VirtualBox

source: vbox/trunk/src/VBox/VMM/VMMR3/PATMPatch.cpp@ 45530

Last change on this file since 45530 was 45485, checked in by vboxsync, 12 years ago
  • *: Where possible, drop the #ifdef VBOX_WITH_RAW_RING1 when EMIsRawRing1Enabled is used.
  • SELM: Don't shadow TSS.esp1/ss1 unless ring-1 compression is enabled (also fixed a log statement there).
  • SELM: selmGuestToShadowDesc should not push ring-1 selectors into ring-2 unless EMIsRawRing1Enabled() holds true.
  • REM: Don't set CPU_INTERRUPT_EXTERNAL_EXIT in helper_ltr() for now.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id Revision
File size: 52.9 KB
Line 
1/* $Id: PATMPatch.cpp 45485 2013-04-11 14:46:04Z vboxsync $ */
2/** @file
3 * PATMPatch - Dynamic Guest OS Instruction patches
4 *
5 * NOTE: CSAM assumes patch memory is never reused!!
6 */
7
8/*
9 * Copyright (C) 2006-2013 Oracle Corporation
10 *
11 * This file is part of VirtualBox Open Source Edition (OSE), as
12 * available from http://www.virtualbox.org. This file is free software;
13 * you can redistribute it and/or modify it under the terms of the GNU
14 * General Public License (GPL) as published by the Free Software
15 * Foundation, in version 2 as it comes in the "COPYING" file of the
16 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
17 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
18 */
19
20/*******************************************************************************
21* Header Files *
22*******************************************************************************/
23#define LOG_GROUP LOG_GROUP_PATM
24#include <VBox/vmm/patm.h>
25#include <VBox/vmm/stam.h>
26#include <VBox/vmm/pgm.h>
27#include <VBox/vmm/cpum.h>
28#include <VBox/vmm/mm.h>
29#include <VBox/vmm/em.h>
30#include <VBox/vmm/trpm.h>
31#include <VBox/param.h>
32#include <iprt/avl.h>
33#include "PATMInternal.h"
34#include <VBox/vmm/vm.h>
35#include <VBox/vmm/csam.h>
36
37#include <VBox/dbg.h>
38#include <VBox/err.h>
39#include <VBox/log.h>
40#include <iprt/assert.h>
41#include <iprt/asm.h>
42#include <iprt/string.h>
43#include <VBox/dis.h>
44#include <VBox/disopcode.h>
45
46#include <stdlib.h>
47#include <stdio.h>
48#include "PATMA.h"
49#include "PATMPatch.h"
50
51/* internal structure for passing more information about call fixups to patmPatchGenCode */
52typedef struct
53{
54 RTRCPTR pTargetGC;
55 RTRCPTR pCurInstrGC;
56 RTRCPTR pNextInstrGC;
57 RTRCPTR pReturnGC;
58} PATMCALLINFO, *PPATMCALLINFO;
59
60int patmPatchAddReloc32(PVM pVM, PPATCHINFO pPatch, uint8_t *pRelocHC, uint32_t uType, RTRCPTR pSource, RTRCPTR pDest)
61{
62 PRELOCREC pRec;
63
64 Assert(uType == FIXUP_ABSOLUTE || ((uType == FIXUP_REL_JMPTOPATCH || uType == FIXUP_REL_JMPTOGUEST) && pSource && pDest));
65
66 LogFlow(("patmPatchAddReloc32 type=%d pRelocGC=%RRv source=%RRv dest=%RRv\n", uType, pRelocHC - pVM->patm.s.pPatchMemGC + pVM->patm.s.pPatchMemGC , pSource, pDest));
67
68 pRec = (PRELOCREC)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
69 Assert(pRec);
70 pRec->Core.Key = (AVLPVKEY)pRelocHC;
71 pRec->pRelocPos = pRelocHC; /* @todo redundant. */
72 pRec->pSource = pSource;
73 pRec->pDest = pDest;
74 pRec->uType = uType;
75
76 bool ret = RTAvlPVInsert(&pPatch->FixupTree, &pRec->Core);
77 Assert(ret); NOREF(ret);
78 pPatch->nrFixups++;
79
80 return VINF_SUCCESS;
81}
82
83int patmPatchAddJump(PVM pVM, PPATCHINFO pPatch, uint8_t *pJumpHC, uint32_t offset, RTRCPTR pTargetGC, uint32_t opcode)
84{
85 PJUMPREC pRec;
86
87 pRec = (PJUMPREC)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
88 Assert(pRec);
89
90 pRec->Core.Key = (AVLPVKEY)pJumpHC;
91 pRec->pJumpHC = pJumpHC; /* @todo redundant. */
92 pRec->offDispl = offset;
93 pRec->pTargetGC = pTargetGC;
94 pRec->opcode = opcode;
95
96 bool ret = RTAvlPVInsert(&pPatch->JumpTree, &pRec->Core);
97 Assert(ret); NOREF(ret);
98 pPatch->nrJumpRecs++;
99
100 return VINF_SUCCESS;
101}
102
103#define PATCHGEN_PROLOG_NODEF(pVM, pPatch) \
104 pPB = PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset; \
105 \
106 if (pPB + 256 >= pVM->patm.s.pPatchMemHC + pVM->patm.s.cbPatchMem) \
107 { \
108 pVM->patm.s.fOutOfMemory = true; \
109 Assert(pPB + 256 >= pVM->patm.s.pPatchMemHC + pVM->patm.s.cbPatchMem); \
110 return VERR_NO_MEMORY; \
111 }
112
113#define PATCHGEN_PROLOG(pVM, pPatch) \
114 uint8_t *pPB; \
115 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
116
117
118#define PATCHGEN_EPILOG(pPatch, size) \
119 Assert(size <= 640); \
120 pPatch->uCurPatchOffset += size;
121
122
123static uint32_t patmPatchGenCode(PVM pVM, PPATCHINFO pPatch, uint8_t *pPB, PPATCHASMRECORD pAsmRecord, RCPTRTYPE(uint8_t *) pReturnAddrGC, bool fGenJump,
124 PPATMCALLINFO pCallInfo = 0)
125{
126 uint32_t i, j;
127
128 Assert(fGenJump == false || pReturnAddrGC);
129 Assert(fGenJump == false || pAsmRecord->offJump);
130 Assert(pAsmRecord && pAsmRecord->size > sizeof(pAsmRecord->uReloc[0]));
131
132 // Copy the code block
133 memcpy(pPB, pAsmRecord->pFunction, pAsmRecord->size);
134
135 // Process all fixups
136 for (j=0,i=0;i<pAsmRecord->nrRelocs*2; i+=2)
137 {
138 for (;j<pAsmRecord->size;j++)
139 {
140 if (*(uint32_t*)&pPB[j] == pAsmRecord->uReloc[i])
141 {
142 RCPTRTYPE(uint32_t *) dest;
143
144#ifdef VBOX_STRICT
145 if (pAsmRecord->uReloc[i] == PATM_FIXUP)
146 Assert(pAsmRecord->uReloc[i+1] != 0);
147 else
148 Assert(pAsmRecord->uReloc[i+1] == 0);
149#endif
150
151 /**
152 * BE VERY CAREFUL WITH THESE FIXUPS. TAKE INTO ACCOUNT THAT PROBLEMS MAY ARISE WHEN RESTORING A SAVED STATE WITH
153 * A DIFFERENT HYPERVISOR LAYOUT.
154 */
155 switch (pAsmRecord->uReloc[i])
156 {
157 case PATM_VMFLAGS:
158 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, uVMFlags);
159 break;
160
161 case PATM_PENDINGACTION:
162 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, uPendingAction);
163 break;
164
165 case PATM_FIXUP:
166 /* Offset in uReloc[i+1] is from the base of the function. */
167 dest = (RTGCUINTPTR32)pVM->patm.s.pPatchMemGC + pAsmRecord->uReloc[i+1] + (RTGCUINTPTR32)(pPB - pVM->patm.s.pPatchMemHC);
168 break;
169#ifdef VBOX_WITH_STATISTICS
170 case PATM_ALLPATCHCALLS:
171 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, uPatchCalls);
172 break;
173
174 case PATM_IRETEFLAGS:
175 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, uIretEFlags);
176 break;
177
178 case PATM_IRETCS:
179 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, uIretCS);
180 break;
181
182 case PATM_IRETEIP:
183 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, uIretEIP);
184 break;
185
186 case PATM_PERPATCHCALLS:
187 dest = patmPatchQueryStatAddress(pVM, pPatch);
188 break;
189#endif
190 case PATM_STACKPTR:
191 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, Psp);
192 break;
193
194 /* The first part of our PATM stack is used to store offsets of patch return addresses; the 2nd
195 * part to store the original return addresses.
196 */
197 case PATM_STACKBASE:
198 dest = pVM->patm.s.pGCStackGC;
199 break;
200
201 case PATM_STACKBASE_GUEST:
202 dest = pVM->patm.s.pGCStackGC + PATM_STACK_SIZE;
203 break;
204
205 case PATM_RETURNADDR: /* absolute guest address; no fixup required */
206 Assert(pCallInfo && pAsmRecord->uReloc[i] >= PATM_NO_FIXUP);
207 dest = pCallInfo->pReturnGC;
208 break;
209
210 case PATM_PATCHNEXTBLOCK: /* relative address of instruction following this block */
211 Assert(pCallInfo && pAsmRecord->uReloc[i] >= PATM_NO_FIXUP);
212
213 /** @note hardcoded assumption that we must return to the instruction following this block */
214 dest = (uintptr_t)pPB - (uintptr_t)pVM->patm.s.pPatchMemHC + pAsmRecord->size;
215 break;
216
217 case PATM_CALLTARGET: /* relative to patch address; no fixup required */
218 Assert(pCallInfo && pAsmRecord->uReloc[i] >= PATM_NO_FIXUP);
219
220 /* Address must be filled in later. (see patmr3SetBranchTargets) */
221 patmPatchAddJump(pVM, pPatch, &pPB[j-1], 1, pCallInfo->pTargetGC, OP_CALL);
222 dest = PATM_ILLEGAL_DESTINATION;
223 break;
224
225 case PATM_PATCHBASE: /* Patch GC base address */
226 dest = pVM->patm.s.pPatchMemGC;
227 break;
228
229 case PATM_CPUID_STD_PTR:
230 /* @todo dirty hack when correcting this fixup (state restore) */
231 dest = CPUMR3GetGuestCpuIdStdRCPtr(pVM);
232 break;
233
234 case PATM_CPUID_EXT_PTR:
235 /* @todo dirty hack when correcting this fixup (state restore) */
236 dest = CPUMR3GetGuestCpuIdExtRCPtr(pVM);
237 break;
238
239 case PATM_CPUID_CENTAUR_PTR:
240 /* @todo dirty hack when correcting this fixup (state restore) */
241 dest = CPUMR3GetGuestCpuIdCentaurRCPtr(pVM);
242 break;
243
244 case PATM_CPUID_DEF_PTR:
245 /* @todo dirty hack when correcting this fixup (state restore) */
246 dest = CPUMR3GetGuestCpuIdDefRCPtr(pVM);
247 break;
248
249 case PATM_CPUID_STD_MAX:
250 dest = CPUMGetGuestCpuIdStdMax(pVM);
251 break;
252
253 case PATM_CPUID_EXT_MAX:
254 dest = CPUMGetGuestCpuIdExtMax(pVM);
255 break;
256
257 case PATM_CPUID_CENTAUR_MAX:
258 dest = CPUMGetGuestCpuIdCentaurMax(pVM);
259 break;
260
261 case PATM_INTERRUPTFLAG:
262 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, fPIF);
263 break;
264
265 case PATM_INHIBITIRQADDR:
266 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, GCPtrInhibitInterrupts);
267 break;
268
269 case PATM_NEXTINSTRADDR:
270 Assert(pCallInfo);
271 /* pNextInstrGC can be 0 if several instructions, that inhibit irqs, follow each other */
272 dest = pCallInfo->pNextInstrGC;
273 break;
274
275 case PATM_CURINSTRADDR:
276 Assert(pCallInfo);
277 dest = pCallInfo->pCurInstrGC;
278 break;
279
280 case PATM_VM_FORCEDACTIONS:
281 /* @todo dirty assumptions when correcting this fixup during saved state loading. */
282 dest = pVM->pVMRC + RT_OFFSETOF(VM, aCpus[0].fLocalForcedActions);
283 break;
284
285 case PATM_TEMP_EAX:
286 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, Restore.uEAX);
287 break;
288 case PATM_TEMP_ECX:
289 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, Restore.uECX);
290 break;
291 case PATM_TEMP_EDI:
292 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, Restore.uEDI);
293 break;
294 case PATM_TEMP_EFLAGS:
295 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, Restore.eFlags);
296 break;
297 case PATM_TEMP_RESTORE_FLAGS:
298 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, Restore.uFlags);
299 break;
300 case PATM_CALL_PATCH_TARGET_ADDR:
301 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, GCCallPatchTargetAddr);
302 break;
303 case PATM_CALL_RETURN_ADDR:
304 dest = pVM->patm.s.pGCStateGC + RT_OFFSETOF(PATMGCSTATE, GCCallReturnAddr);
305 break;
306
307 /* Relative address of global patm lookup and call function. */
308 case PATM_LOOKUP_AND_CALL_FUNCTION:
309 {
310 RTRCPTR pInstrAfterCall = pVM->patm.s.pPatchMemGC + (RTGCUINTPTR32)(&pPB[j] + sizeof(RTRCPTR) - pVM->patm.s.pPatchMemHC);
311 Assert(pVM->patm.s.pfnHelperCallGC);
312 Assert(sizeof(uint32_t) == sizeof(RTRCPTR));
313
314 /* Relative value is target minus address of instruction after the actual call instruction. */
315 dest = pVM->patm.s.pfnHelperCallGC - pInstrAfterCall;
316 break;
317 }
318
319 case PATM_RETURN_FUNCTION:
320 {
321 RTRCPTR pInstrAfterCall = pVM->patm.s.pPatchMemGC + (RTGCUINTPTR32)(&pPB[j] + sizeof(RTRCPTR) - pVM->patm.s.pPatchMemHC);
322 Assert(pVM->patm.s.pfnHelperRetGC);
323 Assert(sizeof(uint32_t) == sizeof(RTRCPTR));
324
325 /* Relative value is target minus address of instruction after the actual call instruction. */
326 dest = pVM->patm.s.pfnHelperRetGC - pInstrAfterCall;
327 break;
328 }
329
330 case PATM_IRET_FUNCTION:
331 {
332 RTRCPTR pInstrAfterCall = pVM->patm.s.pPatchMemGC + (RTGCUINTPTR32)(&pPB[j] + sizeof(RTRCPTR) - pVM->patm.s.pPatchMemHC);
333 Assert(pVM->patm.s.pfnHelperIretGC);
334 Assert(sizeof(uint32_t) == sizeof(RTRCPTR));
335
336 /* Relative value is target minus address of instruction after the actual call instruction. */
337 dest = pVM->patm.s.pfnHelperIretGC - pInstrAfterCall;
338 break;
339 }
340
341 case PATM_LOOKUP_AND_JUMP_FUNCTION:
342 {
343 RTRCPTR pInstrAfterCall = pVM->patm.s.pPatchMemGC + (RTGCUINTPTR32)(&pPB[j] + sizeof(RTRCPTR) - pVM->patm.s.pPatchMemHC);
344 Assert(pVM->patm.s.pfnHelperJumpGC);
345 Assert(sizeof(uint32_t) == sizeof(RTRCPTR));
346
347 /* Relative value is target minus address of instruction after the actual call instruction. */
348 dest = pVM->patm.s.pfnHelperJumpGC - pInstrAfterCall;
349 break;
350 }
351
352 default:
353 dest = PATM_ILLEGAL_DESTINATION;
354 AssertRelease(0);
355 break;
356 }
357
358 *(RTRCPTR *)&pPB[j] = dest;
359 if (pAsmRecord->uReloc[i] < PATM_NO_FIXUP)
360 {
361 patmPatchAddReloc32(pVM, pPatch, &pPB[j], FIXUP_ABSOLUTE);
362 }
363 break;
364 }
365 }
366 Assert(j < pAsmRecord->size);
367 }
368 Assert(pAsmRecord->uReloc[i] == 0xffffffff);
369
370 /* Add the jump back to guest code (if required) */
371 if (fGenJump)
372 {
373 int32_t displ = pReturnAddrGC - (PATCHCODE_PTR_GC(pPatch) + pPatch->uCurPatchOffset + pAsmRecord->offJump - 1 + SIZEOF_NEARJUMP32);
374
375 /* Add lookup record for patch to guest address translation */
376 Assert(pPB[pAsmRecord->offJump - 1] == 0xE9);
377 patmR3AddP2GLookupRecord(pVM, pPatch, &pPB[pAsmRecord->offJump - 1], pReturnAddrGC, PATM_LOOKUP_PATCH2GUEST);
378
379 *(uint32_t *)&pPB[pAsmRecord->offJump] = displ;
380 patmPatchAddReloc32(pVM, pPatch, &pPB[pAsmRecord->offJump], FIXUP_REL_JMPTOGUEST,
381 PATCHCODE_PTR_GC(pPatch) + pPatch->uCurPatchOffset + pAsmRecord->offJump - 1 + SIZEOF_NEARJUMP32,
382 pReturnAddrGC);
383 }
384
385 // Calculate the right size of this patch block
386 if ((fGenJump && pAsmRecord->offJump) || (!fGenJump && !pAsmRecord->offJump))
387 {
388 return pAsmRecord->size;
389 }
390 else {
391 // if a jump instruction is present and we don't want one, then subtract SIZEOF_NEARJUMP32
392 return pAsmRecord->size - SIZEOF_NEARJUMP32;
393 }
394}
395
396/* Read bytes and check for overwritten instructions. */
397static int patmPatchReadBytes(PVM pVM, uint8_t *pDest, RTRCPTR pSrc, uint32_t cb)
398{
399 int rc = PGMPhysSimpleReadGCPtr(&pVM->aCpus[0], pDest, pSrc, cb);
400 AssertRCReturn(rc, rc);
401 /*
402 * Could be patched already; make sure this is checked!
403 */
404 for (uint32_t i=0;i<cb;i++)
405 {
406 uint8_t temp;
407
408 int rc2 = PATMR3QueryOpcode(pVM, pSrc+i, &temp);
409 if (RT_SUCCESS(rc2))
410 {
411 pDest[i] = temp;
412 }
413 else
414 break; /* no more */
415 }
416 return VINF_SUCCESS;
417}
418
419int patmPatchGenDuplicate(PVM pVM, PPATCHINFO pPatch, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pCurInstrGC)
420{
421 int rc = VINF_SUCCESS;
422 PATCHGEN_PROLOG(pVM, pPatch);
423
424 uint32_t const cbInstrShutUpGcc = pCpu->cbInstr;
425 rc = patmPatchReadBytes(pVM, pPB, pCurInstrGC, cbInstrShutUpGcc);
426 AssertRC(rc);
427 PATCHGEN_EPILOG(pPatch, cbInstrShutUpGcc);
428 return rc;
429}
430
431int patmPatchGenIret(PVM pVM, PPATCHINFO pPatch, RTRCPTR pCurInstrGC, bool fSizeOverride)
432{
433 uint32_t size;
434 PATMCALLINFO callInfo;
435
436 PATCHGEN_PROLOG(pVM, pPatch);
437
438 AssertMsg(fSizeOverride == false, ("operand size override!!\n"));
439 callInfo.pCurInstrGC = pCurInstrGC;
440
441 if (EMIsRawRing1Enabled(pVM))
442 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMIretRing1Record, 0, false, &callInfo);
443 else
444 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMIretRecord, 0, false, &callInfo);
445
446 PATCHGEN_EPILOG(pPatch, size);
447 return VINF_SUCCESS;
448}
449
450int patmPatchGenCli(PVM pVM, PPATCHINFO pPatch)
451{
452 uint32_t size;
453 PATCHGEN_PROLOG(pVM, pPatch);
454
455 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMCliRecord, 0, false);
456
457 PATCHGEN_EPILOG(pPatch, size);
458 return VINF_SUCCESS;
459}
460
461/*
462 * Generate an STI patch
463 */
464int patmPatchGenSti(PVM pVM, PPATCHINFO pPatch, RTRCPTR pCurInstrGC, RTRCPTR pNextInstrGC)
465{
466 PATMCALLINFO callInfo;
467 uint32_t size;
468
469 Log(("patmPatchGenSti at %RRv; next %RRv\n", pCurInstrGC, pNextInstrGC));
470 PATCHGEN_PROLOG(pVM, pPatch);
471 callInfo.pNextInstrGC = pNextInstrGC;
472 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMStiRecord, 0, false, &callInfo);
473 PATCHGEN_EPILOG(pPatch, size);
474
475 return VINF_SUCCESS;
476}
477
478
479int patmPatchGenPopf(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t *) pReturnAddrGC, bool fSizeOverride, bool fGenJumpBack)
480{
481 uint32_t size;
482 PATMCALLINFO callInfo;
483
484 PATCHGEN_PROLOG(pVM, pPatch);
485
486 callInfo.pNextInstrGC = pReturnAddrGC;
487
488 Log(("patmPatchGenPopf at %RRv\n", pReturnAddrGC));
489
490 /* Note: keep IOPL in mind when changing any of this!! (see comments in PATMA.asm, PATMPopf32Replacement) */
491 if (fSizeOverride == true)
492 {
493 Log(("operand size override!!\n"));
494 size = patmPatchGenCode(pVM, pPatch, pPB, (fGenJumpBack) ? &PATMPopf16Record : &PATMPopf16Record_NoExit , pReturnAddrGC, fGenJumpBack, &callInfo);
495 }
496 else
497 {
498 size = patmPatchGenCode(pVM, pPatch, pPB, (fGenJumpBack) ? &PATMPopf32Record : &PATMPopf32Record_NoExit, pReturnAddrGC, fGenJumpBack, &callInfo);
499 }
500
501 PATCHGEN_EPILOG(pPatch, size);
502 STAM_COUNTER_INC(&pVM->patm.s.StatGenPopf);
503 return VINF_SUCCESS;
504}
505
506int patmPatchGenPushf(PVM pVM, PPATCHINFO pPatch, bool fSizeOverride)
507{
508 uint32_t size;
509 PATCHGEN_PROLOG(pVM, pPatch);
510
511 if (fSizeOverride == true)
512 {
513 Log(("operand size override!!\n"));
514 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMPushf16Record, 0, false);
515 }
516 else
517 {
518 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMPushf32Record, 0, false);
519 }
520
521 PATCHGEN_EPILOG(pPatch, size);
522 return VINF_SUCCESS;
523}
524
525int patmPatchGenPushCS(PVM pVM, PPATCHINFO pPatch)
526{
527 uint32_t size;
528 PATCHGEN_PROLOG(pVM, pPatch);
529 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMPushCSRecord, 0, false);
530 PATCHGEN_EPILOG(pPatch, size);
531 return VINF_SUCCESS;
532}
533
534int patmPatchGenLoop(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t *) pTargetGC, uint32_t opcode, bool fSizeOverride)
535{
536 uint32_t size = 0;
537 PPATCHASMRECORD pPatchAsmRec;
538
539 PATCHGEN_PROLOG(pVM, pPatch);
540
541 switch (opcode)
542 {
543 case OP_LOOP:
544 pPatchAsmRec = &PATMLoopRecord;
545 break;
546 case OP_LOOPNE:
547 pPatchAsmRec = &PATMLoopNZRecord;
548 break;
549 case OP_LOOPE:
550 pPatchAsmRec = &PATMLoopZRecord;
551 break;
552 case OP_JECXZ:
553 pPatchAsmRec = &PATMJEcxRecord;
554 break;
555 default:
556 AssertMsgFailed(("PatchGenLoop: invalid opcode %d\n", opcode));
557 return VERR_INVALID_PARAMETER;
558 }
559 Assert(pPatchAsmRec->offSizeOverride && pPatchAsmRec->offRelJump);
560
561 Log(("PatchGenLoop %d jump %d to %08x offrel=%d\n", opcode, pPatch->nrJumpRecs, pTargetGC, pPatchAsmRec->offRelJump));
562
563 // Generate the patch code
564 size = patmPatchGenCode(pVM, pPatch, pPB, pPatchAsmRec, 0, false);
565
566 if (fSizeOverride)
567 {
568 pPB[pPatchAsmRec->offSizeOverride] = 0x66; // ecx -> cx or vice versa
569 }
570
571 *(RTRCPTR *)&pPB[pPatchAsmRec->offRelJump] = 0xDEADBEEF;
572
573 patmPatchAddJump(pVM, pPatch, &pPB[pPatchAsmRec->offRelJump - 1], 1, pTargetGC, opcode);
574
575 PATCHGEN_EPILOG(pPatch, size);
576 return VINF_SUCCESS;
577}
578
579int patmPatchGenRelJump(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t *) pTargetGC, uint32_t opcode, bool fSizeOverride)
580{
581 uint32_t offset = 0;
582 PATCHGEN_PROLOG(pVM, pPatch);
583
584 // internal relative jumps from patch code to patch code; no relocation record required
585
586 Assert(PATMIsPatchGCAddr(pVM, pTargetGC) == false);
587
588 switch (opcode)
589 {
590 case OP_JO:
591 pPB[1] = 0x80;
592 break;
593 case OP_JNO:
594 pPB[1] = 0x81;
595 break;
596 case OP_JC:
597 pPB[1] = 0x82;
598 break;
599 case OP_JNC:
600 pPB[1] = 0x83;
601 break;
602 case OP_JE:
603 pPB[1] = 0x84;
604 break;
605 case OP_JNE:
606 pPB[1] = 0x85;
607 break;
608 case OP_JBE:
609 pPB[1] = 0x86;
610 break;
611 case OP_JNBE:
612 pPB[1] = 0x87;
613 break;
614 case OP_JS:
615 pPB[1] = 0x88;
616 break;
617 case OP_JNS:
618 pPB[1] = 0x89;
619 break;
620 case OP_JP:
621 pPB[1] = 0x8A;
622 break;
623 case OP_JNP:
624 pPB[1] = 0x8B;
625 break;
626 case OP_JL:
627 pPB[1] = 0x8C;
628 break;
629 case OP_JNL:
630 pPB[1] = 0x8D;
631 break;
632 case OP_JLE:
633 pPB[1] = 0x8E;
634 break;
635 case OP_JNLE:
636 pPB[1] = 0x8F;
637 break;
638
639 case OP_JMP:
640 /* If interrupted here, then jump to the target instruction. Used by PATM.cpp for jumping to known instructions. */
641 /* Add lookup record for patch to guest address translation */
642 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pTargetGC, PATM_LOOKUP_PATCH2GUEST);
643
644 pPB[0] = 0xE9;
645 break;
646
647 case OP_JECXZ:
648 case OP_LOOP:
649 case OP_LOOPNE:
650 case OP_LOOPE:
651 return patmPatchGenLoop(pVM, pPatch, pTargetGC, opcode, fSizeOverride);
652
653 default:
654 AssertMsg(0, ("Invalid jump opcode %d\n", opcode));
655 return VERR_PATCHING_REFUSED;
656 }
657 if (opcode != OP_JMP)
658 {
659 pPB[0] = 0xF;
660 offset += 2;
661 }
662 else offset++;
663
664 *(RTRCPTR *)&pPB[offset] = 0xDEADBEEF;
665
666 patmPatchAddJump(pVM, pPatch, pPB, offset, pTargetGC, opcode);
667
668 offset += sizeof(RTRCPTR);
669
670 PATCHGEN_EPILOG(pPatch, offset);
671 return VINF_SUCCESS;
672}
673
674/*
675 * Rewrite call to dynamic or currently unknown function (on-demand patching of function)
676 */
677int patmPatchGenCall(PVM pVM, PPATCHINFO pPatch, DISCPUSTATE *pCpu, RTRCPTR pCurInstrGC, RTRCPTR pTargetGC, bool fIndirect)
678{
679 PATMCALLINFO callInfo;
680 uint32_t offset;
681 uint32_t i, size;
682 int rc;
683
684 /** @note Don't check for IF=1 here. The ret instruction will do this. */
685 /** @note It's dangerous to do this for 'normal' patches. the jump target might be inside the generated patch jump. (seen this!) */
686
687 /* 1: Clear PATM interrupt flag on entry. */
688 rc = patmPatchGenClearPIF(pVM, pPatch, pCurInstrGC);
689 if (rc == VERR_NO_MEMORY)
690 return rc;
691 AssertRCReturn(rc, rc);
692
693 PATCHGEN_PROLOG(pVM, pPatch);
694 /* 2: We must push the target address onto the stack before appending the indirect call code. */
695
696 if (fIndirect)
697 {
698 Log(("patmPatchGenIndirectCall\n"));
699 Assert(pCpu->Param1.cb == 4);
700 Assert(OP_PARM_VTYPE(pCpu->pCurInstr->fParam1) != OP_PARM_J);
701
702 /* We push it onto the stack here, so the guest's context isn't ruined when this happens to cause
703 * a page fault. The assembly code restores the stack afterwards.
704 */
705 offset = 0;
706 /* include prefix byte to make sure we don't use the incorrect selector register. */
707 if (pCpu->fPrefix & DISPREFIX_SEG)
708 pPB[offset++] = DISQuerySegPrefixByte(pCpu);
709 pPB[offset++] = 0xFF; // push r/m32
710 pPB[offset++] = MAKE_MODRM(pCpu->ModRM.Bits.Mod, 6 /* group 5 */, pCpu->ModRM.Bits.Rm);
711 i = 2; /* standard offset of modrm bytes */
712 if (pCpu->fPrefix & DISPREFIX_OPSIZE)
713 i++; //skip operand prefix
714 if (pCpu->fPrefix & DISPREFIX_SEG)
715 i++; //skip segment prefix
716
717 rc = patmPatchReadBytes(pVM, &pPB[offset], (RTRCPTR)((RTGCUINTPTR32)pCurInstrGC + i), pCpu->cbInstr - i);
718 AssertRCReturn(rc, rc);
719 offset += (pCpu->cbInstr - i);
720 }
721 else
722 {
723 AssertMsg(PATMIsPatchGCAddr(pVM, pTargetGC) == false, ("Target is already a patch address (%RRv)?!?\n", pTargetGC));
724 Assert(pTargetGC);
725 Assert(OP_PARM_VTYPE(pCpu->pCurInstr->fParam1) == OP_PARM_J);
726
727 /** @todo wasting memory as the complex search is overkill and we need only one lookup slot... */
728
729 /* Relative call to patch code (patch to patch -> no fixup). */
730 Log(("PatchGenCall from %RRv (next=%RRv) to %RRv\n", pCurInstrGC, pCurInstrGC + pCpu->cbInstr, pTargetGC));
731
732 /* We push it onto the stack here, so the guest's context isn't ruined when this happens to cause
733 * a page fault. The assembly code restores the stack afterwards.
734 */
735 offset = 0;
736 pPB[offset++] = 0x68; // push %Iv
737 *(RTRCPTR *)&pPB[offset] = pTargetGC;
738 offset += sizeof(RTRCPTR);
739 }
740
741 /* align this block properly to make sure the jump table will not be misaligned. */
742 size = (RTHCUINTPTR)&pPB[offset] & 3;
743 if (size)
744 size = 4 - size;
745
746 for (i=0;i<size;i++)
747 {
748 pPB[offset++] = 0x90; /* nop */
749 }
750 PATCHGEN_EPILOG(pPatch, offset);
751
752 /* 3: Generate code to lookup address in our local cache; call hypervisor PATM code if it can't be located. */
753 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
754 callInfo.pReturnGC = pCurInstrGC + pCpu->cbInstr;
755 callInfo.pTargetGC = (fIndirect) ? 0xDEADBEEF : pTargetGC;
756 size = patmPatchGenCode(pVM, pPatch, pPB, (fIndirect) ? &PATMCallIndirectRecord : &PATMCallRecord, 0, false, &callInfo);
757 PATCHGEN_EPILOG(pPatch, size);
758
759 /* Need to set PATM_INTERRUPTFLAG after the patched ret returns here. */
760 rc = patmPatchGenSetPIF(pVM, pPatch, pCurInstrGC);
761 if (rc == VERR_NO_MEMORY)
762 return rc;
763 AssertRCReturn(rc, rc);
764
765 STAM_COUNTER_INC(&pVM->patm.s.StatGenCall);
766 return VINF_SUCCESS;
767}
768
769/**
770 * Generate indirect jump to unknown destination
771 *
772 * @returns VBox status code.
773 * @param pVM Pointer to the VM.
774 * @param pPatch Patch record
775 * @param pCpu Disassembly state
776 * @param pCurInstrGC Current instruction address
777 */
778int patmPatchGenJump(PVM pVM, PPATCHINFO pPatch, DISCPUSTATE *pCpu, RTRCPTR pCurInstrGC)
779{
780 PATMCALLINFO callInfo;
781 uint32_t offset;
782 uint32_t i, size;
783 int rc;
784
785 /* 1: Clear PATM interrupt flag on entry. */
786 rc = patmPatchGenClearPIF(pVM, pPatch, pCurInstrGC);
787 if (rc == VERR_NO_MEMORY)
788 return rc;
789 AssertRCReturn(rc, rc);
790
791 PATCHGEN_PROLOG(pVM, pPatch);
792 /* 2: We must push the target address onto the stack before appending the indirect call code. */
793
794 Log(("patmPatchGenIndirectJump\n"));
795 Assert(pCpu->Param1.cb == 4);
796 Assert(OP_PARM_VTYPE(pCpu->pCurInstr->fParam1) != OP_PARM_J);
797
798 /* We push it onto the stack here, so the guest's context isn't ruined when this happens to cause
799 * a page fault. The assembly code restores the stack afterwards.
800 */
801 offset = 0;
802 /* include prefix byte to make sure we don't use the incorrect selector register. */
803 if (pCpu->fPrefix & DISPREFIX_SEG)
804 pPB[offset++] = DISQuerySegPrefixByte(pCpu);
805
806 pPB[offset++] = 0xFF; // push r/m32
807 pPB[offset++] = MAKE_MODRM(pCpu->ModRM.Bits.Mod, 6 /* group 5 */, pCpu->ModRM.Bits.Rm);
808 i = 2; /* standard offset of modrm bytes */
809 if (pCpu->fPrefix & DISPREFIX_OPSIZE)
810 i++; //skip operand prefix
811 if (pCpu->fPrefix & DISPREFIX_SEG)
812 i++; //skip segment prefix
813
814 rc = patmPatchReadBytes(pVM, &pPB[offset], (RTRCPTR)((RTGCUINTPTR32)pCurInstrGC + i), pCpu->cbInstr - i);
815 AssertRCReturn(rc, rc);
816 offset += (pCpu->cbInstr - i);
817
818 /* align this block properly to make sure the jump table will not be misaligned. */
819 size = (RTHCUINTPTR)&pPB[offset] & 3;
820 if (size)
821 size = 4 - size;
822
823 for (i=0;i<size;i++)
824 {
825 pPB[offset++] = 0x90; /* nop */
826 }
827 PATCHGEN_EPILOG(pPatch, offset);
828
829 /* 3: Generate code to lookup address in our local cache; call hypervisor PATM code if it can't be located. */
830 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
831 callInfo.pReturnGC = pCurInstrGC + pCpu->cbInstr;
832 callInfo.pTargetGC = 0xDEADBEEF;
833 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMJumpIndirectRecord, 0, false, &callInfo);
834 PATCHGEN_EPILOG(pPatch, size);
835
836 STAM_COUNTER_INC(&pVM->patm.s.StatGenJump);
837 return VINF_SUCCESS;
838}
839
840/**
841 * Generate return instruction
842 *
843 * @returns VBox status code.
844 * @param pVM Pointer to the VM.
845 * @param pPatch Patch structure
846 * @param pCpu Disassembly struct
847 * @param pCurInstrGC Current instruction pointer
848 *
849 */
850int patmPatchGenRet(PVM pVM, PPATCHINFO pPatch, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pCurInstrGC)
851{
852 int size = 0, rc;
853 RTRCPTR pPatchRetInstrGC;
854
855 /* Remember start of this patch for below. */
856 pPatchRetInstrGC = PATCHCODE_PTR_GC(pPatch) + pPatch->uCurPatchOffset;
857
858 Log(("patmPatchGenRet %RRv\n", pCurInstrGC));
859
860 /** @note optimization: multiple identical ret instruction in a single patch can share a single patched ret. */
861 if ( pPatch->pTempInfo->pPatchRetInstrGC
862 && pPatch->pTempInfo->uPatchRetParam1 == (uint32_t)pCpu->Param1.uValue) /* nr of bytes popped off the stack should be identical of course! */
863 {
864 Assert(pCpu->pCurInstr->uOpcode == OP_RETN);
865 STAM_COUNTER_INC(&pVM->patm.s.StatGenRetReused);
866
867 return patmPatchGenPatchJump(pVM, pPatch, pCurInstrGC, pPatch->pTempInfo->pPatchRetInstrGC);
868 }
869
870 /* Jump back to the original instruction if IF is set again. */
871 Assert(!patmFindActivePatchByEntrypoint(pVM, pCurInstrGC));
872 rc = patmPatchGenCheckIF(pVM, pPatch, pCurInstrGC);
873 AssertRCReturn(rc, rc);
874
875 /* align this block properly to make sure the jump table will not be misaligned. */
876 PATCHGEN_PROLOG(pVM, pPatch);
877 size = (RTHCUINTPTR)pPB & 3;
878 if (size)
879 size = 4 - size;
880
881 for (int i=0;i<size;i++)
882 pPB[i] = 0x90; /* nop */
883 PATCHGEN_EPILOG(pPatch, size);
884
885 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
886 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMRetRecord, 0, false);
887 PATCHGEN_EPILOG(pPatch, size);
888
889 STAM_COUNTER_INC(&pVM->patm.s.StatGenRet);
890 /* Duplicate the ret or ret n instruction; it will use the PATM return address */
891 rc = patmPatchGenDuplicate(pVM, pPatch, pCpu, pCurInstrGC);
892
893 if (rc == VINF_SUCCESS)
894 {
895 pPatch->pTempInfo->pPatchRetInstrGC = pPatchRetInstrGC;
896 pPatch->pTempInfo->uPatchRetParam1 = pCpu->Param1.uValue;
897 }
898 return rc;
899}
900
901/**
902 * Generate all global patm functions
903 *
904 * @returns VBox status code.
905 * @param pVM Pointer to the VM.
906 * @param pPatch Patch structure
907 *
908 */
909int patmPatchGenGlobalFunctions(PVM pVM, PPATCHINFO pPatch)
910{
911 int size = 0;
912
913 pVM->patm.s.pfnHelperCallGC = PATCHCODE_PTR_GC(pPatch) + pPatch->uCurPatchOffset;
914 PATCHGEN_PROLOG(pVM, pPatch);
915 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMLookupAndCallRecord, 0, false);
916 PATCHGEN_EPILOG(pPatch, size);
917
918 /* Round to next 8 byte boundary. */
919 pPatch->uCurPatchOffset = RT_ALIGN_32(pPatch->uCurPatchOffset, 8);
920
921 pVM->patm.s.pfnHelperRetGC = PATCHCODE_PTR_GC(pPatch) + pPatch->uCurPatchOffset;
922 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
923 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMRetFunctionRecord, 0, false);
924 PATCHGEN_EPILOG(pPatch, size);
925
926 /* Round to next 8 byte boundary. */
927 pPatch->uCurPatchOffset = RT_ALIGN_32(pPatch->uCurPatchOffset, 8);
928
929 pVM->patm.s.pfnHelperJumpGC = PATCHCODE_PTR_GC(pPatch) + pPatch->uCurPatchOffset;
930 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
931 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMLookupAndJumpRecord, 0, false);
932 PATCHGEN_EPILOG(pPatch, size);
933
934 /* Round to next 8 byte boundary. */
935 pPatch->uCurPatchOffset = RT_ALIGN_32(pPatch->uCurPatchOffset, 8);
936
937 pVM->patm.s.pfnHelperIretGC = PATCHCODE_PTR_GC(pPatch) + pPatch->uCurPatchOffset;
938 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
939 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMIretFunctionRecord, 0, false);
940 PATCHGEN_EPILOG(pPatch, size);
941
942 Log(("pfnHelperCallGC %RRv\n", pVM->patm.s.pfnHelperCallGC));
943 Log(("pfnHelperRetGC %RRv\n", pVM->patm.s.pfnHelperRetGC));
944 Log(("pfnHelperJumpGC %RRv\n", pVM->patm.s.pfnHelperJumpGC));
945 Log(("pfnHelperIretGC %RRv\n", pVM->patm.s.pfnHelperIretGC));
946
947 return VINF_SUCCESS;
948}
949
950/**
951 * Generate illegal instruction (int 3)
952 *
953 * @returns VBox status code.
954 * @param pVM Pointer to the VM.
955 * @param pPatch Patch structure
956 *
957 */
958int patmPatchGenIllegalInstr(PVM pVM, PPATCHINFO pPatch)
959{
960 PATCHGEN_PROLOG(pVM, pPatch);
961
962 pPB[0] = 0xCC;
963
964 PATCHGEN_EPILOG(pPatch, 1);
965 return VINF_SUCCESS;
966}
967
968/**
969 * Check virtual IF flag and jump back to original guest code if set
970 *
971 * @returns VBox status code.
972 * @param pVM Pointer to the VM.
973 * @param pPatch Patch structure
974 * @param pCurInstrGC Guest context pointer to the current instruction
975 *
976 */
977int patmPatchGenCheckIF(PVM pVM, PPATCHINFO pPatch, RTRCPTR pCurInstrGC)
978{
979 uint32_t size;
980
981 PATCHGEN_PROLOG(pVM, pPatch);
982
983 /* Add lookup record for patch to guest address translation */
984 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pCurInstrGC, PATM_LOOKUP_PATCH2GUEST);
985
986 /* Generate code to check for IF=1 before executing the call to the duplicated function. */
987 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMCheckIFRecord, pCurInstrGC, true);
988
989 PATCHGEN_EPILOG(pPatch, size);
990 return VINF_SUCCESS;
991}
992
993/**
994 * Set PATM interrupt flag
995 *
996 * @returns VBox status code.
997 * @param pVM Pointer to the VM.
998 * @param pPatch Patch structure
999 * @param pInstrGC Corresponding guest instruction
1000 *
1001 */
1002int patmPatchGenSetPIF(PVM pVM, PPATCHINFO pPatch, RTRCPTR pInstrGC)
1003{
1004 PATCHGEN_PROLOG(pVM, pPatch);
1005
1006 /* Add lookup record for patch to guest address translation */
1007 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pInstrGC, PATM_LOOKUP_PATCH2GUEST);
1008
1009 int size = patmPatchGenCode(pVM, pPatch, pPB, &PATMSetPIFRecord, 0, false);
1010 PATCHGEN_EPILOG(pPatch, size);
1011 return VINF_SUCCESS;
1012}
1013
1014/**
1015 * Clear PATM interrupt flag
1016 *
1017 * @returns VBox status code.
1018 * @param pVM Pointer to the VM.
1019 * @param pPatch Patch structure
1020 * @param pInstrGC Corresponding guest instruction
1021 *
1022 */
1023int patmPatchGenClearPIF(PVM pVM, PPATCHINFO pPatch, RTRCPTR pInstrGC)
1024{
1025 PATCHGEN_PROLOG(pVM, pPatch);
1026
1027 /* Add lookup record for patch to guest address translation */
1028 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pInstrGC, PATM_LOOKUP_PATCH2GUEST);
1029
1030 int size = patmPatchGenCode(pVM, pPatch, pPB, &PATMClearPIFRecord, 0, false);
1031 PATCHGEN_EPILOG(pPatch, size);
1032 return VINF_SUCCESS;
1033}
1034
1035
1036/**
1037 * Clear PATM inhibit irq flag
1038 *
1039 * @returns VBox status code.
1040 * @param pVM Pointer to the VM.
1041 * @param pPatch Patch structure
1042 * @param pNextInstrGC Next guest instruction
1043 */
1044int patmPatchGenClearInhibitIRQ(PVM pVM, PPATCHINFO pPatch, RTRCPTR pNextInstrGC)
1045{
1046 int size;
1047 PATMCALLINFO callInfo;
1048
1049 PATCHGEN_PROLOG(pVM, pPatch);
1050
1051 Assert((pPatch->flags & (PATMFL_GENERATE_JUMPTOGUEST|PATMFL_DUPLICATE_FUNCTION)) != (PATMFL_GENERATE_JUMPTOGUEST|PATMFL_DUPLICATE_FUNCTION));
1052
1053 /* Add lookup record for patch to guest address translation */
1054 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pNextInstrGC, PATM_LOOKUP_PATCH2GUEST);
1055
1056 callInfo.pNextInstrGC = pNextInstrGC;
1057
1058 if (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
1059 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMClearInhibitIRQContIF0Record, 0, false, &callInfo);
1060 else
1061 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMClearInhibitIRQFaultIF0Record, 0, false, &callInfo);
1062
1063 PATCHGEN_EPILOG(pPatch, size);
1064 return VINF_SUCCESS;
1065}
1066
1067/**
1068 * Generate an interrupt handler entrypoint
1069 *
1070 * @returns VBox status code.
1071 * @param pVM Pointer to the VM.
1072 * @param pPatch Patch record
1073 * @param pIntHandlerGC IDT handler address
1074 *
1075 ** @todo must check if virtual IF is already cleared on entry!!!!!!!!!!!!!!!!!!!!!!!
1076 */
1077int patmPatchGenIntEntry(PVM pVM, PPATCHINFO pPatch, RTRCPTR pIntHandlerGC)
1078{
1079 int rc = VINF_SUCCESS;
1080
1081 if (!EMIsRawRing1Enabled(pVM)) /* direct passthru of interrupts is not allowed in the ring-1 support case as we can't
1082 deal with the ring-1/2 ambiguity in the patm asm code and we don't need it either as
1083 TRPMForwardTrap takes care of the details. */
1084 {
1085 uint32_t size;
1086 PATCHGEN_PROLOG(pVM, pPatch);
1087
1088 /* Add lookup record for patch to guest address translation */
1089 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pIntHandlerGC, PATM_LOOKUP_PATCH2GUEST);
1090
1091 /* Generate entrypoint for the interrupt handler (correcting CS in the interrupt stack frame) */
1092 size = patmPatchGenCode(pVM, pPatch, pPB,
1093 (pPatch->flags & PATMFL_INTHANDLER_WITH_ERRORCODE) ? &PATMIntEntryRecordErrorCode : &PATMIntEntryRecord,
1094 0, false);
1095
1096 PATCHGEN_EPILOG(pPatch, size);
1097 }
1098
1099 // Interrupt gates set IF to 0
1100 rc = patmPatchGenCli(pVM, pPatch);
1101 AssertRCReturn(rc, rc);
1102
1103 return rc;
1104}
1105
1106/**
1107 * Generate a trap handler entrypoint
1108 *
1109 * @returns VBox status code.
1110 * @param pVM Pointer to the VM.
1111 * @param pPatch Patch record
1112 * @param pTrapHandlerGC IDT handler address
1113 */
1114int patmPatchGenTrapEntry(PVM pVM, PPATCHINFO pPatch, RTRCPTR pTrapHandlerGC)
1115{
1116 uint32_t size;
1117
1118 Assert(!EMIsRawRing1Enabled(pVM));
1119
1120 PATCHGEN_PROLOG(pVM, pPatch);
1121
1122 /* Add lookup record for patch to guest address translation */
1123 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pTrapHandlerGC, PATM_LOOKUP_PATCH2GUEST);
1124
1125 /* Generate entrypoint for the trap handler (correcting CS in the interrupt stack frame) */
1126 size = patmPatchGenCode(pVM, pPatch, pPB,
1127 (pPatch->flags & PATMFL_TRAPHANDLER_WITH_ERRORCODE) ? &PATMTrapEntryRecordErrorCode : &PATMTrapEntryRecord,
1128 pTrapHandlerGC, true);
1129 PATCHGEN_EPILOG(pPatch, size);
1130
1131 return VINF_SUCCESS;
1132}
1133
1134#ifdef VBOX_WITH_STATISTICS
1135int patmPatchGenStats(PVM pVM, PPATCHINFO pPatch, RTRCPTR pInstrGC)
1136{
1137 uint32_t size;
1138
1139 PATCHGEN_PROLOG(pVM, pPatch);
1140
1141 /* Add lookup record for stats code -> guest handler. */
1142 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pInstrGC, PATM_LOOKUP_PATCH2GUEST);
1143
1144 /* Generate code to keep calling statistics for this patch */
1145 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMStatsRecord, pInstrGC, false);
1146 PATCHGEN_EPILOG(pPatch, size);
1147
1148 return VINF_SUCCESS;
1149}
1150#endif
1151
1152/**
1153 * Debug register moves to or from general purpose registers
1154 * mov GPR, DRx
1155 * mov DRx, GPR
1156 *
1157 * @todo: if we ever want to support hardware debug registers natively, then
1158 * this will need to be changed!
1159 */
1160int patmPatchGenMovDebug(PVM pVM, PPATCHINFO pPatch, DISCPUSTATE *pCpu)
1161{
1162 int rc = VINF_SUCCESS;
1163 unsigned reg, mod, rm, dbgreg;
1164 uint32_t offset;
1165
1166 PATCHGEN_PROLOG(pVM, pPatch);
1167
1168 mod = 0; //effective address (only)
1169 rm = 5; //disp32
1170 if (pCpu->pCurInstr->fParam1 == OP_PARM_Dd)
1171 {
1172 Assert(0); // You not come here. Illegal!
1173
1174 // mov DRx, GPR
1175 pPB[0] = 0x89; //mov disp32, GPR
1176 Assert(pCpu->Param1.fUse & DISUSE_REG_DBG);
1177 Assert(pCpu->Param2.fUse & DISUSE_REG_GEN32);
1178
1179 dbgreg = pCpu->Param1.Base.idxDbgReg;
1180 reg = pCpu->Param2.Base.idxGenReg;
1181 }
1182 else
1183 {
1184 // mov GPR, DRx
1185 Assert(pCpu->Param1.fUse & DISUSE_REG_GEN32);
1186 Assert(pCpu->Param2.fUse & DISUSE_REG_DBG);
1187
1188 pPB[0] = 0x8B; // mov GPR, disp32
1189 reg = pCpu->Param1.Base.idxGenReg;
1190 dbgreg = pCpu->Param2.Base.idxDbgReg;
1191 }
1192
1193 pPB[1] = MAKE_MODRM(mod, reg, rm);
1194
1195 AssertReturn(dbgreg <= DISDREG_DR7, VERR_INVALID_PARAMETER);
1196 offset = RT_OFFSETOF(CPUMCTX, dr[dbgreg]);
1197
1198 *(RTRCPTR *)&pPB[2] = pVM->patm.s.pCPUMCtxGC + offset;
1199 patmPatchAddReloc32(pVM, pPatch, &pPB[2], FIXUP_ABSOLUTE);
1200
1201 PATCHGEN_EPILOG(pPatch, 2 + sizeof(RTRCPTR));
1202 return rc;
1203}
1204
1205/*
1206 * Control register moves to or from general purpose registers
1207 * mov GPR, CRx
1208 * mov CRx, GPR
1209 */
1210int patmPatchGenMovControl(PVM pVM, PPATCHINFO pPatch, DISCPUSTATE *pCpu)
1211{
1212 int rc = VINF_SUCCESS;
1213 int reg, mod, rm, ctrlreg;
1214 uint32_t offset;
1215
1216 PATCHGEN_PROLOG(pVM, pPatch);
1217
1218 mod = 0; //effective address (only)
1219 rm = 5; //disp32
1220 if (pCpu->pCurInstr->fParam1 == OP_PARM_Cd)
1221 {
1222 Assert(0); // You not come here. Illegal!
1223
1224 // mov CRx, GPR
1225 pPB[0] = 0x89; //mov disp32, GPR
1226 ctrlreg = pCpu->Param1.Base.idxCtrlReg;
1227 reg = pCpu->Param2.Base.idxGenReg;
1228 Assert(pCpu->Param1.fUse & DISUSE_REG_CR);
1229 Assert(pCpu->Param2.fUse & DISUSE_REG_GEN32);
1230 }
1231 else
1232 {
1233 // mov GPR, CRx
1234 Assert(pCpu->Param1.fUse & DISUSE_REG_GEN32);
1235 Assert(pCpu->Param2.fUse & DISUSE_REG_CR);
1236
1237 pPB[0] = 0x8B; // mov GPR, disp32
1238 reg = pCpu->Param1.Base.idxGenReg;
1239 ctrlreg = pCpu->Param2.Base.idxCtrlReg;
1240 }
1241
1242 pPB[1] = MAKE_MODRM(mod, reg, rm);
1243
1244 /// @todo: make this an array in the context structure
1245 switch (ctrlreg)
1246 {
1247 case DISCREG_CR0:
1248 offset = RT_OFFSETOF(CPUMCTX, cr0);
1249 break;
1250 case DISCREG_CR2:
1251 offset = RT_OFFSETOF(CPUMCTX, cr2);
1252 break;
1253 case DISCREG_CR3:
1254 offset = RT_OFFSETOF(CPUMCTX, cr3);
1255 break;
1256 case DISCREG_CR4:
1257 offset = RT_OFFSETOF(CPUMCTX, cr4);
1258 break;
1259 default: /* Shut up compiler warning. */
1260 AssertFailed();
1261 offset = 0;
1262 break;
1263 }
1264 *(RTRCPTR *)&pPB[2] = pVM->patm.s.pCPUMCtxGC + offset;
1265 patmPatchAddReloc32(pVM, pPatch, &pPB[2], FIXUP_ABSOLUTE);
1266
1267 PATCHGEN_EPILOG(pPatch, 2 + sizeof(RTRCPTR));
1268 return rc;
1269}
1270
1271/*
1272 * mov GPR, SS
1273 */
1274int patmPatchGenMovFromSS(PVM pVM, PPATCHINFO pPatch, DISCPUSTATE *pCpu, RTRCPTR pCurInstrGC)
1275{
1276 uint32_t size, offset;
1277
1278 Log(("patmPatchGenMovFromSS %RRv\n", pCurInstrGC));
1279
1280 Assert(pPatch->flags & PATMFL_CODE32);
1281
1282 PATCHGEN_PROLOG(pVM, pPatch);
1283 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMClearPIFRecord, 0, false);
1284 PATCHGEN_EPILOG(pPatch, size);
1285
1286 /* push ss */
1287 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
1288 offset = 0;
1289 if (pCpu->fPrefix & DISPREFIX_OPSIZE)
1290 pPB[offset++] = 0x66; /* size override -> 16 bits push */
1291 pPB[offset++] = 0x16;
1292 PATCHGEN_EPILOG(pPatch, offset);
1293
1294 /* checks and corrects RPL of pushed ss*/
1295 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
1296 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMMovFromSSRecord, 0, false);
1297 PATCHGEN_EPILOG(pPatch, size);
1298
1299 /* pop general purpose register */
1300 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
1301 offset = 0;
1302 if (pCpu->fPrefix & DISPREFIX_OPSIZE)
1303 pPB[offset++] = 0x66; /* size override -> 16 bits pop */
1304 pPB[offset++] = 0x58 + pCpu->Param1.Base.idxGenReg;
1305 PATCHGEN_EPILOG(pPatch, offset);
1306
1307
1308 PATCHGEN_PROLOG_NODEF(pVM, pPatch);
1309 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMSetPIFRecord, 0, false);
1310 PATCHGEN_EPILOG(pPatch, size);
1311
1312 return VINF_SUCCESS;
1313}
1314
1315
1316/**
1317 * Generate an sldt or str patch instruction
1318 *
1319 * @returns VBox status code.
1320 * @param pVM Pointer to the VM.
1321 * @param pPatch Patch record
1322 * @param pCpu Disassembly state
1323 * @param pCurInstrGC Guest instruction address
1324 */
1325int patmPatchGenSldtStr(PVM pVM, PPATCHINFO pPatch, DISCPUSTATE *pCpu, RTRCPTR pCurInstrGC)
1326{
1327 // sldt %Ew
1328 int rc = VINF_SUCCESS;
1329 uint32_t offset = 0;
1330 uint32_t i;
1331
1332 /** @todo segment prefix (untested) */
1333 Assert(pCpu->fPrefix == DISPREFIX_NONE || pCpu->fPrefix == DISPREFIX_OPSIZE);
1334
1335 PATCHGEN_PROLOG(pVM, pPatch);
1336
1337 if (pCpu->Param1.fUse == DISUSE_REG_GEN32 || pCpu->Param1.fUse == DISUSE_REG_GEN16)
1338 {
1339 /* Register operand */
1340 // 8B 15 [32 bits addr] mov edx, CPUMCTX.tr/ldtr
1341
1342 if (pCpu->fPrefix == DISPREFIX_OPSIZE)
1343 pPB[offset++] = 0x66;
1344
1345 pPB[offset++] = 0x8B; // mov destreg, CPUMCTX.tr/ldtr
1346 /* Modify REG part according to destination of original instruction */
1347 pPB[offset++] = MAKE_MODRM(0, pCpu->Param1.Base.idxGenReg, 5);
1348 if (pCpu->pCurInstr->uOpcode == OP_STR)
1349 {
1350 *(RTRCPTR *)&pPB[offset] = pVM->patm.s.pCPUMCtxGC + RT_OFFSETOF(CPUMCTX, tr);
1351 }
1352 else
1353 {
1354 *(RTRCPTR *)&pPB[offset] = pVM->patm.s.pCPUMCtxGC + RT_OFFSETOF(CPUMCTX, ldtr);
1355 }
1356 patmPatchAddReloc32(pVM, pPatch, &pPB[offset], FIXUP_ABSOLUTE);
1357 offset += sizeof(RTRCPTR);
1358 }
1359 else
1360 {
1361 /* Memory operand */
1362 //50 push eax
1363 //52 push edx
1364 //8D 15 48 7C 42 00 lea edx, dword ptr [dest]
1365 //66 A1 48 7C 42 00 mov ax, CPUMCTX.tr/ldtr
1366 //66 89 02 mov word ptr [edx],ax
1367 //5A pop edx
1368 //58 pop eax
1369
1370 pPB[offset++] = 0x50; // push eax
1371 pPB[offset++] = 0x52; // push edx
1372
1373 if (pCpu->fPrefix == DISPREFIX_SEG)
1374 {
1375 pPB[offset++] = DISQuerySegPrefixByte(pCpu);
1376 }
1377 pPB[offset++] = 0x8D; // lea edx, dword ptr [dest]
1378 // duplicate and modify modrm byte and additional bytes if present (e.g. direct address)
1379 pPB[offset++] = MAKE_MODRM(pCpu->ModRM.Bits.Mod, DISGREG_EDX , pCpu->ModRM.Bits.Rm);
1380
1381 i = 3; /* standard offset of modrm bytes */
1382 if (pCpu->fPrefix == DISPREFIX_OPSIZE)
1383 i++; //skip operand prefix
1384 if (pCpu->fPrefix == DISPREFIX_SEG)
1385 i++; //skip segment prefix
1386
1387 rc = patmPatchReadBytes(pVM, &pPB[offset], (RTRCPTR)((RTGCUINTPTR32)pCurInstrGC + i), pCpu->cbInstr - i);
1388 AssertRCReturn(rc, rc);
1389 offset += (pCpu->cbInstr - i);
1390
1391 pPB[offset++] = 0x66; // mov ax, CPUMCTX.tr/ldtr
1392 pPB[offset++] = 0xA1;
1393 if (pCpu->pCurInstr->uOpcode == OP_STR)
1394 {
1395 *(RTRCPTR *)&pPB[offset] = pVM->patm.s.pCPUMCtxGC + RT_OFFSETOF(CPUMCTX, tr);
1396 }
1397 else
1398 {
1399 *(RTRCPTR *)&pPB[offset] = pVM->patm.s.pCPUMCtxGC + RT_OFFSETOF(CPUMCTX, ldtr);
1400 }
1401 patmPatchAddReloc32(pVM, pPatch, &pPB[offset], FIXUP_ABSOLUTE);
1402 offset += sizeof(RTRCPTR);
1403
1404 pPB[offset++] = 0x66; // mov word ptr [edx],ax
1405 pPB[offset++] = 0x89;
1406 pPB[offset++] = 0x02;
1407
1408 pPB[offset++] = 0x5A; // pop edx
1409 pPB[offset++] = 0x58; // pop eax
1410 }
1411
1412 PATCHGEN_EPILOG(pPatch, offset);
1413
1414 return rc;
1415}
1416
1417/**
1418 * Generate an sgdt or sidt patch instruction
1419 *
1420 * @returns VBox status code.
1421 * @param pVM Pointer to the VM.
1422 * @param pPatch Patch record
1423 * @param pCpu Disassembly state
1424 * @param pCurInstrGC Guest instruction address
1425 */
1426int patmPatchGenSxDT(PVM pVM, PPATCHINFO pPatch, DISCPUSTATE *pCpu, RTRCPTR pCurInstrGC)
1427{
1428 int rc = VINF_SUCCESS;
1429 uint32_t offset = 0, offset_base, offset_limit;
1430 uint32_t i;
1431
1432 /* @todo segment prefix (untested) */
1433 Assert(pCpu->fPrefix == DISPREFIX_NONE);
1434
1435 // sgdt %Ms
1436 // sidt %Ms
1437
1438 switch (pCpu->pCurInstr->uOpcode)
1439 {
1440 case OP_SGDT:
1441 offset_base = RT_OFFSETOF(CPUMCTX, gdtr.pGdt);
1442 offset_limit = RT_OFFSETOF(CPUMCTX, gdtr.cbGdt);
1443 break;
1444
1445 case OP_SIDT:
1446 offset_base = RT_OFFSETOF(CPUMCTX, idtr.pIdt);
1447 offset_limit = RT_OFFSETOF(CPUMCTX, idtr.cbIdt);
1448 break;
1449
1450 default:
1451 return VERR_INVALID_PARAMETER;
1452 }
1453
1454//50 push eax
1455//52 push edx
1456//8D 15 48 7C 42 00 lea edx, dword ptr [dest]
1457//66 A1 48 7C 42 00 mov ax, CPUMCTX.gdtr.limit
1458//66 89 02 mov word ptr [edx],ax
1459//A1 48 7C 42 00 mov eax, CPUMCTX.gdtr.base
1460//89 42 02 mov dword ptr [edx+2],eax
1461//5A pop edx
1462//58 pop eax
1463
1464 PATCHGEN_PROLOG(pVM, pPatch);
1465 pPB[offset++] = 0x50; // push eax
1466 pPB[offset++] = 0x52; // push edx
1467
1468 if (pCpu->fPrefix == DISPREFIX_SEG)
1469 {
1470 pPB[offset++] = DISQuerySegPrefixByte(pCpu);
1471 }
1472 pPB[offset++] = 0x8D; // lea edx, dword ptr [dest]
1473 // duplicate and modify modrm byte and additional bytes if present (e.g. direct address)
1474 pPB[offset++] = MAKE_MODRM(pCpu->ModRM.Bits.Mod, DISGREG_EDX , pCpu->ModRM.Bits.Rm);
1475
1476 i = 3; /* standard offset of modrm bytes */
1477 if (pCpu->fPrefix == DISPREFIX_OPSIZE)
1478 i++; //skip operand prefix
1479 if (pCpu->fPrefix == DISPREFIX_SEG)
1480 i++; //skip segment prefix
1481 rc = patmPatchReadBytes(pVM, &pPB[offset], (RTRCPTR)((RTGCUINTPTR32)pCurInstrGC + i), pCpu->cbInstr - i);
1482 AssertRCReturn(rc, rc);
1483 offset += (pCpu->cbInstr - i);
1484
1485 pPB[offset++] = 0x66; // mov ax, CPUMCTX.gdtr.limit
1486 pPB[offset++] = 0xA1;
1487 *(RTRCPTR *)&pPB[offset] = pVM->patm.s.pCPUMCtxGC + offset_limit;
1488 patmPatchAddReloc32(pVM, pPatch, &pPB[offset], FIXUP_ABSOLUTE);
1489 offset += sizeof(RTRCPTR);
1490
1491 pPB[offset++] = 0x66; // mov word ptr [edx],ax
1492 pPB[offset++] = 0x89;
1493 pPB[offset++] = 0x02;
1494
1495 pPB[offset++] = 0xA1; // mov eax, CPUMCTX.gdtr.base
1496 *(RTRCPTR *)&pPB[offset] = pVM->patm.s.pCPUMCtxGC + offset_base;
1497 patmPatchAddReloc32(pVM, pPatch, &pPB[offset], FIXUP_ABSOLUTE);
1498 offset += sizeof(RTRCPTR);
1499
1500 pPB[offset++] = 0x89; // mov dword ptr [edx+2],eax
1501 pPB[offset++] = 0x42;
1502 pPB[offset++] = 0x02;
1503
1504 pPB[offset++] = 0x5A; // pop edx
1505 pPB[offset++] = 0x58; // pop eax
1506
1507 PATCHGEN_EPILOG(pPatch, offset);
1508
1509 return rc;
1510}
1511
1512/**
1513 * Generate a cpuid patch instruction
1514 *
1515 * @returns VBox status code.
1516 * @param pVM Pointer to the VM.
1517 * @param pPatch Patch record
1518 * @param pCurInstrGC Guest instruction address
1519 */
1520int patmPatchGenCpuid(PVM pVM, PPATCHINFO pPatch, RTRCPTR pCurInstrGC)
1521{
1522 uint32_t size;
1523 PATCHGEN_PROLOG(pVM, pPatch);
1524
1525 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMCpuidRecord, 0, false);
1526
1527 PATCHGEN_EPILOG(pPatch, size);
1528 NOREF(pCurInstrGC);
1529 return VINF_SUCCESS;
1530}
1531
1532/**
1533 * Generate the jump from guest to patch code
1534 *
1535 * @returns VBox status code.
1536 * @param pVM Pointer to the VM.
1537 * @param pPatch Patch record
1538 * @param pTargetGC Guest target jump
1539 * @param fClearInhibitIRQs Clear inhibit irq flag
1540 */
1541int patmPatchGenJumpToGuest(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t *) pReturnAddrGC, bool fClearInhibitIRQs)
1542{
1543 int rc = VINF_SUCCESS;
1544 uint32_t size;
1545
1546 if (fClearInhibitIRQs)
1547 {
1548 rc = patmPatchGenClearInhibitIRQ(pVM, pPatch, pReturnAddrGC);
1549 if (rc == VERR_NO_MEMORY)
1550 return rc;
1551 AssertRCReturn(rc, rc);
1552 }
1553
1554 PATCHGEN_PROLOG(pVM, pPatch);
1555
1556 /* Add lookup record for patch to guest address translation */
1557 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pReturnAddrGC, PATM_LOOKUP_PATCH2GUEST);
1558
1559 /* Generate code to jump to guest code if IF=1, else fault. */
1560 size = patmPatchGenCode(pVM, pPatch, pPB, &PATMJumpToGuest_IF1Record, pReturnAddrGC, true);
1561 PATCHGEN_EPILOG(pPatch, size);
1562
1563 return rc;
1564}
1565
1566/*
1567 * Relative jump from patch code to patch code (no fixup required)
1568 */
1569int patmPatchGenPatchJump(PVM pVM, PPATCHINFO pPatch, RTRCPTR pCurInstrGC, RCPTRTYPE(uint8_t *) pPatchAddrGC, bool fAddLookupRecord)
1570{
1571 int32_t displ;
1572 int rc = VINF_SUCCESS;
1573
1574 Assert(PATMIsPatchGCAddr(pVM, pPatchAddrGC));
1575 PATCHGEN_PROLOG(pVM, pPatch);
1576
1577 if (fAddLookupRecord)
1578 {
1579 /* Add lookup record for patch to guest address translation */
1580 patmR3AddP2GLookupRecord(pVM, pPatch, pPB, pCurInstrGC, PATM_LOOKUP_PATCH2GUEST);
1581 }
1582
1583 pPB[0] = 0xE9; //JMP
1584
1585 displ = pPatchAddrGC - (PATCHCODE_PTR_GC(pPatch) + pPatch->uCurPatchOffset + SIZEOF_NEARJUMP32);
1586
1587 *(uint32_t *)&pPB[1] = displ;
1588
1589 PATCHGEN_EPILOG(pPatch, SIZEOF_NEARJUMP32);
1590
1591 return rc;
1592}
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette