VirtualBox

source: vbox/trunk/src/VBox/VMM/PATM/PATM.cpp@ 24436

Last change on this file since 24436 was 23107, checked in by vboxsync, 15 years ago

Backed out 52463

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 243.4 KB
Line 
1/* $Id: PATM.cpp 23107 2009-09-17 16:19:58Z vboxsync $ */
2/** @file
3 * PATM - Dynamic Guest OS Patching Manager
4 *
5 * NOTE: Never ever reuse patch memory!!
6 */
7
8/*
9 * Copyright (C) 2006-2007 Sun Microsystems, Inc.
10 *
11 * This file is part of VirtualBox Open Source Edition (OSE), as
12 * available from http://www.virtualbox.org. This file is free software;
13 * you can redistribute it and/or modify it under the terms of the GNU
14 * General Public License (GPL) as published by the Free Software
15 * Foundation, in version 2 as it comes in the "COPYING" file of the
16 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
17 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
18 *
19 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa
20 * Clara, CA 95054 USA or visit http://www.sun.com if you need
21 * additional information or have any questions.
22 */
23
24/*******************************************************************************
25* Header Files *
26*******************************************************************************/
27#define LOG_GROUP LOG_GROUP_PATM
28#include <VBox/patm.h>
29#include <VBox/stam.h>
30#include <VBox/pgm.h>
31#include <VBox/cpum.h>
32#include <VBox/cpumdis.h>
33#include <VBox/iom.h>
34#include <VBox/sup.h>
35#include <VBox/mm.h>
36#include <VBox/ssm.h>
37#include <VBox/pdm.h>
38#include <VBox/trpm.h>
39#include <VBox/cfgm.h>
40#include <VBox/param.h>
41#include <VBox/selm.h>
42#include <iprt/avl.h>
43#include "PATMInternal.h"
44#include "PATMPatch.h"
45#include <VBox/vm.h>
46#include <VBox/csam.h>
47
48#include <VBox/dbg.h>
49#include <VBox/err.h>
50#include <VBox/log.h>
51#include <iprt/assert.h>
52#include <iprt/asm.h>
53#include <VBox/dis.h>
54#include <VBox/disopcode.h>
55
56#include <iprt/string.h>
57#include "PATMA.h"
58
59//#define PATM_REMOVE_PATCH_ON_TOO_MANY_TRAPS
60//#define PATM_DISABLE_ALL
61
62/*******************************************************************************
63* Internal Functions *
64*******************************************************************************/
65
66static int patmDisableUnusablePatch(PVM pVM, RTRCPTR pInstrGC, RTRCPTR pConflictAddr, PPATCHINFO pPatch);
67static int patmActivateInt3Patch(PVM pVM, PPATCHINFO pPatch);
68static int patmDeactivateInt3Patch(PVM pVM, PPATCHINFO pPatch);
69
70#ifdef LOG_ENABLED // keep gcc quiet
71static bool patmIsCommonIDTHandlerPatch(PVM pVM, RTRCPTR pInstrGC);
72#endif
73#ifdef VBOX_WITH_STATISTICS
74static const char *PATMPatchType(PVM pVM, PPATCHINFO pPatch);
75static void patmResetStat(PVM pVM, void *pvSample);
76static void patmPrintStat(PVM pVM, void *pvSample, char *pszBuf, size_t cchBuf);
77#endif
78
79#define patmPatchHCPtr2PatchGCPtr(pVM, pHC) (pVM->patm.s.pPatchMemGC + (pHC - pVM->patm.s.pPatchMemHC))
80#define patmPatchGCPtr2PatchHCPtr(pVM, pGC) (pVM->patm.s.pPatchMemHC + (pGC - pVM->patm.s.pPatchMemGC))
81
82static int patmReinit(PVM pVM);
83static DECLCALLBACK(int) RelocatePatches(PAVLOU32NODECORE pNode, void *pParam);
84
85#ifdef VBOX_WITH_DEBUGGER
86static DECLCALLBACK(int) DisableAllPatches(PAVLOU32NODECORE pNode, void *pVM);
87static DECLCALLBACK(int) patmr3CmdOn(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult);
88static DECLCALLBACK(int) patmr3CmdOff(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult);
89
90/** Command descriptors. */
91static const DBGCCMD g_aCmds[] =
92{
93 /* pszCmd, cArgsMin, cArgsMax, paArgDesc, cArgDescs, pResultDesc, fFlags, pfnHandler pszSyntax, ....pszDescription */
94 { "patmon", 0, 0, NULL, 0, NULL, 0, patmr3CmdOn, "", "Enable patching." },
95 { "patmoff", 0, 0, NULL, 0, NULL, 0, patmr3CmdOff, "", "Disable patching." },
96};
97#endif
98
99/* Don't want to break saved states, so put it here as a global variable. */
100static unsigned int cIDTHandlersDisabled = 0;
101
102/**
103 * Initializes the PATM.
104 *
105 * @returns VBox status code.
106 * @param pVM The VM to operate on.
107 */
108VMMR3DECL(int) PATMR3Init(PVM pVM)
109{
110 int rc;
111
112 Log(("PATMR3Init: Patch record size %d\n", sizeof(PATCHINFO)));
113
114 /* These values can't change as they are hardcoded in patch code (old saved states!) */
115 AssertCompile(VMCPU_FF_TIMER == RT_BIT_32(2));
116 AssertCompile(VM_FF_REQUEST == VMCPU_FF_REQUEST);
117 AssertCompile(VMCPU_FF_INTERRUPT_APIC == RT_BIT_32(0));
118 AssertCompile(VMCPU_FF_INTERRUPT_PIC == RT_BIT_32(1));
119
120 AssertReleaseMsg(PATMInterruptFlag == (VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC | VMCPU_FF_TIMER | VMCPU_FF_REQUEST),
121 ("Interrupt flags out of sync!! PATMInterruptFlag=%#x expected %#x. broken assembler?\n", PATMInterruptFlag, VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC | VMCPU_FF_TIMER | VMCPU_FF_REQUEST));
122
123 /* Allocate patch memory and GC patch state memory. */
124 pVM->patm.s.cbPatchMem = PATCH_MEMORY_SIZE;
125 /* Add another page in case the generated code is much larger than expected. */
126 /** @todo bad safety precaution */
127 rc = MMR3HyperAllocOnceNoRel(pVM, PATCH_MEMORY_SIZE + PAGE_SIZE + PATM_STACK_TOTAL_SIZE + PAGE_SIZE + PATM_STAT_MEMSIZE, PAGE_SIZE, MM_TAG_PATM, (void **)&pVM->patm.s.pPatchMemHC);
128 if (RT_FAILURE(rc))
129 {
130 Log(("MMHyperAlloc failed with %Rrc\n", rc));
131 return rc;
132 }
133 pVM->patm.s.pPatchMemGC = MMHyperR3ToRC(pVM, pVM->patm.s.pPatchMemHC);
134
135 /* PATM stack page for call instruction execution. (2 parts: one for our private stack and one to store the original return address */
136 pVM->patm.s.pGCStackHC = (RTRCPTR *)(pVM->patm.s.pPatchMemHC + PATCH_MEMORY_SIZE + PAGE_SIZE);
137 pVM->patm.s.pGCStackGC = MMHyperR3ToRC(pVM, pVM->patm.s.pGCStackHC);
138
139 /*
140 * Hypervisor memory for GC status data (read/write)
141 *
142 * Note1: This is non-critical data; if trashed by the guest, then it will only cause problems for itself
143 * Note2: This doesn't really belong here, but we need access to it for relocation purposes
144 *
145 */
146 Assert(sizeof(PATMGCSTATE) < PAGE_SIZE); /** @note hardcoded dependencies on this exist. */
147 pVM->patm.s.pGCStateHC = (PPATMGCSTATE)((uint8_t *)pVM->patm.s.pGCStackHC + PATM_STACK_TOTAL_SIZE);
148 pVM->patm.s.pGCStateGC = MMHyperR3ToRC(pVM, pVM->patm.s.pGCStateHC);
149
150 /* Hypervisor memory for patch statistics */
151 pVM->patm.s.pStatsHC = (PSTAMRATIOU32)((uint8_t *)pVM->patm.s.pGCStateHC + PAGE_SIZE);
152 pVM->patm.s.pStatsGC = MMHyperR3ToRC(pVM, pVM->patm.s.pStatsHC);
153
154 /* Memory for patch lookup trees. */
155 rc = MMHyperAlloc(pVM, sizeof(*pVM->patm.s.PatchLookupTreeHC), 0, MM_TAG_PATM, (void **)&pVM->patm.s.PatchLookupTreeHC);
156 AssertRCReturn(rc, rc);
157 pVM->patm.s.PatchLookupTreeGC = MMHyperR3ToRC(pVM, pVM->patm.s.PatchLookupTreeHC);
158
159#ifdef RT_ARCH_AMD64 /* see patmReinit(). */
160 /* Check CFGM option. */
161 rc = CFGMR3QueryBool(CFGMR3GetRoot(pVM), "PATMEnabled", &pVM->fPATMEnabled);
162 if (RT_FAILURE(rc))
163# ifdef PATM_DISABLE_ALL
164 pVM->fPATMEnabled = false;
165# else
166 pVM->fPATMEnabled = true;
167# endif
168#endif
169
170 rc = patmReinit(pVM);
171 AssertRC(rc);
172 if (RT_FAILURE(rc))
173 return rc;
174
175 /*
176 * Register save and load state notificators.
177 */
178 rc = SSMR3RegisterInternal(pVM, "PATM", 0, PATM_SSM_VERSION, sizeof(pVM->patm.s) + PATCH_MEMORY_SIZE + PAGE_SIZE + PATM_STACK_TOTAL_SIZE + PAGE_SIZE,
179 NULL, NULL, NULL,
180 NULL, patmR3Save, NULL,
181 NULL, patmR3Load, NULL);
182 AssertRCReturn(rc, rc);
183
184#ifdef VBOX_WITH_DEBUGGER
185 /*
186 * Debugger commands.
187 */
188 static bool fRegisteredCmds = false;
189 if (!fRegisteredCmds)
190 {
191 int rc = DBGCRegisterCommands(&g_aCmds[0], RT_ELEMENTS(g_aCmds));
192 if (RT_SUCCESS(rc))
193 fRegisteredCmds = true;
194 }
195#endif
196
197#ifdef VBOX_WITH_STATISTICS
198 STAM_REG(pVM, &pVM->patm.s.StatNrOpcodeRead, STAMTYPE_COUNTER, "/PATM/OpcodeBytesRead", STAMUNIT_OCCURENCES, "The number of opcode bytes read by the recompiler.");
199 STAM_REG(pVM, &pVM->patm.s.StatPATMMemoryUsed,STAMTYPE_COUNTER, "/PATM/MemoryUsed", STAMUNIT_OCCURENCES, "The amount of hypervisor heap used for patches.");
200 STAM_REG(pVM, &pVM->patm.s.StatDisabled, STAMTYPE_COUNTER, "/PATM/Patch/Disabled", STAMUNIT_OCCURENCES, "Number of times patches were disabled.");
201 STAM_REG(pVM, &pVM->patm.s.StatEnabled, STAMTYPE_COUNTER, "/PATM/Patch/Enabled", STAMUNIT_OCCURENCES, "Number of times patches were enabled.");
202 STAM_REG(pVM, &pVM->patm.s.StatDirty, STAMTYPE_COUNTER, "/PATM/Patch/Dirty", STAMUNIT_OCCURENCES, "Number of times patches were marked dirty.");
203 STAM_REG(pVM, &pVM->patm.s.StatUnusable, STAMTYPE_COUNTER, "/PATM/Patch/Unusable", STAMUNIT_OCCURENCES, "Number of unusable patches (conflicts).");
204 STAM_REG(pVM, &pVM->patm.s.StatInstalled, STAMTYPE_COUNTER, "/PATM/Patch/Installed", STAMUNIT_OCCURENCES, "Number of installed patches.");
205 STAM_REG(pVM, &pVM->patm.s.StatInt3Callable, STAMTYPE_COUNTER, "/PATM/Patch/Int3Callable", STAMUNIT_OCCURENCES, "Number of cli patches turned into int3 patches.");
206
207 STAM_REG(pVM, &pVM->patm.s.StatInt3BlockRun, STAMTYPE_COUNTER, "/PATM/Patch/Run/Int3", STAMUNIT_OCCURENCES, "Number of times an int3 block patch was executed.");
208 STAMR3RegisterF(pVM, &pVM->patm.s.pGCStateHC->uPatchCalls, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Patch/Run/Normal");
209
210 STAM_REG(pVM, &pVM->patm.s.StatInstalledFunctionPatches, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Function", STAMUNIT_OCCURENCES, "Number of installed function duplication patches.");
211 STAM_REG(pVM, &pVM->patm.s.StatInstalledTrampoline, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Trampoline", STAMUNIT_OCCURENCES, "Number of installed trampoline patches.");
212 STAM_REG(pVM, &pVM->patm.s.StatInstalledJump, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Jump", STAMUNIT_OCCURENCES, "Number of installed jump patches.");
213
214 STAM_REG(pVM, &pVM->patm.s.StatOverwritten, STAMTYPE_COUNTER, "/PATM/Patch/Overwritten", STAMUNIT_OCCURENCES, "Number of overwritten patches.");
215 STAM_REG(pVM, &pVM->patm.s.StatFixedConflicts,STAMTYPE_COUNTER, "/PATM/Patch/ConflictFixed", STAMUNIT_OCCURENCES, "Number of fixed conflicts.");
216 STAM_REG(pVM, &pVM->patm.s.StatFlushed, STAMTYPE_COUNTER, "/PATM/Patch/Flushed", STAMUNIT_OCCURENCES, "Number of flushes of pages with patch jumps.");
217 STAM_REG(pVM, &pVM->patm.s.StatMonitored, STAMTYPE_COUNTER, "/PATM/Patch/Monitored", STAMUNIT_OCCURENCES, "Number of patches in monitored patch pages.");
218 STAM_REG(pVM, &pVM->patm.s.StatPageBoundaryCrossed, STAMTYPE_COUNTER, "/PATM/Patch/BoundaryCross", STAMUNIT_OCCURENCES, "Number of refused patches due to patch jump crossing page boundary.");
219
220 STAM_REG(pVM, &pVM->patm.s.StatHandleTrap, STAMTYPE_PROFILE, "/PATM/HandleTrap", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMR3HandleTrap");
221 STAM_REG(pVM, &pVM->patm.s.StatPushTrap, STAMTYPE_COUNTER, "/PATM/HandleTrap/PushWP", STAMUNIT_OCCURENCES, "Number of traps due to monitored stack pages.");
222
223 STAM_REG(pVM, &pVM->patm.s.StatSwitchBack, STAMTYPE_COUNTER, "/PATM/SwitchBack", STAMUNIT_OCCURENCES, "Switch back to original guest code when IF=1 & executing PATM instructions");
224 STAM_REG(pVM, &pVM->patm.s.StatSwitchBackFail,STAMTYPE_COUNTER, "/PATM/SwitchBackFail", STAMUNIT_OCCURENCES, "Failed switch back to original guest code when IF=1 & executing PATM instructions");
225
226 STAM_REG(pVM, &pVM->patm.s.StatDuplicateREQFailed, STAMTYPE_COUNTER, "/PATM/Function/DupREQ/Failed", STAMUNIT_OCCURENCES, "Nr of failed PATMR3DuplicateFunctionRequest calls");
227 STAM_REG(pVM, &pVM->patm.s.StatDuplicateREQSuccess, STAMTYPE_COUNTER, "/PATM/Function/DupREQ/Success", STAMUNIT_OCCURENCES, "Nr of successful PATMR3DuplicateFunctionRequest calls");
228 STAM_REG(pVM, &pVM->patm.s.StatDuplicateUseExisting,STAMTYPE_COUNTER, "/PATM/Function/DupREQ/UseExist", STAMUNIT_OCCURENCES, "Nr of successful PATMR3DuplicateFunctionRequest calls when using an existing patch");
229
230 STAM_REG(pVM, &pVM->patm.s.StatFunctionLookupInsert, STAMTYPE_COUNTER, "/PATM/Function/Lookup/Insert", STAMUNIT_OCCURENCES, "Nr of successful function address insertions");
231 STAM_REG(pVM, &pVM->patm.s.StatFunctionLookupReplace, STAMTYPE_COUNTER, "/PATM/Function/Lookup/Replace", STAMUNIT_OCCURENCES, "Nr of successful function address replacements");
232 STAM_REG(pVM, &pVM->patm.s.StatU32FunctionMaxSlotsUsed, STAMTYPE_U32_RESET,"/PATM/Function/Lookup/MaxSlots", STAMUNIT_OCCURENCES, "Maximum nr of lookup slots used in all call patches");
233
234 STAM_REG(pVM, &pVM->patm.s.StatFunctionFound, STAMTYPE_COUNTER, "/PATM/Function/Found", STAMUNIT_OCCURENCES, "Nr of successful function patch lookups in GC");
235 STAM_REG(pVM, &pVM->patm.s.StatFunctionNotFound, STAMTYPE_COUNTER, "/PATM/Function/NotFound", STAMUNIT_OCCURENCES, "Nr of failed function patch lookups in GC");
236
237 STAM_REG(pVM, &pVM->patm.s.StatPatchWrite, STAMTYPE_PROFILE, "/PATM/Write/Handle", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMR3PatchWrite");
238 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteDetect, STAMTYPE_PROFILE, "/PATM/Write/Detect", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMIsWriteToPatchPage");
239 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteInterpreted, STAMTYPE_COUNTER, "/PATM/Write/Interpreted/Success", STAMUNIT_OCCURENCES, "Nr of interpreted patch writes.");
240 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteInterpretedFailed, STAMTYPE_COUNTER, "/PATM/Write/Interpreted/Failed", STAMUNIT_OCCURENCES, "Nr of failed interpreted patch writes.");
241
242 STAM_REG(pVM, &pVM->patm.s.StatPatchRefreshSuccess, STAMTYPE_COUNTER, "/PATM/Refresh/Success", STAMUNIT_OCCURENCES, "Successful patch refreshes");
243 STAM_REG(pVM, &pVM->patm.s.StatPatchRefreshFailed, STAMTYPE_COUNTER, "/PATM/Refresh/Failure", STAMUNIT_OCCURENCES, "Failed patch refreshes");
244
245 STAM_REG(pVM, &pVM->patm.s.StatPatchPageInserted, STAMTYPE_COUNTER, "/PATM/Page/Inserted", STAMUNIT_OCCURENCES, "Nr of inserted guest pages that were patched");
246 STAM_REG(pVM, &pVM->patm.s.StatPatchPageRemoved, STAMTYPE_COUNTER, "/PATM/Page/Removed", STAMUNIT_OCCURENCES, "Nr of removed guest pages that were patched");
247
248 STAM_REG(pVM, &pVM->patm.s.StatInstrDirty, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Detected", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty.");
249 STAM_REG(pVM, &pVM->patm.s.StatInstrDirtyGood, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Corrected", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty and corrected later on.");
250 STAM_REG(pVM, &pVM->patm.s.StatInstrDirtyBad, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Failed", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty and we were not able to correct them.");
251
252 STAM_REG(pVM, &pVM->patm.s.StatSysEnter, STAMTYPE_COUNTER, "/PATM/Emul/SysEnter", STAMUNIT_OCCURENCES, "Number of times sysenter was emulated.");
253 STAM_REG(pVM, &pVM->patm.s.StatSysExit, STAMTYPE_COUNTER, "/PATM/Emul/SysExit" , STAMUNIT_OCCURENCES, "Number of times sysexit was emulated.");
254 STAM_REG(pVM, &pVM->patm.s.StatEmulIret, STAMTYPE_COUNTER, "/PATM/Emul/Iret/Success", STAMUNIT_OCCURENCES, "Number of times iret was emulated.");
255 STAM_REG(pVM, &pVM->patm.s.StatEmulIretFailed, STAMTYPE_COUNTER, "/PATM/Emul/Iret/Failed", STAMUNIT_OCCURENCES, "Number of times iret was emulated.");
256
257 STAM_REG(pVM, &pVM->patm.s.StatGenRet, STAMTYPE_COUNTER, "/PATM/Gen/Ret" , STAMUNIT_OCCURENCES, "Number of generated ret instructions.");
258 STAM_REG(pVM, &pVM->patm.s.StatGenRetReused, STAMTYPE_COUNTER, "/PATM/Gen/RetReused" , STAMUNIT_OCCURENCES, "Number of reused ret instructions.");
259 STAM_REG(pVM, &pVM->patm.s.StatGenCall, STAMTYPE_COUNTER, "/PATM/Gen/Call", STAMUNIT_OCCURENCES, "Number of generated call instructions.");
260 STAM_REG(pVM, &pVM->patm.s.StatGenJump, STAMTYPE_COUNTER, "/PATM/Gen/Jmp" , STAMUNIT_OCCURENCES, "Number of generated indirect jump instructions.");
261 STAM_REG(pVM, &pVM->patm.s.StatGenPopf, STAMTYPE_COUNTER, "/PATM/Gen/Popf" , STAMUNIT_OCCURENCES, "Number of generated popf instructions.");
262
263 STAM_REG(pVM, &pVM->patm.s.StatCheckPendingIRQ, STAMTYPE_COUNTER, "/PATM/GC/CheckIRQ" , STAMUNIT_OCCURENCES, "Number of traps that ask to check for pending irqs.");
264#endif /* VBOX_WITH_STATISTICS */
265
266 Log(("PATMCallRecord.size %d\n", PATMCallRecord.size));
267 Log(("PATMCallIndirectRecord.size %d\n", PATMCallIndirectRecord.size));
268 Log(("PATMRetRecord.size %d\n", PATMRetRecord.size));
269 Log(("PATMJumpIndirectRecord.size %d\n", PATMJumpIndirectRecord.size));
270 Log(("PATMPopf32Record.size %d\n", PATMPopf32Record.size));
271 Log(("PATMIretRecord.size %d\n", PATMIretRecord.size));
272 Log(("PATMStiRecord.size %d\n", PATMStiRecord.size));
273 Log(("PATMCheckIFRecord.size %d\n", PATMCheckIFRecord.size));
274
275 return rc;
276}
277
278/**
279 * Finalizes HMA page attributes.
280 *
281 * @returns VBox status code.
282 * @param pVM The VM handle.
283 */
284VMMR3DECL(int) PATMR3InitFinalize(PVM pVM)
285{
286 /* The GC state, stack and statistics must be read/write for the guest (supervisor only of course). */
287 int rc = PGMMapSetPage(pVM, pVM->patm.s.pGCStateGC, PAGE_SIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
288 if (RT_FAILURE(rc))
289 Log(("PATMR3InitFinalize: PGMMapSetPage failed with %Rrc!!\n", rc));
290
291 rc = PGMMapSetPage(pVM, pVM->patm.s.pGCStackGC, PATM_STACK_TOTAL_SIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
292 if (RT_FAILURE(rc))
293 Log(("PATMR3InitFinalize: PGMMapSetPage failed with %Rrc!!\n", rc));
294
295 rc = PGMMapSetPage(pVM, pVM->patm.s.pStatsGC, PATM_STAT_MEMSIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
296 if (RT_FAILURE(rc))
297 Log(("PATMR3InitFinalize: PGMMapSetPage failed with %Rrc!!\n", rc));
298
299 return rc;
300}
301
302/**
303 * (Re)initializes PATM
304 *
305 * @param pVM The VM.
306 */
307static int patmReinit(PVM pVM)
308{
309 int rc;
310
311 /*
312 * Assert alignment and sizes.
313 */
314 AssertRelease(!(RT_OFFSETOF(VM, patm.s) & 31));
315 AssertRelease(sizeof(pVM->patm.s) <= sizeof(pVM->patm.padding));
316
317 /*
318 * Setup any fixed pointers and offsets.
319 */
320 pVM->patm.s.offVM = RT_OFFSETOF(VM, patm);
321
322#ifndef RT_ARCH_AMD64 /* would be nice if this was changed everywhere. was driving me crazy on AMD64. */
323#ifndef PATM_DISABLE_ALL
324 pVM->fPATMEnabled = true;
325#endif
326#endif
327
328 Assert(pVM->patm.s.pGCStateHC);
329 memset(pVM->patm.s.pGCStateHC, 0, PAGE_SIZE);
330 AssertReleaseMsg(pVM->patm.s.pGCStateGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pGCStateGC));
331
332 Log(("Patch memory allocated at %p - %RRv\n", pVM->patm.s.pPatchMemHC, pVM->patm.s.pPatchMemGC));
333 pVM->patm.s.pGCStateHC->uVMFlags = X86_EFL_IF;
334
335 Assert(pVM->patm.s.pGCStackHC);
336 memset(pVM->patm.s.pGCStackHC, 0, PAGE_SIZE);
337 AssertReleaseMsg(pVM->patm.s.pGCStackGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pGCStackGC));
338 pVM->patm.s.pGCStateHC->Psp = PATM_STACK_SIZE;
339 pVM->patm.s.pGCStateHC->fPIF = 1; /* PATM Interrupt Flag */
340
341 Assert(pVM->patm.s.pStatsHC);
342 memset(pVM->patm.s.pStatsHC, 0, PATM_STAT_MEMSIZE);
343 AssertReleaseMsg(pVM->patm.s.pStatsGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pStatsGC));
344
345 Assert(pVM->patm.s.pPatchMemHC);
346 Assert(pVM->patm.s.pPatchMemGC = MMHyperR3ToRC(pVM, pVM->patm.s.pPatchMemHC));
347 memset(pVM->patm.s.pPatchMemHC, 0, PATCH_MEMORY_SIZE);
348 AssertReleaseMsg(pVM->patm.s.pPatchMemGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pPatchMemHC));
349
350 /* Needed for future patching of sldt/sgdt/sidt/str etc. */
351 pVM->patm.s.pCPUMCtxGC = VM_RC_ADDR(pVM, CPUMQueryGuestCtxPtr(VMMGetCpu(pVM)));
352
353 Assert(pVM->patm.s.PatchLookupTreeHC);
354 Assert(pVM->patm.s.PatchLookupTreeGC == MMHyperR3ToRC(pVM, pVM->patm.s.PatchLookupTreeHC));
355
356 /*
357 * (Re)Initialize PATM structure
358 */
359 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTree);
360 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr);
361 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage);
362 pVM->patm.s.offPatchMem = 16; /* don't start with zero here */
363 pVM->patm.s.uCurrentPatchIdx = 1; /* Index zero is a dummy */
364 pVM->patm.s.pvFaultMonitor = 0;
365 pVM->patm.s.deltaReloc = 0;
366
367 /* Lowest and highest patched instruction */
368 pVM->patm.s.pPatchedInstrGCLowest = ~0;
369 pVM->patm.s.pPatchedInstrGCHighest = 0;
370
371 pVM->patm.s.PatchLookupTreeHC->PatchTree = 0;
372 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr = 0;
373 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage = 0;
374
375 pVM->patm.s.pfnSysEnterPatchGC = 0;
376 pVM->patm.s.pfnSysEnterGC = 0;
377
378 pVM->patm.s.fOutOfMemory = false;
379
380 pVM->patm.s.pfnHelperCallGC = 0;
381
382 /* Generate all global functions to be used by future patches. */
383 /* We generate a fake patch in order to use the existing code for relocation. */
384 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHREC), 0, MM_TAG_PATM_PATCH, (void **)&pVM->patm.s.pGlobalPatchRec);
385 if (RT_FAILURE(rc))
386 {
387 Log(("Out of memory!!!!\n"));
388 return VERR_NO_MEMORY;
389 }
390 pVM->patm.s.pGlobalPatchRec->patch.flags = PATMFL_GLOBAL_FUNCTIONS;
391 pVM->patm.s.pGlobalPatchRec->patch.uState = PATCH_ENABLED;
392 pVM->patm.s.pGlobalPatchRec->patch.pPatchBlockOffset = pVM->patm.s.offPatchMem;
393
394 rc = patmPatchGenGlobalFunctions(pVM, &pVM->patm.s.pGlobalPatchRec->patch);
395 AssertRC(rc);
396
397 /* Update free pointer in patch memory. */
398 pVM->patm.s.offPatchMem += pVM->patm.s.pGlobalPatchRec->patch.uCurPatchOffset;
399 /* Round to next 8 byte boundary. */
400 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
401 return rc;
402}
403
404
405/**
406 * Applies relocations to data and code managed by this
407 * component. This function will be called at init and
408 * whenever the VMM need to relocate it self inside the GC.
409 *
410 * The PATM will update the addresses used by the switcher.
411 *
412 * @param pVM The VM.
413 */
414VMMR3DECL(void) PATMR3Relocate(PVM pVM)
415{
416 RTRCPTR GCPtrNew = MMHyperR3ToRC(pVM, pVM->patm.s.pGCStateHC);
417 RTRCINTPTR delta = GCPtrNew - pVM->patm.s.pGCStateGC;
418
419 Log(("PATMR3Relocate from %RRv to %RRv - delta %08X\n", pVM->patm.s.pGCStateGC, GCPtrNew, delta));
420 if (delta)
421 {
422 PCPUMCTX pCtx;
423
424 /* Update CPUMCTX guest context pointer. */
425 pVM->patm.s.pCPUMCtxGC += delta;
426
427 pVM->patm.s.deltaReloc = delta;
428
429 RTAvloU32DoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, RelocatePatches, (void *)pVM);
430
431 pCtx = CPUMQueryGuestCtxPtr(VMMGetCpu(pVM));
432
433 /* If we are running patch code right now, then also adjust EIP. */
434 if (PATMIsPatchGCAddr(pVM, pCtx->eip))
435 pCtx->eip += delta;
436
437 pVM->patm.s.pGCStateGC = GCPtrNew;
438 pVM->patm.s.pPatchMemGC = MMHyperR3ToRC(pVM, pVM->patm.s.pPatchMemHC);
439
440 pVM->patm.s.pGCStackGC = MMHyperR3ToRC(pVM, pVM->patm.s.pGCStackHC);
441
442 pVM->patm.s.pStatsGC = MMHyperR3ToRC(pVM, pVM->patm.s.pStatsHC);
443
444 pVM->patm.s.PatchLookupTreeGC = MMHyperR3ToRC(pVM, pVM->patm.s.PatchLookupTreeHC);
445
446 if (pVM->patm.s.pfnSysEnterPatchGC)
447 pVM->patm.s.pfnSysEnterPatchGC += delta;
448
449 /* Deal with the global patch functions. */
450 pVM->patm.s.pfnHelperCallGC += delta;
451 pVM->patm.s.pfnHelperRetGC += delta;
452 pVM->patm.s.pfnHelperIretGC += delta;
453 pVM->patm.s.pfnHelperJumpGC += delta;
454
455 RelocatePatches(&pVM->patm.s.pGlobalPatchRec->Core, (void *)pVM);
456 }
457}
458
459
460/**
461 * Terminates the PATM.
462 *
463 * Termination means cleaning up and freeing all resources,
464 * the VM it self is at this point powered off or suspended.
465 *
466 * @returns VBox status code.
467 * @param pVM The VM to operate on.
468 */
469VMMR3DECL(int) PATMR3Term(PVM pVM)
470{
471 /* Memory was all allocated from the two MM heaps and requires no freeing. */
472 return VINF_SUCCESS;
473}
474
475
476/**
477 * PATM reset callback.
478 *
479 * @returns VBox status code.
480 * @param pVM The VM which is reset.
481 */
482VMMR3DECL(int) PATMR3Reset(PVM pVM)
483{
484 Log(("PATMR3Reset\n"));
485
486 /* Free all patches. */
487 while (true)
488 {
489 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloU32RemoveBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, 0, true);
490 if (pPatchRec)
491 {
492 PATMRemovePatch(pVM, pPatchRec, true);
493 }
494 else
495 break;
496 }
497 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage);
498 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTree);
499 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr = 0;
500 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage = 0;
501
502 int rc = patmReinit(pVM);
503 if (RT_SUCCESS(rc))
504 rc = PATMR3InitFinalize(pVM); /* paranoia */
505
506 return rc;
507}
508
509/**
510 * Read callback for disassembly function; supports reading bytes that cross a page boundary
511 *
512 * @returns VBox status code.
513 * @param pSrc GC source pointer
514 * @param pDest HC destination pointer
515 * @param size Number of bytes to read
516 * @param pvUserdata Callback specific user data (pCpu)
517 *
518 */
519int patmReadBytes(RTUINTPTR pSrc, uint8_t *pDest, unsigned size, void *pvUserdata)
520{
521 DISCPUSTATE *pCpu = (DISCPUSTATE *)pvUserdata;
522 PATMDISASM *pDisInfo = (PATMDISASM *)pCpu->apvUserData[0];
523 int orgsize = size;
524
525 Assert(size);
526 if (size == 0)
527 return VERR_INVALID_PARAMETER;
528
529 /*
530 * Trap/interrupt handler typically call common code on entry. Which might already have patches inserted.
531 * As we currently don't support calling patch code from patch code, we'll let it read the original opcode bytes instead.
532 */
533 /** @todo could change in the future! */
534 if (pDisInfo->fReadFlags & PATMREAD_ORGCODE)
535 {
536 for (int i=0;i<orgsize;i++)
537 {
538 int rc = PATMR3QueryOpcode(pDisInfo->pVM, (RTRCPTR)pSrc, pDest);
539 if (RT_SUCCESS(rc))
540 {
541 pSrc++;
542 pDest++;
543 size--;
544 }
545 else break;
546 }
547 if (size == 0)
548 return VINF_SUCCESS;
549#ifdef VBOX_STRICT
550 if ( !(pDisInfo->pPatchInfo->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER))
551 && !(pDisInfo->fReadFlags & PATMREAD_NOCHECK))
552 {
553 Assert(PATMR3IsInsidePatchJump(pDisInfo->pVM, pSrc, NULL) == false);
554 Assert(PATMR3IsInsidePatchJump(pDisInfo->pVM, pSrc+size-1, NULL) == false);
555 }
556#endif
557 }
558
559
560 if (PAGE_ADDRESS(pDisInfo->pInstrGC) != PAGE_ADDRESS(pSrc + size - 1) && !PATMIsPatchGCAddr(pDisInfo->pVM, pSrc))
561 {
562 return PGMPhysSimpleReadGCPtr(&pDisInfo->pVM->aCpus[0], pDest, pSrc, size);
563 }
564 else
565 {
566 uint8_t *pInstrHC = pDisInfo->pInstrHC;
567
568 Assert(pInstrHC);
569
570 /* pInstrHC is the base address; adjust according to the GC pointer. */
571 pInstrHC = pInstrHC + (pSrc - pDisInfo->pInstrGC);
572
573 memcpy(pDest, (void *)pInstrHC, size);
574 }
575
576 return VINF_SUCCESS;
577}
578
579/**
580 * Callback function for RTAvloU32DoWithAll
581 *
582 * Updates all fixups in the patches
583 *
584 * @returns VBox status code.
585 * @param pNode Current node
586 * @param pParam The VM to operate on.
587 */
588static DECLCALLBACK(int) RelocatePatches(PAVLOU32NODECORE pNode, void *pParam)
589{
590 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
591 PVM pVM = (PVM)pParam;
592 RTRCINTPTR delta;
593#ifdef LOG_ENABLED
594 DISCPUSTATE cpu;
595 char szOutput[256];
596 uint32_t opsize;
597 bool disret;
598#endif
599 int rc;
600
601 /* Nothing to do if the patch is not active. */
602 if (pPatch->patch.uState == PATCH_REFUSED)
603 return 0;
604
605#ifdef LOG_ENABLED
606 if (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE)
607 {
608 /** @note pPrivInstrHC is probably not valid anymore */
609 rc = PGMPhysGCPtr2R3Ptr(VMMGetCpu0(pVM), pPatch->patch.pPrivInstrGC, (PRTR3PTR)&pPatch->patch.pPrivInstrHC);
610 if (rc == VINF_SUCCESS)
611 {
612 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
613 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pPatch->patch.pPrivInstrGC, pPatch->patch.pPrivInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
614 Log(("Org patch jump: %s", szOutput));
615 }
616 }
617#endif
618
619 Log(("Nr of fixups %d\n", pPatch->patch.nrFixups));
620 delta = (RTRCINTPTR)pVM->patm.s.deltaReloc;
621
622 /*
623 * Apply fixups
624 */
625 PRELOCREC pRec = 0;
626 AVLPVKEY key = 0;
627
628 while (true)
629 {
630 /* Get the record that's closest from above */
631 pRec = (PRELOCREC)RTAvlPVGetBestFit(&pPatch->patch.FixupTree, key, true);
632 if (pRec == 0)
633 break;
634
635 key = (AVLPVKEY)(pRec->pRelocPos + 1); /* search for the next record during the next round. */
636
637 switch (pRec->uType)
638 {
639 case FIXUP_ABSOLUTE:
640 Log(("Absolute fixup at %RRv %RHv -> %RHv at %RRv\n", pRec->pSource, *(RTRCUINTPTR *)pRec->pRelocPos, *(RTRCINTPTR*)pRec->pRelocPos + delta, pRec->pRelocPos));
641 if (!pRec->pSource || PATMIsPatchGCAddr(pVM, pRec->pSource))
642 {
643 *(RTRCUINTPTR *)pRec->pRelocPos += delta;
644 }
645 else
646 {
647 uint8_t curInstr[15];
648 uint8_t oldInstr[15];
649 Assert(pRec->pSource && pPatch->patch.cbPrivInstr <= 15);
650
651 Assert(!(pPatch->patch.flags & PATMFL_GLOBAL_FUNCTIONS));
652
653 memcpy(oldInstr, pPatch->patch.aPrivInstr, pPatch->patch.cbPrivInstr);
654 *(RTRCPTR *)&oldInstr[pPatch->patch.cbPrivInstr - sizeof(RTRCPTR)] = pRec->pDest;
655
656 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), curInstr, pPatch->patch.pPrivInstrGC, pPatch->patch.cbPrivInstr);
657 Assert(RT_SUCCESS(rc) || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT);
658
659 pRec->pDest = (RTRCPTR)((RTRCUINTPTR)pRec->pDest + delta);
660
661 if (rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT)
662 {
663 RTRCPTR pPage = pPatch->patch.pPrivInstrGC & PAGE_BASE_GC_MASK;
664
665 Log(("PATM: Patch page not present -> check later!\n"));
666 rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_ALL, pPage, pPage + (PAGE_SIZE - 1) /* inclusive! */, 0, patmVirtPageHandler, "PATMGCMonitorPage", 0, "PATMMonitorPatchJump");
667 Assert(RT_SUCCESS(rc) || rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT);
668 }
669 else
670 if (memcmp(curInstr, oldInstr, pPatch->patch.cbPrivInstr))
671 {
672 Log(("PATM: Patch was overwritten -> disabling patch!!\n"));
673 /*
674 * Disable patch; this is not a good solution
675 */
676 /* @todo hopefully it was completely overwritten (if the read was successful)!!!! */
677 pPatch->patch.uState = PATCH_DISABLED;
678 }
679 else
680 if (RT_SUCCESS(rc))
681 {
682 *(RTRCPTR *)&curInstr[pPatch->patch.cbPrivInstr - sizeof(RTRCPTR)] = pRec->pDest;
683 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pRec->pSource, curInstr, pPatch->patch.cbPrivInstr);
684 AssertRC(rc);
685 }
686 }
687 break;
688
689 case FIXUP_REL_JMPTOPATCH:
690 {
691 RTRCPTR pTarget = (RTRCPTR)((RTRCINTPTR)pRec->pDest + delta);
692
693 if ( pPatch->patch.uState == PATCH_ENABLED
694 && (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE))
695 {
696 uint8_t oldJump[SIZEOF_NEAR_COND_JUMP32];
697 uint8_t temp[SIZEOF_NEAR_COND_JUMP32];
698 RTRCPTR pJumpOffGC;
699 RTRCINTPTR displ = (RTRCINTPTR)pTarget - (RTRCINTPTR)pRec->pSource;
700 RTRCINTPTR displOld= (RTRCINTPTR)pRec->pDest - (RTRCINTPTR)pRec->pSource;
701
702 Log(("Relative fixup (g2p) %08X -> %08X at %08X (source=%08x, target=%08x)\n", *(int32_t*)pRec->pRelocPos, displ, pRec->pRelocPos, pRec->pSource, pRec->pDest));
703
704 Assert(pRec->pSource - pPatch->patch.cbPatchJump == pPatch->patch.pPrivInstrGC);
705#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
706 if (pPatch->patch.cbPatchJump == SIZEOF_NEAR_COND_JUMP32)
707 {
708 Assert(pPatch->patch.flags & PATMFL_JUMP_CONFLICT);
709
710 pJumpOffGC = pPatch->patch.pPrivInstrGC + 2; //two byte opcode
711 oldJump[0] = pPatch->patch.aPrivInstr[0];
712 oldJump[1] = pPatch->patch.aPrivInstr[1];
713 *(RTRCUINTPTR *)&oldJump[2] = displOld;
714 }
715 else
716#endif
717 if (pPatch->patch.cbPatchJump == SIZEOF_NEARJUMP32)
718 {
719 pJumpOffGC = pPatch->patch.pPrivInstrGC + 1; //one byte opcode
720 oldJump[0] = 0xE9;
721 *(RTRCUINTPTR *)&oldJump[1] = displOld;
722 }
723 else
724 {
725 AssertMsgFailed(("Invalid patch jump size %d\n", pPatch->patch.cbPatchJump));
726 continue; //this should never happen!!
727 }
728 Assert(pPatch->patch.cbPatchJump <= sizeof(temp));
729
730 /*
731 * Read old patch jump and compare it to the one we previously installed
732 */
733 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->patch.pPrivInstrGC, pPatch->patch.cbPatchJump);
734 Assert(RT_SUCCESS(rc) || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT);
735
736 if (rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT)
737 {
738 RTRCPTR pPage = pPatch->patch.pPrivInstrGC & PAGE_BASE_GC_MASK;
739
740 rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_ALL, pPage, pPage + (PAGE_SIZE - 1) /* inclusive! */, 0, patmVirtPageHandler, "PATMGCMonitorPage", 0, "PATMMonitorPatchJump");
741 Assert(RT_SUCCESS(rc) || rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT);
742 }
743 else
744 if (memcmp(temp, oldJump, pPatch->patch.cbPatchJump))
745 {
746 Log(("PATM: Patch jump was overwritten -> disabling patch!!\n"));
747 /*
748 * Disable patch; this is not a good solution
749 */
750 /* @todo hopefully it was completely overwritten (if the read was successful)!!!! */
751 pPatch->patch.uState = PATCH_DISABLED;
752 }
753 else
754 if (RT_SUCCESS(rc))
755 {
756 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pJumpOffGC, &displ, sizeof(displ));
757 AssertRC(rc);
758 }
759 else
760 {
761 AssertMsgFailed(("Unexpected error %d from MMR3PhysReadGCVirt\n", rc));
762 }
763 }
764 else
765 {
766 Log(("Skip the guest jump to patch code for this disabled patch %08X - %08X\n", pPatch->patch.pPrivInstrHC, pRec->pRelocPos));
767 }
768
769 pRec->pDest = pTarget;
770 break;
771 }
772
773 case FIXUP_REL_JMPTOGUEST:
774 {
775 RTRCPTR pSource = (RTRCPTR)((RTRCINTPTR)pRec->pSource + delta);
776 RTRCINTPTR displ = (RTRCINTPTR)pRec->pDest - (RTRCINTPTR)pSource;
777
778 Assert(!(pPatch->patch.flags & PATMFL_GLOBAL_FUNCTIONS));
779 Log(("Relative fixup (p2g) %08X -> %08X at %08X (source=%08x, target=%08x)\n", *(int32_t*)pRec->pRelocPos, displ, pRec->pRelocPos, pRec->pSource, pRec->pDest));
780 *(RTRCUINTPTR *)pRec->pRelocPos = displ;
781 pRec->pSource = pSource;
782 break;
783 }
784
785 default:
786 AssertMsg(0, ("Invalid fixup type!!\n"));
787 return VERR_INVALID_PARAMETER;
788 }
789 }
790
791#ifdef LOG_ENABLED
792 if (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE)
793 {
794 /** @note pPrivInstrHC is probably not valid anymore */
795 rc = PGMPhysGCPtr2R3Ptr(VMMGetCpu0(pVM), pPatch->patch.pPrivInstrGC, (PRTR3PTR)&pPatch->patch.pPrivInstrHC);
796 if (rc == VINF_SUCCESS)
797 {
798 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
799 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pPatch->patch.pPrivInstrGC, pPatch->patch.pPrivInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
800 Log(("Rel patch jump: %s", szOutput));
801 }
802 }
803#endif
804 return 0;
805}
806
807/**
808 * #PF Handler callback for virtual access handler ranges.
809 *
810 * Important to realize that a physical page in a range can have aliases, and
811 * for ALL and WRITE handlers these will also trigger.
812 *
813 * @returns VINF_SUCCESS if the handler have carried out the operation.
814 * @returns VINF_PGM_HANDLER_DO_DEFAULT if the caller should carry out the access operation.
815 * @param pVM VM Handle.
816 * @param GCPtr The virtual address the guest is writing to. (not correct if it's an alias!)
817 * @param pvPtr The HC mapping of that address.
818 * @param pvBuf What the guest is reading/writing.
819 * @param cbBuf How much it's reading/writing.
820 * @param enmAccessType The access type.
821 * @param pvUser User argument.
822 */
823DECLCALLBACK(int) patmVirtPageHandler(PVM pVM, RTGCPTR GCPtr, void *pvPtr, void *pvBuf, size_t cbBuf, PGMACCESSTYPE enmAccessType, void *pvUser)
824{
825 Assert(enmAccessType == PGMACCESSTYPE_WRITE);
826 /** @todo could be the wrong virtual address (alias) */
827 pVM->patm.s.pvFaultMonitor = GCPtr;
828 PATMR3HandleMonitoredPage(pVM);
829 return VINF_PGM_HANDLER_DO_DEFAULT;
830}
831
832
833#ifdef VBOX_WITH_DEBUGGER
834/**
835 * Callback function for RTAvloU32DoWithAll
836 *
837 * Enables the patch that's being enumerated
838 *
839 * @returns 0 (continue enumeration).
840 * @param pNode Current node
841 * @param pVM The VM to operate on.
842 */
843static DECLCALLBACK(int) EnableAllPatches(PAVLOU32NODECORE pNode, void *pVM)
844{
845 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
846
847 PATMR3EnablePatch((PVM)pVM, (RTRCPTR)pPatch->Core.Key);
848 return 0;
849}
850#endif /* VBOX_WITH_DEBUGGER */
851
852
853#ifdef VBOX_WITH_DEBUGGER
854/**
855 * Callback function for RTAvloU32DoWithAll
856 *
857 * Disables the patch that's being enumerated
858 *
859 * @returns 0 (continue enumeration).
860 * @param pNode Current node
861 * @param pVM The VM to operate on.
862 */
863static DECLCALLBACK(int) DisableAllPatches(PAVLOU32NODECORE pNode, void *pVM)
864{
865 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
866
867 PATMR3DisablePatch((PVM)pVM, (RTRCPTR)pPatch->Core.Key);
868 return 0;
869}
870#endif
871
872/**
873 * Returns the host context pointer and size of the patch memory block
874 *
875 * @returns VBox status code.
876 * @param pVM The VM to operate on.
877 * @param pcb Size of the patch memory block
878 */
879VMMR3DECL(void *) PATMR3QueryPatchMemHC(PVM pVM, uint32_t *pcb)
880{
881 if (pcb)
882 {
883 *pcb = pVM->patm.s.cbPatchMem;
884 }
885 return pVM->patm.s.pPatchMemHC;
886}
887
888
889/**
890 * Returns the guest context pointer and size of the patch memory block
891 *
892 * @returns VBox status code.
893 * @param pVM The VM to operate on.
894 * @param pcb Size of the patch memory block
895 */
896VMMR3DECL(RTRCPTR) PATMR3QueryPatchMemGC(PVM pVM, uint32_t *pcb)
897{
898 if (pcb)
899 {
900 *pcb = pVM->patm.s.cbPatchMem;
901 }
902 return pVM->patm.s.pPatchMemGC;
903}
904
905
906/**
907 * Returns the host context pointer of the GC context structure
908 *
909 * @returns VBox status code.
910 * @param pVM The VM to operate on.
911 */
912VMMR3DECL(PPATMGCSTATE) PATMR3QueryGCStateHC(PVM pVM)
913{
914 return pVM->patm.s.pGCStateHC;
915}
916
917
918/**
919 * Checks whether the HC address is part of our patch region
920 *
921 * @returns VBox status code.
922 * @param pVM The VM to operate on.
923 * @param pAddrGC Guest context address
924 */
925VMMR3DECL(bool) PATMR3IsPatchHCAddr(PVM pVM, R3PTRTYPE(uint8_t *) pAddrHC)
926{
927 return (pAddrHC >= pVM->patm.s.pPatchMemHC && pAddrHC < pVM->patm.s.pPatchMemHC + pVM->patm.s.cbPatchMem) ? true : false;
928}
929
930
931/**
932 * Allows or disallow patching of privileged instructions executed by the guest OS
933 *
934 * @returns VBox status code.
935 * @param pVM The VM to operate on.
936 * @param fAllowPatching Allow/disallow patching
937 */
938VMMR3DECL(int) PATMR3AllowPatching(PVM pVM, uint32_t fAllowPatching)
939{
940 pVM->fPATMEnabled = (fAllowPatching) ? true : false;
941 return VINF_SUCCESS;
942}
943
944/**
945 * Convert a GC patch block pointer to a HC patch pointer
946 *
947 * @returns HC pointer or NULL if it's not a GC patch pointer
948 * @param pVM The VM to operate on.
949 * @param pAddrGC GC pointer
950 */
951VMMR3DECL(R3PTRTYPE(void *)) PATMR3GCPtrToHCPtr(PVM pVM, RTRCPTR pAddrGC)
952{
953 if (pVM->patm.s.pPatchMemGC <= pAddrGC && pVM->patm.s.pPatchMemGC + pVM->patm.s.cbPatchMem > pAddrGC)
954 {
955 return pVM->patm.s.pPatchMemHC + (pAddrGC - pVM->patm.s.pPatchMemGC);
956 }
957 return NULL;
958}
959
960/**
961 * Query PATM state (enabled/disabled)
962 *
963 * @returns 0 - disabled, 1 - enabled
964 * @param pVM The VM to operate on.
965 */
966VMMR3DECL(int) PATMR3IsEnabled(PVM pVM)
967{
968 return pVM->fPATMEnabled;
969}
970
971
972/**
973 * Convert guest context address to host context pointer
974 *
975 * @returns VBox status code.
976 * @param pVM The VM to operate on.
977 * @param pPatch Patch block structure pointer
978 * @param pGCPtr Guest context pointer
979 *
980 * @returns Host context pointer or NULL in case of an error
981 *
982 */
983R3PTRTYPE(uint8_t *) PATMGCVirtToHCVirt(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t *) pGCPtr)
984{
985 int rc;
986 R3PTRTYPE(uint8_t *) pHCPtr;
987 uint32_t offset;
988
989 if (PATMIsPatchGCAddr(pVM, pGCPtr))
990 {
991 return PATCHCODE_PTR_HC(pPatch) + (pGCPtr - PATCHCODE_PTR_GC(pPatch));
992 }
993
994 offset = pGCPtr & PAGE_OFFSET_MASK;
995 if (pPatch->cacheRec.pGuestLoc == (pGCPtr & PAGE_BASE_GC_MASK))
996 {
997 return pPatch->cacheRec.pPatchLocStartHC + offset;
998 }
999
1000 rc = PGMPhysGCPtr2R3Ptr(VMMGetCpu0(pVM), pGCPtr, (void **)&pHCPtr);
1001 if (rc != VINF_SUCCESS)
1002 {
1003 AssertMsg(rc == VINF_SUCCESS || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT, ("MMR3PhysGCVirt2HCVirtEx failed for %08X\n", pGCPtr));
1004 return NULL;
1005 }
1006////invalid? Assert(sizeof(R3PTRTYPE(uint8_t*)) == sizeof(uint32_t));
1007
1008 pPatch->cacheRec.pPatchLocStartHC = (R3PTRTYPE(uint8_t*))((RTHCUINTPTR)pHCPtr & PAGE_BASE_HC_MASK);
1009 pPatch->cacheRec.pGuestLoc = pGCPtr & PAGE_BASE_GC_MASK;
1010 return pHCPtr;
1011}
1012
1013
1014/* Calculates and fills in all branch targets
1015 *
1016 * @returns VBox status code.
1017 * @param pVM The VM to operate on.
1018 * @param pPatch Current patch block pointer
1019 *
1020 */
1021static int patmr3SetBranchTargets(PVM pVM, PPATCHINFO pPatch)
1022{
1023 int32_t displ;
1024
1025 PJUMPREC pRec = 0;
1026 int nrJumpRecs = 0;
1027
1028 /*
1029 * Set all branch targets inside the patch block.
1030 * We remove all jump records as they are no longer needed afterwards.
1031 */
1032 while (true)
1033 {
1034 RCPTRTYPE(uint8_t *) pInstrGC;
1035 RCPTRTYPE(uint8_t *) pBranchTargetGC = 0;
1036
1037 pRec = (PJUMPREC)RTAvlPVRemoveBestFit(&pPatch->JumpTree, 0, true);
1038 if (pRec == 0)
1039 break;
1040
1041 nrJumpRecs++;
1042
1043 /* HC in patch block to GC in patch block. */
1044 pInstrGC = patmPatchHCPtr2PatchGCPtr(pVM, pRec->pJumpHC);
1045
1046 if (pRec->opcode == OP_CALL)
1047 {
1048 /* Special case: call function replacement patch from this patch block.
1049 */
1050 PPATMPATCHREC pFunctionRec = PATMQueryFunctionPatch(pVM, pRec->pTargetGC);
1051 if (!pFunctionRec)
1052 {
1053 int rc;
1054
1055 if (PATMR3HasBeenPatched(pVM, pRec->pTargetGC) == false)
1056 rc = PATMR3InstallPatch(pVM, pRec->pTargetGC, PATMFL_CODE32 | PATMFL_DUPLICATE_FUNCTION);
1057 else
1058 rc = VERR_PATCHING_REFUSED; /* exists as a normal patch; can't use it */
1059
1060 if (RT_FAILURE(rc))
1061 {
1062 uint8_t *pPatchHC;
1063 RTRCPTR pPatchGC;
1064 RTRCPTR pOrgInstrGC;
1065
1066 pOrgInstrGC = PATMR3PatchToGCPtr(pVM, pInstrGC, 0);
1067 Assert(pOrgInstrGC);
1068
1069 /* Failure for some reason -> mark exit point with int 3. */
1070 Log(("Failed to install function replacement patch (at %x) for reason %Rrc\n", pOrgInstrGC, rc));
1071
1072 pPatchGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pOrgInstrGC);
1073 Assert(pPatchGC);
1074
1075 pPatchHC = pVM->patm.s.pPatchMemHC + (pPatchGC - pVM->patm.s.pPatchMemGC);
1076
1077 /* Set a breakpoint at the very beginning of the recompiled instruction */
1078 *pPatchHC = 0xCC;
1079
1080 continue;
1081 }
1082 }
1083 else
1084 {
1085 Log(("Patch block %RRv called as function\n", pFunctionRec->patch.pPrivInstrGC));
1086 pFunctionRec->patch.flags |= PATMFL_CODE_REFERENCED;
1087 }
1088
1089 pBranchTargetGC = PATMR3QueryPatchGCPtr(pVM, pRec->pTargetGC);
1090 }
1091 else
1092 {
1093 pBranchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pRec->pTargetGC);
1094 }
1095
1096 if (pBranchTargetGC == 0)
1097 {
1098 AssertMsgFailed(("patmr3SetBranchTargets: patmGuestGCPtrToPatchGCPtr failed for %08X\n", pRec->pTargetGC));
1099 return VERR_PATCHING_REFUSED;
1100 }
1101 /* Our jumps *always* have a dword displacement (to make things easier). */
1102 Assert(sizeof(uint32_t) == sizeof(RTRCPTR));
1103 displ = pBranchTargetGC - (pInstrGC + pRec->offDispl + sizeof(RTRCPTR));
1104 *(RTRCPTR *)(pRec->pJumpHC + pRec->offDispl) = displ;
1105 Log(("Set branch target %d to %08X : %08x - (%08x + %d + %d)\n", nrJumpRecs, displ, pBranchTargetGC, pInstrGC, pRec->offDispl, sizeof(RTRCPTR)));
1106 }
1107 Assert(nrJumpRecs == pPatch->nrJumpRecs);
1108 Assert(pPatch->JumpTree == 0);
1109 return VINF_SUCCESS;
1110}
1111
1112/* Add an illegal instruction record
1113 *
1114 * @param pVM The VM to operate on.
1115 * @param pPatch Patch structure ptr
1116 * @param pInstrGC Guest context pointer to privileged instruction
1117 *
1118 */
1119static void patmAddIllegalInstrRecord(PVM pVM, PPATCHINFO pPatch, RTRCPTR pInstrGC)
1120{
1121 PAVLPVNODECORE pRec;
1122
1123 pRec = (PAVLPVNODECORE)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
1124 Assert(pRec);
1125 pRec->Key = (AVLPVKEY)pInstrGC;
1126
1127 bool ret = RTAvlPVInsert(&pPatch->pTempInfo->IllegalInstrTree, pRec);
1128 Assert(ret); NOREF(ret);
1129 pPatch->pTempInfo->nrIllegalInstr++;
1130}
1131
1132static bool patmIsIllegalInstr(PPATCHINFO pPatch, RTRCPTR pInstrGC)
1133{
1134 PAVLPVNODECORE pRec;
1135
1136 pRec = RTAvlPVGet(&pPatch->pTempInfo->IllegalInstrTree, (AVLPVKEY)pInstrGC);
1137 if (pRec)
1138 return true;
1139 return false;
1140}
1141
1142/**
1143 * Add a patch to guest lookup record
1144 *
1145 * @param pVM The VM to operate on.
1146 * @param pPatch Patch structure ptr
1147 * @param pPatchInstrHC Guest context pointer to patch block
1148 * @param pInstrGC Guest context pointer to privileged instruction
1149 * @param enmType Lookup type
1150 * @param fDirty Dirty flag
1151 *
1152 */
1153 /** @note Be extremely careful with this function. Make absolutely sure the guest address is correct! (to avoid executing instructions twice!) */
1154void patmr3AddP2GLookupRecord(PVM pVM, PPATCHINFO pPatch, uint8_t *pPatchInstrHC, RTRCPTR pInstrGC, PATM_LOOKUP_TYPE enmType, bool fDirty)
1155{
1156 bool ret;
1157 PRECPATCHTOGUEST pPatchToGuestRec;
1158 PRECGUESTTOPATCH pGuestToPatchRec;
1159 uint32_t PatchOffset = pPatchInstrHC - pVM->patm.s.pPatchMemHC; /* Offset in memory reserved for PATM. */
1160
1161 if (enmType == PATM_LOOKUP_PATCH2GUEST)
1162 {
1163 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1164 if (pPatchToGuestRec && pPatchToGuestRec->Core.Key == PatchOffset)
1165 return; /* already there */
1166
1167 Assert(!pPatchToGuestRec);
1168 }
1169#ifdef VBOX_STRICT
1170 else
1171 {
1172 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1173 Assert(!pPatchToGuestRec);
1174 }
1175#endif
1176
1177 pPatchToGuestRec = (PRECPATCHTOGUEST)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(RECPATCHTOGUEST) + sizeof(RECGUESTTOPATCH));
1178 Assert(pPatchToGuestRec);
1179 pPatchToGuestRec->Core.Key = PatchOffset;
1180 pPatchToGuestRec->pOrgInstrGC = pInstrGC;
1181 pPatchToGuestRec->enmType = enmType;
1182 pPatchToGuestRec->fDirty = fDirty;
1183
1184 ret = RTAvlU32Insert(&pPatch->Patch2GuestAddrTree, &pPatchToGuestRec->Core);
1185 Assert(ret);
1186
1187 /* GC to patch address */
1188 if (enmType == PATM_LOOKUP_BOTHDIR)
1189 {
1190 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32Get(&pPatch->Guest2PatchAddrTree, pInstrGC);
1191 if (!pGuestToPatchRec)
1192 {
1193 pGuestToPatchRec = (PRECGUESTTOPATCH)(pPatchToGuestRec+1);
1194 pGuestToPatchRec->Core.Key = pInstrGC;
1195 pGuestToPatchRec->PatchOffset = PatchOffset;
1196
1197 ret = RTAvlU32Insert(&pPatch->Guest2PatchAddrTree, &pGuestToPatchRec->Core);
1198 Assert(ret);
1199 }
1200 }
1201
1202 pPatch->nrPatch2GuestRecs++;
1203}
1204
1205
1206/**
1207 * Removes a patch to guest lookup record
1208 *
1209 * @param pVM The VM to operate on.
1210 * @param pPatch Patch structure ptr
1211 * @param pPatchInstrGC Guest context pointer to patch block
1212 */
1213void patmr3RemoveP2GLookupRecord(PVM pVM, PPATCHINFO pPatch, RTRCPTR pPatchInstrGC)
1214{
1215 PAVLU32NODECORE pNode;
1216 PAVLU32NODECORE pNode2;
1217 PRECPATCHTOGUEST pPatchToGuestRec;
1218 uint32_t PatchOffset = pPatchInstrGC - pVM->patm.s.pPatchMemGC; /* Offset in memory reserved for PATM. */
1219
1220 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1221 Assert(pPatchToGuestRec);
1222 if (pPatchToGuestRec)
1223 {
1224 if (pPatchToGuestRec->enmType == PATM_LOOKUP_BOTHDIR)
1225 {
1226 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)(pPatchToGuestRec+1);
1227
1228 Assert(pGuestToPatchRec->Core.Key);
1229 pNode2 = RTAvlU32Remove(&pPatch->Guest2PatchAddrTree, pGuestToPatchRec->Core.Key);
1230 Assert(pNode2);
1231 }
1232 pNode = RTAvlU32Remove(&pPatch->Patch2GuestAddrTree, pPatchToGuestRec->Core.Key);
1233 Assert(pNode);
1234
1235 MMR3HeapFree(pPatchToGuestRec);
1236 pPatch->nrPatch2GuestRecs--;
1237 }
1238}
1239
1240
1241/**
1242 * RTAvlPVDestroy callback.
1243 */
1244static DECLCALLBACK(int) patmEmptyTreePVCallback(PAVLPVNODECORE pNode, void *)
1245{
1246 MMR3HeapFree(pNode);
1247 return 0;
1248}
1249
1250/**
1251 * Empty the specified tree (PV tree, MMR3 heap)
1252 *
1253 * @param pVM The VM to operate on.
1254 * @param ppTree Tree to empty
1255 */
1256void patmEmptyTree(PVM pVM, PAVLPVNODECORE *ppTree)
1257{
1258 RTAvlPVDestroy(ppTree, patmEmptyTreePVCallback, NULL);
1259}
1260
1261
1262/**
1263 * RTAvlU32Destroy callback.
1264 */
1265static DECLCALLBACK(int) patmEmptyTreeU32Callback(PAVLU32NODECORE pNode, void *)
1266{
1267 MMR3HeapFree(pNode);
1268 return 0;
1269}
1270
1271/**
1272 * Empty the specified tree (U32 tree, MMR3 heap)
1273 *
1274 * @param pVM The VM to operate on.
1275 * @param ppTree Tree to empty
1276 */
1277void patmEmptyTreeU32(PVM pVM, PPAVLU32NODECORE ppTree)
1278{
1279 RTAvlU32Destroy(ppTree, patmEmptyTreeU32Callback, NULL);
1280}
1281
1282
1283/**
1284 * Analyses the instructions following the cli for compliance with our heuristics for cli & pushf
1285 *
1286 * @returns VBox status code.
1287 * @param pVM The VM to operate on.
1288 * @param pCpu CPU disassembly state
1289 * @param pInstrGC Guest context pointer to privileged instruction
1290 * @param pCurInstrGC Guest context pointer to the current instruction
1291 * @param pUserData User pointer (callback specific)
1292 *
1293 */
1294static int patmAnalyseBlockCallback(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
1295{
1296 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
1297 bool fIllegalInstr = false;
1298
1299 //Preliminary heuristics:
1300 //- no call instructions without a fixed displacement between cli and sti/popf
1301 //- no jumps in the instructions following cli (4+ bytes; enough for the replacement jump (5 bytes))
1302 //- no nested pushf/cli
1303 //- sti/popf should be the (eventual) target of all branches
1304 //- no near or far returns; no int xx, no into
1305 //
1306 // Note: Later on we can impose less stricter guidelines if the need arises
1307
1308 /* Bail out if the patch gets too big. */
1309 if (pPatch->cbPatchBlockSize >= MAX_PATCH_SIZE)
1310 {
1311 Log(("Code block too big (%x) for patch at %RRv!!\n", pPatch->cbPatchBlockSize, pCurInstrGC));
1312 fIllegalInstr = true;
1313 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1314 }
1315 else
1316 {
1317 /* No unconditinal jumps or calls without fixed displacements. */
1318 if ( (pCpu->pCurInstr->optype & OPTYPE_CONTROLFLOW)
1319 && (pCpu->pCurInstr->opcode == OP_JMP || pCpu->pCurInstr->opcode == OP_CALL)
1320 )
1321 {
1322 Assert(pCpu->param1.size <= 4 || pCpu->param1.size == 6);
1323 if ( pCpu->param1.size == 6 /* far call/jmp */
1324 || (pCpu->pCurInstr->opcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
1325 || (OP_PARM_VTYPE(pCpu->pCurInstr->param1) != OP_PARM_J && !(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS))
1326 )
1327 {
1328 fIllegalInstr = true;
1329 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1330 }
1331 }
1332
1333 /* An unconditional (short) jump right after a cli is a potential problem; we will overwrite whichever function comes afterwards */
1334 if (pPatch->opcode == OP_CLI && pCpu->pCurInstr->opcode == OP_JMP)
1335 {
1336 if (pCurInstrGC > pPatch->pPrivInstrGC && pCurInstrGC + pCpu->opsize < pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32) /* hardcoded patch jump size; cbPatchJump is still zero */
1337 {
1338 Log(("Dangerous unconditional jump ends in our generated patch jump!! (%x vs %x)\n", pCurInstrGC, pPatch->pPrivInstrGC));
1339 /* We turn this one into a int 3 callable patch. */
1340 pPatch->flags |= PATMFL_INT3_REPLACEMENT_BLOCK;
1341 }
1342 }
1343 else
1344 /* no nested pushfs just yet; nested cli is allowed for cli patches though. */
1345 if (pPatch->opcode == OP_PUSHF)
1346 {
1347 if (pCurInstrGC != pInstrGC && pCpu->pCurInstr->opcode == OP_PUSHF)
1348 {
1349 fIllegalInstr = true;
1350 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1351 }
1352 }
1353
1354 // no far returns
1355 if (pCpu->pCurInstr->opcode == OP_RETF)
1356 {
1357 pPatch->pTempInfo->nrRetInstr++;
1358 fIllegalInstr = true;
1359 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1360 }
1361 else
1362 // no int xx or into either
1363 if (pCpu->pCurInstr->opcode == OP_INT3 || pCpu->pCurInstr->opcode == OP_INT || pCpu->pCurInstr->opcode == OP_INTO)
1364 {
1365 fIllegalInstr = true;
1366 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1367 }
1368 }
1369
1370 pPatch->cbPatchBlockSize += pCpu->opsize;
1371
1372 /* Illegal instruction -> end of analysis phase for this code block */
1373 if (fIllegalInstr || patmIsIllegalInstr(pPatch, pCurInstrGC))
1374 return VINF_SUCCESS;
1375
1376 /* Check for exit points. */
1377 switch (pCpu->pCurInstr->opcode)
1378 {
1379 case OP_SYSEXIT:
1380 return VINF_SUCCESS; /* duplicate it; will fault or emulated in GC. */
1381
1382 case OP_SYSENTER:
1383 case OP_ILLUD2:
1384 //This appears to be some kind of kernel panic in Linux 2.4; no point to analyse more
1385 Log(("Illegal opcode (0xf 0xb) -> return here\n"));
1386 return VINF_SUCCESS;
1387
1388 case OP_STI:
1389 case OP_POPF:
1390 Assert(!(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION)));
1391 /* If out exit point lies within the generated patch jump, then we have to refuse!! */
1392 if (pCurInstrGC > pPatch->pPrivInstrGC && pCurInstrGC < pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32) /* hardcoded patch jump size; cbPatchJump is still zero */
1393 {
1394 Log(("Exit point within patch jump itself!! (%x vs %x)\n", pCurInstrGC, pPatch->pPrivInstrGC));
1395 return VERR_PATCHING_REFUSED;
1396 }
1397 if (pPatch->opcode == OP_PUSHF)
1398 {
1399 if (pCpu->pCurInstr->opcode == OP_POPF)
1400 {
1401 if (pPatch->cbPatchBlockSize >= SIZEOF_NEARJUMP32)
1402 return VINF_SUCCESS;
1403
1404 /* Or else we need to duplicate more instructions, because we can't jump back yet! */
1405 Log(("WARNING: End of block reached, but we need to duplicate some extra instruction to avoid a conflict with the patch jump\n"));
1406 pPatch->flags |= PATMFL_CHECK_SIZE;
1407 }
1408 break; //sti doesn't mark the end of a pushf block; only popf does
1409 }
1410 //else no break
1411 case OP_RETN: /* exit point for function replacement */
1412 return VINF_SUCCESS;
1413
1414 case OP_IRET:
1415 return VINF_SUCCESS; /* exitpoint */
1416
1417 case OP_CPUID:
1418 case OP_CALL:
1419 case OP_JMP:
1420 break;
1421
1422 default:
1423 if (pCpu->pCurInstr->optype & (OPTYPE_PRIVILEGED_NOTRAP))
1424 {
1425 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1426 return VINF_SUCCESS; /* exit point */
1427 }
1428 break;
1429 }
1430
1431 // If single instruction patch, we've copied enough instructions *and* the current instruction is not a relative jump
1432 if ((pPatch->flags & PATMFL_CHECK_SIZE) && pPatch->cbPatchBlockSize > SIZEOF_NEARJUMP32 && !(pCpu->pCurInstr->optype & OPTYPE_RELATIVE_CONTROLFLOW))
1433 {
1434 // The end marker for this kind of patch is any instruction at a location outside our patch jump
1435 Log(("End of block at %RRv size %d\n", pCurInstrGC, pCpu->opsize));
1436 return VINF_SUCCESS;
1437 }
1438
1439 return VWRN_CONTINUE_ANALYSIS;
1440}
1441
1442/**
1443 * Analyses the instructions inside a function for compliance
1444 *
1445 * @returns VBox status code.
1446 * @param pVM The VM to operate on.
1447 * @param pCpu CPU disassembly state
1448 * @param pInstrGC Guest context pointer to privileged instruction
1449 * @param pCurInstrGC Guest context pointer to the current instruction
1450 * @param pUserData User pointer (callback specific)
1451 *
1452 */
1453static int patmAnalyseFunctionCallback(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
1454{
1455 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
1456 bool fIllegalInstr = false;
1457
1458 //Preliminary heuristics:
1459 //- no call instructions
1460 //- ret ends a block
1461
1462 Assert(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION));
1463
1464 // bail out if the patch gets too big
1465 if (pPatch->cbPatchBlockSize >= MAX_PATCH_SIZE)
1466 {
1467 Log(("Code block too big (%x) for function patch at %RRv!!\n", pPatch->cbPatchBlockSize, pCurInstrGC));
1468 fIllegalInstr = true;
1469 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1470 }
1471 else
1472 {
1473 // no unconditinal jumps or calls without fixed displacements
1474 if ( (pCpu->pCurInstr->optype & OPTYPE_CONTROLFLOW)
1475 && (pCpu->pCurInstr->opcode == OP_JMP || pCpu->pCurInstr->opcode == OP_CALL)
1476 )
1477 {
1478 Assert(pCpu->param1.size <= 4 || pCpu->param1.size == 6);
1479 if ( pCpu->param1.size == 6 /* far call/jmp */
1480 || (pCpu->pCurInstr->opcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
1481 || (OP_PARM_VTYPE(pCpu->pCurInstr->param1) != OP_PARM_J && !(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS))
1482 )
1483 {
1484 fIllegalInstr = true;
1485 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1486 }
1487 }
1488 else /* no far returns */
1489 if (pCpu->pCurInstr->opcode == OP_RETF)
1490 {
1491 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1492 fIllegalInstr = true;
1493 }
1494 else /* no int xx or into either */
1495 if (pCpu->pCurInstr->opcode == OP_INT3 || pCpu->pCurInstr->opcode == OP_INT || pCpu->pCurInstr->opcode == OP_INTO)
1496 {
1497 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1498 fIllegalInstr = true;
1499 }
1500
1501 #if 0
1502 ///@todo we can handle certain in/out and privileged instructions in the guest context
1503 if (pCpu->pCurInstr->optype & OPTYPE_PRIVILEGED && pCpu->pCurInstr->opcode != OP_STI)
1504 {
1505 Log(("Illegal instructions for function patch!!\n"));
1506 return VERR_PATCHING_REFUSED;
1507 }
1508 #endif
1509 }
1510
1511 pPatch->cbPatchBlockSize += pCpu->opsize;
1512
1513 /* Illegal instruction -> end of analysis phase for this code block */
1514 if (fIllegalInstr || patmIsIllegalInstr(pPatch, pCurInstrGC))
1515 {
1516 return VINF_SUCCESS;
1517 }
1518
1519 // Check for exit points
1520 switch (pCpu->pCurInstr->opcode)
1521 {
1522 case OP_ILLUD2:
1523 //This appears to be some kind of kernel panic in Linux 2.4; no point to analyse more
1524 Log(("Illegal opcode (0xf 0xb) -> return here\n"));
1525 return VINF_SUCCESS;
1526
1527 case OP_IRET:
1528 case OP_SYSEXIT: /* will fault or emulated in GC */
1529 case OP_RETN:
1530 return VINF_SUCCESS;
1531
1532 case OP_POPF:
1533 case OP_STI:
1534 return VWRN_CONTINUE_ANALYSIS;
1535 default:
1536 if (pCpu->pCurInstr->optype & (OPTYPE_PRIVILEGED_NOTRAP))
1537 {
1538 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1539 return VINF_SUCCESS; /* exit point */
1540 }
1541 return VWRN_CONTINUE_ANALYSIS;
1542 }
1543
1544 return VWRN_CONTINUE_ANALYSIS;
1545}
1546
1547/**
1548 * Recompiles the instructions in a code block
1549 *
1550 * @returns VBox status code.
1551 * @param pVM The VM to operate on.
1552 * @param pCpu CPU disassembly state
1553 * @param pInstrGC Guest context pointer to privileged instruction
1554 * @param pCurInstrGC Guest context pointer to the current instruction
1555 * @param pUserData User pointer (callback specific)
1556 *
1557 */
1558static int patmRecompileCallback(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
1559{
1560 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
1561 int rc = VINF_SUCCESS;
1562 bool fInhibitIRQInstr = false; /* did the instruction cause PATMFL_INHIBITIRQS to be set? */
1563
1564 LogFlow(("patmRecompileCallback %RRv %RRv\n", pInstrGC, pCurInstrGC));
1565
1566 if ( patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pCurInstrGC) != 0
1567 && !(pPatch->flags & PATMFL_RECOMPILE_NEXT)) /* do not do this when the next instruction *must* be executed! */
1568 {
1569 /*
1570 * Been there, done that; so insert a jump (we don't want to duplicate code)
1571 * no need to record this instruction as it's glue code that never crashes (it had better not!)
1572 */
1573 Log(("patmRecompileCallback: jump to code we've recompiled before %RRv!\n", pCurInstrGC));
1574 return patmPatchGenRelJump(pVM, pPatch, pCurInstrGC, OP_JMP, !!(pCpu->prefix & PREFIX_OPSIZE));
1575 }
1576
1577 if (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1578 {
1579 rc = patmAnalyseFunctionCallback(pVM, pCpu, pInstrGC, pCurInstrGC, pUserData);
1580 }
1581 else
1582 rc = patmAnalyseBlockCallback(pVM, pCpu, pInstrGC, pCurInstrGC, pUserData);
1583
1584 if (RT_FAILURE(rc))
1585 return rc;
1586
1587 /** @note Never do a direct return unless a failure is encountered! */
1588
1589 /* Clear recompilation of next instruction flag; we are doing that right here. */
1590 if (pPatch->flags & PATMFL_RECOMPILE_NEXT)
1591 pPatch->flags &= ~PATMFL_RECOMPILE_NEXT;
1592
1593 /* Add lookup record for patch to guest address translation */
1594 patmr3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
1595
1596 /* Update lowest and highest instruction address for this patch */
1597 if (pCurInstrGC < pPatch->pInstrGCLowest)
1598 pPatch->pInstrGCLowest = pCurInstrGC;
1599 else
1600 if (pCurInstrGC > pPatch->pInstrGCHighest)
1601 pPatch->pInstrGCHighest = pCurInstrGC + pCpu->opsize;
1602
1603 /* Illegal instruction -> end of recompile phase for this code block. */
1604 if (patmIsIllegalInstr(pPatch, pCurInstrGC))
1605 {
1606 Log(("Illegal instruction at %RRv -> mark with int 3\n", pCurInstrGC));
1607 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1608 goto end;
1609 }
1610
1611 /* For our first attempt, we'll handle only simple relative jumps (immediate offset coded in instruction).
1612 * Indirect calls are handled below.
1613 */
1614 if ( (pCpu->pCurInstr->optype & OPTYPE_CONTROLFLOW)
1615 && (pCpu->pCurInstr->opcode != OP_CALL || (pPatch->flags & PATMFL_SUPPORT_CALLS))
1616 && (OP_PARM_VTYPE(pCpu->pCurInstr->param1) == OP_PARM_J))
1617 {
1618 RCPTRTYPE(uint8_t *) pTargetGC = PATMResolveBranch(pCpu, pCurInstrGC);
1619 if (pTargetGC == 0)
1620 {
1621 Log(("We don't support far jumps here!! (%08X)\n", pCpu->param1.flags));
1622 return VERR_PATCHING_REFUSED;
1623 }
1624
1625 if (pCpu->pCurInstr->opcode == OP_CALL)
1626 {
1627 Assert(!PATMIsPatchGCAddr(pVM, pTargetGC));
1628 rc = patmPatchGenCall(pVM, pPatch, pCpu, pCurInstrGC, pTargetGC, false);
1629 if (RT_FAILURE(rc))
1630 goto end;
1631 }
1632 else
1633 rc = patmPatchGenRelJump(pVM, pPatch, pTargetGC, pCpu->pCurInstr->opcode, !!(pCpu->prefix & PREFIX_OPSIZE));
1634
1635 if (RT_SUCCESS(rc))
1636 rc = VWRN_CONTINUE_RECOMPILE;
1637
1638 goto end;
1639 }
1640
1641 switch (pCpu->pCurInstr->opcode)
1642 {
1643 case OP_CLI:
1644 {
1645 /* If a cli is found while duplicating instructions for another patch, then it's of vital importance to continue
1646 * until we've found the proper exit point(s).
1647 */
1648 if ( pCurInstrGC != pInstrGC
1649 && !(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1650 )
1651 {
1652 Log(("cli instruction found in other instruction patch block; force it to continue & find an exit point\n"));
1653 pPatch->flags &= ~(PATMFL_CHECK_SIZE | PATMFL_SINGLE_INSTRUCTION);
1654 }
1655 /* Set by irq inhibition; no longer valid now. */
1656 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST;
1657
1658 rc = patmPatchGenCli(pVM, pPatch);
1659 if (RT_SUCCESS(rc))
1660 rc = VWRN_CONTINUE_RECOMPILE;
1661 break;
1662 }
1663
1664 case OP_MOV:
1665 if (pCpu->pCurInstr->optype & OPTYPE_POTENTIALLY_DANGEROUS)
1666 {
1667 /* mov ss, src? */
1668 if ( (pCpu->param1.flags & USE_REG_SEG)
1669 && (pCpu->param1.base.reg_seg == DIS_SELREG_SS))
1670 {
1671 Log(("Force recompilation of next instruction for OP_MOV at %RRv\n", pCurInstrGC));
1672 pPatch->flags |= PATMFL_RECOMPILE_NEXT;
1673 /** @todo this could cause a fault (ring 0 selector being loaded in ring 1) */
1674 }
1675#if 0 /* necessary for Haiku */
1676 else
1677 if ( (pCpu->param2.flags & USE_REG_SEG)
1678 && (pCpu->param2.base.reg_seg == USE_REG_SS)
1679 && (pCpu->param1.flags & (USE_REG_GEN32|USE_REG_GEN16))) /** @todo memory operand must in theory be handled too */
1680 {
1681 /* mov GPR, ss */
1682 rc = patmPatchGenMovFromSS(pVM, pPatch, pCpu, pCurInstrGC);
1683 if (RT_SUCCESS(rc))
1684 rc = VWRN_CONTINUE_RECOMPILE;
1685 break;
1686 }
1687#endif
1688 }
1689 goto duplicate_instr;
1690
1691 case OP_POP:
1692 if (pCpu->pCurInstr->param1 == OP_PARM_REG_SS)
1693 {
1694 Assert(pCpu->pCurInstr->optype & OPTYPE_INHIBIT_IRQS);
1695
1696 Log(("Force recompilation of next instruction for OP_MOV at %RRv\n", pCurInstrGC));
1697 pPatch->flags |= PATMFL_RECOMPILE_NEXT;
1698 }
1699 goto duplicate_instr;
1700
1701 case OP_STI:
1702 {
1703 RTRCPTR pNextInstrGC = 0; /* by default no inhibit irq */
1704
1705 /** In a sequence of instructions that inhibit irqs, only the first one actually inhibits irqs. */
1706 if (!(pPatch->flags & PATMFL_INHIBIT_IRQS))
1707 {
1708 pPatch->flags |= PATMFL_INHIBIT_IRQS | PATMFL_GENERATE_JUMPTOGUEST;
1709 fInhibitIRQInstr = true;
1710 pNextInstrGC = pCurInstrGC + pCpu->opsize;
1711 Log(("Inhibit irqs for instruction OP_STI at %RRv\n", pCurInstrGC));
1712 }
1713 rc = patmPatchGenSti(pVM, pPatch, pCurInstrGC, pNextInstrGC);
1714
1715 if (RT_SUCCESS(rc))
1716 {
1717 DISCPUSTATE cpu = *pCpu;
1718 unsigned opsize;
1719 int disret;
1720 RCPTRTYPE(uint8_t *) pNextInstrGC, pReturnInstrGC;
1721 R3PTRTYPE(uint8_t *) pNextInstrHC;
1722
1723 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1724
1725 pNextInstrGC = pCurInstrGC + pCpu->opsize;
1726 pNextInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pNextInstrGC);
1727 if (pNextInstrHC == NULL)
1728 {
1729 AssertFailed();
1730 return VERR_PATCHING_REFUSED;
1731 }
1732
1733 // Disassemble the next instruction
1734 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pNextInstrGC, pNextInstrHC, &opsize, NULL);
1735 if (disret == false)
1736 {
1737 AssertMsgFailed(("STI: Disassembly failed (probably page not present) -> return to caller\n"));
1738 return VERR_PATCHING_REFUSED;
1739 }
1740 pReturnInstrGC = pNextInstrGC + opsize;
1741
1742 if ( (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1743 || pReturnInstrGC <= pInstrGC
1744 || pReturnInstrGC - pInstrGC >= SIZEOF_NEARJUMP32
1745 )
1746 {
1747 /* Not an exit point for function duplication patches */
1748 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
1749 && RT_SUCCESS(rc))
1750 {
1751 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST; /* Don't generate a jump back */
1752 rc = VWRN_CONTINUE_RECOMPILE;
1753 }
1754 else
1755 rc = VINF_SUCCESS; //exit point
1756 }
1757 else {
1758 Log(("PATM: sti occurred too soon; refusing patch!\n"));
1759 rc = VERR_PATCHING_REFUSED; //not allowed!!
1760 }
1761 }
1762 break;
1763 }
1764
1765 case OP_POPF:
1766 {
1767 bool fGenerateJmpBack = (pCurInstrGC + pCpu->opsize - pInstrGC >= SIZEOF_NEARJUMP32);
1768
1769 /* Not an exit point for IDT handler or function replacement patches */
1770 /* Note: keep IOPL in mind when changing any of this!! (see comments in PATMA.asm, PATMPopf32Replacement) */
1771 if (pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_DUPLICATE_FUNCTION))
1772 fGenerateJmpBack = false;
1773
1774 rc = patmPatchGenPopf(pVM, pPatch, pCurInstrGC + pCpu->opsize, !!(pCpu->prefix & PREFIX_OPSIZE), fGenerateJmpBack);
1775 if (RT_SUCCESS(rc))
1776 {
1777 if (fGenerateJmpBack == false)
1778 {
1779 /* Not an exit point for IDT handler or function replacement patches */
1780 rc = VWRN_CONTINUE_RECOMPILE;
1781 }
1782 else
1783 {
1784 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1785 rc = VINF_SUCCESS; /* exit point! */
1786 }
1787 }
1788 break;
1789 }
1790
1791 case OP_PUSHF:
1792 rc = patmPatchGenPushf(pVM, pPatch, !!(pCpu->prefix & PREFIX_OPSIZE));
1793 if (RT_SUCCESS(rc))
1794 rc = VWRN_CONTINUE_RECOMPILE;
1795 break;
1796
1797 case OP_PUSH:
1798 if (pCpu->pCurInstr->param1 == OP_PARM_REG_CS)
1799 {
1800 rc = patmPatchGenPushCS(pVM, pPatch);
1801 if (RT_SUCCESS(rc))
1802 rc = VWRN_CONTINUE_RECOMPILE;
1803 break;
1804 }
1805 goto duplicate_instr;
1806
1807 case OP_IRET:
1808 Log(("IRET at %RRv\n", pCurInstrGC));
1809 rc = patmPatchGenIret(pVM, pPatch, pCurInstrGC, !!(pCpu->prefix & PREFIX_OPSIZE));
1810 if (RT_SUCCESS(rc))
1811 {
1812 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1813 rc = VINF_SUCCESS; /* exit point by definition */
1814 }
1815 break;
1816
1817 case OP_ILLUD2:
1818 /* This appears to be some kind of kernel panic in Linux 2.4; no point to continue */
1819 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1820 if (RT_SUCCESS(rc))
1821 rc = VINF_SUCCESS; /* exit point by definition */
1822 Log(("Illegal opcode (0xf 0xb)\n"));
1823 break;
1824
1825 case OP_CPUID:
1826 rc = patmPatchGenCpuid(pVM, pPatch, pCurInstrGC);
1827 if (RT_SUCCESS(rc))
1828 rc = VWRN_CONTINUE_RECOMPILE;
1829 break;
1830
1831 case OP_STR:
1832 case OP_SLDT:
1833 rc = patmPatchGenSldtStr(pVM, pPatch, pCpu, pCurInstrGC);
1834 if (RT_SUCCESS(rc))
1835 rc = VWRN_CONTINUE_RECOMPILE;
1836 break;
1837
1838 case OP_SGDT:
1839 case OP_SIDT:
1840 rc = patmPatchGenSxDT(pVM, pPatch, pCpu, pCurInstrGC);
1841 if (RT_SUCCESS(rc))
1842 rc = VWRN_CONTINUE_RECOMPILE;
1843 break;
1844
1845 case OP_RETN:
1846 /* retn is an exit point for function patches */
1847 rc = patmPatchGenRet(pVM, pPatch, pCpu, pCurInstrGC);
1848 if (RT_SUCCESS(rc))
1849 rc = VINF_SUCCESS; /* exit point by definition */
1850 break;
1851
1852 case OP_SYSEXIT:
1853 /* Duplicate it, so it can be emulated in GC (or fault). */
1854 rc = patmPatchGenDuplicate(pVM, pPatch, pCpu, pCurInstrGC);
1855 if (RT_SUCCESS(rc))
1856 rc = VINF_SUCCESS; /* exit point by definition */
1857 break;
1858
1859 case OP_CALL:
1860 Assert(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS);
1861 /* In interrupt gate handlers it's possible to encounter jumps or calls when IF has been enabled again.
1862 * In that case we'll jump to the original instruction and continue from there. Otherwise an int 3 is executed.
1863 */
1864 Assert(pCpu->param1.size == 4 || pCpu->param1.size == 6);
1865 if (pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS && pCpu->param1.size == 4 /* no far calls! */)
1866 {
1867 rc = patmPatchGenCall(pVM, pPatch, pCpu, pCurInstrGC, (RTRCPTR)0xDEADBEEF, true);
1868 if (RT_SUCCESS(rc))
1869 {
1870 rc = VWRN_CONTINUE_RECOMPILE;
1871 }
1872 break;
1873 }
1874 goto gen_illegal_instr;
1875
1876 case OP_JMP:
1877 Assert(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS);
1878 /* In interrupt gate handlers it's possible to encounter jumps or calls when IF has been enabled again.
1879 * In that case we'll jump to the original instruction and continue from there. Otherwise an int 3 is executed.
1880 */
1881 Assert(pCpu->param1.size == 4 || pCpu->param1.size == 6);
1882 if (pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS && pCpu->param1.size == 4 /* no far jumps! */)
1883 {
1884 rc = patmPatchGenJump(pVM, pPatch, pCpu, pCurInstrGC);
1885 if (RT_SUCCESS(rc))
1886 rc = VINF_SUCCESS; /* end of branch */
1887 break;
1888 }
1889 goto gen_illegal_instr;
1890
1891 case OP_INT3:
1892 case OP_INT:
1893 case OP_INTO:
1894 goto gen_illegal_instr;
1895
1896 case OP_MOV_DR:
1897 /** @note: currently we let DRx writes cause a trap d; our trap handler will decide to interpret it or not. */
1898 if (pCpu->pCurInstr->param2 == OP_PARM_Dd)
1899 {
1900 rc = patmPatchGenMovDebug(pVM, pPatch, pCpu);
1901 if (RT_SUCCESS(rc))
1902 rc = VWRN_CONTINUE_RECOMPILE;
1903 break;
1904 }
1905 goto duplicate_instr;
1906
1907 case OP_MOV_CR:
1908 /** @note: currently we let CRx writes cause a trap d; our trap handler will decide to interpret it or not. */
1909 if (pCpu->pCurInstr->param2 == OP_PARM_Cd)
1910 {
1911 rc = patmPatchGenMovControl(pVM, pPatch, pCpu);
1912 if (RT_SUCCESS(rc))
1913 rc = VWRN_CONTINUE_RECOMPILE;
1914 break;
1915 }
1916 goto duplicate_instr;
1917
1918 default:
1919 if (pCpu->pCurInstr->optype & (OPTYPE_CONTROLFLOW | OPTYPE_PRIVILEGED_NOTRAP))
1920 {
1921gen_illegal_instr:
1922 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1923 if (RT_SUCCESS(rc))
1924 rc = VINF_SUCCESS; /* exit point by definition */
1925 }
1926 else
1927 {
1928duplicate_instr:
1929 Log(("patmPatchGenDuplicate\n"));
1930 rc = patmPatchGenDuplicate(pVM, pPatch, pCpu, pCurInstrGC);
1931 if (RT_SUCCESS(rc))
1932 rc = VWRN_CONTINUE_RECOMPILE;
1933 }
1934 break;
1935 }
1936
1937end:
1938
1939 if ( !fInhibitIRQInstr
1940 && (pPatch->flags & PATMFL_INHIBIT_IRQS))
1941 {
1942 int rc2;
1943 RTRCPTR pNextInstrGC = pCurInstrGC + pCpu->opsize;
1944
1945 pPatch->flags &= ~PATMFL_INHIBIT_IRQS;
1946 Log(("Clear inhibit IRQ flag at %RRv\n", pCurInstrGC));
1947 if (pPatch->flags & PATMFL_GENERATE_JUMPTOGUEST)
1948 {
1949 Log(("patmRecompileCallback: generate jump back to guest (%RRv) after fused instruction\n", pNextInstrGC));
1950
1951 rc2 = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC, true /* clear inhibit irq flag */);
1952 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST;
1953 rc = VINF_SUCCESS; /* end of the line */
1954 }
1955 else
1956 {
1957 rc2 = patmPatchGenClearInhibitIRQ(pVM, pPatch, pNextInstrGC);
1958 }
1959 if (RT_FAILURE(rc2))
1960 rc = rc2;
1961 }
1962
1963 if (RT_SUCCESS(rc))
1964 {
1965 // If single instruction patch, we've copied enough instructions *and* the current instruction is not a relative jump
1966 if ( (pPatch->flags & PATMFL_CHECK_SIZE)
1967 && pCurInstrGC + pCpu->opsize - pInstrGC >= SIZEOF_NEARJUMP32
1968 && !(pCpu->pCurInstr->optype & OPTYPE_RELATIVE_CONTROLFLOW)
1969 && !(pPatch->flags & PATMFL_RECOMPILE_NEXT) /* do not do this when the next instruction *must* be executed! */
1970 )
1971 {
1972 RTRCPTR pNextInstrGC = pCurInstrGC + pCpu->opsize;
1973
1974 // The end marker for this kind of patch is any instruction at a location outside our patch jump
1975 Log(("patmRecompileCallback: end found for single instruction patch at %RRv opsize %d\n", pNextInstrGC, pCpu->opsize));
1976
1977 rc = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC);
1978 AssertRC(rc);
1979 }
1980 }
1981 return rc;
1982}
1983
1984
1985#ifdef LOG_ENABLED
1986
1987/* Add a disasm jump record (temporary for prevent duplicate analysis)
1988 *
1989 * @param pVM The VM to operate on.
1990 * @param pPatch Patch structure ptr
1991 * @param pInstrGC Guest context pointer to privileged instruction
1992 *
1993 */
1994static void patmPatchAddDisasmJump(PVM pVM, PPATCHINFO pPatch, RTRCPTR pInstrGC)
1995{
1996 PAVLPVNODECORE pRec;
1997
1998 pRec = (PAVLPVNODECORE)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
1999 Assert(pRec);
2000 pRec->Key = (AVLPVKEY)pInstrGC;
2001
2002 int ret = RTAvlPVInsert(&pPatch->pTempInfo->DisasmJumpTree, pRec);
2003 Assert(ret);
2004}
2005
2006/**
2007 * Checks if jump target has been analysed before.
2008 *
2009 * @returns VBox status code.
2010 * @param pPatch Patch struct
2011 * @param pInstrGC Jump target
2012 *
2013 */
2014static bool patmIsKnownDisasmJump(PPATCHINFO pPatch, RTRCPTR pInstrGC)
2015{
2016 PAVLPVNODECORE pRec;
2017
2018 pRec = RTAvlPVGet(&pPatch->pTempInfo->DisasmJumpTree, (AVLPVKEY)pInstrGC);
2019 if (pRec)
2020 return true;
2021 return false;
2022}
2023
2024/**
2025 * For proper disassembly of the final patch block
2026 *
2027 * @returns VBox status code.
2028 * @param pVM The VM to operate on.
2029 * @param pCpu CPU disassembly state
2030 * @param pInstrGC Guest context pointer to privileged instruction
2031 * @param pCurInstrGC Guest context pointer to the current instruction
2032 * @param pUserData User pointer (callback specific)
2033 *
2034 */
2035int patmr3DisasmCallback(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
2036{
2037 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2038
2039 if (pCpu->pCurInstr->opcode == OP_INT3)
2040 {
2041 /* Could be an int3 inserted in a call patch. Check to be sure */
2042 DISCPUSTATE cpu;
2043 uint8_t *pOrgJumpHC;
2044 RTRCPTR pOrgJumpGC;
2045 uint32_t dummy;
2046
2047 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2048 pOrgJumpGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pCurInstrGC);
2049 pOrgJumpHC = PATMGCVirtToHCVirt(pVM, pPatch, pOrgJumpGC);
2050
2051 bool disret = PATMR3DISInstr(pVM, pPatch, &cpu, pOrgJumpGC, pOrgJumpHC, &dummy, NULL);
2052 if (!disret || cpu.pCurInstr->opcode != OP_CALL || cpu.param1.size != 4 /* only near calls */)
2053 return VINF_SUCCESS;
2054
2055 return VWRN_CONTINUE_ANALYSIS;
2056 }
2057
2058 if ( pCpu->pCurInstr->opcode == OP_ILLUD2
2059 && PATMIsPatchGCAddr(pVM, pCurInstrGC))
2060 {
2061 /* the indirect call patch contains an 0xF/0xB illegal instr to call for assistance; check for this and continue */
2062 return VWRN_CONTINUE_ANALYSIS;
2063 }
2064
2065 if ( (pCpu->pCurInstr->opcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
2066 || pCpu->pCurInstr->opcode == OP_INT
2067 || pCpu->pCurInstr->opcode == OP_IRET
2068 || pCpu->pCurInstr->opcode == OP_RETN
2069 || pCpu->pCurInstr->opcode == OP_RETF
2070 )
2071 {
2072 return VINF_SUCCESS;
2073 }
2074
2075 if (pCpu->pCurInstr->opcode == OP_ILLUD2)
2076 return VINF_SUCCESS;
2077
2078 return VWRN_CONTINUE_ANALYSIS;
2079}
2080
2081
2082/**
2083 * Disassembles the code stream until the callback function detects a failure or decides everything is acceptable
2084 *
2085 * @returns VBox status code.
2086 * @param pVM The VM to operate on.
2087 * @param pInstrGC Guest context pointer to the initial privileged instruction
2088 * @param pCurInstrGC Guest context pointer to the current instruction
2089 * @param pfnPATMR3Disasm Callback for testing the disassembled instruction
2090 * @param pUserData User pointer (callback specific)
2091 *
2092 */
2093int patmr3DisasmCode(PVM pVM, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Disasm, void *pUserData)
2094{
2095 DISCPUSTATE cpu;
2096 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2097 int rc = VWRN_CONTINUE_ANALYSIS;
2098 uint32_t opsize, delta;
2099 R3PTRTYPE(uint8_t *) pCurInstrHC = 0;
2100 bool disret;
2101 char szOutput[256];
2102
2103 Assert(pCurInstrHC != PATCHCODE_PTR_HC(pPatch) || pPatch->pTempInfo->DisasmJumpTree == 0);
2104
2105 /* We need this to determine branch targets (and for disassembling). */
2106 delta = pVM->patm.s.pPatchMemGC - (uintptr_t)pVM->patm.s.pPatchMemHC;
2107
2108 while(rc == VWRN_CONTINUE_ANALYSIS)
2109 {
2110 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2111
2112 pCurInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pCurInstrGC);
2113 if (pCurInstrHC == NULL)
2114 {
2115 rc = VERR_PATCHING_REFUSED;
2116 goto end;
2117 }
2118
2119 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pCurInstrGC, pCurInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
2120 if (PATMIsPatchGCAddr(pVM, pCurInstrGC))
2121 {
2122 RTRCPTR pOrgInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pCurInstrGC);
2123
2124 if (pOrgInstrGC != pPatch->pTempInfo->pLastDisasmInstrGC)
2125 Log(("DIS %RRv<-%s", pOrgInstrGC, szOutput));
2126 else
2127 Log(("DIS %s", szOutput));
2128
2129 pPatch->pTempInfo->pLastDisasmInstrGC = pOrgInstrGC;
2130 if (patmIsIllegalInstr(pPatch, pOrgInstrGC))
2131 {
2132 rc = VINF_SUCCESS;
2133 goto end;
2134 }
2135 }
2136 else
2137 Log(("DIS: %s", szOutput));
2138
2139 if (disret == false)
2140 {
2141 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
2142 rc = VINF_SUCCESS;
2143 goto end;
2144 }
2145
2146 rc = pfnPATMR3Disasm(pVM, &cpu, pInstrGC, pCurInstrGC, pUserData);
2147 if (rc != VWRN_CONTINUE_ANALYSIS) {
2148 break; //done!
2149 }
2150
2151 /* For our first attempt, we'll handle only simple relative jumps and calls (immediate offset coded in instruction) */
2152 if ( (cpu.pCurInstr->optype & OPTYPE_CONTROLFLOW)
2153 && (OP_PARM_VTYPE(cpu.pCurInstr->param1) == OP_PARM_J)
2154 && cpu.pCurInstr->opcode != OP_CALL /* complete functions are replaced; don't bother here. */
2155 )
2156 {
2157 RTRCPTR pTargetGC = PATMResolveBranch(&cpu, pCurInstrGC);
2158 RTRCPTR pOrgTargetGC;
2159
2160 if (pTargetGC == 0)
2161 {
2162 Log(("We don't support far jumps here!! (%08X)\n", cpu.param1.flags));
2163 rc = VERR_PATCHING_REFUSED;
2164 break;
2165 }
2166
2167 if (!PATMIsPatchGCAddr(pVM, pTargetGC))
2168 {
2169 //jump back to guest code
2170 rc = VINF_SUCCESS;
2171 goto end;
2172 }
2173 pOrgTargetGC = PATMR3PatchToGCPtr(pVM, pTargetGC, 0);
2174
2175 if (patmIsCommonIDTHandlerPatch(pVM, pOrgTargetGC))
2176 {
2177 rc = VINF_SUCCESS;
2178 goto end;
2179 }
2180
2181 if (patmIsKnownDisasmJump(pPatch, pTargetGC) == false)
2182 {
2183 /* New jump, let's check it. */
2184 patmPatchAddDisasmJump(pVM, pPatch, pTargetGC);
2185
2186 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls++;
2187 rc = patmr3DisasmCode(pVM, pInstrGC, pTargetGC, pfnPATMR3Disasm, pUserData);
2188 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls--;
2189
2190 if (rc != VINF_SUCCESS) {
2191 break; //done!
2192 }
2193 }
2194 if (cpu.pCurInstr->opcode == OP_JMP)
2195 {
2196 /* Unconditional jump; return to caller. */
2197 rc = VINF_SUCCESS;
2198 goto end;
2199 }
2200
2201 rc = VWRN_CONTINUE_ANALYSIS;
2202 }
2203 pCurInstrGC += opsize;
2204 }
2205end:
2206 return rc;
2207}
2208
2209/**
2210 * Disassembles the code stream until the callback function detects a failure or decides everything is acceptable
2211 *
2212 * @returns VBox status code.
2213 * @param pVM The VM to operate on.
2214 * @param pInstrGC Guest context pointer to the initial privileged instruction
2215 * @param pCurInstrGC Guest context pointer to the current instruction
2216 * @param pfnPATMR3Disasm Callback for testing the disassembled instruction
2217 * @param pUserData User pointer (callback specific)
2218 *
2219 */
2220int patmr3DisasmCodeStream(PVM pVM, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Disasm, void *pUserData)
2221{
2222 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2223
2224 int rc = patmr3DisasmCode(pVM, pInstrGC, pCurInstrGC, pfnPATMR3Disasm, pUserData);
2225 /* Free all disasm jump records. */
2226 patmEmptyTree(pVM, &pPatch->pTempInfo->DisasmJumpTree);
2227 return rc;
2228}
2229
2230#endif /* LOG_ENABLED */
2231
2232/**
2233 * Detects it the specified address falls within a 5 byte jump generated for an active patch.
2234 * If so, this patch is permanently disabled.
2235 *
2236 * @param pVM The VM to operate on.
2237 * @param pInstrGC Guest context pointer to instruction
2238 * @param pConflictGC Guest context pointer to check
2239 *
2240 * @note also checks for patch hints to make sure they can never be enabled if a conflict is present.
2241 *
2242 */
2243VMMR3DECL(int) PATMR3DetectConflict(PVM pVM, RTRCPTR pInstrGC, RTRCPTR pConflictGC)
2244{
2245 PPATCHINFO pTargetPatch = PATMFindActivePatchByEntrypoint(pVM, pConflictGC, true /* include patch hints */);
2246 if (pTargetPatch)
2247 {
2248 return patmDisableUnusablePatch(pVM, pInstrGC, pConflictGC, pTargetPatch);
2249 }
2250 return VERR_PATCH_NO_CONFLICT;
2251}
2252
2253/**
2254 * Recompile the code stream until the callback function detects a failure or decides everything is acceptable
2255 *
2256 * @returns VBox status code.
2257 * @param pVM The VM to operate on.
2258 * @param pInstrGC Guest context pointer to privileged instruction
2259 * @param pCurInstrGC Guest context pointer to the current instruction
2260 * @param pfnPATMR3Recompile Callback for testing the disassembled instruction
2261 * @param pUserData User pointer (callback specific)
2262 *
2263 */
2264static int patmRecompileCodeStream(PVM pVM, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Recompile, void *pUserData)
2265{
2266 DISCPUSTATE cpu;
2267 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2268 int rc = VWRN_CONTINUE_ANALYSIS;
2269 uint32_t opsize;
2270 R3PTRTYPE(uint8_t *) pCurInstrHC = 0;
2271 bool disret;
2272#ifdef LOG_ENABLED
2273 char szOutput[256];
2274#endif
2275
2276 while (rc == VWRN_CONTINUE_RECOMPILE)
2277 {
2278 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2279
2280 ////Log(("patmRecompileCodeStream %RRv %RRv\n", pInstrGC, pCurInstrGC));
2281
2282 pCurInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pCurInstrGC);
2283 if (pCurInstrHC == NULL)
2284 {
2285 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2286 goto end;
2287 }
2288#ifdef LOG_ENABLED
2289 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pCurInstrGC, pCurInstrHC, &opsize, szOutput);
2290 Log(("Recompile: %s", szOutput));
2291#else
2292 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pCurInstrGC, pCurInstrHC, &opsize, NULL);
2293#endif
2294 if (disret == false)
2295 {
2296 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
2297
2298 /* Add lookup record for patch to guest address translation */
2299 patmr3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
2300 patmPatchGenIllegalInstr(pVM, pPatch);
2301 rc = VINF_SUCCESS; /* Note: don't fail here; we might refuse an important patch!! */
2302 goto end;
2303 }
2304
2305 rc = pfnPATMR3Recompile(pVM, &cpu, pInstrGC, pCurInstrGC, pUserData);
2306 if (rc != VWRN_CONTINUE_RECOMPILE)
2307 {
2308 /* If irqs are inhibited because of the current instruction, then we must make sure the next one is executed! */
2309 if ( rc == VINF_SUCCESS
2310 && (pPatch->flags & PATMFL_INHIBIT_IRQS))
2311 {
2312 DISCPUSTATE cpunext;
2313 uint32_t opsizenext;
2314 uint8_t *pNextInstrHC;
2315 RTRCPTR pNextInstrGC = pCurInstrGC + opsize;
2316
2317 Log(("patmRecompileCodeStream: irqs inhibited by instruction %RRv\n", pNextInstrGC));
2318
2319 /* Certain instructions (e.g. sti) force the next instruction to be executed before any interrupts can occur.
2320 * Recompile the next instruction as well
2321 */
2322 pNextInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pNextInstrGC);
2323 if (pNextInstrHC == NULL)
2324 {
2325 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2326 goto end;
2327 }
2328 cpunext.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2329 disret = PATMR3DISInstr(pVM, pPatch, &cpunext, pNextInstrGC, pNextInstrHC, &opsizenext, NULL);
2330 if (disret == false)
2331 {
2332 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2333 goto end;
2334 }
2335 switch(cpunext.pCurInstr->opcode)
2336 {
2337 case OP_IRET: /* inhibit cleared in generated code */
2338 case OP_SYSEXIT: /* faults; inhibit should be cleared in HC handling */
2339 case OP_HLT:
2340 break; /* recompile these */
2341
2342 default:
2343 if (cpunext.pCurInstr->optype & OPTYPE_CONTROLFLOW)
2344 {
2345 Log(("Unexpected control flow instruction after inhibit irq instruction\n"));
2346
2347 rc = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC, true /* clear inhibit irq flag */);
2348 AssertRC(rc);
2349 pPatch->flags &= ~PATMFL_INHIBIT_IRQS;
2350 goto end; /** @todo should be ok to ignore instruction fusing in this case */
2351 }
2352 break;
2353 }
2354
2355 /** @note after a cli we must continue to a proper exit point */
2356 if (cpunext.pCurInstr->opcode != OP_CLI)
2357 {
2358 rc = pfnPATMR3Recompile(pVM, &cpunext, pInstrGC, pNextInstrGC, pUserData);
2359 if (RT_SUCCESS(rc))
2360 {
2361 rc = VINF_SUCCESS;
2362 goto end;
2363 }
2364 break;
2365 }
2366 else
2367 rc = VWRN_CONTINUE_RECOMPILE;
2368 }
2369 else
2370 break; /* done! */
2371 }
2372
2373 /** @todo continue with the instructions following the jump and then recompile the jump target code */
2374
2375
2376 /* For our first attempt, we'll handle only simple relative jumps and calls (immediate offset coded in instruction). */
2377 if ( (cpu.pCurInstr->optype & OPTYPE_CONTROLFLOW)
2378 && (OP_PARM_VTYPE(cpu.pCurInstr->param1) == OP_PARM_J)
2379 && cpu.pCurInstr->opcode != OP_CALL /* complete functions are replaced; don't bother here. */
2380 )
2381 {
2382 RCPTRTYPE(uint8_t *) addr = PATMResolveBranch(&cpu, pCurInstrGC);
2383 if (addr == 0)
2384 {
2385 Log(("We don't support far jumps here!! (%08X)\n", cpu.param1.flags));
2386 rc = VERR_PATCHING_REFUSED;
2387 break;
2388 }
2389
2390 Log(("Jump encountered target %RRv\n", addr));
2391
2392 /* We don't check if the branch target lies in a valid page as we've already done that in the analysis phase. */
2393 if (!(cpu.pCurInstr->optype & OPTYPE_UNCOND_CONTROLFLOW))
2394 {
2395 Log(("patmRecompileCodeStream continue passed conditional jump\n"));
2396 /* First we need to finish this linear code stream until the next exit point. */
2397 rc = patmRecompileCodeStream(pVM, pInstrGC, pCurInstrGC+opsize, pfnPATMR3Recompile, pUserData);
2398 if (RT_FAILURE(rc))
2399 {
2400 Log(("patmRecompileCodeStream fatal error %d\n", rc));
2401 break; //fatal error
2402 }
2403 }
2404
2405 if (patmGuestGCPtrToPatchGCPtr(pVM, pPatch, addr) == 0)
2406 {
2407 /* New code; let's recompile it. */
2408 Log(("patmRecompileCodeStream continue with jump\n"));
2409
2410 /*
2411 * If we are jumping to an existing patch (or within 5 bytes of the entrypoint), then we must temporarily disable
2412 * this patch so we can continue our analysis
2413 *
2414 * We rely on CSAM to detect and resolve conflicts
2415 */
2416 PPATCHINFO pTargetPatch = PATMFindActivePatchByEntrypoint(pVM, addr);
2417 if(pTargetPatch)
2418 {
2419 Log(("Found active patch at target %RRv (%RRv) -> temporarily disabling it!!\n", addr, pTargetPatch->pPrivInstrGC));
2420 PATMR3DisablePatch(pVM, pTargetPatch->pPrivInstrGC);
2421 }
2422
2423 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls++;
2424 rc = patmRecompileCodeStream(pVM, pInstrGC, addr, pfnPATMR3Recompile, pUserData);
2425 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls--;
2426
2427 if(pTargetPatch)
2428 {
2429 PATMR3EnablePatch(pVM, pTargetPatch->pPrivInstrGC);
2430 }
2431
2432 if (RT_FAILURE(rc))
2433 {
2434 Log(("patmRecompileCodeStream fatal error %d\n", rc));
2435 break; //done!
2436 }
2437 }
2438 /* Always return to caller here; we're done! */
2439 rc = VINF_SUCCESS;
2440 goto end;
2441 }
2442 else
2443 if (cpu.pCurInstr->optype & OPTYPE_UNCOND_CONTROLFLOW)
2444 {
2445 rc = VINF_SUCCESS;
2446 goto end;
2447 }
2448 pCurInstrGC += opsize;
2449 }
2450end:
2451 Assert(!(pPatch->flags & PATMFL_RECOMPILE_NEXT));
2452 return rc;
2453}
2454
2455
2456/**
2457 * Generate the jump from guest to patch code
2458 *
2459 * @returns VBox status code.
2460 * @param pVM The VM to operate on.
2461 * @param pPatch Patch record
2462 */
2463static int patmGenJumpToPatch(PVM pVM, PPATCHINFO pPatch, bool fAddFixup = true)
2464{
2465 uint8_t temp[8];
2466 uint8_t *pPB;
2467 int rc;
2468
2469 Assert(pPatch->cbPatchJump <= sizeof(temp));
2470 Assert(!(pPatch->flags & PATMFL_PATCHED_GUEST_CODE));
2471
2472 pPB = pPatch->pPrivInstrHC;
2473
2474#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
2475 if (pPatch->flags & PATMFL_JUMP_CONFLICT)
2476 {
2477 Assert(pPatch->pPatchJumpDestGC);
2478
2479 if (pPatch->cbPatchJump == SIZEOF_NEARJUMP32)
2480 {
2481 // jmp [PatchCode]
2482 if (fAddFixup)
2483 {
2484 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + pPatch->cbPatchJump, pPatch->pPatchJumpDestGC) != VINF_SUCCESS)
2485 {
2486 Log(("Relocation failed for the jump in the guest code!!\n"));
2487 return VERR_PATCHING_REFUSED;
2488 }
2489 }
2490
2491 temp[0] = pPatch->aPrivInstr[0]; //jump opcode copied from original instruction
2492 *(uint32_t *)&temp[1] = (uint32_t)pPatch->pPatchJumpDestGC - ((uint32_t)pPatch->pPrivInstrGC + pPatch->cbPatchJump); //return address
2493 }
2494 else
2495 if (pPatch->cbPatchJump == SIZEOF_NEAR_COND_JUMP32)
2496 {
2497 // jmp [PatchCode]
2498 if (fAddFixup)
2499 {
2500 if (patmPatchAddReloc32(pVM, pPatch, &pPB[2], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + pPatch->cbPatchJump, pPatch->pPatchJumpDestGC) != VINF_SUCCESS)
2501 {
2502 Log(("Relocation failed for the jump in the guest code!!\n"));
2503 return VERR_PATCHING_REFUSED;
2504 }
2505 }
2506
2507 temp[0] = pPatch->aPrivInstr[0]; //jump opcode copied from original instruction
2508 temp[1] = pPatch->aPrivInstr[1]; //jump opcode copied from original instruction
2509 *(uint32_t *)&temp[2] = (uint32_t)pPatch->pPatchJumpDestGC - ((uint32_t)pPatch->pPrivInstrGC + pPatch->cbPatchJump); //return address
2510 }
2511 else
2512 {
2513 Assert(0);
2514 return VERR_PATCHING_REFUSED;
2515 }
2516 }
2517 else
2518#endif
2519 {
2520 Assert(pPatch->cbPatchJump == SIZEOF_NEARJUMP32);
2521
2522 // jmp [PatchCode]
2523 if (fAddFixup)
2524 {
2525 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32, PATCHCODE_PTR_GC(pPatch)) != VINF_SUCCESS)
2526 {
2527 Log(("Relocation failed for the jump in the guest code!!\n"));
2528 return VERR_PATCHING_REFUSED;
2529 }
2530 }
2531 temp[0] = 0xE9; //jmp
2532 *(uint32_t *)&temp[1] = (RTRCUINTPTR)PATCHCODE_PTR_GC(pPatch) - ((RTRCUINTPTR)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32); //return address
2533 }
2534 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, temp, pPatch->cbPatchJump);
2535 AssertRC(rc);
2536
2537 if (rc == VINF_SUCCESS)
2538 pPatch->flags |= PATMFL_PATCHED_GUEST_CODE;
2539
2540 return rc;
2541}
2542
2543/**
2544 * Remove the jump from guest to patch code
2545 *
2546 * @returns VBox status code.
2547 * @param pVM The VM to operate on.
2548 * @param pPatch Patch record
2549 */
2550static int patmRemoveJumpToPatch(PVM pVM, PPATCHINFO pPatch)
2551{
2552#ifdef DEBUG
2553 DISCPUSTATE cpu;
2554 char szOutput[256];
2555 uint32_t opsize, i = 0;
2556 bool disret;
2557
2558 while(i < pPatch->cbPrivInstr)
2559 {
2560 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2561 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC + i, &pPatch->pPrivInstrHC[i], &opsize, szOutput);
2562 if (disret == false)
2563 break;
2564
2565 Log(("Org patch jump: %s", szOutput));
2566 Assert(opsize);
2567 i += opsize;
2568 }
2569#endif
2570
2571 /* Restore original code (privileged instruction + following instructions that were overwritten because of the 5/6 byte jmp). */
2572 int rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, pPatch->aPrivInstr, pPatch->cbPatchJump);
2573#ifdef DEBUG
2574 if (rc == VINF_SUCCESS)
2575 {
2576 DISCPUSTATE cpu;
2577 char szOutput[256];
2578 uint32_t opsize, i = 0;
2579 bool disret;
2580
2581 while(i < pPatch->cbPrivInstr)
2582 {
2583 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2584 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC + i, &pPatch->pPrivInstrHC[i], &opsize, szOutput);
2585 if (disret == false)
2586 break;
2587
2588 Log(("Org instr: %s", szOutput));
2589 Assert(opsize);
2590 i += opsize;
2591 }
2592 }
2593#endif
2594 pPatch->flags &= ~PATMFL_PATCHED_GUEST_CODE;
2595 return rc;
2596}
2597
2598/**
2599 * Generate the call from guest to patch code
2600 *
2601 * @returns VBox status code.
2602 * @param pVM The VM to operate on.
2603 * @param pPatch Patch record
2604 */
2605static int patmGenCallToPatch(PVM pVM, PPATCHINFO pPatch, RTRCPTR pTargetGC, bool fAddFixup = true)
2606{
2607 uint8_t temp[8];
2608 uint8_t *pPB;
2609 int rc;
2610
2611 Assert(pPatch->cbPatchJump <= sizeof(temp));
2612
2613 pPB = pPatch->pPrivInstrHC;
2614
2615 Assert(pPatch->cbPatchJump == SIZEOF_NEARJUMP32);
2616
2617 // jmp [PatchCode]
2618 if (fAddFixup)
2619 {
2620 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32, pTargetGC) != VINF_SUCCESS)
2621 {
2622 Log(("Relocation failed for the jump in the guest code!!\n"));
2623 return VERR_PATCHING_REFUSED;
2624 }
2625 }
2626
2627 Assert(pPatch->aPrivInstr[0] == 0xE8 || pPatch->aPrivInstr[0] == 0xE9); /* call or jmp */
2628 temp[0] = pPatch->aPrivInstr[0];
2629 *(uint32_t *)&temp[1] = (uint32_t)pTargetGC - ((uint32_t)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32); //return address
2630
2631 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, temp, pPatch->cbPatchJump);
2632 AssertRC(rc);
2633
2634 return rc;
2635}
2636
2637
2638/**
2639 * Patch cli/sti pushf/popf instruction block at specified location
2640 *
2641 * @returns VBox status code.
2642 * @param pVM The VM to operate on.
2643 * @param pInstrGC Guest context point to privileged instruction
2644 * @param pInstrHC Host context point to privileged instruction
2645 * @param uOpcode Instruction opcode
2646 * @param uOpSize Size of starting instruction
2647 * @param pPatchRec Patch record
2648 *
2649 * @note returns failure if patching is not allowed or possible
2650 *
2651 */
2652VMMR3DECL(int) PATMR3PatchBlock(PVM pVM, RTRCPTR pInstrGC, R3PTRTYPE(uint8_t *) pInstrHC,
2653 uint32_t uOpcode, uint32_t uOpSize, PPATMPATCHREC pPatchRec)
2654{
2655 PPATCHINFO pPatch = &pPatchRec->patch;
2656 int rc = VERR_PATCHING_REFUSED;
2657 DISCPUSTATE cpu;
2658 uint32_t orgOffsetPatchMem = ~0;
2659 RTRCPTR pInstrStart;
2660#ifdef LOG_ENABLED
2661 uint32_t opsize;
2662 char szOutput[256];
2663 bool disret;
2664#endif
2665
2666 /* Save original offset (in case of failures later on) */
2667 /** @todo use the hypervisor heap (that has quite a few consequences for save/restore though) */
2668 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
2669
2670 Assert(!(pPatch->flags & (PATMFL_GUEST_SPECIFIC|PATMFL_USER_MODE|PATMFL_TRAPHANDLER)));
2671 switch (uOpcode)
2672 {
2673 case OP_MOV:
2674 break;
2675
2676 case OP_CLI:
2677 case OP_PUSHF:
2678 /* We can 'call' a cli or pushf patch. It will either return to the original guest code when IF is set again, or fault. */
2679 /** @note special precautions are taken when disabling and enabling such patches. */
2680 pPatch->flags |= PATMFL_CALLABLE_AS_FUNCTION;
2681 break;
2682
2683 default:
2684 if (!(pPatch->flags & PATMFL_IDTHANDLER))
2685 {
2686 AssertMsg(0, ("PATMR3PatchBlock: Invalid opcode %x\n", uOpcode));
2687 return VERR_INVALID_PARAMETER;
2688 }
2689 }
2690
2691 if (!(pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER|PATMFL_INT3_REPLACEMENT_BLOCK)))
2692 pPatch->flags |= PATMFL_MUST_INSTALL_PATCHJMP;
2693
2694 /* If we're going to insert a patch jump, then the jump itself is not allowed to cross a page boundary. */
2695 if ( (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
2696 && PAGE_ADDRESS(pInstrGC) != PAGE_ADDRESS(pInstrGC + SIZEOF_NEARJUMP32)
2697 )
2698 {
2699 STAM_COUNTER_INC(&pVM->patm.s.StatPageBoundaryCrossed);
2700#ifdef DEBUG_sandervl
2701//// AssertMsgFailed(("Patch jump would cross page boundary -> refuse!!\n"));
2702#endif
2703 rc = VERR_PATCHING_REFUSED;
2704 goto failure;
2705 }
2706
2707 pPatch->nrPatch2GuestRecs = 0;
2708 pInstrStart = pInstrGC;
2709
2710#ifdef PATM_ENABLE_CALL
2711 pPatch->flags |= PATMFL_SUPPORT_CALLS | PATMFL_SUPPORT_INDIRECT_CALLS;
2712#endif
2713
2714 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
2715 pPatch->uCurPatchOffset = 0;
2716
2717 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2718
2719 if ((pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER)) == PATMFL_IDTHANDLER)
2720 {
2721 Assert(pPatch->flags & PATMFL_INTHANDLER);
2722
2723 /* Install fake cli patch (to clear the virtual IF and check int xx parameters) */
2724 rc = patmPatchGenIntEntry(pVM, pPatch, pInstrGC);
2725 if (RT_FAILURE(rc))
2726 goto failure;
2727 }
2728
2729 /***************************************************************************************************************************/
2730 /** @note We can't insert *any* code before a sysenter handler; some linux guests have an invalid stack at this point!!!!! */
2731 /***************************************************************************************************************************/
2732#ifdef VBOX_WITH_STATISTICS
2733 if (!(pPatch->flags & PATMFL_SYSENTER))
2734 {
2735 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
2736 if (RT_FAILURE(rc))
2737 goto failure;
2738 }
2739#endif
2740
2741 rc = patmRecompileCodeStream(pVM, pInstrGC, pInstrGC, patmRecompileCallback, pPatch);
2742 if (rc != VINF_SUCCESS)
2743 {
2744 Log(("PATMR3PatchCli: patmRecompileCodeStream failed with %d\n", rc));
2745 goto failure;
2746 }
2747
2748 /* Calculated during analysis. */
2749 if (pPatch->cbPatchBlockSize < SIZEOF_NEARJUMP32)
2750 {
2751 /* Most likely cause: we encountered an illegal instruction very early on. */
2752 /** @todo could turn it into an int3 callable patch. */
2753 Log(("PATMR3PatchBlock: patch block too small -> refuse\n"));
2754 rc = VERR_PATCHING_REFUSED;
2755 goto failure;
2756 }
2757
2758 /* size of patch block */
2759 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
2760
2761
2762 /* Update free pointer in patch memory. */
2763 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
2764 /* Round to next 8 byte boundary. */
2765 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
2766
2767 /*
2768 * Insert into patch to guest lookup tree
2769 */
2770 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
2771 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
2772 rc = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
2773 AssertMsg(rc, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
2774 if (!rc)
2775 {
2776 rc = VERR_PATCHING_REFUSED;
2777 goto failure;
2778 }
2779
2780 /* Note that patmr3SetBranchTargets can install additional patches!! */
2781 rc = patmr3SetBranchTargets(pVM, pPatch);
2782 if (rc != VINF_SUCCESS)
2783 {
2784 Log(("PATMR3PatchCli: patmr3SetBranchTargets failed with %d\n", rc));
2785 goto failure;
2786 }
2787
2788#ifdef LOG_ENABLED
2789 Log(("Patch code ----------------------------------------------------------\n"));
2790 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
2791 Log(("Patch code ends -----------------------------------------------------\n"));
2792#endif
2793
2794 /* make a copy of the guest code bytes that will be overwritten */
2795 pPatch->cbPatchJump = SIZEOF_NEARJUMP32;
2796
2797 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
2798 AssertRC(rc);
2799
2800 if (pPatch->flags & PATMFL_INT3_REPLACEMENT_BLOCK)
2801 {
2802 /*uint8_t ASMInt3 = 0xCC; - unused */
2803
2804 Log(("PATMR3PatchBlock %RRv -> int 3 callable patch.\n", pPatch->pPrivInstrGC));
2805 /* Replace first opcode byte with 'int 3'. */
2806 rc = patmActivateInt3Patch(pVM, pPatch);
2807 if (RT_FAILURE(rc))
2808 goto failure;
2809
2810 /* normal patch can be turned into an int3 patch -> clear patch jump installation flag. */
2811 pPatch->flags &= ~PATMFL_MUST_INSTALL_PATCHJMP;
2812
2813 pPatch->flags &= ~PATMFL_INSTR_HINT;
2814 STAM_COUNTER_INC(&pVM->patm.s.StatInt3Callable);
2815 }
2816 else
2817 if (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
2818 {
2819 Assert(!(pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER|PATMFL_INT3_REPLACEMENT_BLOCK)));
2820 /* now insert a jump in the guest code */
2821 rc = patmGenJumpToPatch(pVM, pPatch, true);
2822 AssertRC(rc);
2823 if (RT_FAILURE(rc))
2824 goto failure;
2825
2826 }
2827
2828#ifdef LOG_ENABLED
2829 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2830 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
2831 Log(("%s patch: %s", patmGetInstructionString(pPatch->opcode, pPatch->flags), szOutput));
2832#endif
2833
2834 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
2835 pPatch->pTempInfo->nrIllegalInstr = 0;
2836
2837 Log(("Successfully installed %s patch at %RRv\n", patmGetInstructionString(pPatch->opcode, pPatch->flags), pInstrGC));
2838
2839 pPatch->uState = PATCH_ENABLED;
2840 return VINF_SUCCESS;
2841
2842failure:
2843 if (pPatchRec->CoreOffset.Key)
2844 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
2845
2846 patmEmptyTree(pVM, &pPatch->FixupTree);
2847 pPatch->nrFixups = 0;
2848
2849 patmEmptyTree(pVM, &pPatch->JumpTree);
2850 pPatch->nrJumpRecs = 0;
2851
2852 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
2853 pPatch->pTempInfo->nrIllegalInstr = 0;
2854
2855 /* Turn this cli patch into a dummy. */
2856 pPatch->uState = PATCH_REFUSED;
2857 pPatch->pPatchBlockOffset = 0;
2858
2859 // Give back the patch memory we no longer need
2860 Assert(orgOffsetPatchMem != (uint32_t)~0);
2861 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
2862
2863 return rc;
2864}
2865
2866/**
2867 * Patch IDT handler
2868 *
2869 * @returns VBox status code.
2870 * @param pVM The VM to operate on.
2871 * @param pInstrGC Guest context point to privileged instruction
2872 * @param pInstrHC Host context point to privileged instruction
2873 * @param uOpSize Size of starting instruction
2874 * @param pPatchRec Patch record
2875 *
2876 * @note returns failure if patching is not allowed or possible
2877 *
2878 */
2879static int patmIdtHandler(PVM pVM, RTRCPTR pInstrGC, R3PTRTYPE(uint8_t *) pInstrHC,
2880 uint32_t uOpSize, PPATMPATCHREC pPatchRec)
2881{
2882 PPATCHINFO pPatch = &pPatchRec->patch;
2883 bool disret;
2884 DISCPUSTATE cpuPush, cpuJmp;
2885 uint32_t opsize;
2886 RTRCPTR pCurInstrGC = pInstrGC;
2887 uint8_t *pCurInstrHC = pInstrHC;
2888 uint32_t orgOffsetPatchMem = ~0;
2889
2890 /*
2891 * In Linux it's often the case that many interrupt handlers push a predefined value onto the stack
2892 * and then jump to a common entrypoint. In order not to waste a lot of memory, we will check for this
2893 * condition here and only patch the common entypoint once.
2894 */
2895 cpuPush.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2896 disret = PATMR3DISInstr(pVM, pPatch, &cpuPush, pCurInstrGC, pCurInstrHC, &opsize, NULL);
2897 Assert(disret);
2898 if (disret && cpuPush.pCurInstr->opcode == OP_PUSH)
2899 {
2900 RTRCPTR pJmpInstrGC;
2901 int rc;
2902
2903 pCurInstrGC += opsize;
2904 pCurInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pCurInstrGC);
2905
2906 cpuJmp.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2907 disret = PATMR3DISInstr(pVM, pPatch, &cpuJmp, pCurInstrGC, pCurInstrHC, &opsize, NULL);
2908 if ( disret
2909 && cpuJmp.pCurInstr->opcode == OP_JMP
2910 && (pJmpInstrGC = PATMResolveBranch(&cpuJmp, pCurInstrGC))
2911 )
2912 {
2913 PPATMPATCHREC pJmpPatch = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pJmpInstrGC);
2914 if (pJmpPatch == 0)
2915 {
2916 /* Patch it first! */
2917 rc = PATMR3InstallPatch(pVM, pJmpInstrGC, pPatch->flags | PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT);
2918 if (rc != VINF_SUCCESS)
2919 goto failure;
2920 pJmpPatch = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pJmpInstrGC);
2921 Assert(pJmpPatch);
2922 }
2923 if (pJmpPatch->patch.uState != PATCH_ENABLED)
2924 goto failure;
2925
2926 /* save original offset (in case of failures later on) */
2927 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
2928
2929 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
2930 pPatch->uCurPatchOffset = 0;
2931 pPatch->nrPatch2GuestRecs = 0;
2932
2933#ifdef VBOX_WITH_STATISTICS
2934 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
2935 if (RT_FAILURE(rc))
2936 goto failure;
2937#endif
2938
2939 /* Install fake cli patch (to clear the virtual IF) */
2940 rc = patmPatchGenIntEntry(pVM, pPatch, pInstrGC);
2941 if (RT_FAILURE(rc))
2942 goto failure;
2943
2944 /* Add lookup record for patch to guest address translation (for the push) */
2945 patmr3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pInstrGC, PATM_LOOKUP_BOTHDIR);
2946
2947 /* Duplicate push. */
2948 rc = patmPatchGenDuplicate(pVM, pPatch, &cpuPush, pInstrGC);
2949 if (RT_FAILURE(rc))
2950 goto failure;
2951
2952 /* Generate jump to common entrypoint. */
2953 rc = patmPatchGenPatchJump(pVM, pPatch, pCurInstrGC, PATCHCODE_PTR_GC(&pJmpPatch->patch));
2954 if (RT_FAILURE(rc))
2955 goto failure;
2956
2957 /* size of patch block */
2958 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
2959
2960 /* Update free pointer in patch memory. */
2961 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
2962 /* Round to next 8 byte boundary */
2963 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
2964
2965 /* There's no jump from guest to patch code. */
2966 pPatch->cbPatchJump = 0;
2967
2968
2969#ifdef LOG_ENABLED
2970 Log(("Patch code ----------------------------------------------------------\n"));
2971 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
2972 Log(("Patch code ends -----------------------------------------------------\n"));
2973#endif
2974 Log(("Successfully installed IDT handler patch at %RRv\n", pInstrGC));
2975
2976 /*
2977 * Insert into patch to guest lookup tree
2978 */
2979 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
2980 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
2981 rc = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
2982 AssertMsg(rc, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
2983
2984 pPatch->uState = PATCH_ENABLED;
2985
2986 return VINF_SUCCESS;
2987 }
2988 }
2989failure:
2990 /* Give back the patch memory we no longer need */
2991 if (orgOffsetPatchMem != (uint32_t)~0)
2992 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
2993
2994 return PATMR3PatchBlock(pVM, pInstrGC, pInstrHC, OP_CLI, uOpSize, pPatchRec);
2995}
2996
2997/**
2998 * Install a trampoline to call a guest trap handler directly
2999 *
3000 * @returns VBox status code.
3001 * @param pVM The VM to operate on.
3002 * @param pInstrGC Guest context point to privileged instruction
3003 * @param pPatchRec Patch record
3004 *
3005 */
3006static int patmInstallTrapTrampoline(PVM pVM, RTRCPTR pInstrGC, PPATMPATCHREC pPatchRec)
3007{
3008 PPATCHINFO pPatch = &pPatchRec->patch;
3009 int rc = VERR_PATCHING_REFUSED;
3010 uint32_t orgOffsetPatchMem = ~0;
3011#ifdef LOG_ENABLED
3012 bool disret;
3013 DISCPUSTATE cpu;
3014 uint32_t opsize;
3015 char szOutput[256];
3016#endif
3017
3018 // save original offset (in case of failures later on)
3019 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3020
3021 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3022 pPatch->uCurPatchOffset = 0;
3023 pPatch->nrPatch2GuestRecs = 0;
3024
3025#ifdef VBOX_WITH_STATISTICS
3026 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3027 if (RT_FAILURE(rc))
3028 goto failure;
3029#endif
3030
3031 rc = patmPatchGenTrapEntry(pVM, pPatch, pInstrGC);
3032 if (RT_FAILURE(rc))
3033 goto failure;
3034
3035 /* size of patch block */
3036 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3037
3038 /* Update free pointer in patch memory. */
3039 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3040 /* Round to next 8 byte boundary */
3041 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3042
3043 /* There's no jump from guest to patch code. */
3044 pPatch->cbPatchJump = 0;
3045
3046#ifdef LOG_ENABLED
3047 Log(("Patch code ----------------------------------------------------------\n"));
3048 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
3049 Log(("Patch code ends -----------------------------------------------------\n"));
3050#endif
3051
3052#ifdef LOG_ENABLED
3053 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3054 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3055 Log(("TRAP handler patch: %s", szOutput));
3056#endif
3057 Log(("Successfully installed Trap Trampoline patch at %RRv\n", pInstrGC));
3058
3059 /*
3060 * Insert into patch to guest lookup tree
3061 */
3062 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3063 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3064 rc = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3065 AssertMsg(rc, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
3066
3067 pPatch->uState = PATCH_ENABLED;
3068 return VINF_SUCCESS;
3069
3070failure:
3071 AssertMsgFailed(("Failed to install trap handler trampoline!!\n"));
3072
3073 /* Turn this cli patch into a dummy. */
3074 pPatch->uState = PATCH_REFUSED;
3075 pPatch->pPatchBlockOffset = 0;
3076
3077 /* Give back the patch memory we no longer need */
3078 Assert(orgOffsetPatchMem != (uint32_t)~0);
3079 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3080
3081 return rc;
3082}
3083
3084
3085#ifdef LOG_ENABLED
3086/**
3087 * Check if the instruction is patched as a common idt handler
3088 *
3089 * @returns true or false
3090 * @param pVM The VM to operate on.
3091 * @param pInstrGC Guest context point to the instruction
3092 *
3093 */
3094static bool patmIsCommonIDTHandlerPatch(PVM pVM, RTRCPTR pInstrGC)
3095{
3096 PPATMPATCHREC pRec;
3097
3098 pRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
3099 if (pRec && pRec->patch.flags & PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT)
3100 return true;
3101 return false;
3102}
3103#endif //DEBUG
3104
3105
3106/**
3107 * Duplicates a complete function
3108 *
3109 * @returns VBox status code.
3110 * @param pVM The VM to operate on.
3111 * @param pInstrGC Guest context point to privileged instruction
3112 * @param pPatchRec Patch record
3113 *
3114 */
3115static int patmDuplicateFunction(PVM pVM, RTRCPTR pInstrGC, PPATMPATCHREC pPatchRec)
3116{
3117 PPATCHINFO pPatch = &pPatchRec->patch;
3118 int rc = VERR_PATCHING_REFUSED;
3119 DISCPUSTATE cpu;
3120 uint32_t orgOffsetPatchMem = ~0;
3121
3122 Log(("patmDuplicateFunction %RRv\n", pInstrGC));
3123 /* Save original offset (in case of failures later on). */
3124 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3125
3126 /* We will not go on indefinitely with call instruction handling. */
3127 if (pVM->patm.s.ulCallDepth > PATM_MAX_CALL_DEPTH)
3128 {
3129 Log(("patmDuplicateFunction: maximum callback depth reached!!\n"));
3130 return VERR_PATCHING_REFUSED;
3131 }
3132
3133 pVM->patm.s.ulCallDepth++;
3134
3135#ifdef PATM_ENABLE_CALL
3136 pPatch->flags |= PATMFL_SUPPORT_CALLS | PATMFL_SUPPORT_INDIRECT_CALLS;
3137#endif
3138
3139 Assert(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION));
3140
3141 pPatch->nrPatch2GuestRecs = 0;
3142 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3143 pPatch->uCurPatchOffset = 0;
3144
3145 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3146
3147 /** @note Set the PATM interrupt flag here; it was cleared before the patched call. (!!!) */
3148 rc = patmPatchGenSetPIF(pVM, pPatch, pInstrGC);
3149 if (RT_FAILURE(rc))
3150 goto failure;
3151
3152#ifdef VBOX_WITH_STATISTICS
3153 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3154 if (RT_FAILURE(rc))
3155 goto failure;
3156#endif
3157 rc = patmRecompileCodeStream(pVM, pInstrGC, pInstrGC, patmRecompileCallback, pPatch);
3158 if (rc != VINF_SUCCESS)
3159 {
3160 Log(("PATMR3PatchCli: patmRecompileCodeStream failed with %d\n", rc));
3161 goto failure;
3162 }
3163
3164 //size of patch block
3165 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3166
3167 //update free pointer in patch memory
3168 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3169 /* Round to next 8 byte boundary. */
3170 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3171
3172 pPatch->uState = PATCH_ENABLED;
3173
3174 /*
3175 * Insert into patch to guest lookup tree
3176 */
3177 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3178 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3179 rc = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3180 AssertMsg(rc, ("RTAvloU32Insert failed for %x\n", pPatchRec->CoreOffset.Key));
3181 if (!rc)
3182 {
3183 rc = VERR_PATCHING_REFUSED;
3184 goto failure;
3185 }
3186
3187 /* Note that patmr3SetBranchTargets can install additional patches!! */
3188 rc = patmr3SetBranchTargets(pVM, pPatch);
3189 if (rc != VINF_SUCCESS)
3190 {
3191 Log(("PATMR3PatchCli: patmr3SetBranchTargets failed with %d\n", rc));
3192 goto failure;
3193 }
3194
3195#ifdef LOG_ENABLED
3196 Log(("Patch code ----------------------------------------------------------\n"));
3197 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
3198 Log(("Patch code ends -----------------------------------------------------\n"));
3199#endif
3200
3201 Log(("Successfully installed function duplication patch at %RRv\n", pInstrGC));
3202
3203 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3204 pPatch->pTempInfo->nrIllegalInstr = 0;
3205
3206 pVM->patm.s.ulCallDepth--;
3207 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledFunctionPatches);
3208 return VINF_SUCCESS;
3209
3210failure:
3211 if (pPatchRec->CoreOffset.Key)
3212 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
3213
3214 patmEmptyTree(pVM, &pPatch->FixupTree);
3215 pPatch->nrFixups = 0;
3216
3217 patmEmptyTree(pVM, &pPatch->JumpTree);
3218 pPatch->nrJumpRecs = 0;
3219
3220 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3221 pPatch->pTempInfo->nrIllegalInstr = 0;
3222
3223 /* Turn this cli patch into a dummy. */
3224 pPatch->uState = PATCH_REFUSED;
3225 pPatch->pPatchBlockOffset = 0;
3226
3227 // Give back the patch memory we no longer need
3228 Assert(orgOffsetPatchMem != (uint32_t)~0);
3229 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3230
3231 pVM->patm.s.ulCallDepth--;
3232 Log(("patmDupicateFunction %RRv failed!!\n", pInstrGC));
3233 return rc;
3234}
3235
3236/**
3237 * Creates trampoline code to jump inside an existing patch
3238 *
3239 * @returns VBox status code.
3240 * @param pVM The VM to operate on.
3241 * @param pInstrGC Guest context point to privileged instruction
3242 * @param pPatchRec Patch record
3243 *
3244 */
3245static int patmCreateTrampoline(PVM pVM, RTRCPTR pInstrGC, PPATMPATCHREC pPatchRec)
3246{
3247 PPATCHINFO pPatch = &pPatchRec->patch;
3248 RTRCPTR pPage, pPatchTargetGC = 0;
3249 uint32_t orgOffsetPatchMem = ~0;
3250 int rc = VERR_PATCHING_REFUSED;
3251
3252 Log(("patmCreateTrampoline %RRv\n", pInstrGC));
3253 /* Save original offset (in case of failures later on). */
3254 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3255
3256 /* First we check if the duplicate function target lies in some existing function patch already. Will save some space. */
3257 /** @todo we already checked this before */
3258 pPage = pInstrGC & PAGE_BASE_GC_MASK;
3259
3260 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTRCPTR)pPage);
3261 if (pPatchPage)
3262 {
3263 uint32_t i;
3264
3265 for (i=0;i<pPatchPage->cCount;i++)
3266 {
3267 if (pPatchPage->aPatch[i])
3268 {
3269 PPATCHINFO pPatch = pPatchPage->aPatch[i];
3270
3271 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
3272 && pPatch->uState == PATCH_ENABLED)
3273 {
3274 pPatchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pInstrGC);
3275 if (pPatchTargetGC)
3276 {
3277 uint32_t offsetPatch = pPatchTargetGC - pVM->patm.s.pPatchMemGC;
3278 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->Patch2GuestAddrTree, offsetPatch, false);
3279 Assert(pPatchToGuestRec);
3280
3281 pPatchToGuestRec->fJumpTarget = true;
3282 Assert(pPatchTargetGC != pPatch->pPrivInstrGC);
3283 Log(("patmCreateTrampoline: generating jump to code inside patch at %RRv\n", pPatch->pPrivInstrGC));
3284 pPatch->flags |= PATMFL_EXTERNAL_JUMP_INSIDE;
3285 break;
3286 }
3287 }
3288 }
3289 }
3290 }
3291 AssertReturn(pPatchPage && pPatchTargetGC, VERR_PATCHING_REFUSED);
3292
3293 pPatch->nrPatch2GuestRecs = 0;
3294 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3295 pPatch->uCurPatchOffset = 0;
3296
3297 /** @note Set the PATM interrupt flag here; it was cleared before the patched call. (!!!) */
3298 rc = patmPatchGenSetPIF(pVM, pPatch, pInstrGC);
3299 if (RT_FAILURE(rc))
3300 goto failure;
3301
3302#ifdef VBOX_WITH_STATISTICS
3303 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3304 if (RT_FAILURE(rc))
3305 goto failure;
3306#endif
3307
3308 rc = patmPatchGenPatchJump(pVM, pPatch, pInstrGC, pPatchTargetGC);
3309 if (RT_FAILURE(rc))
3310 goto failure;
3311
3312 /*
3313 * Insert into patch to guest lookup tree
3314 */
3315 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3316 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3317 rc = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3318 AssertMsg(rc, ("RTAvloU32Insert failed for %x\n", pPatchRec->CoreOffset.Key));
3319 if (!rc)
3320 {
3321 rc = VERR_PATCHING_REFUSED;
3322 goto failure;
3323 }
3324
3325 /* size of patch block */
3326 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3327
3328 /* Update free pointer in patch memory. */
3329 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3330 /* Round to next 8 byte boundary */
3331 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3332
3333 /* There's no jump from guest to patch code. */
3334 pPatch->cbPatchJump = 0;
3335
3336 /* Enable the patch. */
3337 pPatch->uState = PATCH_ENABLED;
3338 /* We allow this patch to be called as a function. */
3339 pPatch->flags |= PATMFL_CALLABLE_AS_FUNCTION;
3340 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledTrampoline);
3341 return VINF_SUCCESS;
3342
3343failure:
3344 if (pPatchRec->CoreOffset.Key)
3345 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
3346
3347 patmEmptyTree(pVM, &pPatch->FixupTree);
3348 pPatch->nrFixups = 0;
3349
3350 patmEmptyTree(pVM, &pPatch->JumpTree);
3351 pPatch->nrJumpRecs = 0;
3352
3353 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3354 pPatch->pTempInfo->nrIllegalInstr = 0;
3355
3356 /* Turn this cli patch into a dummy. */
3357 pPatch->uState = PATCH_REFUSED;
3358 pPatch->pPatchBlockOffset = 0;
3359
3360 // Give back the patch memory we no longer need
3361 Assert(orgOffsetPatchMem != (uint32_t)~0);
3362 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3363
3364 return rc;
3365}
3366
3367
3368/**
3369 * Patch branch target function for call/jump at specified location.
3370 * (in responds to a VINF_PATM_DUPLICATE_FUNCTION GC exit reason)
3371 *
3372 * @returns VBox status code.
3373 * @param pVM The VM to operate on.
3374 * @param pCtx Guest context
3375 *
3376 */
3377VMMR3DECL(int) PATMR3DuplicateFunctionRequest(PVM pVM, PCPUMCTX pCtx)
3378{
3379 RTRCPTR pBranchTarget, pPage;
3380 int rc;
3381 RTRCPTR pPatchTargetGC = 0;
3382
3383 pBranchTarget = pCtx->edx;
3384 pBranchTarget = SELMToFlat(pVM, DIS_SELREG_CS, CPUMCTX2CORE(pCtx), pBranchTarget);
3385
3386 /* First we check if the duplicate function target lies in some existing function patch already. Will save some space. */
3387 pPage = pBranchTarget & PAGE_BASE_GC_MASK;
3388
3389 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTRCPTR)pPage);
3390 if (pPatchPage)
3391 {
3392 uint32_t i;
3393
3394 for (i=0;i<pPatchPage->cCount;i++)
3395 {
3396 if (pPatchPage->aPatch[i])
3397 {
3398 PPATCHINFO pPatch = pPatchPage->aPatch[i];
3399
3400 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
3401 && pPatch->uState == PATCH_ENABLED)
3402 {
3403 pPatchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pBranchTarget);
3404 if (pPatchTargetGC)
3405 {
3406 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateUseExisting);
3407 break;
3408 }
3409 }
3410 }
3411 }
3412 }
3413
3414 if (pPatchTargetGC)
3415 {
3416 /* Create a trampoline that also sets PATM_INTERRUPTFLAG. */
3417 rc = PATMR3InstallPatch(pVM, pBranchTarget, PATMFL_CODE32 | PATMFL_TRAMPOLINE);
3418 }
3419 else
3420 {
3421 rc = PATMR3InstallPatch(pVM, pBranchTarget, PATMFL_CODE32 | PATMFL_DUPLICATE_FUNCTION);
3422 }
3423
3424 if (rc == VINF_SUCCESS)
3425 {
3426 pPatchTargetGC = PATMR3QueryPatchGCPtr(pVM, pBranchTarget);
3427 Assert(pPatchTargetGC);
3428 }
3429
3430 if (pPatchTargetGC)
3431 {
3432 pCtx->eax = pPatchTargetGC;
3433 pCtx->eax = pCtx->eax - (RTRCUINTPTR)pVM->patm.s.pPatchMemGC; /* make it relative */
3434 }
3435 else
3436 {
3437 /* We add a dummy entry into the lookup cache so we won't get bombarded with the same requests over and over again. */
3438 pCtx->eax = 0;
3439 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateREQFailed);
3440 }
3441 Assert(PATMIsPatchGCAddr(pVM, pCtx->edi));
3442 rc = PATMAddBranchToLookupCache(pVM, pCtx->edi, pBranchTarget, pCtx->eax);
3443 AssertRC(rc);
3444
3445 pCtx->eip += PATM_ILLEGAL_INSTR_SIZE;
3446 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateREQSuccess);
3447 return VINF_SUCCESS;
3448}
3449
3450/**
3451 * Replaces a function call by a call to an existing function duplicate (or jmp -> jmp)
3452 *
3453 * @returns VBox status code.
3454 * @param pVM The VM to operate on.
3455 * @param pCpu Disassembly CPU structure ptr
3456 * @param pInstrGC Guest context point to privileged instruction
3457 * @param pPatch Patch record
3458 *
3459 */
3460static int patmReplaceFunctionCall(PVM pVM, DISCPUSTATE *pCpu, RTRCPTR pInstrGC, PPATCHINFO pPatch)
3461{
3462 int rc = VERR_PATCHING_REFUSED;
3463 DISCPUSTATE cpu;
3464 RTRCPTR pTargetGC;
3465 PPATMPATCHREC pPatchFunction;
3466 uint32_t opsize;
3467 bool disret;
3468#ifdef LOG_ENABLED
3469 char szOutput[256];
3470#endif
3471
3472 Assert(pPatch->flags & PATMFL_REPLACE_FUNCTION_CALL);
3473 Assert((pCpu->pCurInstr->opcode == OP_CALL || pCpu->pCurInstr->opcode == OP_JMP) && pCpu->opsize == SIZEOF_NEARJUMP32);
3474
3475 if ((pCpu->pCurInstr->opcode != OP_CALL && pCpu->pCurInstr->opcode != OP_JMP) || pCpu->opsize != SIZEOF_NEARJUMP32)
3476 {
3477 rc = VERR_PATCHING_REFUSED;
3478 goto failure;
3479 }
3480
3481 pTargetGC = PATMResolveBranch(pCpu, pInstrGC);
3482 if (pTargetGC == 0)
3483 {
3484 Log(("We don't support far jumps here!! (%08X)\n", pCpu->param1.flags));
3485 rc = VERR_PATCHING_REFUSED;
3486 goto failure;
3487 }
3488
3489 pPatchFunction = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pTargetGC);
3490 if (pPatchFunction == NULL)
3491 {
3492 for(;;)
3493 {
3494 /* It could be an indirect call (call -> jmp dest).
3495 * Note that it's dangerous to assume the jump will never change...
3496 */
3497 uint8_t *pTmpInstrHC;
3498
3499 pTmpInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pTargetGC);
3500 Assert(pTmpInstrHC);
3501 if (pTmpInstrHC == 0)
3502 break;
3503
3504 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3505 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pTargetGC, pTmpInstrHC, &opsize, NULL);
3506 if (disret == false || cpu.pCurInstr->opcode != OP_JMP)
3507 break;
3508
3509 pTargetGC = PATMResolveBranch(&cpu, pTargetGC);
3510 if (pTargetGC == 0)
3511 {
3512 break;
3513 }
3514
3515 pPatchFunction = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pTargetGC);
3516 break;
3517 }
3518 if (pPatchFunction == 0)
3519 {
3520 AssertMsgFailed(("Unable to find duplicate function %RRv\n", pTargetGC));
3521 rc = VERR_PATCHING_REFUSED;
3522 goto failure;
3523 }
3524 }
3525
3526 // make a copy of the guest code bytes that will be overwritten
3527 pPatch->cbPatchJump = SIZEOF_NEARJUMP32;
3528
3529 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
3530 AssertRC(rc);
3531
3532 /* Now replace the original call in the guest code */
3533 rc = patmGenCallToPatch(pVM, pPatch, PATCHCODE_PTR_GC(&pPatchFunction->patch), true);
3534 AssertRC(rc);
3535 if (RT_FAILURE(rc))
3536 goto failure;
3537
3538 /* Lowest and highest address for write monitoring. */
3539 pPatch->pInstrGCLowest = pInstrGC;
3540 pPatch->pInstrGCHighest = pInstrGC + pCpu->opsize;
3541
3542#ifdef LOG_ENABLED
3543 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3544 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3545 Log(("Call patch: %s", szOutput));
3546#endif
3547
3548 Log(("Successfully installed function replacement patch at %RRv\n", pInstrGC));
3549
3550 pPatch->uState = PATCH_ENABLED;
3551 return VINF_SUCCESS;
3552
3553failure:
3554 /* Turn this patch into a dummy. */
3555 pPatch->uState = PATCH_REFUSED;
3556
3557 return rc;
3558}
3559
3560/**
3561 * Replace the address in an MMIO instruction with the cached version.
3562 *
3563 * @returns VBox status code.
3564 * @param pVM The VM to operate on.
3565 * @param pInstrGC Guest context point to privileged instruction
3566 * @param pCpu Disassembly CPU structure ptr
3567 * @param pPatch Patch record
3568 *
3569 * @note returns failure if patching is not allowed or possible
3570 *
3571 */
3572static int patmPatchMMIOInstr(PVM pVM, RTRCPTR pInstrGC, DISCPUSTATE *pCpu, PPATCHINFO pPatch)
3573{
3574 uint8_t *pPB;
3575 int rc = VERR_PATCHING_REFUSED;
3576#ifdef LOG_ENABLED
3577 DISCPUSTATE cpu;
3578 uint32_t opsize;
3579 bool disret;
3580 char szOutput[256];
3581#endif
3582
3583 Assert(pVM->patm.s.mmio.pCachedData);
3584 if (!pVM->patm.s.mmio.pCachedData)
3585 goto failure;
3586
3587 if (pCpu->param2.flags != USE_DISPLACEMENT32)
3588 goto failure;
3589
3590 pPB = pPatch->pPrivInstrHC;
3591
3592 /* Add relocation record for cached data access. */
3593 if (patmPatchAddReloc32(pVM, pPatch, &pPB[pCpu->opsize - sizeof(RTRCPTR)], FIXUP_ABSOLUTE, pPatch->pPrivInstrGC, pVM->patm.s.mmio.pCachedData) != VINF_SUCCESS)
3594 {
3595 Log(("Relocation failed for cached mmio address!!\n"));
3596 return VERR_PATCHING_REFUSED;
3597 }
3598#ifdef LOG_ENABLED
3599 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3600 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3601 Log(("MMIO patch old instruction: %s", szOutput));
3602#endif
3603
3604 /* Save original instruction. */
3605 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPrivInstr);
3606 AssertRC(rc);
3607
3608 pPatch->cbPatchJump = pPatch->cbPrivInstr; /* bit of a misnomer in this case; size of replacement instruction. */
3609
3610 /* Replace address with that of the cached item. */
3611 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pInstrGC + pCpu->opsize - sizeof(RTRCPTR), &pVM->patm.s.mmio.pCachedData, sizeof(RTRCPTR));
3612 AssertRC(rc);
3613 if (RT_FAILURE(rc))
3614 {
3615 goto failure;
3616 }
3617
3618#ifdef LOG_ENABLED
3619 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3620 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3621 Log(("MMIO patch: %s", szOutput));
3622#endif
3623 pVM->patm.s.mmio.pCachedData = 0;
3624 pVM->patm.s.mmio.GCPhys = 0;
3625 pPatch->uState = PATCH_ENABLED;
3626 return VINF_SUCCESS;
3627
3628failure:
3629 /* Turn this patch into a dummy. */
3630 pPatch->uState = PATCH_REFUSED;
3631
3632 return rc;
3633}
3634
3635
3636/**
3637 * Replace the address in an MMIO instruction with the cached version. (instruction is part of an existing patch)
3638 *
3639 * @returns VBox status code.
3640 * @param pVM The VM to operate on.
3641 * @param pInstrGC Guest context point to privileged instruction
3642 * @param pPatch Patch record
3643 *
3644 * @note returns failure if patching is not allowed or possible
3645 *
3646 */
3647static int patmPatchPATMMMIOInstr(PVM pVM, RTRCPTR pInstrGC, PPATCHINFO pPatch)
3648{
3649 DISCPUSTATE cpu;
3650 uint32_t opsize;
3651 bool disret;
3652 uint8_t *pInstrHC;
3653#ifdef LOG_ENABLED
3654 char szOutput[256];
3655#endif
3656
3657 AssertReturn(pVM->patm.s.mmio.pCachedData, VERR_INVALID_PARAMETER);
3658
3659 /* Convert GC to HC address. */
3660 pInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pInstrGC);
3661 AssertReturn(pInstrHC, VERR_PATCHING_REFUSED);
3662
3663 /* Disassemble mmio instruction. */
3664 cpu.mode = pPatch->uOpMode;
3665 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, NULL);
3666 if (disret == false)
3667 {
3668 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
3669 return VERR_PATCHING_REFUSED;
3670 }
3671
3672 AssertMsg(opsize <= MAX_INSTR_SIZE, ("privileged instruction too big %d!!\n", opsize));
3673 if (opsize > MAX_INSTR_SIZE)
3674 return VERR_PATCHING_REFUSED;
3675 if (cpu.param2.flags != USE_DISPLACEMENT32)
3676 return VERR_PATCHING_REFUSED;
3677
3678 /* Add relocation record for cached data access. */
3679 if (patmPatchAddReloc32(pVM, pPatch, &pInstrHC[cpu.opsize - sizeof(RTRCPTR)], FIXUP_ABSOLUTE) != VINF_SUCCESS)
3680 {
3681 Log(("Relocation failed for cached mmio address!!\n"));
3682 return VERR_PATCHING_REFUSED;
3683 }
3684 /* Replace address with that of the cached item. */
3685 *(RTRCPTR *)&pInstrHC[cpu.opsize - sizeof(RTRCPTR)] = pVM->patm.s.mmio.pCachedData;
3686
3687 /* Lowest and highest address for write monitoring. */
3688 pPatch->pInstrGCLowest = pInstrGC;
3689 pPatch->pInstrGCHighest = pInstrGC + cpu.opsize;
3690
3691#ifdef LOG_ENABLED
3692 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3693 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, szOutput);
3694 Log(("MMIO patch: %s", szOutput));
3695#endif
3696
3697 pVM->patm.s.mmio.pCachedData = 0;
3698 pVM->patm.s.mmio.GCPhys = 0;
3699 return VINF_SUCCESS;
3700}
3701
3702/**
3703 * Activates an int3 patch
3704 *
3705 * @returns VBox status code.
3706 * @param pVM The VM to operate on.
3707 * @param pPatch Patch record
3708 */
3709static int patmActivateInt3Patch(PVM pVM, PPATCHINFO pPatch)
3710{
3711 uint8_t ASMInt3 = 0xCC;
3712 int rc;
3713
3714 Assert(pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK));
3715 Assert(pPatch->uState != PATCH_ENABLED);
3716
3717 /* Replace first opcode byte with 'int 3'. */
3718 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, &ASMInt3, sizeof(ASMInt3));
3719 AssertRC(rc);
3720
3721 pPatch->cbPatchJump = sizeof(ASMInt3);
3722
3723 return rc;
3724}
3725
3726/**
3727 * Deactivates an int3 patch
3728 *
3729 * @returns VBox status code.
3730 * @param pVM The VM to operate on.
3731 * @param pPatch Patch record
3732 */
3733static int patmDeactivateInt3Patch(PVM pVM, PPATCHINFO pPatch)
3734{
3735 uint8_t ASMInt3 = 0xCC;
3736 int rc;
3737
3738 Assert(pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK));
3739 Assert(pPatch->uState == PATCH_ENABLED || pPatch->uState == PATCH_DIRTY);
3740
3741 /* Restore first opcode byte. */
3742 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, pPatch->aPrivInstr, sizeof(ASMInt3));
3743 AssertRC(rc);
3744 return rc;
3745}
3746
3747/**
3748 * Replace an instruction with a breakpoint (0xCC), that is handled dynamically in the guest context.
3749 *
3750 * @returns VBox status code.
3751 * @param pVM The VM to operate on.
3752 * @param pInstrGC Guest context point to privileged instruction
3753 * @param pInstrHC Host context point to privileged instruction
3754 * @param pCpu Disassembly CPU structure ptr
3755 * @param pPatch Patch record
3756 *
3757 * @note returns failure if patching is not allowed or possible
3758 *
3759 */
3760VMMR3DECL(int) PATMR3PatchInstrInt3(PVM pVM, RTRCPTR pInstrGC, R3PTRTYPE(uint8_t *) pInstrHC, DISCPUSTATE *pCpu, PPATCHINFO pPatch)
3761{
3762 uint8_t ASMInt3 = 0xCC;
3763 int rc;
3764
3765 /** @note Do not use patch memory here! It might called during patch installation too. */
3766
3767#ifdef LOG_ENABLED
3768 DISCPUSTATE cpu;
3769 char szOutput[256];
3770 uint32_t opsize;
3771
3772 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3773 PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, szOutput);
3774 Log(("PATMR3PatchInstrInt3: %s", szOutput));
3775#endif
3776
3777 /* Save the original instruction. */
3778 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPrivInstr);
3779 AssertRC(rc);
3780 pPatch->cbPatchJump = sizeof(ASMInt3); /* bit of a misnomer in this case; size of replacement instruction. */
3781
3782 pPatch->flags |= PATMFL_INT3_REPLACEMENT;
3783
3784 /* Replace first opcode byte with 'int 3'. */
3785 rc = patmActivateInt3Patch(pVM, pPatch);
3786 if (RT_FAILURE(rc))
3787 goto failure;
3788
3789 /* Lowest and highest address for write monitoring. */
3790 pPatch->pInstrGCLowest = pInstrGC;
3791 pPatch->pInstrGCHighest = pInstrGC + pCpu->opsize;
3792
3793 pPatch->uState = PATCH_ENABLED;
3794 return VINF_SUCCESS;
3795
3796failure:
3797 /* Turn this patch into a dummy. */
3798 return VERR_PATCHING_REFUSED;
3799}
3800
3801#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
3802/**
3803 * Patch a jump instruction at specified location
3804 *
3805 * @returns VBox status code.
3806 * @param pVM The VM to operate on.
3807 * @param pInstrGC Guest context point to privileged instruction
3808 * @param pInstrHC Host context point to privileged instruction
3809 * @param pCpu Disassembly CPU structure ptr
3810 * @param pPatchRec Patch record
3811 *
3812 * @note returns failure if patching is not allowed or possible
3813 *
3814 */
3815int patmPatchJump(PVM pVM, RTRCPTR pInstrGC, R3PTRTYPE(uint8_t *) pInstrHC, DISCPUSTATE *pCpu, PPATMPATCHREC pPatchRec)
3816{
3817 PPATCHINFO pPatch = &pPatchRec->patch;
3818 int rc = VERR_PATCHING_REFUSED;
3819#ifdef LOG_ENABLED
3820 bool disret;
3821 DISCPUSTATE cpu;
3822 uint32_t opsize;
3823 char szOutput[256];
3824#endif
3825
3826 pPatch->pPatchBlockOffset = 0; /* doesn't use patch memory */
3827 pPatch->uCurPatchOffset = 0;
3828 pPatch->cbPatchBlockSize = 0;
3829 pPatch->flags |= PATMFL_SINGLE_INSTRUCTION;
3830
3831 /*
3832 * Instruction replacements such as these should never be interrupted. I've added code to EM.cpp to
3833 * make sure this never happens. (unless a trap is triggered (intentionally or not))
3834 */
3835 switch (pCpu->pCurInstr->opcode)
3836 {
3837 case OP_JO:
3838 case OP_JNO:
3839 case OP_JC:
3840 case OP_JNC:
3841 case OP_JE:
3842 case OP_JNE:
3843 case OP_JBE:
3844 case OP_JNBE:
3845 case OP_JS:
3846 case OP_JNS:
3847 case OP_JP:
3848 case OP_JNP:
3849 case OP_JL:
3850 case OP_JNL:
3851 case OP_JLE:
3852 case OP_JNLE:
3853 case OP_JMP:
3854 Assert(pPatch->flags & PATMFL_JUMP_CONFLICT);
3855 Assert(pCpu->param1.flags & USE_IMMEDIATE32_REL);
3856 if (!(pCpu->param1.flags & USE_IMMEDIATE32_REL))
3857 goto failure;
3858
3859 Assert(pCpu->opsize == SIZEOF_NEARJUMP32 || pCpu->opsize == SIZEOF_NEAR_COND_JUMP32);
3860 if (pCpu->opsize != SIZEOF_NEARJUMP32 && pCpu->opsize != SIZEOF_NEAR_COND_JUMP32)
3861 goto failure;
3862
3863 if (PAGE_ADDRESS(pInstrGC) != PAGE_ADDRESS(pInstrGC + pCpu->opsize))
3864 {
3865 STAM_COUNTER_INC(&pVM->patm.s.StatPageBoundaryCrossed);
3866 AssertMsgFailed(("Patch jump would cross page boundary -> refuse!!\n"));
3867 rc = VERR_PATCHING_REFUSED;
3868 goto failure;
3869 }
3870
3871 break;
3872
3873 default:
3874 goto failure;
3875 }
3876
3877 // make a copy of the guest code bytes that will be overwritten
3878 Assert(pCpu->opsize <= sizeof(pPatch->aPrivInstr));
3879 Assert(pCpu->opsize >= SIZEOF_NEARJUMP32);
3880 pPatch->cbPatchJump = pCpu->opsize;
3881
3882 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
3883 AssertRC(rc);
3884
3885 /* Now insert a jump in the guest code. */
3886 /*
3887 * A conflict jump patch needs to be treated differently; we'll just replace the relative jump address with one that
3888 * references the target instruction in the conflict patch.
3889 */
3890 RTRCPTR pJmpDest = PATMR3GuestGCPtrToPatchGCPtr(pVM, pInstrGC + pCpu->opsize + (int32_t)pCpu->param1.parval);
3891
3892 AssertMsg(pJmpDest, ("PATMR3GuestGCPtrToPatchGCPtr failed for %RRv\n", pInstrGC + pCpu->opsize + (int32_t)pCpu->param1.parval));
3893 pPatch->pPatchJumpDestGC = pJmpDest;
3894
3895 rc = patmGenJumpToPatch(pVM, pPatch, true);
3896 AssertRC(rc);
3897 if (RT_FAILURE(rc))
3898 goto failure;
3899
3900 pPatch->flags |= PATMFL_MUST_INSTALL_PATCHJMP;
3901
3902#ifdef LOG_ENABLED
3903 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3904 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3905 Log(("%s patch: %s", patmGetInstructionString(pPatch->opcode, pPatch->flags), szOutput));
3906#endif
3907
3908 Log(("Successfully installed %s patch at %RRv\n", patmGetInstructionString(pPatch->opcode, pPatch->flags), pInstrGC));
3909
3910 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledJump);
3911
3912 /* Lowest and highest address for write monitoring. */
3913 pPatch->pInstrGCLowest = pInstrGC;
3914 pPatch->pInstrGCHighest = pInstrGC + pPatch->cbPatchJump;
3915
3916 pPatch->uState = PATCH_ENABLED;
3917 return VINF_SUCCESS;
3918
3919failure:
3920 /* Turn this cli patch into a dummy. */
3921 pPatch->uState = PATCH_REFUSED;
3922
3923 return rc;
3924}
3925#endif /* PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES */
3926
3927
3928/**
3929 * Gives hint to PATM about supervisor guest instructions
3930 *
3931 * @returns VBox status code.
3932 * @param pVM The VM to operate on.
3933 * @param pInstr Guest context point to privileged instruction
3934 * @param flags Patch flags
3935 */
3936VMMR3DECL(int) PATMR3AddHint(PVM pVM, RTRCPTR pInstrGC, uint32_t flags)
3937{
3938 Assert(pInstrGC);
3939 Assert(flags == PATMFL_CODE32);
3940
3941 Log(("PATMR3AddHint %RRv\n", pInstrGC));
3942 return PATMR3InstallPatch(pVM, pInstrGC, PATMFL_CODE32 | PATMFL_INSTR_HINT);
3943}
3944
3945/**
3946 * Patch privileged instruction at specified location
3947 *
3948 * @returns VBox status code.
3949 * @param pVM The VM to operate on.
3950 * @param pInstr Guest context point to privileged instruction (0:32 flat address)
3951 * @param flags Patch flags
3952 *
3953 * @note returns failure if patching is not allowed or possible
3954 */
3955VMMR3DECL(int) PATMR3InstallPatch(PVM pVM, RTRCPTR pInstrGC, uint64_t flags)
3956{
3957 DISCPUSTATE cpu;
3958 R3PTRTYPE(uint8_t *) pInstrHC;
3959 uint32_t opsize;
3960 PPATMPATCHREC pPatchRec;
3961 PCPUMCTX pCtx = 0;
3962 bool disret;
3963 int rc;
3964 PVMCPU pVCpu = VMMGetCpu0(pVM);
3965
3966 if (!pVM || pInstrGC == 0 || (flags & ~(PATMFL_CODE32|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_SYSENTER|PATMFL_TRAPHANDLER|PATMFL_DUPLICATE_FUNCTION|PATMFL_REPLACE_FUNCTION_CALL|PATMFL_GUEST_SPECIFIC|PATMFL_INT3_REPLACEMENT|PATMFL_TRAPHANDLER_WITH_ERRORCODE|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_MMIO_ACCESS|PATMFL_TRAMPOLINE|PATMFL_INSTR_HINT|PATMFL_JUMP_CONFLICT)))
3967 {
3968 AssertFailed();
3969 return VERR_INVALID_PARAMETER;
3970 }
3971
3972 if (PATMIsEnabled(pVM) == false)
3973 return VERR_PATCHING_REFUSED;
3974
3975 /* Test for patch conflict only with patches that actually change guest code. */
3976 if (!(flags & (PATMFL_GUEST_SPECIFIC|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_TRAMPOLINE)))
3977 {
3978 PPATCHINFO pConflictPatch = PATMFindActivePatchByEntrypoint(pVM, pInstrGC);
3979 AssertReleaseMsg(pConflictPatch == 0, ("Unable to patch overwritten instruction at %RRv (%RRv)\n", pInstrGC, pConflictPatch->pPrivInstrGC));
3980 if (pConflictPatch != 0)
3981 return VERR_PATCHING_REFUSED;
3982 }
3983
3984 if (!(flags & PATMFL_CODE32))
3985 {
3986 /** @todo Only 32 bits code right now */
3987 AssertMsgFailed(("PATMR3InstallPatch: We don't support 16 bits code at this moment!!\n"));
3988 return VERR_NOT_IMPLEMENTED;
3989 }
3990
3991 /* We ran out of patch memory; don't bother anymore. */
3992 if (pVM->patm.s.fOutOfMemory == true)
3993 return VERR_PATCHING_REFUSED;
3994
3995 /* Make sure the code selector is wide open; otherwise refuse. */
3996 pCtx = CPUMQueryGuestCtxPtr(pVCpu);
3997 if (CPUMGetGuestCPL(pVCpu, CPUMCTX2CORE(pCtx)) == 0)
3998 {
3999 RTRCPTR pInstrGCFlat = SELMToFlat(pVM, DIS_SELREG_CS, CPUMCTX2CORE(pCtx), pInstrGC);
4000 if (pInstrGCFlat != pInstrGC)
4001 {
4002 Log(("PATMR3InstallPatch: code selector not wide open: %04x:%RRv != %RRv eflags=%08x\n", pCtx->cs, pInstrGCFlat, pInstrGC, pCtx->eflags.u32));
4003 return VERR_PATCHING_REFUSED;
4004 }
4005 }
4006
4007 /** @note the OpenBSD specific check will break if we allow additional patches to be installed (int 3)) */
4008 if (!(flags & PATMFL_GUEST_SPECIFIC))
4009 {
4010 /* New code. Make sure CSAM has a go at it first. */
4011 CSAMR3CheckCode(pVM, pInstrGC);
4012 }
4013
4014 /** @note obsolete */
4015 if ( PATMIsPatchGCAddr(pVM, pInstrGC)
4016 && (flags & PATMFL_MMIO_ACCESS))
4017 {
4018 RTRCUINTPTR offset;
4019 void *pvPatchCoreOffset;
4020
4021 /* Find the patch record. */
4022 offset = pInstrGC - pVM->patm.s.pPatchMemGC;
4023 pvPatchCoreOffset = RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, offset, false);
4024 if (pvPatchCoreOffset == NULL)
4025 {
4026 AssertMsgFailed(("PATMR3InstallPatch: patch not found at address %RRv!!\n", pInstrGC));
4027 return VERR_PATCH_NOT_FOUND; //fatal error
4028 }
4029 pPatchRec = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
4030
4031 return patmPatchPATMMMIOInstr(pVM, pInstrGC, &pPatchRec->patch);
4032 }
4033
4034 AssertReturn(!PATMIsPatchGCAddr(pVM, pInstrGC), VERR_PATCHING_REFUSED);
4035
4036 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4037 if (pPatchRec)
4038 {
4039 Assert(!(flags & PATMFL_TRAMPOLINE));
4040
4041 /* Hints about existing patches are ignored. */
4042 if (flags & PATMFL_INSTR_HINT)
4043 return VERR_PATCHING_REFUSED;
4044
4045 if (pPatchRec->patch.uState == PATCH_DISABLE_PENDING)
4046 {
4047 Log(("PATMR3InstallPatch: disable operation is pending for patch at %RRv\n", pPatchRec->patch.pPrivInstrGC));
4048 PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
4049 Assert(pPatchRec->patch.uState == PATCH_DISABLED);
4050 }
4051
4052 if (pPatchRec->patch.uState == PATCH_DISABLED)
4053 {
4054 /* A patch, for which we previously received a hint, will be enabled and turned into a normal patch. */
4055 if (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
4056 {
4057 Log(("Enabling HINTED patch %RRv\n", pInstrGC));
4058 pPatchRec->patch.flags &= ~PATMFL_INSTR_HINT;
4059 }
4060 else
4061 Log(("Enabling patch %RRv again\n", pInstrGC));
4062
4063 /** @todo we shouldn't disable and enable patches too often (it's relatively cheap, but pointless if it always happens) */
4064 rc = PATMR3EnablePatch(pVM, pInstrGC);
4065 if (RT_SUCCESS(rc))
4066 return VWRN_PATCH_ENABLED;
4067
4068 return rc;
4069 }
4070 if ( pPatchRec->patch.uState == PATCH_ENABLED
4071 || pPatchRec->patch.uState == PATCH_DIRTY)
4072 {
4073 /*
4074 * The patch might have been overwritten.
4075 */
4076 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
4077 if (pPatchRec->patch.uState != PATCH_REFUSED && pPatchRec->patch.uState != PATCH_UNUSABLE)
4078 {
4079 /* Patch must have been overwritten; remove it and pretend nothing happened. */
4080 Log(("Patch an existing patched instruction?!? (%RRv)\n", pInstrGC));
4081 if (pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_MMIO_ACCESS|PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
4082 {
4083 if (flags & PATMFL_IDTHANDLER)
4084 pPatchRec->patch.flags |= (flags & (PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER|PATMFL_INTHANDLER)); /* update the type */
4085
4086 return VERR_PATM_ALREADY_PATCHED; /* already done once */
4087 }
4088 }
4089 rc = PATMR3RemovePatch(pVM, pInstrGC);
4090 if (RT_FAILURE(rc))
4091 return VERR_PATCHING_REFUSED;
4092 }
4093 else
4094 {
4095 AssertMsg(pPatchRec->patch.uState == PATCH_REFUSED || pPatchRec->patch.uState == PATCH_UNUSABLE, ("Patch an existing patched instruction?!? (%RRv, state=%d)\n", pInstrGC, pPatchRec->patch.uState));
4096 /* already tried it once! */
4097 return VERR_PATCHING_REFUSED;
4098 }
4099 }
4100
4101 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHREC), 0, MM_TAG_PATM_PATCH, (void **)&pPatchRec);
4102 if (RT_FAILURE(rc))
4103 {
4104 Log(("Out of memory!!!!\n"));
4105 return VERR_NO_MEMORY;
4106 }
4107 pPatchRec->Core.Key = pInstrGC;
4108 pPatchRec->patch.uState = PATCH_REFUSED; //default
4109 rc = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pPatchRec->Core);
4110 Assert(rc);
4111
4112 RTGCPHYS GCPhys;
4113 rc = PGMGstGetPage(pVCpu, pInstrGC, NULL, &GCPhys);
4114 if (rc != VINF_SUCCESS)
4115 {
4116 Log(("PGMGstGetPage failed with %Rrc\n", rc));
4117 return rc;
4118 }
4119 /* Disallow patching instructions inside ROM code; complete function duplication is allowed though. */
4120 if ( !(flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_TRAMPOLINE))
4121 && !PGMPhysIsGCPhysNormal(pVM, GCPhys))
4122 {
4123 Log(("Code at %RGv (phys %RGp) is in a ROM, MMIO or invalid page - refused\n", pInstrGC, GCPhys));
4124 return VERR_PATCHING_REFUSED;
4125 }
4126 GCPhys = GCPhys + (pInstrGC & PAGE_OFFSET_MASK);
4127 rc = PGMPhysGCPhys2R3Ptr(pVM, GCPhys, MAX_INSTR_SIZE, (void **)&pInstrHC);
4128 AssertRCReturn(rc, rc);
4129
4130 pPatchRec->patch.pPrivInstrHC = pInstrHC;
4131 pPatchRec->patch.pPrivInstrGC = pInstrGC;
4132 pPatchRec->patch.flags = flags;
4133 pPatchRec->patch.uOpMode = (flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
4134
4135 pPatchRec->patch.pInstrGCLowest = pInstrGC;
4136 pPatchRec->patch.pInstrGCHighest = pInstrGC;
4137
4138 if (!(pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION | PATMFL_IDTHANDLER | PATMFL_SYSENTER | PATMFL_TRAMPOLINE)))
4139 {
4140 /*
4141 * Close proximity to an unusable patch is a possible hint that this patch would turn out to be dangerous too!
4142 */
4143 PPATMPATCHREC pPatchNear = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, (pInstrGC + SIZEOF_NEARJUMP32 - 1), false);
4144 if (pPatchNear)
4145 {
4146 if (pPatchNear->patch.uState == PATCH_UNUSABLE && pInstrGC < pPatchNear->patch.pPrivInstrGC && pInstrGC + SIZEOF_NEARJUMP32 > pPatchNear->patch.pPrivInstrGC)
4147 {
4148 Log(("Dangerous patch; would overwrite the ususable patch at %RRv\n", pPatchNear->patch.pPrivInstrGC));
4149
4150 pPatchRec->patch.uState = PATCH_UNUSABLE;
4151 /*
4152 * Leave the new patch active as it's marked unusable; to prevent us from checking it over and over again
4153 */
4154 return VERR_PATCHING_REFUSED;
4155 }
4156 }
4157 }
4158
4159 pPatchRec->patch.pTempInfo = (PPATCHINFOTEMP)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(PATCHINFOTEMP));
4160 if (pPatchRec->patch.pTempInfo == 0)
4161 {
4162 Log(("Out of memory!!!!\n"));
4163 return VERR_NO_MEMORY;
4164 }
4165
4166 cpu.mode = pPatchRec->patch.uOpMode;
4167 disret = PATMR3DISInstr(pVM, &pPatchRec->patch, &cpu, pInstrGC, pInstrHC, &opsize, NULL);
4168 if (disret == false)
4169 {
4170 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
4171 return VERR_PATCHING_REFUSED;
4172 }
4173
4174 AssertMsg(opsize <= MAX_INSTR_SIZE, ("privileged instruction too big %d!!\n", opsize));
4175 if (opsize > MAX_INSTR_SIZE)
4176 {
4177 return VERR_PATCHING_REFUSED;
4178 }
4179
4180 pPatchRec->patch.cbPrivInstr = opsize;
4181 pPatchRec->patch.opcode = cpu.pCurInstr->opcode;
4182
4183 /* Restricted hinting for now. */
4184 Assert(!(flags & PATMFL_INSTR_HINT) || cpu.pCurInstr->opcode == OP_CLI);
4185
4186 /* Allocate statistics slot */
4187 if (pVM->patm.s.uCurrentPatchIdx < PATM_STAT_MAX_COUNTERS)
4188 {
4189 pPatchRec->patch.uPatchIdx = pVM->patm.s.uCurrentPatchIdx++;
4190 }
4191 else
4192 {
4193 Log(("WARNING: Patch index wrap around!!\n"));
4194 pPatchRec->patch.uPatchIdx = PATM_STAT_INDEX_DUMMY;
4195 }
4196
4197 if (pPatchRec->patch.flags & PATMFL_TRAPHANDLER)
4198 {
4199 rc = patmInstallTrapTrampoline(pVM, pInstrGC, pPatchRec);
4200 }
4201 else
4202 if (pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION ))
4203 {
4204 rc = patmDuplicateFunction(pVM, pInstrGC, pPatchRec);
4205 }
4206 else
4207 if (pPatchRec->patch.flags & PATMFL_TRAMPOLINE)
4208 {
4209 rc = patmCreateTrampoline(pVM, pInstrGC, pPatchRec);
4210 }
4211 else
4212 if (pPatchRec->patch.flags & PATMFL_REPLACE_FUNCTION_CALL)
4213 {
4214 rc = patmReplaceFunctionCall(pVM, &cpu, pInstrGC, &pPatchRec->patch);
4215 }
4216 else
4217 if (pPatchRec->patch.flags & PATMFL_INT3_REPLACEMENT)
4218 {
4219 rc = PATMR3PatchInstrInt3(pVM, pInstrGC, pInstrHC, &cpu, &pPatchRec->patch);
4220 }
4221 else
4222 if (pPatchRec->patch.flags & PATMFL_MMIO_ACCESS)
4223 {
4224 rc = patmPatchMMIOInstr(pVM, pInstrGC, &cpu, &pPatchRec->patch);
4225 }
4226 else
4227 if (pPatchRec->patch.flags & (PATMFL_IDTHANDLER|PATMFL_SYSENTER))
4228 {
4229 if (pPatchRec->patch.flags & PATMFL_SYSENTER)
4230 pPatchRec->patch.flags |= PATMFL_IDTHANDLER; /* we treat a sysenter handler as an IDT handler */
4231
4232 rc = patmIdtHandler(pVM, pInstrGC, pInstrHC, opsize, pPatchRec);
4233#ifdef VBOX_WITH_STATISTICS
4234 if ( rc == VINF_SUCCESS
4235 && (pPatchRec->patch.flags & PATMFL_SYSENTER))
4236 {
4237 pVM->patm.s.uSysEnterPatchIdx = pPatchRec->patch.uPatchIdx;
4238 }
4239#endif
4240 }
4241 else
4242 if (pPatchRec->patch.flags & PATMFL_GUEST_SPECIFIC)
4243 {
4244 switch (cpu.pCurInstr->opcode)
4245 {
4246 case OP_SYSENTER:
4247 case OP_PUSH:
4248 rc = PATMInstallGuestSpecificPatch(pVM, &cpu, pInstrGC, pInstrHC, pPatchRec);
4249 if (rc == VINF_SUCCESS)
4250 {
4251 if (rc == VINF_SUCCESS)
4252 Log(("PATMR3InstallPatch GUEST: %s %RRv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4253 return rc;
4254 }
4255 break;
4256
4257 default:
4258 rc = VERR_NOT_IMPLEMENTED;
4259 break;
4260 }
4261 }
4262 else
4263 {
4264 switch (cpu.pCurInstr->opcode)
4265 {
4266 case OP_SYSENTER:
4267 rc = PATMInstallGuestSpecificPatch(pVM, &cpu, pInstrGC, pInstrHC, pPatchRec);
4268 if (rc == VINF_SUCCESS)
4269 {
4270 Log(("PATMR3InstallPatch GUEST: %s %RRv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4271 return VINF_SUCCESS;
4272 }
4273 break;
4274
4275#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
4276 case OP_JO:
4277 case OP_JNO:
4278 case OP_JC:
4279 case OP_JNC:
4280 case OP_JE:
4281 case OP_JNE:
4282 case OP_JBE:
4283 case OP_JNBE:
4284 case OP_JS:
4285 case OP_JNS:
4286 case OP_JP:
4287 case OP_JNP:
4288 case OP_JL:
4289 case OP_JNL:
4290 case OP_JLE:
4291 case OP_JNLE:
4292 case OP_JECXZ:
4293 case OP_LOOP:
4294 case OP_LOOPNE:
4295 case OP_LOOPE:
4296 case OP_JMP:
4297 if (pPatchRec->patch.flags & PATMFL_JUMP_CONFLICT)
4298 {
4299 rc = patmPatchJump(pVM, pInstrGC, pInstrHC, &cpu, pPatchRec);
4300 break;
4301 }
4302 return VERR_NOT_IMPLEMENTED;
4303#endif
4304
4305 case OP_PUSHF:
4306 case OP_CLI:
4307 Log(("PATMR3InstallPatch %s %RRv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4308 rc = PATMR3PatchBlock(pVM, pInstrGC, pInstrHC, cpu.pCurInstr->opcode, opsize, pPatchRec);
4309 break;
4310
4311 case OP_STR:
4312 case OP_SGDT:
4313 case OP_SLDT:
4314 case OP_SIDT:
4315 case OP_CPUID:
4316 case OP_LSL:
4317 case OP_LAR:
4318 case OP_SMSW:
4319 case OP_VERW:
4320 case OP_VERR:
4321 case OP_IRET:
4322 rc = PATMR3PatchInstrInt3(pVM, pInstrGC, pInstrHC, &cpu, &pPatchRec->patch);
4323 break;
4324
4325 default:
4326 return VERR_NOT_IMPLEMENTED;
4327 }
4328 }
4329
4330 if (rc != VINF_SUCCESS)
4331 {
4332 if (pPatchRec && pPatchRec->patch.nrPatch2GuestRecs)
4333 {
4334 patmEmptyTreeU32(pVM, &pPatchRec->patch.Patch2GuestAddrTree);
4335 pPatchRec->patch.nrPatch2GuestRecs = 0;
4336 }
4337 pVM->patm.s.uCurrentPatchIdx--;
4338 }
4339 else
4340 {
4341 rc = patmInsertPatchPages(pVM, &pPatchRec->patch);
4342 AssertRCReturn(rc, rc);
4343
4344 /* Keep track upper and lower boundaries of patched instructions */
4345 if (pPatchRec->patch.pInstrGCLowest < pVM->patm.s.pPatchedInstrGCLowest)
4346 pVM->patm.s.pPatchedInstrGCLowest = pPatchRec->patch.pInstrGCLowest;
4347 if (pPatchRec->patch.pInstrGCHighest > pVM->patm.s.pPatchedInstrGCHighest)
4348 pVM->patm.s.pPatchedInstrGCHighest = pPatchRec->patch.pInstrGCHighest;
4349
4350 Log(("Patch lowest %RRv highest %RRv\n", pPatchRec->patch.pInstrGCLowest, pPatchRec->patch.pInstrGCHighest));
4351 Log(("Global lowest %RRv highest %RRv\n", pVM->patm.s.pPatchedInstrGCLowest, pVM->patm.s.pPatchedInstrGCHighest));
4352
4353 STAM_COUNTER_ADD(&pVM->patm.s.StatInstalled, 1);
4354 STAM_COUNTER_ADD(&pVM->patm.s.StatPATMMemoryUsed, pPatchRec->patch.cbPatchBlockSize);
4355
4356 rc = VINF_SUCCESS;
4357
4358 /* Patch hints are not enabled by default. Only when the are actually encountered. */
4359 if (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
4360 {
4361 rc = PATMR3DisablePatch(pVM, pInstrGC);
4362 AssertRCReturn(rc, rc);
4363 }
4364
4365#ifdef VBOX_WITH_STATISTICS
4366 /* Register statistics counter */
4367 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
4368 {
4369 STAMR3RegisterCallback(pVM, &pPatchRec->patch, STAMVISIBILITY_NOT_GUI, STAMUNIT_GOOD_BAD, patmResetStat, patmPrintStat, "Patch statistics",
4370 "/PATM/Stats/Patch/0x%RRv", pPatchRec->patch.pPrivInstrGC);
4371#ifndef DEBUG_sandervl
4372 /* Full breakdown for the GUI. */
4373 STAMR3RegisterF(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx], STAMTYPE_RATIO_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_GOOD_BAD, PATMPatchType(pVM, &pPatchRec->patch),
4374 "/PATM/Stats/PatchBD/0x%RRv", pPatchRec->patch.pPrivInstrGC);
4375 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPatchBlockSize,STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/Stats/PatchBD/0x%RRv/cbPatchBlockSize", pPatchRec->patch.pPrivInstrGC);
4376 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPatchJump, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/Stats/PatchBD/0x%RRv/cbPatchJump", pPatchRec->patch.pPrivInstrGC);
4377 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPrivInstr, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/Stats/PatchBD/0x%RRv/cbPrivInstr", pPatchRec->patch.pPrivInstrGC);
4378 STAMR3RegisterF(pVM, &pPatchRec->patch.cCodeWrites, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%RRv/cCodeWrites", pPatchRec->patch.pPrivInstrGC);
4379 STAMR3RegisterF(pVM, &pPatchRec->patch.cInvalidWrites, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%RRv/cInvalidWrites", pPatchRec->patch.pPrivInstrGC);
4380 STAMR3RegisterF(pVM, &pPatchRec->patch.cTraps, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%RRv/cTraps", pPatchRec->patch.pPrivInstrGC);
4381 STAMR3RegisterF(pVM, &pPatchRec->patch.flags, STAMTYPE_X32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%RRv/flags", pPatchRec->patch.pPrivInstrGC);
4382 STAMR3RegisterF(pVM, &pPatchRec->patch.nrJumpRecs, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%RRv/nrJumpRecs", pPatchRec->patch.pPrivInstrGC);
4383 STAMR3RegisterF(pVM, &pPatchRec->patch.nrFixups, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%RRv/nrFixups", pPatchRec->patch.pPrivInstrGC);
4384 STAMR3RegisterF(pVM, &pPatchRec->patch.opcode, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%RRv/opcode", pPatchRec->patch.pPrivInstrGC);
4385 STAMR3RegisterF(pVM, &pPatchRec->patch.uOldState, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%RRv/uOldState", pPatchRec->patch.pPrivInstrGC);
4386 STAMR3RegisterF(pVM, &pPatchRec->patch.uOpMode, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%RRv/uOpMode", pPatchRec->patch.pPrivInstrGC);
4387 /// @todo change the state to be a callback so we can get a state mnemonic instead.
4388 STAMR3RegisterF(pVM, &pPatchRec->patch.uState, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%RRv/uState", pPatchRec->patch.pPrivInstrGC);
4389#endif
4390 }
4391#endif
4392 }
4393 return rc;
4394}
4395
4396/**
4397 * Query instruction size
4398 *
4399 * @returns VBox status code.
4400 * @param pVM The VM to operate on.
4401 * @param pPatch Patch record
4402 * @param pInstrGC Instruction address
4403 */
4404static uint32_t patmGetInstrSize(PVM pVM, PPATCHINFO pPatch, RTRCPTR pInstrGC)
4405{
4406 uint8_t *pInstrHC;
4407
4408 int rc = PGMPhysGCPtr2R3Ptr(VMMGetCpu0(pVM), pInstrGC, (PRTR3PTR)&pInstrHC);
4409 if (rc == VINF_SUCCESS)
4410 {
4411 DISCPUSTATE cpu;
4412 bool disret;
4413 uint32_t opsize;
4414
4415 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
4416 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, NULL, PATMREAD_ORGCODE | PATMREAD_NOCHECK);
4417 if (disret)
4418 return opsize;
4419 }
4420 return 0;
4421}
4422
4423/**
4424 * Add patch to page record
4425 *
4426 * @returns VBox status code.
4427 * @param pVM The VM to operate on.
4428 * @param pPage Page address
4429 * @param pPatch Patch record
4430 */
4431int patmAddPatchToPage(PVM pVM, RTRCUINTPTR pPage, PPATCHINFO pPatch)
4432{
4433 PPATMPATCHPAGE pPatchPage;
4434 int rc;
4435
4436 Log(("patmAddPatchToPage: insert patch %RHv to page %RRv\n", pPatch, pPage));
4437
4438 pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4439 if (pPatchPage)
4440 {
4441 Assert(pPatchPage->cCount <= pPatchPage->cMaxPatches);
4442 if (pPatchPage->cCount == pPatchPage->cMaxPatches)
4443 {
4444 uint32_t cMaxPatchesOld = pPatchPage->cMaxPatches;
4445 PPATCHINFO *paPatchOld = pPatchPage->aPatch;
4446
4447 pPatchPage->cMaxPatches += PATMPATCHPAGE_PREALLOC_INCREMENT;
4448 rc = MMHyperAlloc(pVM, sizeof(PPATCHINFO)*pPatchPage->cMaxPatches, 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage->aPatch);
4449 if (RT_FAILURE(rc))
4450 {
4451 Log(("Out of memory!!!!\n"));
4452 return VERR_NO_MEMORY;
4453 }
4454 memcpy(pPatchPage->aPatch, paPatchOld, cMaxPatchesOld*sizeof(PPATCHINFO));
4455 MMHyperFree(pVM, paPatchOld);
4456 }
4457 pPatchPage->aPatch[pPatchPage->cCount] = pPatch;
4458 pPatchPage->cCount++;
4459 }
4460 else
4461 {
4462 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHPAGE), 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage);
4463 if (RT_FAILURE(rc))
4464 {
4465 Log(("Out of memory!!!!\n"));
4466 return VERR_NO_MEMORY;
4467 }
4468 pPatchPage->Core.Key = pPage;
4469 pPatchPage->cCount = 1;
4470 pPatchPage->cMaxPatches = PATMPATCHPAGE_PREALLOC_INCREMENT;
4471
4472 rc = MMHyperAlloc(pVM, sizeof(PPATCHINFO)*PATMPATCHPAGE_PREALLOC_INCREMENT, 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage->aPatch);
4473 if (RT_FAILURE(rc))
4474 {
4475 Log(("Out of memory!!!!\n"));
4476 MMHyperFree(pVM, pPatchPage);
4477 return VERR_NO_MEMORY;
4478 }
4479 pPatchPage->aPatch[0] = pPatch;
4480
4481 rc = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, &pPatchPage->Core);
4482 Assert(rc);
4483 pVM->patm.s.cPageRecords++;
4484
4485 STAM_COUNTER_INC(&pVM->patm.s.StatPatchPageInserted);
4486 }
4487 CSAMR3MonitorPage(pVM, pPage, CSAM_TAG_PATM);
4488
4489 /* Get the closest guest instruction (from below) */
4490 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4491 Assert(pGuestToPatchRec);
4492 if (pGuestToPatchRec)
4493 {
4494 LogFlow(("patmAddPatchToPage: lowest patch page address %RRv current lowest %RRv\n", pGuestToPatchRec->Core.Key, pPatchPage->pLowestAddrGC));
4495 if ( pPatchPage->pLowestAddrGC == 0
4496 || pPatchPage->pLowestAddrGC > (RTRCPTR)pGuestToPatchRec->Core.Key)
4497 {
4498 RTRCUINTPTR offset;
4499
4500 pPatchPage->pLowestAddrGC = (RTRCPTR)pGuestToPatchRec->Core.Key;
4501
4502 offset = pPatchPage->pLowestAddrGC & PAGE_OFFSET_MASK;
4503 /* If we're too close to the page boundary, then make sure an instruction from the previous page doesn't cross the boundary itself. */
4504 if (offset && offset < MAX_INSTR_SIZE)
4505 {
4506 /* Get the closest guest instruction (from above) */
4507 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage-1, false);
4508
4509 if (pGuestToPatchRec)
4510 {
4511 uint32_t size = patmGetInstrSize(pVM, pPatch, (RTRCPTR)pGuestToPatchRec->Core.Key);
4512 if ((RTRCUINTPTR)pGuestToPatchRec->Core.Key + size > pPage)
4513 {
4514 pPatchPage->pLowestAddrGC = pPage;
4515 LogFlow(("patmAddPatchToPage: new lowest %RRv\n", pPatchPage->pLowestAddrGC));
4516 }
4517 }
4518 }
4519 }
4520 }
4521
4522 /* Get the closest guest instruction (from above) */
4523 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage+PAGE_SIZE-1, false);
4524 Assert(pGuestToPatchRec);
4525 if (pGuestToPatchRec)
4526 {
4527 LogFlow(("patmAddPatchToPage: highest patch page address %RRv current lowest %RRv\n", pGuestToPatchRec->Core.Key, pPatchPage->pHighestAddrGC));
4528 if ( pPatchPage->pHighestAddrGC == 0
4529 || pPatchPage->pHighestAddrGC <= (RTRCPTR)pGuestToPatchRec->Core.Key)
4530 {
4531 pPatchPage->pHighestAddrGC = (RTRCPTR)pGuestToPatchRec->Core.Key;
4532 /* Increase by instruction size. */
4533 uint32_t size = patmGetInstrSize(pVM, pPatch, pPatchPage->pHighestAddrGC);
4534//// Assert(size);
4535 pPatchPage->pHighestAddrGC += size;
4536 LogFlow(("patmAddPatchToPage: new highest %RRv\n", pPatchPage->pHighestAddrGC));
4537 }
4538 }
4539
4540 return VINF_SUCCESS;
4541}
4542
4543/**
4544 * Remove patch from page record
4545 *
4546 * @returns VBox status code.
4547 * @param pVM The VM to operate on.
4548 * @param pPage Page address
4549 * @param pPatch Patch record
4550 */
4551int patmRemovePatchFromPage(PVM pVM, RTRCUINTPTR pPage, PPATCHINFO pPatch)
4552{
4553 PPATMPATCHPAGE pPatchPage;
4554 int rc;
4555
4556 pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4557 Assert(pPatchPage);
4558
4559 if (!pPatchPage)
4560 return VERR_INVALID_PARAMETER;
4561
4562 Assert(pPatchPage->cCount <= pPatchPage->cMaxPatches);
4563
4564 Log(("patmRemovePatchPage: remove patch %RHv from page %RRv\n", pPatch, pPage));
4565 if (pPatchPage->cCount > 1)
4566 {
4567 uint32_t i;
4568
4569 /* Used by multiple patches */
4570 for (i=0;i<pPatchPage->cCount;i++)
4571 {
4572 if (pPatchPage->aPatch[i] == pPatch)
4573 {
4574 pPatchPage->aPatch[i] = 0;
4575 break;
4576 }
4577 }
4578 /* close the gap between the remaining pointers. */
4579 if (i < pPatchPage->cCount - 1)
4580 {
4581 memcpy(&pPatchPage->aPatch[i], &pPatchPage->aPatch[i+1], sizeof(PPATCHINFO)*(pPatchPage->cCount - (i+1)));
4582 }
4583 AssertMsg(i < pPatchPage->cCount, ("Unable to find patch %RHv in page %RRv\n", pPatch, pPage));
4584
4585 pPatchPage->cCount--;
4586 }
4587 else
4588 {
4589 PPATMPATCHPAGE pPatchNode;
4590
4591 Log(("patmRemovePatchFromPage %RRv\n", pPage));
4592
4593 STAM_COUNTER_INC(&pVM->patm.s.StatPatchPageRemoved);
4594 pPatchNode = (PPATMPATCHPAGE)RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4595 Assert(pPatchNode && pPatchNode == pPatchPage);
4596
4597 Assert(pPatchPage->aPatch);
4598 rc = MMHyperFree(pVM, pPatchPage->aPatch);
4599 AssertRC(rc);
4600 rc = MMHyperFree(pVM, pPatchPage);
4601 AssertRC(rc);
4602 pVM->patm.s.cPageRecords--;
4603 }
4604 return VINF_SUCCESS;
4605}
4606
4607/**
4608 * Insert page records for all guest pages that contain instructions that were recompiled for this patch
4609 *
4610 * @returns VBox status code.
4611 * @param pVM The VM to operate on.
4612 * @param pPatch Patch record
4613 */
4614int patmInsertPatchPages(PVM pVM, PPATCHINFO pPatch)
4615{
4616 int rc;
4617 RTRCUINTPTR pPatchPageStart, pPatchPageEnd, pPage;
4618
4619 /* Insert the pages that contain patched instructions into a lookup tree for detecting self-modifying code. */
4620 pPatchPageStart = (RTRCUINTPTR)pPatch->pInstrGCLowest & PAGE_BASE_GC_MASK;
4621 pPatchPageEnd = (RTRCUINTPTR)pPatch->pInstrGCHighest & PAGE_BASE_GC_MASK;
4622
4623 /** @todo optimize better (large gaps between current and next used page) */
4624 for(pPage = pPatchPageStart; pPage <= pPatchPageEnd; pPage += PAGE_SIZE)
4625 {
4626 /* Get the closest guest instruction (from above) */
4627 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4628 if ( pGuestToPatchRec
4629 && PAGE_ADDRESS(pGuestToPatchRec->Core.Key) == PAGE_ADDRESS(pPage)
4630 )
4631 {
4632 /* Code in page really patched -> add record */
4633 rc = patmAddPatchToPage(pVM, pPage, pPatch);
4634 AssertRC(rc);
4635 }
4636 }
4637 pPatch->flags |= PATMFL_CODE_MONITORED;
4638 return VINF_SUCCESS;
4639}
4640
4641/**
4642 * Remove page records for all guest pages that contain instructions that were recompiled for this patch
4643 *
4644 * @returns VBox status code.
4645 * @param pVM The VM to operate on.
4646 * @param pPatch Patch record
4647 */
4648int patmRemovePatchPages(PVM pVM, PPATCHINFO pPatch)
4649{
4650 int rc;
4651 RTRCUINTPTR pPatchPageStart, pPatchPageEnd, pPage;
4652
4653 /* Insert the pages that contain patched instructions into a lookup tree for detecting self-modifying code. */
4654 pPatchPageStart = (RTRCUINTPTR)pPatch->pInstrGCLowest & PAGE_BASE_GC_MASK;
4655 pPatchPageEnd = (RTRCUINTPTR)pPatch->pInstrGCHighest & PAGE_BASE_GC_MASK;
4656
4657 for(pPage = pPatchPageStart; pPage <= pPatchPageEnd; pPage += PAGE_SIZE)
4658 {
4659 /* Get the closest guest instruction (from above) */
4660 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4661 if ( pGuestToPatchRec
4662 && PAGE_ADDRESS(pGuestToPatchRec->Core.Key) == PAGE_ADDRESS(pPage) /** @todo bird: PAGE_ADDRESS is for the current context really. check out these. */
4663 )
4664 {
4665 /* Code in page really patched -> remove record */
4666 rc = patmRemovePatchFromPage(pVM, pPage, pPatch);
4667 AssertRC(rc);
4668 }
4669 }
4670 pPatch->flags &= ~PATMFL_CODE_MONITORED;
4671 return VINF_SUCCESS;
4672}
4673
4674/**
4675 * Notifies PATM about a (potential) write to code that has been patched.
4676 *
4677 * @returns VBox status code.
4678 * @param pVM The VM to operate on.
4679 * @param GCPtr GC pointer to write address
4680 * @param cbWrite Nr of bytes to write
4681 *
4682 */
4683VMMR3DECL(int) PATMR3PatchWrite(PVM pVM, RTRCPTR GCPtr, uint32_t cbWrite)
4684{
4685 RTRCUINTPTR pWritePageStart, pWritePageEnd, pPage;
4686
4687 Log(("PATMR3PatchWrite %RRv %x\n", GCPtr, cbWrite));
4688
4689 Assert(VM_IS_EMT(pVM));
4690
4691 /* Quick boundary check */
4692 if ( GCPtr < pVM->patm.s.pPatchedInstrGCLowest
4693 || GCPtr > pVM->patm.s.pPatchedInstrGCHighest
4694 )
4695 return VINF_SUCCESS;
4696
4697 STAM_PROFILE_ADV_START(&pVM->patm.s.StatPatchWrite, a);
4698
4699 pWritePageStart = (RTRCUINTPTR)GCPtr & PAGE_BASE_GC_MASK;
4700 pWritePageEnd = ((RTRCUINTPTR)GCPtr + cbWrite - 1) & PAGE_BASE_GC_MASK;
4701
4702 for (pPage = pWritePageStart; pPage <= pWritePageEnd; pPage += PAGE_SIZE)
4703 {
4704loop_start:
4705 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTRCPTR)pPage);
4706 if (pPatchPage)
4707 {
4708 uint32_t i;
4709 bool fValidPatchWrite = false;
4710
4711 /* Quick check to see if the write is in the patched part of the page */
4712 if ( pPatchPage->pLowestAddrGC > (RTRCPTR)((RTRCUINTPTR)GCPtr + cbWrite - 1)
4713 || pPatchPage->pHighestAddrGC < GCPtr)
4714 {
4715 break;
4716 }
4717
4718 for (i=0;i<pPatchPage->cCount;i++)
4719 {
4720 if (pPatchPage->aPatch[i])
4721 {
4722 PPATCHINFO pPatch = pPatchPage->aPatch[i];
4723 RTRCPTR pPatchInstrGC;
4724 //unused: bool fForceBreak = false;
4725
4726 Assert(pPatchPage->aPatch[i]->flags & PATMFL_CODE_MONITORED);
4727 /** @todo inefficient and includes redundant checks for multiple pages. */
4728 for (uint32_t j=0; j<cbWrite; j++)
4729 {
4730 RTRCPTR pGuestPtrGC = (RTRCPTR)((RTRCUINTPTR)GCPtr + j);
4731
4732 if ( pPatch->cbPatchJump
4733 && pGuestPtrGC >= pPatch->pPrivInstrGC
4734 && pGuestPtrGC < pPatch->pPrivInstrGC + pPatch->cbPatchJump)
4735 {
4736 /* The guest is about to overwrite the 5 byte jump to patch code. Remove the patch. */
4737 Log(("PATMR3PatchWrite: overwriting jump to patch code -> remove patch.\n"));
4738 int rc = PATMR3RemovePatch(pVM, pPatch->pPrivInstrGC);
4739 if (rc == VINF_SUCCESS)
4740 /** @note jump back to the start as the pPatchPage has been deleted or changed */
4741 goto loop_start;
4742
4743 continue;
4744 }
4745
4746 /* Find the closest instruction from below; the above quick check ensured that we are indeed in patched code */
4747 pPatchInstrGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pGuestPtrGC);
4748 if (!pPatchInstrGC)
4749 {
4750 RTRCPTR pClosestInstrGC;
4751 uint32_t size;
4752
4753 pPatchInstrGC = patmGuestGCPtrToClosestPatchGCPtr(pVM, pPatch, pGuestPtrGC);
4754 if (pPatchInstrGC)
4755 {
4756 pClosestInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pPatchInstrGC);
4757 Assert(pClosestInstrGC <= pGuestPtrGC);
4758 size = patmGetInstrSize(pVM, pPatch, pClosestInstrGC);
4759 /* Check if this is not a write into a gap between two patches */
4760 if (pClosestInstrGC + size - 1 < pGuestPtrGC)
4761 pPatchInstrGC = 0;
4762 }
4763 }
4764 if (pPatchInstrGC)
4765 {
4766 uint32_t PatchOffset = pPatchInstrGC - pVM->patm.s.pPatchMemGC; /* Offset in memory reserved for PATM. */
4767
4768 fValidPatchWrite = true;
4769
4770 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
4771 Assert(pPatchToGuestRec);
4772 if (pPatchToGuestRec && !pPatchToGuestRec->fDirty)
4773 {
4774 Log(("PATMR3PatchWrite: Found patched instruction %RRv -> %RRv\n", pGuestPtrGC, pPatchInstrGC));
4775
4776 if (++pPatch->cCodeWrites > PATM_MAX_CODE_WRITES)
4777 {
4778 LogRel(("PATM: Disable block at %RRv - write %RRv-%RRv\n", pPatch->pPrivInstrGC, pGuestPtrGC, pGuestPtrGC+cbWrite));
4779
4780 PATMR3MarkDirtyPatch(pVM, pPatch);
4781
4782 /** @note jump back to the start as the pPatchPage has been deleted or changed */
4783 goto loop_start;
4784 }
4785 else
4786 {
4787 /* Replace the patch instruction with a breakpoint; when it's hit, then we'll attempt to recompile the instruction again. */
4788 uint8_t *pInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pPatchInstrGC);
4789
4790 pPatchToGuestRec->u8DirtyOpcode = *pInstrHC;
4791 pPatchToGuestRec->fDirty = true;
4792
4793 *pInstrHC = 0xCC;
4794
4795 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirty);
4796 }
4797 }
4798 /* else already marked dirty */
4799 }
4800 }
4801 }
4802 } /* for each patch */
4803
4804 if (fValidPatchWrite == false)
4805 {
4806 /* Write to a part of the page that either:
4807 * - doesn't contain any code (shared code/data); rather unlikely
4808 * - old code page that's no longer in active use.
4809 */
4810invalid_write_loop_start:
4811 pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTRCPTR)pPage);
4812
4813 if (pPatchPage)
4814 {
4815 for (i=0;i<pPatchPage->cCount;i++)
4816 {
4817 PPATCHINFO pPatch = pPatchPage->aPatch[i];
4818
4819 if (pPatch->cInvalidWrites > PATM_MAX_INVALID_WRITES)
4820 {
4821 /** @note possibly dangerous assumption that all future writes will be harmless. */
4822 if (pPatch->flags & PATMFL_IDTHANDLER)
4823 {
4824 LogRel(("PATM: Stop monitoring IDT handler pages at %RRv - invalid write %RRv-%RRv (this is not a fatal error)\n", pPatch->pPrivInstrGC, GCPtr, GCPtr+cbWrite));
4825
4826 Assert(pPatch->flags & PATMFL_CODE_MONITORED);
4827 int rc = patmRemovePatchPages(pVM, pPatch);
4828 AssertRC(rc);
4829 }
4830 else
4831 {
4832 LogRel(("PATM: Disable block at %RRv - invalid write %RRv-%RRv \n", pPatch->pPrivInstrGC, GCPtr, GCPtr+cbWrite));
4833 PATMR3MarkDirtyPatch(pVM, pPatch);
4834 }
4835 /** @note jump back to the start as the pPatchPage has been deleted or changed */
4836 goto invalid_write_loop_start;
4837 }
4838 } /* for */
4839 }
4840 }
4841 }
4842 }
4843 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatPatchWrite, a);
4844 return VINF_SUCCESS;
4845
4846}
4847
4848/**
4849 * Disable all patches in a flushed page
4850 *
4851 * @returns VBox status code
4852 * @param pVM The VM to operate on.
4853 * @param addr GC address of the page to flush
4854 */
4855/** @note Currently only called by CSAMR3FlushPage; optimization to avoid having to double check if the physical address has changed
4856 */
4857VMMR3DECL(int) PATMR3FlushPage(PVM pVM, RTRCPTR addr)
4858{
4859 addr &= PAGE_BASE_GC_MASK;
4860
4861 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, addr);
4862 if (pPatchPage)
4863 {
4864 int i;
4865
4866 /* From top to bottom as the array is modified by PATMR3MarkDirtyPatch. */
4867 for (i=(int)pPatchPage->cCount-1;i>=0;i--)
4868 {
4869 if (pPatchPage->aPatch[i])
4870 {
4871 PPATCHINFO pPatch = pPatchPage->aPatch[i];
4872
4873 Log(("PATMR3FlushPage %RRv remove patch at %RRv\n", addr, pPatch->pPrivInstrGC));
4874 PATMR3MarkDirtyPatch(pVM, pPatch);
4875 }
4876 }
4877 STAM_COUNTER_INC(&pVM->patm.s.StatFlushed);
4878 }
4879 return VINF_SUCCESS;
4880}
4881
4882/**
4883 * Checks if the instructions at the specified address has been patched already.
4884 *
4885 * @returns boolean, patched or not
4886 * @param pVM The VM to operate on.
4887 * @param pInstrGC Guest context pointer to instruction
4888 */
4889VMMR3DECL(bool) PATMR3HasBeenPatched(PVM pVM, RTRCPTR pInstrGC)
4890{
4891 PPATMPATCHREC pPatchRec;
4892 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4893 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED)
4894 return true;
4895 return false;
4896}
4897
4898/**
4899 * Query the opcode of the original code that was overwritten by the 5 bytes patch jump
4900 *
4901 * @returns VBox status code.
4902 * @param pVM The VM to operate on.
4903 * @param pInstrGC GC address of instr
4904 * @param pByte opcode byte pointer (OUT)
4905 *
4906 */
4907VMMR3DECL(int) PATMR3QueryOpcode(PVM pVM, RTRCPTR pInstrGC, uint8_t *pByte)
4908{
4909 PPATMPATCHREC pPatchRec;
4910
4911 /** @todo this will not work for aliased pages! (never has, but so far not a problem for us) */
4912
4913 /* Shortcut. */
4914 if ( !PATMIsEnabled(pVM)
4915 || pInstrGC < pVM->patm.s.pPatchedInstrGCLowest
4916 || pInstrGC > pVM->patm.s.pPatchedInstrGCHighest)
4917 {
4918 return VERR_PATCH_NOT_FOUND;
4919 }
4920
4921 pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
4922 // if the patch is enabled and the pointer lies within 5 bytes of this priv instr ptr, then we've got a hit!
4923 if ( pPatchRec
4924 && pPatchRec->patch.uState == PATCH_ENABLED
4925 && pInstrGC >= pPatchRec->patch.pPrivInstrGC
4926 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
4927 {
4928 RTRCPTR offset = pInstrGC - pPatchRec->patch.pPrivInstrGC;
4929 *pByte = pPatchRec->patch.aPrivInstr[offset];
4930
4931 if (pPatchRec->patch.cbPatchJump == 1)
4932 {
4933 Log(("PATMR3QueryOpcode: returning opcode %2X for instruction at %RRv\n", *pByte, pInstrGC));
4934 }
4935 STAM_COUNTER_ADD(&pVM->patm.s.StatNrOpcodeRead, 1);
4936 return VINF_SUCCESS;
4937 }
4938 return VERR_PATCH_NOT_FOUND;
4939}
4940
4941/**
4942 * Disable patch for privileged instruction at specified location
4943 *
4944 * @returns VBox status code.
4945 * @param pVM The VM to operate on.
4946 * @param pInstr Guest context point to privileged instruction
4947 *
4948 * @note returns failure if patching is not allowed or possible
4949 *
4950 */
4951VMMR3DECL(int) PATMR3DisablePatch(PVM pVM, RTRCPTR pInstrGC)
4952{
4953 PPATMPATCHREC pPatchRec;
4954 PPATCHINFO pPatch;
4955
4956 Log(("PATMR3DisablePatch: %RRv\n", pInstrGC));
4957 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4958 if (pPatchRec)
4959 {
4960 int rc = VINF_SUCCESS;
4961
4962 pPatch = &pPatchRec->patch;
4963
4964 /* Already disabled? */
4965 if (pPatch->uState == PATCH_DISABLED)
4966 return VINF_SUCCESS;
4967
4968 /* Clear the IDT entries for the patch we're disabling. */
4969 /** @note very important as we clear IF in the patch itself */
4970 /** @todo this needs to be changed */
4971 if (pPatch->flags & PATMFL_IDTHANDLER)
4972 {
4973 uint32_t iGate;
4974
4975 iGate = TRPMR3QueryGateByHandler(pVM, PATCHCODE_PTR_GC(pPatch));
4976 if (iGate != (uint32_t)~0)
4977 {
4978 TRPMR3SetGuestTrapHandler(pVM, iGate, TRPM_INVALID_HANDLER);
4979 if (++cIDTHandlersDisabled < 256)
4980 LogRel(("PATM: Disabling IDT %x patch handler %RRv\n", iGate, pInstrGC));
4981 }
4982 }
4983
4984 /* Mark the entry with a breakpoint in case somebody else calls it later on (cli patch used as a function, function, trampoline or idt patches) */
4985 if ( pPatch->pPatchBlockOffset
4986 && pPatch->uState == PATCH_ENABLED)
4987 {
4988 Log(("Invalidate patch at %RRv (HC=%RRv)\n", PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_HC(pPatch)));
4989 pPatch->bDirtyOpcode = *PATCHCODE_PTR_HC(pPatch);
4990 *PATCHCODE_PTR_HC(pPatch) = 0xCC;
4991 }
4992
4993 /* IDT or function patches haven't changed any guest code. */
4994 if (pPatch->flags & PATMFL_PATCHED_GUEST_CODE)
4995 {
4996 Assert(pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP);
4997 Assert(!(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAMPOLINE|PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK)));
4998
4999 if (pPatch->uState != PATCH_REFUSED)
5000 {
5001 AssertMsg(pPatch->pPrivInstrHC, ("Invalid HC pointer?!? (%RRv)\n", pInstrGC));
5002 Assert(pPatch->cbPatchJump);
5003
5004 /** pPrivInstrHC is probably not valid anymore */
5005 rc = PGMPhysGCPtr2R3Ptr(VMMGetCpu0(pVM), pPatchRec->patch.pPrivInstrGC, (PRTR3PTR)&pPatchRec->patch.pPrivInstrHC);
5006 if (rc == VINF_SUCCESS)
5007 {
5008 uint8_t temp[16];
5009
5010 Assert(pPatch->cbPatchJump < sizeof(temp));
5011
5012 /* Let's first check if the guest code is still the same. */
5013 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5014 Assert(rc == VINF_SUCCESS || rc == VERR_PAGE_TABLE_NOT_PRESENT || rc == VERR_PAGE_NOT_PRESENT);
5015 if (rc == VINF_SUCCESS)
5016 {
5017 RTRCINTPTR displ = (RTRCUINTPTR)PATCHCODE_PTR_GC(pPatch) - ((RTRCUINTPTR)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32);
5018
5019 if ( temp[0] != 0xE9 /* jmp opcode */
5020 || *(RTRCINTPTR *)(&temp[1]) != displ
5021 )
5022 {
5023 Log(("PATMR3DisablePatch: Can't disable a patch who's guest code has changed!!\n"));
5024 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5025 /* Remove it completely */
5026 pPatch->uState = PATCH_DISABLED; /* don't call PATMR3DisablePatch again */
5027 rc = PATMR3RemovePatch(pVM, pInstrGC);
5028 AssertRC(rc);
5029 return VWRN_PATCH_REMOVED;
5030 }
5031 }
5032 patmRemoveJumpToPatch(pVM, pPatch);
5033
5034 }
5035 else
5036 {
5037 Log(("PATMR3DisablePatch: unable to disable patch -> mark PATCH_DISABLE_PENDING\n"));
5038 pPatch->uState = PATCH_DISABLE_PENDING;
5039 }
5040 }
5041 else
5042 {
5043 AssertMsgFailed(("Patch was refused!\n"));
5044 return VERR_PATCH_ALREADY_DISABLED;
5045 }
5046 }
5047 else
5048 if (pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
5049 {
5050 uint8_t temp[16];
5051
5052 Assert(pPatch->cbPatchJump < sizeof(temp));
5053
5054 /* Let's first check if the guest code is still the same. */
5055 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5056 Assert(rc == VINF_SUCCESS || rc == VERR_PAGE_TABLE_NOT_PRESENT || rc == VERR_PAGE_NOT_PRESENT);
5057 if (rc == VINF_SUCCESS)
5058 {
5059 if (temp[0] != 0xCC)
5060 {
5061 Log(("PATMR3DisablePatch: Can't disable a patch who's guest code has changed!!\n"));
5062 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5063 /* Remove it completely */
5064 pPatch->uState = PATCH_DISABLED; /* don't call PATMR3DisablePatch again */
5065 rc = PATMR3RemovePatch(pVM, pInstrGC);
5066 AssertRC(rc);
5067 return VWRN_PATCH_REMOVED;
5068 }
5069 patmDeactivateInt3Patch(pVM, pPatch);
5070 }
5071 }
5072
5073 if (rc == VINF_SUCCESS)
5074 {
5075 /* Save old state and mark this one as disabled (so it can be enabled later on). */
5076 if (pPatch->uState == PATCH_DISABLE_PENDING)
5077 {
5078 /* Just to be safe, let's make sure this one can never be reused; the patch might be marked dirty already (int3 at start) */
5079 pPatch->uState = PATCH_UNUSABLE;
5080 }
5081 else
5082 if (pPatch->uState != PATCH_DIRTY)
5083 {
5084 pPatch->uOldState = pPatch->uState;
5085 pPatch->uState = PATCH_DISABLED;
5086 }
5087 STAM_COUNTER_ADD(&pVM->patm.s.StatDisabled, 1);
5088 }
5089
5090 Log(("PATMR3DisablePatch: disabled patch at %RRv\n", pInstrGC));
5091 return VINF_SUCCESS;
5092 }
5093 Log(("Patch not found!\n"));
5094 return VERR_PATCH_NOT_FOUND;
5095}
5096
5097/**
5098 * Permanently disable patch for privileged instruction at specified location
5099 *
5100 * @returns VBox status code.
5101 * @param pVM The VM to operate on.
5102 * @param pInstr Guest context instruction pointer
5103 * @param pConflictAddr Guest context pointer which conflicts with specified patch
5104 * @param pConflictPatch Conflicting patch
5105 *
5106 */
5107static int patmDisableUnusablePatch(PVM pVM, RTRCPTR pInstrGC, RTRCPTR pConflictAddr, PPATCHINFO pConflictPatch)
5108{
5109#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
5110 PATCHINFO patch = {0};
5111 DISCPUSTATE cpu;
5112 R3PTRTYPE(uint8_t *) pInstrHC;
5113 uint32_t opsize;
5114 bool disret;
5115 int rc;
5116
5117 pInstrHC = PATMGCVirtToHCVirt(pVM, &patch, pInstrGC);
5118 cpu.mode = (pConflictPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
5119 disret = PATMR3DISInstr(pVM, &patch, &cpu, pInstrGC, pInstrHC, &opsize, NULL);
5120 /*
5121 * If it's a 5 byte relative jump, then we can work around the problem by replacing the 32 bits relative offset
5122 * with one that jumps right into the conflict patch.
5123 * Otherwise we must disable the conflicting patch to avoid serious problems.
5124 */
5125 if ( disret == true
5126 && (pConflictPatch->flags & PATMFL_CODE32)
5127 && (cpu.pCurInstr->opcode == OP_JMP || (cpu.pCurInstr->optype & OPTYPE_COND_CONTROLFLOW))
5128 && (cpu.param1.flags & USE_IMMEDIATE32_REL))
5129 {
5130 /* Hint patches must be enabled first. */
5131 if (pConflictPatch->flags & PATMFL_INSTR_HINT)
5132 {
5133 Log(("Enabling HINTED patch %RRv\n", pConflictPatch->pPrivInstrGC));
5134 pConflictPatch->flags &= ~PATMFL_INSTR_HINT;
5135 rc = PATMR3EnablePatch(pVM, pConflictPatch->pPrivInstrGC);
5136 Assert(rc == VINF_SUCCESS || rc == VERR_PATCH_NOT_FOUND);
5137 /* Enabling might fail if the patched code has changed in the meantime. */
5138 if (rc != VINF_SUCCESS)
5139 return rc;
5140 }
5141
5142 rc = PATMR3InstallPatch(pVM, pInstrGC, PATMFL_CODE32 | PATMFL_JUMP_CONFLICT);
5143 if (RT_SUCCESS(rc))
5144 {
5145 Log(("PATM -> CONFLICT: Installed JMP patch for patch conflict at %RRv\n", pInstrGC));
5146 STAM_COUNTER_INC(&pVM->patm.s.StatFixedConflicts);
5147 return VINF_SUCCESS;
5148 }
5149 }
5150#endif
5151
5152 if (pConflictPatch->opcode == OP_CLI)
5153 {
5154 /* Turn it into an int3 patch; our GC trap handler will call the generated code manually. */
5155 Log(("PATM -> CONFLICT: Found active patch at instruction %RRv with target %RRv -> turn into int 3 patch!!\n", pInstrGC, pConflictPatch->pPrivInstrGC));
5156 int rc = PATMR3DisablePatch(pVM, pConflictPatch->pPrivInstrGC);
5157 if (rc == VWRN_PATCH_REMOVED)
5158 return VINF_SUCCESS;
5159 if (RT_SUCCESS(rc))
5160 {
5161 pConflictPatch->flags &= ~(PATMFL_MUST_INSTALL_PATCHJMP|PATMFL_INSTR_HINT);
5162 pConflictPatch->flags |= PATMFL_INT3_REPLACEMENT_BLOCK;
5163 rc = PATMR3EnablePatch(pVM, pConflictPatch->pPrivInstrGC);
5164 if (rc == VERR_PATCH_NOT_FOUND)
5165 return VINF_SUCCESS; /* removed already */
5166
5167 AssertRC(rc);
5168 if (RT_SUCCESS(rc))
5169 {
5170 STAM_COUNTER_INC(&pVM->patm.s.StatInt3Callable);
5171 return VINF_SUCCESS;
5172 }
5173 }
5174 /* else turned into unusable patch (see below) */
5175 }
5176 else
5177 {
5178 Log(("PATM -> CONFLICT: Found active patch at instruction %RRv with target %RRv -> DISABLING it!!\n", pInstrGC, pConflictPatch->pPrivInstrGC));
5179 int rc = PATMR3DisablePatch(pVM, pConflictPatch->pPrivInstrGC);
5180 if (rc == VWRN_PATCH_REMOVED)
5181 return VINF_SUCCESS;
5182 }
5183
5184 /* No need to monitor the code anymore. */
5185 if (pConflictPatch->flags & PATMFL_CODE_MONITORED)
5186 {
5187 int rc = patmRemovePatchPages(pVM, pConflictPatch);
5188 AssertRC(rc);
5189 }
5190 pConflictPatch->uState = PATCH_UNUSABLE;
5191 STAM_COUNTER_INC(&pVM->patm.s.StatUnusable);
5192 return VERR_PATCH_DISABLED;
5193}
5194
5195/**
5196 * Enable patch for privileged instruction at specified location
5197 *
5198 * @returns VBox status code.
5199 * @param pVM The VM to operate on.
5200 * @param pInstr Guest context point to privileged instruction
5201 *
5202 * @note returns failure if patching is not allowed or possible
5203 *
5204 */
5205VMMR3DECL(int) PATMR3EnablePatch(PVM pVM, RTRCPTR pInstrGC)
5206{
5207 PPATMPATCHREC pPatchRec;
5208 PPATCHINFO pPatch;
5209
5210 Log(("PATMR3EnablePatch %RRv\n", pInstrGC));
5211 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5212 if (pPatchRec)
5213 {
5214 int rc = VINF_SUCCESS;
5215
5216 pPatch = &pPatchRec->patch;
5217
5218 if (pPatch->uState == PATCH_DISABLED)
5219 {
5220 if (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
5221 {
5222 Assert(!(pPatch->flags & PATMFL_PATCHED_GUEST_CODE));
5223 /** @todo -> pPrivInstrHC is probably not valid anymore */
5224 rc = PGMPhysGCPtr2R3Ptr(VMMGetCpu0(pVM), pPatchRec->patch.pPrivInstrGC, (PRTR3PTR)&pPatchRec->patch.pPrivInstrHC);
5225 if (rc == VINF_SUCCESS)
5226 {
5227#ifdef DEBUG
5228 DISCPUSTATE cpu;
5229 char szOutput[256];
5230 uint32_t opsize, i = 0;
5231#endif
5232 uint8_t temp[16];
5233
5234 Assert(pPatch->cbPatchJump < sizeof(temp));
5235
5236 // let's first check if the guest code is still the same
5237 int rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5238 AssertRC(rc);
5239
5240 if (memcmp(temp, pPatch->aPrivInstr, pPatch->cbPatchJump))
5241 {
5242 Log(("PATMR3EnablePatch: Can't enable a patch who's guest code has changed!!\n"));
5243 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5244 /* Remove it completely */
5245 rc = PATMR3RemovePatch(pVM, pInstrGC);
5246 AssertRC(rc);
5247 return VERR_PATCH_NOT_FOUND;
5248 }
5249
5250 rc = patmGenJumpToPatch(pVM, pPatch, false);
5251 AssertRC(rc);
5252 if (RT_FAILURE(rc))
5253 return rc;
5254
5255#ifdef DEBUG
5256 bool disret;
5257 i = 0;
5258 while(i < pPatch->cbPatchJump)
5259 {
5260 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
5261 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC + i, &pPatch->pPrivInstrHC[i], &opsize, szOutput);
5262 Log(("Renewed patch instr: %s", szOutput));
5263 i += opsize;
5264 }
5265#endif
5266 }
5267 }
5268 else
5269 if (pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
5270 {
5271 uint8_t temp[16];
5272
5273 Assert(pPatch->cbPatchJump < sizeof(temp));
5274
5275 /* Let's first check if the guest code is still the same. */
5276 int rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5277 AssertRC(rc);
5278
5279 if (memcmp(temp, pPatch->aPrivInstr, pPatch->cbPatchJump))
5280 {
5281 Log(("PATMR3EnablePatch: Can't enable a patch who's guest code has changed!!\n"));
5282 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5283 rc = PATMR3RemovePatch(pVM, pInstrGC);
5284 AssertRC(rc);
5285 return VERR_PATCH_NOT_FOUND;
5286 }
5287
5288 rc = patmActivateInt3Patch(pVM, pPatch);
5289 if (RT_FAILURE(rc))
5290 return rc;
5291 }
5292
5293 pPatch->uState = pPatch->uOldState; //restore state
5294
5295 /* Restore the entry breakpoint with the original opcode (see PATMR3DisablePatch). */
5296 if (pPatch->pPatchBlockOffset)
5297 {
5298 *PATCHCODE_PTR_HC(pPatch) = pPatch->bDirtyOpcode;
5299 }
5300
5301 STAM_COUNTER_ADD(&pVM->patm.s.StatEnabled, 1);
5302 }
5303 else
5304 Log(("PATMR3EnablePatch: Unable to enable patch %RRv with state %d\n", pInstrGC, pPatch->uState));
5305
5306 return rc;
5307 }
5308 return VERR_PATCH_NOT_FOUND;
5309}
5310
5311/**
5312 * Remove patch for privileged instruction at specified location
5313 *
5314 * @returns VBox status code.
5315 * @param pVM The VM to operate on.
5316 * @param pPatchRec Patch record
5317 * @param fForceRemove Remove *all* patches
5318 */
5319int PATMRemovePatch(PVM pVM, PPATMPATCHREC pPatchRec, bool fForceRemove)
5320{
5321 PPATCHINFO pPatch;
5322
5323 pPatch = &pPatchRec->patch;
5324
5325 /* Strictly forbidden to remove such patches. There can be dependencies!! */
5326 if (!fForceRemove && (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CODE_REFERENCED)))
5327 {
5328 Log(("PATMRemovePatch %RRv REFUSED!\n", pPatch->pPrivInstrGC));
5329 return VERR_ACCESS_DENIED;
5330 }
5331 Log(("PATMRemovePatch %RRv\n", pPatch->pPrivInstrGC));
5332
5333 /** @note NEVER EVER REUSE PATCH MEMORY */
5334 /** @note PATMR3DisablePatch put a breakpoint (0xCC) at the entry of this patch */
5335
5336 if (pPatchRec->patch.pPatchBlockOffset)
5337 {
5338 PAVLOU32NODECORE pNode;
5339
5340 pNode = RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->patch.pPatchBlockOffset);
5341 Assert(pNode);
5342 }
5343
5344 if (pPatchRec->patch.flags & PATMFL_CODE_MONITORED)
5345 {
5346 int rc = patmRemovePatchPages(pVM, &pPatchRec->patch);
5347 AssertRC(rc);
5348 }
5349
5350#ifdef VBOX_WITH_STATISTICS
5351 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
5352 {
5353 STAMR3Deregister(pVM, &pPatchRec->patch);
5354#ifndef DEBUG_sandervl
5355 STAMR3Deregister(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx]);
5356 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchBlockSize);
5357 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchJump);
5358 STAMR3Deregister(pVM, &pPatchRec->patch.cbPrivInstr);
5359 STAMR3Deregister(pVM, &pPatchRec->patch.cCodeWrites);
5360 STAMR3Deregister(pVM, &pPatchRec->patch.cInvalidWrites);
5361 STAMR3Deregister(pVM, &pPatchRec->patch.cTraps);
5362 STAMR3Deregister(pVM, &pPatchRec->patch.flags);
5363 STAMR3Deregister(pVM, &pPatchRec->patch.nrJumpRecs);
5364 STAMR3Deregister(pVM, &pPatchRec->patch.nrFixups);
5365 STAMR3Deregister(pVM, &pPatchRec->patch.opcode);
5366 STAMR3Deregister(pVM, &pPatchRec->patch.uState);
5367 STAMR3Deregister(pVM, &pPatchRec->patch.uOldState);
5368 STAMR3Deregister(pVM, &pPatchRec->patch.uOpMode);
5369#endif
5370 }
5371#endif
5372
5373 /** @note no need to free Guest2PatchAddrTree as those records share memory with Patch2GuestAddrTree records. */
5374 patmEmptyTreeU32(pVM, &pPatch->Patch2GuestAddrTree);
5375 pPatch->nrPatch2GuestRecs = 0;
5376 Assert(pPatch->Patch2GuestAddrTree == 0);
5377
5378 patmEmptyTree(pVM, &pPatch->FixupTree);
5379 pPatch->nrFixups = 0;
5380 Assert(pPatch->FixupTree == 0);
5381
5382 if (pPatchRec->patch.pTempInfo)
5383 MMR3HeapFree(pPatchRec->patch.pTempInfo);
5384
5385 /** @note might fail, because it has already been removed (e.g. during reset). */
5386 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pPatchRec->Core.Key);
5387
5388 /* Free the patch record */
5389 MMHyperFree(pVM, pPatchRec);
5390 return VINF_SUCCESS;
5391}
5392
5393/**
5394 * Attempt to refresh the patch by recompiling its entire code block
5395 *
5396 * @returns VBox status code.
5397 * @param pVM The VM to operate on.
5398 * @param pPatchRec Patch record
5399 */
5400int patmR3RefreshPatch(PVM pVM, PPATMPATCHREC pPatchRec)
5401{
5402 PPATCHINFO pPatch;
5403 int rc;
5404 RTRCPTR pInstrGC = pPatchRec->patch.pPrivInstrGC;
5405
5406 Log(("patmR3RefreshPatch: attempt to refresh patch at %RRv\n", pInstrGC));
5407
5408 pPatch = &pPatchRec->patch;
5409 AssertReturn(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER), VERR_PATCHING_REFUSED);
5410 if (pPatch->flags & PATMFL_EXTERNAL_JUMP_INSIDE)
5411 {
5412 Log(("patmR3RefreshPatch: refused because external jumps to this patch exist\n"));
5413 return VERR_PATCHING_REFUSED;
5414 }
5415
5416 /** Note: quite ugly to enable/disable/remove/insert old and new patches, but there's no easy way around it. */
5417
5418 rc = PATMR3DisablePatch(pVM, pInstrGC);
5419 AssertRC(rc);
5420
5421 /** Kick it out of the lookup tree to make sure PATMR3InstallPatch doesn't fail (hack alert) */
5422 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pPatchRec->Core.Key);
5423#ifdef VBOX_WITH_STATISTICS
5424 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
5425 {
5426 STAMR3Deregister(pVM, &pPatchRec->patch);
5427#ifndef DEBUG_sandervl
5428 STAMR3Deregister(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx]);
5429 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchBlockSize);
5430 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchJump);
5431 STAMR3Deregister(pVM, &pPatchRec->patch.cbPrivInstr);
5432 STAMR3Deregister(pVM, &pPatchRec->patch.cCodeWrites);
5433 STAMR3Deregister(pVM, &pPatchRec->patch.cInvalidWrites);
5434 STAMR3Deregister(pVM, &pPatchRec->patch.cTraps);
5435 STAMR3Deregister(pVM, &pPatchRec->patch.flags);
5436 STAMR3Deregister(pVM, &pPatchRec->patch.nrJumpRecs);
5437 STAMR3Deregister(pVM, &pPatchRec->patch.nrFixups);
5438 STAMR3Deregister(pVM, &pPatchRec->patch.opcode);
5439 STAMR3Deregister(pVM, &pPatchRec->patch.uState);
5440 STAMR3Deregister(pVM, &pPatchRec->patch.uOldState);
5441 STAMR3Deregister(pVM, &pPatchRec->patch.uOpMode);
5442#endif
5443 }
5444#endif
5445
5446 /** Note: We don't attempt to reuse patch memory here as it's quite common that the new code block requires more memory. */
5447
5448 /* Attempt to install a new patch. */
5449 rc = PATMR3InstallPatch(pVM, pInstrGC, pPatch->flags & (PATMFL_CODE32|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_TRAPHANDLER|PATMFL_DUPLICATE_FUNCTION|PATMFL_TRAPHANDLER_WITH_ERRORCODE|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT));
5450 if (RT_SUCCESS(rc))
5451 {
5452 RTRCPTR pPatchTargetGC;
5453 PPATMPATCHREC pNewPatchRec;
5454
5455 /* Determine target address in new patch */
5456 pPatchTargetGC = PATMR3QueryPatchGCPtr(pVM, pInstrGC);
5457 Assert(pPatchTargetGC);
5458 if (!pPatchTargetGC)
5459 {
5460 rc = VERR_PATCHING_REFUSED;
5461 goto failure;
5462 }
5463
5464 /* Reset offset into patch memory to put the next code blocks right at the beginning. */
5465 pPatch->uCurPatchOffset = 0;
5466
5467 /* insert jump to new patch in old patch block */
5468 rc = patmPatchGenPatchJump(pVM, pPatch, pInstrGC, pPatchTargetGC, false /* no lookup record */);
5469 if (RT_FAILURE(rc))
5470 goto failure;
5471
5472 pNewPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5473 Assert(pNewPatchRec); /* can't fail */
5474
5475 /* Remove old patch (only do that when everything is finished) */
5476 int rc2 = PATMRemovePatch(pVM, pPatchRec, true /* force removal */);
5477 AssertRC(rc2);
5478
5479 /* Put the new patch back into the tree, because removing the old one kicked this one out. (hack alert) */
5480 RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pNewPatchRec->Core);
5481
5482 LogRel(("PATM: patmR3RefreshPatch: succeeded to refresh patch at %RRv \n", pInstrGC));
5483 STAM_COUNTER_INC(&pVM->patm.s.StatPatchRefreshSuccess);
5484
5485 /* Used by another patch, so don't remove it! */
5486 pNewPatchRec->patch.flags |= PATMFL_CODE_REFERENCED;
5487 }
5488
5489failure:
5490 if (RT_FAILURE(rc))
5491 {
5492 LogRel(("PATM: patmR3RefreshPatch: failed to refresh patch at %RRv. Reactiving old one. \n", pInstrGC));
5493
5494 /* Remove the new inactive patch */
5495 rc = PATMR3RemovePatch(pVM, pInstrGC);
5496 AssertRC(rc);
5497
5498 /* Put the old patch back into the tree (or else it won't be saved) (hack alert) */
5499 RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pPatchRec->Core);
5500
5501 /* Enable again in case the dirty instruction is near the end and there are safe code paths. */
5502 int rc2 = PATMR3EnablePatch(pVM, pInstrGC);
5503 AssertRC(rc2);
5504
5505 STAM_COUNTER_INC(&pVM->patm.s.StatPatchRefreshFailed);
5506 }
5507 return rc;
5508}
5509
5510/**
5511 * Find patch for privileged instruction at specified location
5512 *
5513 * @returns Patch structure pointer if found; else NULL
5514 * @param pVM The VM to operate on.
5515 * @param pInstr Guest context point to instruction that might lie within 5 bytes of an existing patch jump
5516 * @param fIncludeHints Include hinted patches or not
5517 *
5518 */
5519PPATCHINFO PATMFindActivePatchByEntrypoint(PVM pVM, RTRCPTR pInstrGC, bool fIncludeHints)
5520{
5521 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
5522 /* if the patch is enabled, the pointer is not indentical to the privileged patch ptr and it lies within 5 bytes of this priv instr ptr, then we've got a hit! */
5523 if (pPatchRec)
5524 {
5525 if ( pPatchRec->patch.uState == PATCH_ENABLED
5526 && (pPatchRec->patch.flags & PATMFL_PATCHED_GUEST_CODE)
5527 && pInstrGC > pPatchRec->patch.pPrivInstrGC
5528 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5529 {
5530 Log(("Found active patch at %RRv (org %RRv)\n", pInstrGC, pPatchRec->patch.pPrivInstrGC));
5531 return &pPatchRec->patch;
5532 }
5533 else
5534 if ( fIncludeHints
5535 && pPatchRec->patch.uState == PATCH_DISABLED
5536 && (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
5537 && pInstrGC > pPatchRec->patch.pPrivInstrGC
5538 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5539 {
5540 Log(("Found HINT patch at %RRv (org %RRv)\n", pInstrGC, pPatchRec->patch.pPrivInstrGC));
5541 return &pPatchRec->patch;
5542 }
5543 }
5544 return NULL;
5545}
5546
5547/**
5548 * Checks whether the GC address is inside a generated patch jump
5549 *
5550 * @returns true -> yes, false -> no
5551 * @param pVM The VM to operate on.
5552 * @param pAddr Guest context address
5553 * @param pPatchAddr Guest context patch address (if true)
5554 */
5555VMMR3DECL(bool) PATMR3IsInsidePatchJump(PVM pVM, RTRCPTR pAddr, PRTGCPTR32 pPatchAddr)
5556{
5557 RTRCPTR addr;
5558 PPATCHINFO pPatch;
5559
5560 if (PATMIsEnabled(pVM) == false)
5561 return false;
5562
5563 if (pPatchAddr == NULL)
5564 pPatchAddr = &addr;
5565
5566 *pPatchAddr = 0;
5567
5568 pPatch = PATMFindActivePatchByEntrypoint(pVM, pAddr);
5569 if (pPatch)
5570 {
5571 *pPatchAddr = pPatch->pPrivInstrGC;
5572 }
5573 return *pPatchAddr == 0 ? false : true;
5574}
5575
5576/**
5577 * Remove patch for privileged instruction at specified location
5578 *
5579 * @returns VBox status code.
5580 * @param pVM The VM to operate on.
5581 * @param pInstr Guest context point to privileged instruction
5582 *
5583 * @note returns failure if patching is not allowed or possible
5584 *
5585 */
5586VMMR3DECL(int) PATMR3RemovePatch(PVM pVM, RTRCPTR pInstrGC)
5587{
5588 PPATMPATCHREC pPatchRec;
5589
5590 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5591 if (pPatchRec)
5592 {
5593 int rc = PATMR3DisablePatch(pVM, pInstrGC);
5594 if (rc == VWRN_PATCH_REMOVED)
5595 return VINF_SUCCESS;
5596 return PATMRemovePatch(pVM, pPatchRec, false);
5597 }
5598 AssertFailed();
5599 return VERR_PATCH_NOT_FOUND;
5600}
5601
5602/**
5603 * Mark patch as dirty
5604 *
5605 * @returns VBox status code.
5606 * @param pVM The VM to operate on.
5607 * @param pPatch Patch record
5608 *
5609 * @note returns failure if patching is not allowed or possible
5610 *
5611 */
5612VMMR3DECL(int) PATMR3MarkDirtyPatch(PVM pVM, PPATCHINFO pPatch)
5613{
5614 if (pPatch->pPatchBlockOffset)
5615 {
5616 Log(("Invalidate patch at %RRv (HC=%RRv)\n", PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_HC(pPatch)));
5617 pPatch->bDirtyOpcode = *PATCHCODE_PTR_HC(pPatch);
5618 *PATCHCODE_PTR_HC(pPatch) = 0xCC;
5619 }
5620
5621 STAM_COUNTER_INC(&pVM->patm.s.StatDirty);
5622 /* Put back the replaced instruction. */
5623 int rc = PATMR3DisablePatch(pVM, pPatch->pPrivInstrGC);
5624 if (rc == VWRN_PATCH_REMOVED)
5625 return VINF_SUCCESS;
5626
5627 /** @note we don't restore patch pages for patches that are not enabled! */
5628 /** @note be careful when changing this behaviour!! */
5629
5630 /* The patch pages are no longer marked for self-modifying code detection */
5631 if (pPatch->flags & PATMFL_CODE_MONITORED)
5632 {
5633 int rc = patmRemovePatchPages(pVM, pPatch);
5634 AssertRCReturn(rc, rc);
5635 }
5636 pPatch->uState = PATCH_DIRTY;
5637
5638 /* Paranoia; make sure this patch is not somewhere in the callchain, so prevent ret instructions from succeeding. */
5639 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
5640
5641 return VINF_SUCCESS;
5642}
5643
5644/**
5645 * Query the corresponding GC instruction pointer from a pointer inside the patch block itself
5646 *
5647 * @returns VBox status code.
5648 * @param pVM The VM to operate on.
5649 * @param pPatch Patch block structure pointer
5650 * @param pPatchGC GC address in patch block
5651 */
5652RTRCPTR patmPatchGCPtr2GuestGCPtr(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t *) pPatchGC)
5653{
5654 Assert(pPatch->Patch2GuestAddrTree);
5655 /* Get the closest record from below. */
5656 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->Patch2GuestAddrTree, pPatchGC - pVM->patm.s.pPatchMemGC, false);
5657 if (pPatchToGuestRec)
5658 return pPatchToGuestRec->pOrgInstrGC;
5659
5660 return 0;
5661}
5662
5663/* Converts Guest code GC ptr to Patch code GC ptr (if found)
5664 *
5665 * @returns corresponding GC pointer in patch block
5666 * @param pVM The VM to operate on.
5667 * @param pPatch Current patch block pointer
5668 * @param pInstrGC Guest context pointer to privileged instruction
5669 *
5670 */
5671RTRCPTR patmGuestGCPtrToPatchGCPtr(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t*) pInstrGC)
5672{
5673 if (pPatch->Guest2PatchAddrTree)
5674 {
5675 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32Get(&pPatch->Guest2PatchAddrTree, pInstrGC);
5676 if (pGuestToPatchRec)
5677 return pVM->patm.s.pPatchMemGC + pGuestToPatchRec->PatchOffset;
5678 }
5679
5680 return 0;
5681}
5682
5683/* Converts Guest code GC ptr to Patch code GC ptr (or nearest from below if no identical match)
5684 *
5685 * @returns corresponding GC pointer in patch block
5686 * @param pVM The VM to operate on.
5687 * @param pPatch Current patch block pointer
5688 * @param pInstrGC Guest context pointer to privileged instruction
5689 *
5690 */
5691RTRCPTR patmGuestGCPtrToClosestPatchGCPtr(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t*) pInstrGC)
5692{
5693 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pInstrGC, false);
5694 if (pGuestToPatchRec)
5695 return pVM->patm.s.pPatchMemGC + pGuestToPatchRec->PatchOffset;
5696
5697 return 0;
5698}
5699
5700/* Converts Guest code GC ptr to Patch code GC ptr (if found)
5701 *
5702 * @returns corresponding GC pointer in patch block
5703 * @param pVM The VM to operate on.
5704 * @param pInstrGC Guest context pointer to privileged instruction
5705 *
5706 */
5707VMMR3DECL(RTRCPTR) PATMR3GuestGCPtrToPatchGCPtr(PVM pVM, RCPTRTYPE(uint8_t*) pInstrGC)
5708{
5709 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
5710 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED && pInstrGC >= pPatchRec->patch.pPrivInstrGC)
5711 {
5712 return patmGuestGCPtrToPatchGCPtr(pVM, &pPatchRec->patch, pInstrGC);
5713 }
5714 return 0;
5715}
5716
5717/**
5718 * Query the corresponding GC instruction pointer from a pointer inside the patch block itself
5719 *
5720 * @returns original GC instruction pointer or 0 if not found
5721 * @param pVM The VM to operate on.
5722 * @param pPatchGC GC address in patch block
5723 * @param pEnmState State of the translated address (out)
5724 *
5725 */
5726VMMR3DECL(RTRCPTR) PATMR3PatchToGCPtr(PVM pVM, RTRCPTR pPatchGC, PATMTRANSSTATE *pEnmState)
5727{
5728 PPATMPATCHREC pPatchRec;
5729 void *pvPatchCoreOffset;
5730 RTRCPTR pPrivInstrGC;
5731
5732 Assert(PATMIsPatchGCAddr(pVM, pPatchGC));
5733 pvPatchCoreOffset = RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchGC - pVM->patm.s.pPatchMemGC, false);
5734 if (pvPatchCoreOffset == 0)
5735 {
5736 Log(("PATMR3PatchToGCPtr failed for %RRv offset %x\n", pPatchGC, pPatchGC - pVM->patm.s.pPatchMemGC));
5737 return 0;
5738 }
5739 pPatchRec = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
5740 pPrivInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, &pPatchRec->patch, pPatchGC);
5741 if (pEnmState)
5742 {
5743 AssertMsg(pPrivInstrGC && ( pPatchRec->patch.uState == PATCH_ENABLED
5744 || pPatchRec->patch.uState == PATCH_DIRTY
5745 || pPatchRec->patch.uState == PATCH_DISABLE_PENDING
5746 || pPatchRec->patch.uState == PATCH_UNUSABLE),
5747 ("pPrivInstrGC=%RRv uState=%d\n", pPrivInstrGC, pPatchRec->patch.uState));
5748
5749 if ( !pPrivInstrGC
5750 || pPatchRec->patch.uState == PATCH_UNUSABLE
5751 || pPatchRec->patch.uState == PATCH_REFUSED)
5752 {
5753 pPrivInstrGC = 0;
5754 *pEnmState = PATMTRANS_FAILED;
5755 }
5756 else
5757 if (pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts == pPrivInstrGC)
5758 {
5759 *pEnmState = PATMTRANS_INHIBITIRQ;
5760 }
5761 else
5762 if ( pPatchRec->patch.uState == PATCH_ENABLED
5763 && !(pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAMPOLINE))
5764 && pPrivInstrGC > pPatchRec->patch.pPrivInstrGC
5765 && pPrivInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5766 {
5767 *pEnmState = PATMTRANS_OVERWRITTEN;
5768 }
5769 else
5770 if (PATMFindActivePatchByEntrypoint(pVM, pPrivInstrGC))
5771 {
5772 *pEnmState = PATMTRANS_OVERWRITTEN;
5773 }
5774 else
5775 if (pPrivInstrGC == pPatchRec->patch.pPrivInstrGC)
5776 {
5777 *pEnmState = PATMTRANS_PATCHSTART;
5778 }
5779 else
5780 *pEnmState = PATMTRANS_SAFE;
5781 }
5782 return pPrivInstrGC;
5783}
5784
5785/**
5786 * Returns the GC pointer of the patch for the specified GC address
5787 *
5788 * @returns VBox status code.
5789 * @param pVM The VM to operate on.
5790 * @param pAddrGC Guest context address
5791 */
5792VMMR3DECL(RTRCPTR) PATMR3QueryPatchGCPtr(PVM pVM, RTRCPTR pAddrGC)
5793{
5794 PPATMPATCHREC pPatchRec;
5795
5796 // Find the patch record
5797 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pAddrGC);
5798 /** @todo we should only use patches that are enabled! always did this, but it's incorrect! */
5799 if (pPatchRec && (pPatchRec->patch.uState == PATCH_ENABLED || pPatchRec->patch.uState == PATCH_DIRTY))
5800 return PATCHCODE_PTR_GC(&pPatchRec->patch);
5801
5802 return 0;
5803}
5804
5805/**
5806 * Attempt to recover dirty instructions
5807 *
5808 * @returns VBox status code.
5809 * @param pVM The VM to operate on.
5810 * @param pCtx CPU context
5811 * @param pPatch Patch record
5812 * @param pPatchToGuestRec Patch to guest address record
5813 * @param pEip GC pointer of trapping instruction
5814 */
5815static int patmR3HandleDirtyInstr(PVM pVM, PCPUMCTX pCtx, PPATMPATCHREC pPatch, PRECPATCHTOGUEST pPatchToGuestRec, RTRCPTR pEip)
5816{
5817 DISCPUSTATE CpuOld, CpuNew;
5818 uint8_t *pPatchInstrHC, *pCurPatchInstrHC;
5819 int rc;
5820 RTRCPTR pCurInstrGC, pCurPatchInstrGC;
5821 uint32_t cbDirty;
5822 PRECPATCHTOGUEST pRec;
5823 PVMCPU pVCpu = VMMGetCpu0(pVM);
5824
5825 Log(("patmR3HandleDirtyInstr: dirty instruction at %RRv (%RRv)\n", pEip, pPatchToGuestRec->pOrgInstrGC));
5826
5827 pRec = pPatchToGuestRec;
5828 pCurInstrGC = pPatchToGuestRec->pOrgInstrGC;
5829 pCurPatchInstrGC = pEip;
5830 cbDirty = 0;
5831 pPatchInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pCurPatchInstrGC);
5832
5833 /* Find all adjacent dirty instructions */
5834 while (true)
5835 {
5836 if (pRec->fJumpTarget)
5837 {
5838 LogRel(("PATM: patmR3HandleDirtyInstr: dirty instruction at %RRv (%RRv) ignored, because instruction in function was reused as target of jump\n", pEip, pPatchToGuestRec->pOrgInstrGC));
5839 pRec->fDirty = false;
5840 return VERR_PATCHING_REFUSED;
5841 }
5842
5843 /* Restore original instruction opcode byte so we can check if the write was indeed safe. */
5844 pCurPatchInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pCurPatchInstrGC);
5845 *pCurPatchInstrHC = pRec->u8DirtyOpcode;
5846
5847 /* Only harmless instructions are acceptable. */
5848 rc = CPUMR3DisasmInstrCPU(pVM, pVCpu, pCtx, pCurPatchInstrGC, &CpuOld, 0);
5849 if ( RT_FAILURE(rc)
5850 || !(CpuOld.pCurInstr->optype & OPTYPE_HARMLESS))
5851 {
5852 if (RT_SUCCESS(rc))
5853 cbDirty += CpuOld.opsize;
5854 else
5855 if (!cbDirty)
5856 cbDirty = 1;
5857 break;
5858 }
5859
5860#ifdef DEBUG
5861 char szBuf[256];
5862 szBuf[0] = '\0';
5863 DBGFR3DisasInstrEx(pVM, pVCpu->idCpu, pCtx->cs, pCurPatchInstrGC, 0, szBuf, sizeof(szBuf), NULL);
5864 Log(("DIRTY: %s\n", szBuf));
5865#endif
5866 /* Mark as clean; if we fail we'll let it always fault. */
5867 pRec->fDirty = false;
5868
5869 /** Remove old lookup record. */
5870 patmr3RemoveP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrGC);
5871
5872 pCurPatchInstrGC += CpuOld.opsize;
5873 cbDirty += CpuOld.opsize;
5874
5875 /* Let's see if there's another dirty instruction right after. */
5876 pRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->patch.Patch2GuestAddrTree, pCurPatchInstrGC - pVM->patm.s.pPatchMemGC, true);
5877 if (!pRec || !pRec->fDirty)
5878 break; /* no more dirty instructions */
5879
5880 /* In case of complex instructions the next guest instruction could be quite far off. */
5881 pCurPatchInstrGC = pRec->Core.Key + pVM->patm.s.pPatchMemGC;
5882 }
5883
5884 if ( RT_SUCCESS(rc)
5885 && (CpuOld.pCurInstr->optype & OPTYPE_HARMLESS)
5886 )
5887 {
5888 uint32_t cbLeft;
5889
5890 pCurPatchInstrHC = pPatchInstrHC;
5891 pCurPatchInstrGC = pEip;
5892 cbLeft = cbDirty;
5893
5894 while (cbLeft && RT_SUCCESS(rc))
5895 {
5896 bool fValidInstr;
5897
5898 rc = CPUMR3DisasmInstrCPU(pVM, pVCpu, pCtx, pCurInstrGC, &CpuNew, 0);
5899
5900 fValidInstr = !!(CpuNew.pCurInstr->optype & OPTYPE_HARMLESS);
5901 if ( !fValidInstr
5902 && (CpuNew.pCurInstr->optype & OPTYPE_RELATIVE_CONTROLFLOW)
5903 )
5904 {
5905 RTRCPTR pTargetGC = PATMResolveBranch(&CpuNew, pCurInstrGC);
5906
5907 if ( pTargetGC >= pPatchToGuestRec->pOrgInstrGC
5908 && pTargetGC <= pPatchToGuestRec->pOrgInstrGC + cbDirty
5909 )
5910 {
5911 /* A relative jump to an instruction inside or to the end of the dirty block is acceptable. */
5912 fValidInstr = true;
5913 }
5914 }
5915
5916 /* If the instruction is completely harmless (which implies a 1:1 patch copy). */
5917 if ( rc == VINF_SUCCESS
5918 && CpuNew.opsize <= cbLeft /* must still fit */
5919 && fValidInstr
5920 )
5921 {
5922#ifdef DEBUG
5923 char szBuf[256];
5924 szBuf[0] = '\0';
5925 DBGFR3DisasInstrEx(pVM, pVCpu->idCpu, pCtx->cs, pCurInstrGC, 0, szBuf, sizeof(szBuf), NULL);
5926 Log(("NEW: %s\n", szBuf));
5927#endif
5928
5929 /* Copy the new instruction. */
5930 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pCurPatchInstrHC, pCurInstrGC, CpuNew.opsize);
5931 AssertRC(rc);
5932
5933 /* Add a new lookup record for the duplicated instruction. */
5934 patmr3AddP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrHC, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
5935 }
5936 else
5937 {
5938#ifdef DEBUG
5939 char szBuf[256];
5940 szBuf[0] = '\0';
5941 DBGFR3DisasInstrEx(pVM, pVCpu->idCpu, pCtx->cs, pCurInstrGC, 0, szBuf, sizeof(szBuf), NULL);
5942 Log(("NEW: %s (FAILED)\n", szBuf));
5943#endif
5944 /* Restore the old lookup record for the duplicated instruction. */
5945 patmr3AddP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrHC, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
5946
5947 /** @todo in theory we need to restore the lookup records for the remaining dirty instructions too! */
5948 rc = VERR_PATCHING_REFUSED;
5949 break;
5950 }
5951 pCurInstrGC += CpuNew.opsize;
5952 pCurPatchInstrHC += CpuNew.opsize;
5953 pCurPatchInstrGC += CpuNew.opsize;
5954 cbLeft -= CpuNew.opsize;
5955 }
5956 }
5957 else
5958 rc = VERR_PATCHING_REFUSED;
5959
5960 if (RT_SUCCESS(rc))
5961 {
5962 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirtyGood);
5963 }
5964 else
5965 {
5966 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirtyBad);
5967 Assert(cbDirty);
5968
5969 /* Mark the whole instruction stream with breakpoints. */
5970 if (cbDirty)
5971 memset(pPatchInstrHC, 0xCC, cbDirty);
5972
5973 if ( pVM->patm.s.fOutOfMemory == false
5974 && (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER)))
5975 {
5976 rc = patmR3RefreshPatch(pVM, pPatch);
5977 if (RT_FAILURE(rc))
5978 {
5979 LogRel(("PATM: Failed to refresh dirty patch at %RRv. Disabling it.\n", pPatch->patch.pPrivInstrGC));
5980 }
5981 /* Even if we succeed, we must go back to the original instruction as the patched one could be invalid. */
5982 rc = VERR_PATCHING_REFUSED;
5983 }
5984 }
5985 return rc;
5986}
5987
5988/**
5989 * Handle trap inside patch code
5990 *
5991 * @returns VBox status code.
5992 * @param pVM The VM to operate on.
5993 * @param pCtx CPU context
5994 * @param pEip GC pointer of trapping instruction
5995 * @param ppNewEip GC pointer to new instruction
5996 */
5997VMMR3DECL(int) PATMR3HandleTrap(PVM pVM, PCPUMCTX pCtx, RTRCPTR pEip, RTGCPTR *ppNewEip)
5998{
5999 PPATMPATCHREC pPatch = 0;
6000 void *pvPatchCoreOffset;
6001 RTRCUINTPTR offset;
6002 RTRCPTR pNewEip;
6003 int rc ;
6004 PRECPATCHTOGUEST pPatchToGuestRec = 0;
6005 PVMCPU pVCpu = VMMGetCpu0(pVM);
6006
6007 Assert(pVM->cCpus == 1);
6008
6009 pNewEip = 0;
6010 *ppNewEip = 0;
6011
6012 STAM_PROFILE_ADV_START(&pVM->patm.s.StatHandleTrap, a);
6013
6014 /* Find the patch record. */
6015 /** @note there might not be a patch to guest translation record (global function) */
6016 offset = pEip - pVM->patm.s.pPatchMemGC;
6017 pvPatchCoreOffset = RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, offset, false);
6018 if (pvPatchCoreOffset)
6019 {
6020 pPatch = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
6021
6022 Assert(offset >= pPatch->patch.pPatchBlockOffset && offset < pPatch->patch.pPatchBlockOffset + pPatch->patch.cbPatchBlockSize);
6023
6024 if (pPatch->patch.uState == PATCH_DIRTY)
6025 {
6026 Log(("PATMR3HandleTrap: trap in dirty patch at %RRv\n", pEip));
6027 if (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CODE_REFERENCED))
6028 {
6029 /* Function duplication patches set fPIF to 1 on entry */
6030 pVM->patm.s.pGCStateHC->fPIF = 1;
6031 }
6032 }
6033 else
6034 if (pPatch->patch.uState == PATCH_DISABLED)
6035 {
6036 Log(("PATMR3HandleTrap: trap in disabled patch at %RRv\n", pEip));
6037 if (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CODE_REFERENCED))
6038 {
6039 /* Function duplication patches set fPIF to 1 on entry */
6040 pVM->patm.s.pGCStateHC->fPIF = 1;
6041 }
6042 }
6043 else
6044 if (pPatch->patch.uState == PATCH_DISABLE_PENDING)
6045 {
6046 RTRCPTR pPrivInstrGC = pPatch->patch.pPrivInstrGC;
6047
6048 Log(("PATMR3HandleTrap: disable operation is pending for patch at %RRv\n", pPatch->patch.pPrivInstrGC));
6049 rc = PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6050 AssertReleaseMsg(rc != VWRN_PATCH_REMOVED, ("PATMR3DisablePatch removed patch at %RRv\n", pPrivInstrGC));
6051 AssertMsg(pPatch->patch.uState == PATCH_DISABLED || pPatch->patch.uState == PATCH_UNUSABLE, ("Unexpected failure to disable patch state=%d rc=%Rrc\n", pPatch->patch.uState, rc));
6052 }
6053
6054 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->patch.Patch2GuestAddrTree, offset, false);
6055 AssertReleaseMsg(pPatchToGuestRec, ("PATMR3HandleTrap: Unable to find corresponding guest address for %RRv (offset %x)\n", pEip, offset));
6056
6057 pNewEip = pPatchToGuestRec->pOrgInstrGC;
6058 pPatch->patch.cTraps++;
6059 PATM_STAT_FAULT_INC(&pPatch->patch);
6060 }
6061 else
6062 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 0, ("PATMR3HandleTrap: Unable to find translation record for %RRv (PIF=0)\n", pEip));
6063
6064 /* Check if we were interrupted in PATM generated instruction code. */
6065 if (pVM->patm.s.pGCStateHC->fPIF == 0)
6066 {
6067 DISCPUSTATE Cpu;
6068 rc = CPUMR3DisasmInstrCPU(pVM, pVCpu, pCtx, pEip, &Cpu, "PIF Trap: ");
6069 AssertRC(rc);
6070
6071 if ( rc == VINF_SUCCESS
6072 && ( Cpu.pCurInstr->opcode == OP_PUSHF
6073 || Cpu.pCurInstr->opcode == OP_PUSH
6074 || Cpu.pCurInstr->opcode == OP_CALL)
6075 )
6076 {
6077 uint64_t fFlags;
6078
6079 STAM_COUNTER_INC(&pVM->patm.s.StatPushTrap);
6080
6081 if (Cpu.pCurInstr->opcode == OP_PUSH)
6082 {
6083 rc = PGMShwGetPage(pVCpu, pCtx->esp, &fFlags, NULL);
6084 if ( rc == VINF_SUCCESS
6085 && ((fFlags & (X86_PTE_P|X86_PTE_RW)) == (X86_PTE_P|X86_PTE_RW)) )
6086 {
6087 /* The stack address is fine, so the push argument is a pointer -> emulate this instruction */
6088
6089 /* Reset the PATM stack. */
6090 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6091
6092 pVM->patm.s.pGCStateHC->fPIF = 1;
6093
6094 Log(("Faulting push -> go back to the original instruction\n"));
6095
6096 /* continue at the original instruction */
6097 *ppNewEip = pNewEip - SELMToFlat(pVM, DIS_SELREG_CS, CPUMCTX2CORE(pCtx), 0);
6098 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6099 return VINF_SUCCESS;
6100 }
6101 }
6102
6103 /* Typical pushf (most patches)/push (call patch) trap because of a monitored page. */
6104 rc = PGMShwModifyPage(pVCpu, pCtx->esp, 1, X86_PTE_RW, ~(uint64_t)X86_PTE_RW);
6105 AssertMsgRC(rc, ("PGMShwModifyPage -> rc=%Rrc\n", rc));
6106 if (rc == VINF_SUCCESS)
6107 {
6108
6109 /* The guest page *must* be present. */
6110 rc = PGMGstGetPage(pVCpu, pCtx->esp, &fFlags, NULL);
6111 if (rc == VINF_SUCCESS && (fFlags & X86_PTE_P))
6112 {
6113 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6114 return VINF_PATCH_CONTINUE;
6115 }
6116 }
6117 }
6118 else
6119 if (pPatch->patch.pPrivInstrGC == pNewEip)
6120 {
6121 /* Invalidated patch or first instruction overwritten.
6122 * We can ignore the fPIF state in this case.
6123 */
6124 /* Reset the PATM stack. */
6125 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6126
6127 Log(("Call to invalidated patch -> go back to the original instruction\n"));
6128
6129 pVM->patm.s.pGCStateHC->fPIF = 1;
6130
6131 /* continue at the original instruction */
6132 *ppNewEip = pNewEip - SELMToFlat(pVM, DIS_SELREG_CS, CPUMCTX2CORE(pCtx), 0);
6133 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6134 return VINF_SUCCESS;
6135 }
6136
6137 char szBuf[256];
6138 szBuf[0] = '\0';
6139 DBGFR3DisasInstrEx(pVM, pVCpu->idCpu, pCtx->cs, pEip, 0, szBuf, sizeof(szBuf), NULL);
6140
6141 /* Very bad. We crashed in emitted code. Probably stack? */
6142 if (pPatch)
6143 {
6144 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 1,
6145 ("Crash in patch code %RRv (%RRv) esp=%RX32\nPatch state=%x flags=%RX64 fDirty=%d\n%s\n", pEip, pNewEip, CPUMGetGuestESP(pVCpu), pPatch->patch.uState, pPatch->patch.flags, pPatchToGuestRec->fDirty, szBuf));
6146 }
6147 else
6148 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 1,
6149 ("Crash in patch code %RRv (%RRv) esp=%RX32\n%s\n", pEip, pNewEip, CPUMGetGuestESP(pVCpu), szBuf));
6150 EMR3FatalError(pVCpu, VERR_INTERNAL_ERROR);
6151 }
6152
6153 /* From here on, we must have a valid patch to guest translation. */
6154 if (pvPatchCoreOffset == 0)
6155 {
6156 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6157 AssertMsgFailed(("PATMR3HandleTrap: patch not found at address %RRv!!\n", pEip));
6158 return VERR_PATCH_NOT_FOUND; //fatal error
6159 }
6160
6161 /* Take care of dirty/changed instructions. */
6162 if (pPatchToGuestRec->fDirty)
6163 {
6164 Assert(pPatchToGuestRec->Core.Key == offset);
6165 Assert(pVM->patm.s.pGCStateHC->fPIF == 1);
6166
6167 rc = patmR3HandleDirtyInstr(pVM, pCtx, pPatch, pPatchToGuestRec, pEip);
6168 if (RT_SUCCESS(rc))
6169 {
6170 /* Retry the current instruction. */
6171 pNewEip = pEip;
6172 rc = VINF_PATCH_CONTINUE; /* Continue at current patch instruction. */
6173 }
6174 else
6175 {
6176 /* Reset the PATM stack. */
6177 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6178
6179 rc = VINF_SUCCESS; /* Continue at original instruction. */
6180 }
6181
6182 *ppNewEip = pNewEip - SELMToFlat(pVM, DIS_SELREG_CS, CPUMCTX2CORE(pCtx), 0);
6183 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6184 return rc;
6185 }
6186
6187#ifdef VBOX_STRICT
6188 if (pPatch->patch.flags & PATMFL_DUPLICATE_FUNCTION)
6189 {
6190 DISCPUSTATE cpu;
6191 bool disret;
6192 uint32_t opsize;
6193
6194 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
6195 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pNewEip, PATMGCVirtToHCVirt(pVM, &pPatch->patch, pNewEip), &opsize, NULL, PATMREAD_RAWCODE);
6196 if (disret && cpu.pCurInstr->opcode == OP_RETN)
6197 {
6198 RTRCPTR retaddr;
6199 PCPUMCTX pCtx;
6200
6201 pCtx = CPUMQueryGuestCtxPtr(pVCpu);
6202
6203 rc = PGMPhysSimpleReadGCPtr(pVCpu, &retaddr, pCtx->esp, sizeof(retaddr));
6204 AssertRC(rc);
6205
6206 Log(("Return failed at %RRv (%RRv)\n", pEip, pNewEip));
6207 Log(("Expected return address %RRv found address %RRv Psp=%x\n", pVM->patm.s.pGCStackHC[(pVM->patm.s.pGCStateHC->Psp+PATM_STACK_SIZE)/sizeof(RTRCPTR)], retaddr, pVM->patm.s.pGCStateHC->Psp));
6208 }
6209 }
6210#endif
6211
6212 /* Return original address, correct by subtracting the CS base address. */
6213 *ppNewEip = pNewEip - SELMToFlat(pVM, DIS_SELREG_CS, CPUMCTX2CORE(pCtx), 0);
6214
6215 /* Reset the PATM stack. */
6216 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6217
6218 if (pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts == pNewEip)
6219 {
6220 /* Must be a faulting instruction after sti; currently only sysexit, hlt or iret */
6221 Log(("PATMR3HandleTrap %RRv -> inhibit irqs set!\n", pEip));
6222#ifdef VBOX_STRICT
6223 DISCPUSTATE cpu;
6224 bool disret;
6225 uint32_t opsize;
6226
6227 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
6228 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pNewEip, PATMGCVirtToHCVirt(pVM, &pPatch->patch, pNewEip), &opsize, NULL, PATMREAD_ORGCODE);
6229
6230 if (disret && (cpu.pCurInstr->opcode == OP_SYSEXIT || cpu.pCurInstr->opcode == OP_HLT || cpu.pCurInstr->opcode == OP_INT3))
6231 {
6232 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
6233 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pNewEip, PATMGCVirtToHCVirt(pVM, &pPatch->patch, pNewEip), &opsize, NULL, PATMREAD_RAWCODE);
6234
6235 Assert(cpu.pCurInstr->opcode == OP_SYSEXIT || cpu.pCurInstr->opcode == OP_HLT || cpu.pCurInstr->opcode == OP_IRET);
6236 }
6237#endif
6238 EMSetInhibitInterruptsPC(pVCpu, pNewEip);
6239 pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts = 0;
6240 }
6241
6242 Log2(("pPatchBlockGC %RRv - pEip %RRv corresponding GC address %RRv\n", PATCHCODE_PTR_GC(&pPatch->patch), pEip, pNewEip));
6243#ifdef LOG_ENABLED
6244 CPUMR3DisasmInstr(pVM, pVCpu, pCtx, pNewEip, "PATCHRET: ");
6245#endif
6246 if (pNewEip >= pPatch->patch.pPrivInstrGC && pNewEip < pPatch->patch.pPrivInstrGC + pPatch->patch.cbPatchJump)
6247 {
6248 /* We can't jump back to code that we've overwritten with a 5 byte jump! */
6249 Log(("Disabling patch at location %RRv due to trap too close to the privileged instruction \n", pPatch->patch.pPrivInstrGC));
6250 PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6251 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6252 return VERR_PATCH_DISABLED;
6253 }
6254
6255#ifdef PATM_REMOVE_PATCH_ON_TOO_MANY_TRAPS
6256 /** @todo compare to nr of successful runs. add some aging algorithm and determine the best time to disable the patch */
6257 if (pPatch->patch.cTraps > MAX_PATCH_TRAPS)
6258 {
6259 Log(("Disabling patch at location %RRv due to too many traps inside patch code\n", pPatch->patch.pPrivInstrGC));
6260 //we are only wasting time, back out the patch
6261 PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6262 pTrapRec->pNextPatchInstr = 0;
6263 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6264 return VERR_PATCH_DISABLED;
6265 }
6266#endif
6267
6268 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6269 return VINF_SUCCESS;
6270}
6271
6272
6273/**
6274 * Handle page-fault in monitored page
6275 *
6276 * @returns VBox status code.
6277 * @param pVM The VM to operate on.
6278 */
6279VMMR3DECL(int) PATMR3HandleMonitoredPage(PVM pVM)
6280{
6281 RTRCPTR addr = pVM->patm.s.pvFaultMonitor;
6282
6283 addr &= PAGE_BASE_GC_MASK;
6284
6285 int rc = PGMHandlerVirtualDeregister(pVM, addr);
6286 AssertRC(rc); NOREF(rc);
6287
6288 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, addr, false);
6289 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED && PAGE_ADDRESS(pPatchRec->patch.pPrivInstrGC) == PAGE_ADDRESS(addr))
6290 {
6291 STAM_COUNTER_INC(&pVM->patm.s.StatMonitored);
6292 Log(("Renewing patch at %RRv\n", pPatchRec->patch.pPrivInstrGC));
6293 rc = PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6294 if (rc == VWRN_PATCH_REMOVED)
6295 return VINF_SUCCESS;
6296
6297 PATMR3EnablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6298
6299 if (addr == pPatchRec->patch.pPrivInstrGC)
6300 addr++;
6301 }
6302
6303 for(;;)
6304 {
6305 pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, addr, true);
6306
6307 if (!pPatchRec || PAGE_ADDRESS(pPatchRec->patch.pPrivInstrGC) != PAGE_ADDRESS(addr))
6308 break;
6309
6310 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED)
6311 {
6312 STAM_COUNTER_INC(&pVM->patm.s.StatMonitored);
6313 Log(("Renewing patch at %RRv\n", pPatchRec->patch.pPrivInstrGC));
6314 PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6315 PATMR3EnablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6316 }
6317 addr = pPatchRec->patch.pPrivInstrGC + 1;
6318 }
6319
6320 pVM->patm.s.pvFaultMonitor = 0;
6321 return VINF_SUCCESS;
6322}
6323
6324
6325#ifdef VBOX_WITH_STATISTICS
6326
6327static const char *PATMPatchType(PVM pVM, PPATCHINFO pPatch)
6328{
6329 if (pPatch->flags & PATMFL_SYSENTER)
6330 {
6331 return "SYSENT";
6332 }
6333 else
6334 if (pPatch->flags & (PATMFL_TRAPHANDLER|PATMFL_INTHANDLER))
6335 {
6336 static char szTrap[16];
6337 uint32_t iGate;
6338
6339 iGate = TRPMR3QueryGateByHandler(pVM, PATCHCODE_PTR_GC(pPatch));
6340 if (iGate < 256)
6341 RTStrPrintf(szTrap, sizeof(szTrap), (pPatch->flags & PATMFL_INTHANDLER) ? "INT-%2X" : "TRAP-%2X", iGate);
6342 else
6343 RTStrPrintf(szTrap, sizeof(szTrap), (pPatch->flags & PATMFL_INTHANDLER) ? "INT-??" : "TRAP-??");
6344 return szTrap;
6345 }
6346 else
6347 if (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
6348 return "DUPFUNC";
6349 else
6350 if (pPatch->flags & PATMFL_REPLACE_FUNCTION_CALL)
6351 return "FUNCCALL";
6352 else
6353 if (pPatch->flags & PATMFL_TRAMPOLINE)
6354 return "TRAMP";
6355 else
6356 return patmGetInstructionString(pPatch->opcode, pPatch->flags);
6357}
6358
6359static const char *PATMPatchState(PVM pVM, PPATCHINFO pPatch)
6360{
6361 switch(pPatch->uState)
6362 {
6363 case PATCH_ENABLED:
6364 return "ENA";
6365 case PATCH_DISABLED:
6366 return "DIS";
6367 case PATCH_DIRTY:
6368 return "DIR";
6369 case PATCH_UNUSABLE:
6370 return "UNU";
6371 case PATCH_REFUSED:
6372 return "REF";
6373 case PATCH_DISABLE_PENDING:
6374 return "DIP";
6375 default:
6376 AssertFailed();
6377 return " ";
6378 }
6379}
6380
6381/**
6382 * Resets the sample.
6383 * @param pVM The VM handle.
6384 * @param pvSample The sample registered using STAMR3RegisterCallback.
6385 */
6386static void patmResetStat(PVM pVM, void *pvSample)
6387{
6388 PPATCHINFO pPatch = (PPATCHINFO)pvSample;
6389 Assert(pPatch);
6390
6391 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32A = 0;
6392 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32B = 0;
6393}
6394
6395/**
6396 * Prints the sample into the buffer.
6397 *
6398 * @param pVM The VM handle.
6399 * @param pvSample The sample registered using STAMR3RegisterCallback.
6400 * @param pszBuf The buffer to print into.
6401 * @param cchBuf The size of the buffer.
6402 */
6403static void patmPrintStat(PVM pVM, void *pvSample, char *pszBuf, size_t cchBuf)
6404{
6405 PPATCHINFO pPatch = (PPATCHINFO)pvSample;
6406 Assert(pPatch);
6407
6408 Assert(pPatch->uState != PATCH_REFUSED);
6409 Assert(!(pPatch->flags & (PATMFL_REPLACE_FUNCTION_CALL|PATMFL_MMIO_ACCESS)));
6410
6411 RTStrPrintf(pszBuf, cchBuf, "size %04x ->%3s %8s - %08d - %08d",
6412 pPatch->cbPatchBlockSize, PATMPatchState(pVM, pPatch), PATMPatchType(pVM, pPatch),
6413 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32A, pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32B);
6414}
6415
6416/**
6417 * Returns the GC address of the corresponding patch statistics counter
6418 *
6419 * @returns Stat address
6420 * @param pVM The VM to operate on.
6421 * @param pPatch Patch structure
6422 */
6423RTRCPTR patmPatchQueryStatAddress(PVM pVM, PPATCHINFO pPatch)
6424{
6425 Assert(pPatch->uPatchIdx != PATM_STAT_INDEX_NONE);
6426 return pVM->patm.s.pStatsGC + sizeof(STAMRATIOU32) * pPatch->uPatchIdx + RT_OFFSETOF(STAMRATIOU32, u32A);
6427}
6428
6429#endif /* VBOX_WITH_STATISTICS */
6430
6431#ifdef VBOX_WITH_DEBUGGER
6432/**
6433 * The '.patmoff' command.
6434 *
6435 * @returns VBox status.
6436 * @param pCmd Pointer to the command descriptor (as registered).
6437 * @param pCmdHlp Pointer to command helper functions.
6438 * @param pVM Pointer to the current VM (if any).
6439 * @param paArgs Pointer to (readonly) array of arguments.
6440 * @param cArgs Number of arguments in the array.
6441 */
6442static DECLCALLBACK(int) patmr3CmdOff(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult)
6443{
6444 /*
6445 * Validate input.
6446 */
6447 if (!pVM)
6448 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "error: The command requires VM to be selected.\n");
6449
6450 RTAvloU32DoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, DisableAllPatches, pVM);
6451 PATMR3AllowPatching(pVM, false);
6452 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "Patching disabled\n");
6453}
6454
6455/**
6456 * The '.patmon' command.
6457 *
6458 * @returns VBox status.
6459 * @param pCmd Pointer to the command descriptor (as registered).
6460 * @param pCmdHlp Pointer to command helper functions.
6461 * @param pVM Pointer to the current VM (if any).
6462 * @param paArgs Pointer to (readonly) array of arguments.
6463 * @param cArgs Number of arguments in the array.
6464 */
6465static DECLCALLBACK(int) patmr3CmdOn(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult)
6466{
6467 /*
6468 * Validate input.
6469 */
6470 if (!pVM)
6471 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "error: The command requires VM to be selected.\n");
6472
6473 PATMR3AllowPatching(pVM, true);
6474 RTAvloU32DoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, EnableAllPatches, pVM);
6475 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "Patching enabled\n");
6476}
6477#endif
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette