRowan Hart } else if (g_strcmp0(tokens[0], "target") == 0) { 212*71d33794SRowan Hart target_data = str_to_bytes(tokens[1]); 213*71d33794SRowan Hart if (!target_data) { 214*71d33794SRowan Hart fprintf(stderr, 215*71d33794SRowan Hart "Failed to parse target bytes.\n"); 216*71d33794SRowan Hart return -1; 217*71d33794SRowan Hart } 218*71d33794SRowan Hart } else if (g_strcmp0(tokens[0], "patch") == 0) { 219*71d33794SRowan Hart patch_data = str_to_bytes(tokens[1]); 220*71d33794SRowan Hart if (!patch_data) { 221*71d33794SRowan Hart fprintf(stderr, "Failed to parse patch bytes.\n"); 222*71d33794SRowan Hart return -1; 223*71d33794SRowan Hart } 224*71d33794SRowan Hart } else { 225*71d33794SRowan Hart fprintf(stderr, "Unknown argument: %s\n", tokens[0]); 226*71d33794SRowan Hart usage(); 227*71d33794SRowan Hart return -1; 228*71d33794SRowan Hart } 229*71d33794SRowan Hart } 230*71d33794SRowan Hart 231*71d33794SRowan Hart if (!target_data) { 232*71d33794SRowan Hart fprintf(stderr, "target argument is required\n"); 233*71d33794SRowan Hart usage(); 234*71d33794SRowan Hart return -1; 235*71d33794SRowan Hart } 236*71d33794SRowan Hart 237*71d33794SRowan Hart if (!patch_data) { 238*71d33794SRowan Hart fprintf(stderr, "patch argument is required\n"); 239*71d33794SRowan Hart usage(); 240*71d33794SRowan Hart return -1; 241*71d33794SRowan Hart } 242*71d33794SRowan Hart 243*71d33794SRowan Hart if (target_data->len != patch_data->len) { 244*71d33794SRowan Hart fprintf(stderr, "Target and patch data must be the same length\n"); 245*71d33794SRowan Hart return -1; 246*71d33794SRowan Hart } 247*71d33794SRowan Hart 248*71d33794SRowan Hart qemu_plugin_register_vcpu_tb_trans_cb(id, vcpu_tb_trans_cb); 249*71d33794SRowan Hart 250*71d33794SRowan Hart return 0; 251*71d33794SRowan Hart } 252