Update pri_taint hypercall for LAVA - Just dwarf2 fix now

Author: AndrewQuijano

panda/plugins/dwarf2/dwarf2.cpp

@@ -51,7 +51,7 @@ This was designed primarily for Python use cases:
 MAGIC = 0x12345678
 @panda.hypercall(MAGIC)
 def hypercall(cpu):
-    print("Hello from my hypercall!"
+    print("Hello from my hypercall!")
 
 ```
 
@@ -64,7 +64,7 @@ It's much easier to handle this from Python, but here's an example of how you mi
 #include <panda/plugin.h>
 #include <hypercaller/hypercaller.h>
 
-hypercall_t* register_hypercall;
+register_hypercall_t register_hypercall;
 
 void my_hypercall(CPUState *cpu) {
     printf("Hello from my hypercall!\n");
@@ -76,7 +76,7 @@ bool init_plugin(void *self) {
       panda_require("hypercaller");
       hypercaller = panda_get_plugin_by_name("hypercaller");
     }
-    register_hypercall = (hypercall_t*)dlsym(hypercaller, "register_hypercall");
+    register_hypercall_t register_hypercall = (register_hypercall_t) dlsym(hypercaller, "register_hypercall");
     register_hypercall(0x12345678, my_hypercall);
     return true;
 }

panda/plugins/hypercaller/README.md

@@ -6,6 +6,7 @@
 // files in this directory that contain subsections like this one.
 
 typedef void (*hypercall_t)(CPUState *cpu);
+typedef void (*register_hypercall_t)(uint32_t, hypercall_t);
 void register_hypercall(uint32_t magic, hypercall_t);
 void unregister_hypercall(uint32_t magic);
 

panda/plugins/hypercaller/hypercaller.h

@@ -1806,12 +1806,9 @@ void on_library_load(CPUState *cpu, target_ulong pc, char *guest_lib_name, targe
 int mod_check_count = 0;
 bool main_exec_initialized = false;
 #define MOD_CHECK_FREQ 1000
-bool ensure_main_exec_initialized(CPUState *cpu) {
-    //if (!correct_asid(cpu)) return;
-    OsiProc *p = get_current_process(cpu);
+bool ensure_main_exec_initialized(CPUState *cpu, OsiProc *p) {
     GArray *libs = NULL;
     libs = get_mappings(cpu, p);
-    free_osiproc(p);
     if (!libs)
         return false;
 
@@ -2314,8 +2311,8 @@ void handle_asid_change(CPUState *cpu, target_ulong asid, OsiProc *p) {
         monitored_asid.insert(current_asid);
         printf ("monitoring asid %x\n", current_asid);
     }
-    if (correct_asid(cpu) && !main_exec_initialized){
-        main_exec_initialized = ensure_main_exec_initialized(cpu);
+    if (correct_asid(cpu) && !main_exec_initialized) {
+        main_exec_initialized = ensure_main_exec_initialized(cpu, p);
     }
     //free_osiproc(p);
 

panda/plugins/pri_dwarf/pri_dwarf.cpp

@@ -15,6 +15,7 @@
 #include "callstack_instr/callstack_instr.h"
 
 extern "C" {
+#include <hypercaller/hypercaller.h>
 
 #include "panda/rr/rr_log.h"
 #include "panda/plog.h"
@@ -37,14 +38,14 @@ extern "C" {
 bool init_plugin(void *);
 void uninit_plugin(void *);
 
-int get_loglevel() ;
+int get_loglevel();
 void set_loglevel(int new_loglevel);
 }
 
 const char *global_src_filename = NULL;
 uint64_t global_src_linenum;
 unsigned global_ast_loc_id;
-uint64_t global_funcaddr;
+// uint64_t global_funcaddr;
 bool debug = false;
 
 #define dprintf(...) if (debug) { printf(__VA_ARGS__); fflush(stdout); }
@@ -97,11 +98,18 @@ void print_membytes(CPUState *env, target_ulong a, target_ulong len) {
     printf("}");
 }
 
+struct args {
+    CPUState *cpu;
+    const char *src_filename;
+    uint64_t src_linenum;
+    unsigned ast_loc_id;
+    // uint64_t funcaddr;
+};
+
 // max length of strnlen or taint query
 #define LAVA_TAINT_QUERY_MAX_LEN (target_ulong)64ULL
-#if defined(TARGET_I386)
+#if defined(TARGET_I386) || defined(TARGET_ARM)
 void lava_taint_query(target_ulong buf, LocType loc_t, target_ulong buf_len, const char *astnodename) {
-    
     dprintf("[pri_taint] Attempt to lava_taint_query\n");
 
     // can't do a taint query if it is not a valid register (loc) or if
@@ -115,20 +123,24 @@ void lava_taint_query(target_ulong buf, LocType loc_t, target_ulong buf_len, con
         dprintf("[pri_taint] The Location is either error OR constant. Shouldn't happen based on pfun()\n");
         return;
     }
-    if (!pandalog || !taint2_enabled() || taint2_num_labels_applied() == 0) {
-        dprintf("[pri_taint] No Panda log, Taint2 not enabled, or No taint2 num labeled applied\n");
+    if (!pandalog || !taint2_enabled()) {
+        dprintf("[pri_taint] No Panda log or Taint2 not enabled\n");
         return;
     }
+    if (taint2_num_labels_applied() == 0) {
+        // see taint_api.cpp
+        dprintf("[pri_taint] No taint2 num labeled applied\n");
+    }
     dprintf("[pri_taint] OK, Seems like I can Lava Taint! LFG!\n");
 
     CPUState *cpu = first_cpu;
-    CPUArchState *env = (CPUArchState *)cpu->env_ptr;
+    CPUArchState *env = (CPUArchState *) cpu -> env_ptr;
     bool is_strnlen = ((int) buf_len == -1);
-    hwaddr phys = loc_t == LocMem ? panda_virt_to_phys(cpu, buf) : 0;
-    ram_addr_t RamOffset = RAM_ADDR_INVALID;
+    extern ram_addr_t ram_size;
+    target_ulong phys = loc_t == LocMem ? panda_virt_to_phys(cpu, buf) : 0;
 
-    if (phys == (hwaddr) -1 
-        || PandaPhysicalAddressToRamOffset(&RamOffset, phys, false) != MEMTX_OK) {
+    if (phys == -1 || phys > ram_size) {
+        dprintf("[pri_taint] The physical address is invalid\n");
         return;
     }
 
@@ -163,7 +175,7 @@ void lava_taint_query(target_ulong buf, LocType loc_t, target_ulong buf_len, con
     // is there *any* taint on this extent
     uint32_t num_tainted = 0;
     for (uint32_t i = 0; i < len; i++) {
-        Addr a = loc_t == LocMem ? make_maddr(RamOffset + i) : make_greg(buf, i); /* HACK: presumes for the same physical page ram_addr_t(x + i) == ram_addr_t(x) + i */
+        Addr a = loc_t == LocMem ? make_maddr(phys + i) : make_greg(buf, i);
         if (taint2_query(a)) {
             num_tainted++;
         }
@@ -185,7 +197,7 @@ void lava_taint_query(target_ulong buf, LocType loc_t, target_ulong buf_len, con
     // this is just a snippet.  we dont want to write 1M buffer
     if (loc_t == LocMem) {
         for (int i = 0; i < len; i++) {
-            panda_physical_memory_rw(phys + i, (uint8_t *)&data[i], 1, false);
+            panda_physical_memory_read(phys + i, (uint8_t *)&data[i], 1);
         }
     } else {
         for (int i = 0; i < len; i++) {
@@ -199,8 +211,8 @@ void lava_taint_query(target_ulong buf, LocType loc_t, target_ulong buf_len, con
     // 2. iterate over the bytes in the extent and pandalog detailed info about taint
     std::vector<Panda__TaintQuery *> tq;
     for (uint32_t offset = 0; offset < len; offset++) {
-        // uint32_t pa_indexed = phys + offset;
-        Addr a = loc_t == LocMem ? make_maddr(RamOffset + offset) : make_greg(buf, offset); /* HACK: presumes for the same physical page ram_addr_t(x + i) == ram_addr_t(x) + i */
+        uint32_t pa_indexed = phys + offset;
+        Addr a = loc_t == LocMem ? make_maddr(pa_indexed) : make_greg(buf, offset);
         if (taint2_query(a)) {
             if (loc_t == LocMem) {
                 dprintf("\"%s\" @ 0x" TARGET_FMT_lx " is tainted\n", astnodename, buf + offset);
@@ -231,16 +243,7 @@ void lava_taint_query(target_ulong buf, LocType loc_t, target_ulong buf_len, con
         pandalog_taint_query_free(ptq);
     }
 }
-#endif
-struct args {
-    CPUState *cpu;
-    const char *src_filename;
-    uint64_t src_linenum;
-    unsigned ast_loc_id;
-    uint64_t funcaddr;
-};
 
-#if defined(TARGET_I386)
 void pfun(void *var_ty_void, const char *var_nm, LocType loc_t, target_ulong loc, void *in_args) {
     if (!taint2_enabled()) {
         dprintf("[pri_taint] Taint2 was not enabled (pfun called)\n");  
@@ -255,7 +258,9 @@ void pfun(void *var_ty_void, const char *var_nm, LocType loc_t, target_ulong loc
             return;
         }
     }
+
     const char *var_ty = dwarf2_type_to_string((DwarfVarType *) var_ty_void);
+
     // restore args
     struct args *args = (struct args *) in_args;
     CPUState *pfun_cpu = args->cpu;
@@ -264,7 +269,7 @@ void pfun(void *var_ty_void, const char *var_nm, LocType loc_t, target_ulong loc
     global_src_filename = args->src_filename;
     global_src_linenum = args->src_linenum;
     global_ast_loc_id = args->ast_loc_id;
-    global_funcaddr = args->funcaddr;
+    // global_funcaddr = args->funcaddr;
     //target_ulong guest_dword;
     //std::string ty_string = std::string(var_ty);
     //size_t num_derefs = std::count(ty_string.begin(), ty_string.end(), '*');
@@ -289,23 +294,9 @@ void pfun(void *var_ty_void, const char *var_nm, LocType loc_t, target_ulong loc
         default:
             assert(1==0);
     }
-    // free(si);
-}
-/*
-void on_line_change(CPUState *cpu, target_ulong pc, const char *file_Name, const char *funct_name, unsigned long long lno){
-    if (taint2_enabled()){
-        struct args args = {cpu, file_Name, lno, 0};
-        //printf("[%s] %s(), ln: %4lld, pc @ 0x%x\n",file_Name, funct_name,lno,pc);
-        pri_funct_livevar_iter(cpu, pc, (liveVarCB) pfun, (void *)&args);
-        //pri_all_livevar_iter(cpu, pc, (liveVarCB) pfun, (void *)&args);
-    }
-}
-void on_fn_start(CPUState *cpu, target_ulong pc, const char *file_Name, const char *funct_name, unsigned long long lno){
-    struct args args = {cpu, file_Name, lno, 0};
-    dprintf("fn-start: %s() [%s], ln: %4lld, pc @ 0x" TARGET_FMT_lx "\n",funct_name,file_Name,lno,pc);
-    pri_funct_livevar_iter(cpu, pc, (liveVarCB) pfun, (void *)&args);
 }
 
+/*
 // Trace logging in the level of source code
 void hypercall_log_trace(unsigned ast_loc_id) {
     Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
@@ -315,37 +306,54 @@ void hypercall_log_trace(unsigned ast_loc_id) {
     pandalog_write_entry(&ple);
 }
 */
-#ifdef TARGET_I386
+
 // Support all features of label and query program
-void i386_hypercall_callback(CPUState *cpu) {
+void lava_hypercall(CPUState *cpu) {
     dprintf("[pri_taint] Calling lava hypercall!\n");
-    
     CPUArchState *env = (CPUArchState*) cpu->env_ptr;
     if (taint2_enabled()) {
         // LAVA Hypercall
-        #ifdef TARGET_X86_64
-            target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EDI]);
-        #else
+        #if defined(TARGET_ARM) && !defined(TARGET_AARCH64)
+            target_ulong addr = panda_virt_to_phys(cpu, env->regs[0]);
+        #elif defined(TARGET_ARM) && defined(TARGET_AARCH64)
+            target_ulong addr = panda_virt_to_phys(cpu, env->xregs[0]);
+        #elif defined(TARGET_I386) && !defined(TARGET_X86_64)
             target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EBX]);
+        #elif defined(TARGET_I386) && defined(TARGET_X86_64)
+            target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EDI]);
         #endif
-        
+
         if ((int) addr == -1) {
-            #ifdef TARGET_X86_64
+            #if defined(TARGET_ARM) && !defined(TARGET_AARCH64)
                 dprintf("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
-                    (uint32_t) env->regs[R_EDI], (uint32_t) addr);
-            #else
+                    (uint32_t) env->regs[0], (uint32_t) addr);
+            #elif defined(TARGET_ARM) && defined(TARGET_AARCH64)
+                dprintf("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%lx paddr=0x%lx\n",
+                    (uint64_t) env->xregs[0], (uint64_t) addr);
+            #elif defined(TARGET_I386) && !defined(TARGET_X86_64)
                 dprintf("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
                     (uint32_t) env->regs[R_EBX], (uint32_t) addr);
+            #elif defined(TARGET_I386) && defined(TARGET_X86_64)
+                dprintf("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%lx paddr=0x%lx\n",
+                    (uint64_t) env->regs[R_EDI], (uint64_t) addr);
             #endif
         }
         else if (pandalog) {
             dprintf("[pri_taint] Hypercall is OK and Panda Log is set\n");  
             PandaHypercallStruct phs;
-            panda_virtual_memory_read(cpu, env->regs[R_EAX], (uint8_t *) &phs, sizeof(phs));
+            #if defined(TARGET_ARM) && !defined(TARGET_AARCH64)
+                panda_virtual_memory_read(cpu, env->regs[0], (uint8_t *) &phs, sizeof(phs));
+            #elif defined(TARGET_ARM) && defined(TARGET_AARCH64)
+                panda_virtual_memory_read(cpu, env->xregs[0], (uint8_t *) &phs, sizeof(phs));
+            #elif defined(TARGET_I386) && !defined(TARGET_X86_64)
+                panda_virtual_memory_read(cpu, env->regs[R_EBX], (uint8_t *) &phs, sizeof(phs));
+            #elif defined(TARGET_I386) && defined(TARGET_X86_64)
+                panda_virtual_memory_read(cpu, env->regs[R_EDI], (uint8_t *) &phs, sizeof(phs));
+            #endif
 
             // To be used for chaff bugs?
-            uint64_t funcaddr = 0;
-            panda_virtual_memory_read(cpu, phs.info, (uint8_t*)&funcaddr, sizeof(target_ulong));
+            // uint64_t funcaddr = 0;
+            // panda_virtual_memory_read(cpu, phs.info, (uint8_t*)&funcaddr, sizeof(target_ulong));
             // if the phs action is a pri_query point, see
             // lava/include/pirate_mark_lava.h
             if (phs.action == 13) {
@@ -359,7 +367,8 @@ void i386_hypercall_callback(CPUState *cpu) {
                     dprintf("[pri_taint] panda hypercall: [%s], "
                             "ln: %4ld, pc @ 0x" TARGET_FMT_lx "\n",
                             info.filename,
-                            info.line_number,pc);
+                            info.line_number, pc);
+
                     // Calls 'pri_funct_livevar_iter' in pri.c, which calls 'on_funct_livevar_iter'
                     // In Dwarf2, the function 'on_funct_livevar_iter' is mapped to 'dwarf_funct_livevar_iter'
                     // This is passing the function 'pfun' to 'pri_funct_livevar_iter', which is called at the end
@@ -368,6 +377,7 @@ void i386_hypercall_callback(CPUState *cpu) {
                 else {
                     dprintf("[pri_taint] pri_get_pc_src_info has failed: %d != 0.\n", rc);
                 }
+                // hypercall_log_trace(phs.src_filename);
             }
             else {
                 dprintf("[pri_taint] Invalid action value in PHS struct: %d != 13.\n", phs.action);  
@@ -380,71 +390,43 @@ void i386_hypercall_callback(CPUState *cpu) {
     else {
         dprintf("[pri_taint] taint2 is not enabled (hypercall)\n");
     }
-    return ret;
 }
-#endif // TARGET_I386
-
-
-bool guest_hypercall_callback(CPUState *cpu) {
-#ifdef TARGET_I386
-    return i386_hypercall_callback(cpu);
 #endif
 
-#ifdef TARGET_ARM
-    // not implemented for now
-    //arm_hypercall_callback(cpu);
-#endif
-
-    return false;
-}
-#endif
-/*
-void on_taint_change(Addr a, uint64_t size){
-    uint32_t num_tainted = 0;
-    for (uint32_t i=0; i<size; i++){
-        a.off = i;
-        num_tainted += (taint2_query(a) != 0);
-    }
-    if (num_tainted > 0) {
-        printf("In taint change!\n");
-    }
-}
-*/
 bool init_plugin(void *self) {
-
-#if defined(TARGET_I386)
+#if defined(TARGET_I386) || defined(TARGET_ARM)
     panda_arg_list *args = panda_get_args("pri_taint");
     debug = panda_parse_bool_opt(args, "debug", "enable debug output"); 
 
     panda_require("callstack_instr");
     assert(init_callstack_instr_api());
     panda_require("pri");
     assert(init_pri_api());
-    panda_require("dwarf2");
-    assert(init_dwarf2_api());
     panda_require("taint2");
     assert(init_taint2_api());
-
-    panda_cb pcb;
-    pcb.guest_hypercall = guest_hypercall_callback;
-    panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb);
-    printf("[pri_taint] This plugin is activated!\n");
+    panda_require("dwarf2"); 
+    assert(init_dwarf2_api());
 
     // If taint isn't already enabled, turn it on.
     if (!taint2_enabled()) {
         printf("[pri_taint] enabling taint now!\n");
         taint2_enable_taint();
     }
+
+    panda_require("hypercaller");
+    void * hypercaller = panda_get_plugin_by_name("hypercaller");
+    register_hypercall_t register_hypercall = (register_hypercall_t) dlsym(hypercaller, "register_hypercall");
+    register_hypercall(LAVA_MAGIC, lava_hypercall);
+
+    printf("[pri_taint] This plugin is activated!\n");
     return true;
 #else
-    printf("[pri_taint] This plugin is only supported on x86\n");
+    printf("[pri_taint] This plugin is only supported on x86 or ARM\n");
     return false;
-    //taint2_track_taint_state();
 #endif
 }
 
-
-
 void uninit_plugin(void *self) {
+    // You don't need to unregister the hypercall!
+    printf("[pri_taint] Unloading plugin complete!\n");
 }
-