VirtualBox

source: vbox/trunk/src/VBox/VMM/VMMRC/PATMRC.cpp@ 36701

Last change on this file since 36701 was 35346, checked in by vboxsync, 14 years ago

VMM reorg: Moving the public include files from include/VBox to include/VBox/vmm.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 23.0 KB
Line 
1/* $Id: PATMRC.cpp 35346 2010-12-27 16:13:13Z vboxsync $ */
2/** @file
3 * PATM - Dynamic Guest OS Patching Manager - Guest Context
4 */
5
6/*
7 * Copyright (C) 2006-2007 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 */
17
18
19/*******************************************************************************
20* Header Files *
21*******************************************************************************/
22#define LOG_GROUP LOG_GROUP_PATM
23#include <VBox/vmm/cpum.h>
24#include <VBox/vmm/stam.h>
25#include <VBox/vmm/patm.h>
26#include <VBox/vmm/pgm.h>
27#include <VBox/vmm/mm.h>
28#include <VBox/sup.h>
29#include <VBox/vmm/mm.h>
30#include <VBox/param.h>
31#include <iprt/avl.h>
32#include "PATMInternal.h"
33#include "PATMA.h"
34#include <VBox/vmm/vm.h>
35#include <VBox/dbg.h>
36#include <VBox/dis.h>
37#include <VBox/disopcode.h>
38#include <VBox/vmm/em.h>
39#include <VBox/err.h>
40#include <VBox/vmm/selm.h>
41#include <VBox/log.h>
42#include <iprt/assert.h>
43#include <iprt/asm.h>
44#include <iprt/string.h>
45
46
47/**
48 * \#PF Virtual Handler callback for Guest access a page monitored by PATM
49 *
50 * @returns VBox status code (appropriate for trap handling and GC return).
51 * @param pVM VM Handle.
52 * @param uErrorCode CPU Error code.
53 * @param pRegFrame Trap register frame.
54 * @param pvFault The fault address (cr2).
55 * @param pvRange The base address of the handled virtual range.
56 * @param offRange The offset of the access into this range.
57 * (If it's a EIP range this is the EIP, if not it's pvFault.)
58 */
59VMMRCDECL(int) PATMGCMonitorPage(PVM pVM, RTGCUINT uErrorCode, PCPUMCTXCORE pRegFrame, RTGCPTR pvFault, RTGCPTR pvRange, uintptr_t offRange)
60{
61 pVM->patm.s.pvFaultMonitor = (RTRCPTR)(RTRCUINTPTR)pvFault;
62 return VINF_PATM_CHECK_PATCH_PAGE;
63}
64
65
66/**
67 * Checks if the write is located on a page with was patched before.
68 * (if so, then we are not allowed to turn on r/w)
69 *
70 * @returns VBox status
71 * @param pVM The VM to operate on.
72 * @param pRegFrame CPU context
73 * @param GCPtr GC pointer to write address
74 * @param cbWrite Nr of bytes to write
75 *
76 */
77VMMRCDECL(int) PATMGCHandleWriteToPatchPage(PVM pVM, PCPUMCTXCORE pRegFrame, RTRCPTR GCPtr, uint32_t cbWrite)
78{
79 RTGCUINTPTR pWritePageStart, pWritePageEnd;
80 PPATMPATCHPAGE pPatchPage;
81
82 /* Quick boundary check */
83 if ( PAGE_ADDRESS(GCPtr) < PAGE_ADDRESS(pVM->patm.s.pPatchedInstrGCLowest)
84 || PAGE_ADDRESS(GCPtr) > PAGE_ADDRESS(pVM->patm.s.pPatchedInstrGCHighest)
85 )
86 return VERR_PATCH_NOT_FOUND;
87
88 STAM_PROFILE_ADV_START(&pVM->patm.s.StatPatchWriteDetect, a);
89
90 pWritePageStart = (RTRCUINTPTR)GCPtr & PAGE_BASE_GC_MASK;
91 pWritePageEnd = ((RTRCUINTPTR)GCPtr + cbWrite - 1) & PAGE_BASE_GC_MASK;
92
93 pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(CTXSUFF(&pVM->patm.s.PatchLookupTree)->PatchTreeByPage, (AVLOU32KEY)pWritePageStart);
94 if ( !pPatchPage
95 && pWritePageStart != pWritePageEnd
96 )
97 {
98 pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(CTXSUFF(&pVM->patm.s.PatchLookupTree)->PatchTreeByPage, (AVLOU32KEY)pWritePageEnd);
99 }
100
101#ifdef LOG_ENABLED
102 if (pPatchPage)
103 Log(("PATMGCHandleWriteToPatchPage: Found page %RRv for write to %RRv %d bytes (page low:high %RRv:%RRv\n", pPatchPage->Core.Key, GCPtr, cbWrite, pPatchPage->pLowestAddrGC, pPatchPage->pHighestAddrGC));
104#endif
105
106 if (pPatchPage)
107 {
108 if ( pPatchPage->pLowestAddrGC > (RTRCPTR)((RTRCUINTPTR)GCPtr + cbWrite - 1)
109 || pPatchPage->pHighestAddrGC < (RTRCPTR)GCPtr)
110 {
111 /* This part of the page was not patched; try to emulate the instruction. */
112 uint32_t cb;
113
114 LogFlow(("PATMHandleWriteToPatchPage: Interpret %x accessing %RRv\n", pRegFrame->eip, GCPtr));
115 int rc = EMInterpretInstruction(pVM, VMMGetCpu0(pVM), pRegFrame, (RTGCPTR)(RTRCUINTPTR)GCPtr, &cb);
116 if (rc == VINF_SUCCESS)
117 {
118 STAM_COUNTER_INC(&pVM->patm.s.StatPatchWriteInterpreted);
119 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatPatchWriteDetect, a);
120 return VINF_SUCCESS;
121 }
122 STAM_COUNTER_INC(&pVM->patm.s.StatPatchWriteInterpretedFailed);
123 }
124 R3PTRTYPE(PPATCHINFO) *paPatch = (R3PTRTYPE(PPATCHINFO) *)MMHyperR3ToRC(pVM, pPatchPage->aPatch);
125
126 /* Increase the invalid write counter for each patch that's registered for that page. */
127 for (uint32_t i=0;i<pPatchPage->cCount;i++)
128 {
129 PPATCHINFO pPatch = (PPATCHINFO)MMHyperR3ToRC(pVM, paPatch[i]);
130
131 pPatch->cInvalidWrites++;
132 }
133
134 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatPatchWriteDetect, a);
135 return VINF_EM_RAW_EMULATE_INSTR;
136 }
137
138 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatPatchWriteDetect, a);
139 return VERR_PATCH_NOT_FOUND;
140}
141
142
143/**
144 * Checks if the illegal instruction was caused by a patched instruction
145 *
146 * @returns VBox status
147 *
148 * @param pVM The VM handle.
149 * @param pCtxCore The relevant core context.
150 */
151VMMDECL(int) PATMGCHandleIllegalInstrTrap(PVM pVM, PCPUMCTXCORE pRegFrame)
152{
153 PPATMPATCHREC pRec;
154 int rc;
155
156 /* Very important check -> otherwise we have a security leak. */
157 AssertReturn(!pRegFrame->eflags.Bits.u1VM && (pRegFrame->ss & X86_SEL_RPL) == 1, VERR_ACCESS_DENIED);
158 Assert(PATMIsPatchGCAddr(pVM, pRegFrame->eip));
159
160 /* OP_ILLUD2 in PATM generated code? */
161 if (CTXSUFF(pVM->patm.s.pGCState)->uPendingAction)
162 {
163 LogFlow(("PATMGC: Pending action %x at %x\n", CTXSUFF(pVM->patm.s.pGCState)->uPendingAction, pRegFrame->eip));
164
165 /* Private PATM interface (@todo hack due to lack of anything generic). */
166 /* Parameters:
167 * eax = Pending action (currently PATM_ACTION_LOOKUP_ADDRESS)
168 * ecx = PATM_ACTION_MAGIC
169 */
170 if ( (pRegFrame->eax & CTXSUFF(pVM->patm.s.pGCState)->uPendingAction)
171 && pRegFrame->ecx == PATM_ACTION_MAGIC
172 )
173 {
174 CTXSUFF(pVM->patm.s.pGCState)->uPendingAction = 0;
175
176 switch (pRegFrame->eax)
177 {
178 case PATM_ACTION_LOOKUP_ADDRESS:
179 {
180 /* Parameters:
181 * edx = GC address to find
182 * edi = PATCHJUMPTABLE ptr
183 */
184 AssertMsg(!pRegFrame->edi || PATMIsPatchGCAddr(pVM, pRegFrame->edi), ("edx = %x\n", pRegFrame->edi));
185
186 Log(("PATMGC: lookup %x jump table=%x\n", pRegFrame->edx, pRegFrame->edi));
187
188 pRec = PATMQueryFunctionPatch(pVM, (RTRCPTR)(pRegFrame->edx));
189 if (pRec)
190 {
191 if (pRec->patch.uState == PATCH_ENABLED)
192 {
193 RTGCUINTPTR pRelAddr = pRec->patch.pPatchBlockOffset; /* make it relative */
194 rc = PATMAddBranchToLookupCache(pVM, (RTRCPTR)pRegFrame->edi, (RTRCPTR)pRegFrame->edx, pRelAddr);
195 if (rc == VINF_SUCCESS)
196 {
197 Log(("Patch block %RRv called as function\n", pRec->patch.pPrivInstrGC));
198 pRec->patch.flags |= PATMFL_CODE_REFERENCED;
199
200 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
201 pRegFrame->eax = pRelAddr;
202 STAM_COUNTER_INC(&pVM->patm.s.StatFunctionFound);
203 return VINF_SUCCESS;
204 }
205 AssertFailed();
206 }
207 else
208 {
209 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
210 pRegFrame->eax = 0; /* make it fault */
211 STAM_COUNTER_INC(&pVM->patm.s.StatFunctionNotFound);
212 return VINF_SUCCESS;
213 }
214 }
215 else
216 {
217 /* Check first before trying to generate a function/trampoline patch. */
218 if (pVM->patm.s.fOutOfMemory)
219 {
220 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
221 pRegFrame->eax = 0; /* make it fault */
222 STAM_COUNTER_INC(&pVM->patm.s.StatFunctionNotFound);
223 return VINF_SUCCESS;
224 }
225 STAM_COUNTER_INC(&pVM->patm.s.StatFunctionNotFound);
226 return VINF_PATM_DUPLICATE_FUNCTION;
227 }
228 }
229
230 case PATM_ACTION_DISPATCH_PENDING_IRQ:
231 /* Parameters:
232 * edi = GC address to jump to
233 */
234 Log(("PATMGC: Dispatch pending interrupt; eip=%x->%x\n", pRegFrame->eip, pRegFrame->edi));
235
236 /* Change EIP to the guest address the patch would normally jump to after setting IF. */
237 pRegFrame->eip = pRegFrame->edi;
238
239 Assert(pVM->patm.s.CTXSUFF(pGCState)->Restore.uFlags == (PATM_RESTORE_EAX|PATM_RESTORE_ECX|PATM_RESTORE_EDI));
240 Assert(pVM->patm.s.CTXSUFF(pGCState)->fPIF == 0);
241
242 pRegFrame->eax = pVM->patm.s.CTXSUFF(pGCState)->Restore.uEAX;
243 pRegFrame->ecx = pVM->patm.s.CTXSUFF(pGCState)->Restore.uECX;
244 pRegFrame->edi = pVM->patm.s.CTXSUFF(pGCState)->Restore.uEDI;
245
246 pVM->patm.s.CTXSUFF(pGCState)->Restore.uFlags = 0;
247
248 /* We are no longer executing PATM code; set PIF again. */
249 pVM->patm.s.CTXSUFF(pGCState)->fPIF = 1;
250
251 STAM_COUNTER_INC(&pVM->patm.s.StatCheckPendingIRQ);
252
253 /* The caller will call trpmGCExitTrap, which will dispatch pending interrupts for us. */
254 return VINF_SUCCESS;
255
256 case PATM_ACTION_PENDING_IRQ_AFTER_IRET:
257 /* Parameters:
258 * edi = GC address to jump to
259 */
260 Log(("PATMGC: Dispatch pending interrupt (iret); eip=%x->%x\n", pRegFrame->eip, pRegFrame->edi));
261 Assert(pVM->patm.s.CTXSUFF(pGCState)->Restore.uFlags == (PATM_RESTORE_EAX|PATM_RESTORE_ECX|PATM_RESTORE_EDI));
262 Assert(pVM->patm.s.CTXSUFF(pGCState)->fPIF == 0);
263
264 /* Change EIP to the guest address of the iret. */
265 pRegFrame->eip = pRegFrame->edi;
266
267 pRegFrame->eax = pVM->patm.s.CTXSUFF(pGCState)->Restore.uEAX;
268 pRegFrame->ecx = pVM->patm.s.CTXSUFF(pGCState)->Restore.uECX;
269 pRegFrame->edi = pVM->patm.s.CTXSUFF(pGCState)->Restore.uEDI;
270 pVM->patm.s.CTXSUFF(pGCState)->Restore.uFlags = 0;
271
272 /* We are no longer executing PATM code; set PIF again. */
273 pVM->patm.s.CTXSUFF(pGCState)->fPIF = 1;
274
275 return VINF_PATM_PENDING_IRQ_AFTER_IRET;
276
277 case PATM_ACTION_DO_V86_IRET:
278 {
279 Log(("PATMGC: Do iret to V86 code; eip=%x\n", pRegFrame->eip));
280 Assert(pVM->patm.s.CTXSUFF(pGCState)->Restore.uFlags == (PATM_RESTORE_EAX|PATM_RESTORE_ECX));
281 Assert(pVM->patm.s.CTXSUFF(pGCState)->fPIF == 0);
282
283 pRegFrame->eax = pVM->patm.s.CTXSUFF(pGCState)->Restore.uEAX;
284 pRegFrame->ecx = pVM->patm.s.CTXSUFF(pGCState)->Restore.uECX;
285 pVM->patm.s.CTXSUFF(pGCState)->Restore.uFlags = 0;
286
287 rc = EMInterpretIret(pVM, VMMGetCpu0(pVM), pRegFrame);
288 if (RT_SUCCESS(rc))
289 {
290 STAM_COUNTER_INC(&pVM->patm.s.StatEmulIret);
291
292 /* We are no longer executing PATM code; set PIF again. */
293 pVM->patm.s.CTXSUFF(pGCState)->fPIF = 1;
294 PGMRZDynMapReleaseAutoSet(VMMGetCpu0(pVM));
295 CPUMGCCallV86Code(pRegFrame);
296 /* does not return */
297 }
298 else
299 STAM_COUNTER_INC(&pVM->patm.s.StatEmulIretFailed);
300 return rc;
301 }
302
303#ifdef DEBUG
304 case PATM_ACTION_LOG_CLI:
305 Log(("PATMGC: CLI at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags) ));
306 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
307 return VINF_SUCCESS;
308
309 case PATM_ACTION_LOG_STI:
310 Log(("PATMGC: STI at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags) ));
311 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
312 return VINF_SUCCESS;
313
314 case PATM_ACTION_LOG_POPF_IF1:
315 Log(("PATMGC: POPF setting IF at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags)));
316 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
317 return VINF_SUCCESS;
318
319 case PATM_ACTION_LOG_POPF_IF0:
320 Log(("PATMGC: POPF at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags)));
321 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
322 return VINF_SUCCESS;
323
324 case PATM_ACTION_LOG_PUSHF:
325 Log(("PATMGC: PUSHF at %x (current IF=%d iopl=%d)\n", pRegFrame->eip, !!(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags & X86_EFL_IF), X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags) ));
326 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
327 return VINF_SUCCESS;
328
329 case PATM_ACTION_LOG_IF1:
330 Log(("PATMGC: IF=1 escape from %x\n", pRegFrame->eip));
331 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
332 return VINF_SUCCESS;
333
334 case PATM_ACTION_LOG_IRET:
335 {
336 char *pIretFrame = (char *)pRegFrame->edx;
337 uint32_t eip, selCS, uEFlags;
338
339 rc = MMGCRamRead(pVM, &eip, pIretFrame, 4);
340 rc |= MMGCRamRead(pVM, &selCS, pIretFrame + 4, 4);
341 rc |= MMGCRamRead(pVM, &uEFlags, pIretFrame + 8, 4);
342 if (rc == VINF_SUCCESS)
343 {
344 if ( (uEFlags & X86_EFL_VM)
345 || (selCS & X86_SEL_RPL) == 3)
346 {
347 uint32_t selSS, esp;
348
349 rc |= MMGCRamRead(pVM, &esp, pIretFrame + 12, 4);
350 rc |= MMGCRamRead(pVM, &selSS, pIretFrame + 16, 4);
351
352 if (uEFlags & X86_EFL_VM)
353 {
354 uint32_t selDS, selES, selFS, selGS;
355 rc = MMGCRamRead(pVM, &selES, pIretFrame + 20, 4);
356 rc |= MMGCRamRead(pVM, &selDS, pIretFrame + 24, 4);
357 rc |= MMGCRamRead(pVM, &selFS, pIretFrame + 28, 4);
358 rc |= MMGCRamRead(pVM, &selGS, pIretFrame + 32, 4);
359 if (rc == VINF_SUCCESS)
360 {
361 Log(("PATMGC: IRET->VM stack frame: return address %04X:%x eflags=%08x ss:esp=%04X:%x\n", selCS, eip, uEFlags, selSS, esp));
362 Log(("PATMGC: IRET->VM stack frame: DS=%04X ES=%04X FS=%04X GS=%04X\n", selDS, selES, selFS, selGS));
363 }
364 }
365 else
366 Log(("PATMGC: IRET stack frame: return address %04X:%x eflags=%08x ss:esp=%04X:%x\n", selCS, eip, uEFlags, selSS, esp));
367 }
368 else
369 Log(("PATMGC: IRET stack frame: return address %04X:%x eflags=%08x\n", selCS, eip, uEFlags));
370 }
371 Log(("PATMGC: IRET from %x (IF->1) current eflags=%x\n", pRegFrame->eip, pVM->patm.s.CTXSUFF(pGCState)->uVMFlags));
372 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
373 return VINF_SUCCESS;
374 }
375
376 case PATM_ACTION_LOG_GATE_ENTRY:
377 {
378 char *pIretFrame = (char *)pRegFrame->edx;
379 uint32_t eip, selCS, uEFlags;
380
381 rc = MMGCRamRead(pVM, &eip, pIretFrame, 4);
382 rc |= MMGCRamRead(pVM, &selCS, pIretFrame + 4, 4);
383 rc |= MMGCRamRead(pVM, &uEFlags, pIretFrame + 8, 4);
384 if (rc == VINF_SUCCESS)
385 {
386 if ( (uEFlags & X86_EFL_VM)
387 || (selCS & X86_SEL_RPL) == 3)
388 {
389 uint32_t selSS, esp;
390
391 rc |= MMGCRamRead(pVM, &esp, pIretFrame + 12, 4);
392 rc |= MMGCRamRead(pVM, &selSS, pIretFrame + 16, 4);
393
394 if (uEFlags & X86_EFL_VM)
395 {
396 uint32_t selDS, selES, selFS, selGS;
397 rc = MMGCRamRead(pVM, &selES, pIretFrame + 20, 4);
398 rc |= MMGCRamRead(pVM, &selDS, pIretFrame + 24, 4);
399 rc |= MMGCRamRead(pVM, &selFS, pIretFrame + 28, 4);
400 rc |= MMGCRamRead(pVM, &selGS, pIretFrame + 32, 4);
401 if (rc == VINF_SUCCESS)
402 {
403 Log(("PATMGC: GATE->VM stack frame: return address %04X:%x eflags=%08x ss:esp=%04X:%x\n", selCS, eip, uEFlags, selSS, esp));
404 Log(("PATMGC: GATE->VM stack frame: DS=%04X ES=%04X FS=%04X GS=%04X\n", selDS, selES, selFS, selGS));
405 }
406 }
407 else
408 Log(("PATMGC: GATE stack frame: return address %04X:%x eflags=%08x ss:esp=%04X:%x\n", selCS, eip, uEFlags, selSS, esp));
409 }
410 else
411 Log(("PATMGC: GATE stack frame: return address %04X:%x eflags=%08x\n", selCS, eip, uEFlags));
412 }
413 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
414 return VINF_SUCCESS;
415 }
416
417 case PATM_ACTION_LOG_RET:
418 Log(("PATMGC: RET from %x to %x ESP=%x iopl=%d\n", pRegFrame->eip, pRegFrame->edx, pRegFrame->ebx, X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags)));
419 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
420 return VINF_SUCCESS;
421
422 case PATM_ACTION_LOG_CALL:
423 Log(("PATMGC: CALL to %RRv return addr %RRv ESP=%x iopl=%d\n", pVM->patm.s.CTXSUFF(pGCState)->GCCallPatchTargetAddr, pVM->patm.s.CTXSUFF(pGCState)->GCCallReturnAddr, pRegFrame->edx, X86_EFL_GET_IOPL(pVM->patm.s.CTXSUFF(pGCState)->uVMFlags)));
424 pRegFrame->eip += PATM_ILLEGAL_INSTR_SIZE;
425 return VINF_SUCCESS;
426#endif
427 default:
428 AssertFailed();
429 break;
430 }
431 }
432 else
433 AssertFailed();
434 CTXSUFF(pVM->patm.s.pGCState)->uPendingAction = 0;
435 }
436 AssertMsgFailed(("Unexpected OP_ILLUD2 in patch code at %x (pending action %x)!!!!\n", pRegFrame->eip, CTXSUFF(pVM->patm.s.pGCState)->uPendingAction));
437 return VINF_EM_RAW_EMULATE_INSTR;
438}
439
440/**
441 * Checks if the int 3 was caused by a patched instruction
442 *
443 * @returns VBox status
444 *
445 * @param pVM The VM handle.
446 * @param pCtxCore The relevant core context.
447 */
448VMMDECL(int) PATMHandleInt3PatchTrap(PVM pVM, PCPUMCTXCORE pRegFrame)
449{
450 PPATMPATCHREC pRec;
451 int rc;
452
453 AssertReturn(!pRegFrame->eflags.Bits.u1VM && (pRegFrame->ss & X86_SEL_RPL) == 1, VERR_ACCESS_DENIED);
454
455 /* Int 3 in PATM generated code? (most common case) */
456 if (PATMIsPatchGCAddr(pVM, pRegFrame->eip))
457 {
458 /* @note hardcoded assumption about it being a single byte int 3 instruction. */
459 pRegFrame->eip--;
460 return VINF_PATM_PATCH_INT3;
461 }
462
463 /** @todo could use simple caching here to speed things up. */
464 pRec = (PPATMPATCHREC)RTAvloU32Get(&CTXSUFF(pVM->patm.s.PatchLookupTree)->PatchTree, (AVLOU32KEY)(pRegFrame->eip - 1)); /* eip is pointing to the instruction *after* 'int 3' already */
465 if (pRec && pRec->patch.uState == PATCH_ENABLED)
466 {
467 if (pRec->patch.flags & PATMFL_INT3_REPLACEMENT_BLOCK)
468 {
469 Assert(pRec->patch.opcode == OP_CLI);
470 /* This is a special cli block that was turned into an int 3 patch. We jump to the generated code manually. */
471 pRegFrame->eip = (uint32_t)PATCHCODE_PTR_GC(&pRec->patch);
472 STAM_COUNTER_INC(&pVM->patm.s.StatInt3BlockRun);
473 return VINF_SUCCESS;
474 }
475 else
476 if (pRec->patch.flags & PATMFL_INT3_REPLACEMENT)
477 {
478 uint32_t size, cbOp;
479 DISCPUSTATE cpu;
480
481 /* eip is pointing to the instruction *after* 'int 3' already */
482 pRegFrame->eip = pRegFrame->eip - 1;
483
484 PATM_STAT_RUN_INC(&pRec->patch);
485
486 Log(("PATMHandleInt3PatchTrap found int3 for %s at %x\n", patmGetInstructionString(pRec->patch.opcode, 0), pRegFrame->eip));
487
488 switch(pRec->patch.opcode)
489 {
490 case OP_CPUID:
491 case OP_IRET:
492 break;
493
494 case OP_STR:
495 case OP_SGDT:
496 case OP_SLDT:
497 case OP_SIDT:
498 case OP_LSL:
499 case OP_LAR:
500 case OP_SMSW:
501 case OP_VERW:
502 case OP_VERR:
503 default:
504 PATM_STAT_FAULT_INC(&pRec->patch);
505 pRec->patch.cTraps++;
506 return VINF_EM_RAW_EMULATE_INSTR;
507 }
508
509 cpu.mode = SELMGetCpuModeFromSelector(pVM, pRegFrame->eflags, pRegFrame->cs, 0);
510 if(cpu.mode != CPUMODE_32BIT)
511 {
512 AssertFailed();
513 return VINF_EM_RAW_EMULATE_INSTR;
514 }
515 rc = DISCoreOne(&cpu, (uintptr_t)&pRec->patch.aPrivInstr[0], &cbOp);
516 if (RT_FAILURE(rc))
517 {
518 Log(("DISCoreOne failed with %Rrc\n", rc));
519 PATM_STAT_FAULT_INC(&pRec->patch);
520 pRec->patch.cTraps++;
521 return VINF_EM_RAW_EMULATE_INSTR;
522 }
523
524 rc = EMInterpretInstructionCPU(pVM, VMMGetCpu0(pVM), &cpu, pRegFrame, 0 /* not relevant here */,
525 EMCODETYPE_SUPERVISOR, &size);
526 if (rc != VINF_SUCCESS)
527 {
528 Log(("EMInterpretInstructionCPU failed with %Rrc\n", rc));
529 PATM_STAT_FAULT_INC(&pRec->patch);
530 pRec->patch.cTraps++;
531 return VINF_EM_RAW_EMULATE_INSTR;
532 }
533
534 pRegFrame->eip += cpu.opsize;
535 return VINF_SUCCESS;
536 }
537 }
538 return VERR_PATCH_NOT_FOUND;
539}
540
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette