VirtualBox

source: vbox/trunk/src/VBox/VMM/PATM/PATM.cpp@ 2046

Last change on this file since 2046 was 2046, checked in by vboxsync, 18 years ago

Corrections and activation of mov gpr,ss patch.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 236.2 KB
Line 
1/* $Id: PATM.cpp 2046 2007-04-12 13:23:27Z vboxsync $ */
2/** @file
3 * PATM - Dynamic Guest OS Patching Manager
4 *
5 * NOTE: Never ever reuse patch memory!!
6 */
7
8/*
9 * Copyright (C) 2006 InnoTek Systemberatung GmbH
10 *
11 * This file is part of VirtualBox Open Source Edition (OSE), as
12 * available from http://www.virtualbox.org. This file is free software;
13 * you can redistribute it and/or modify it under the terms of the GNU
14 * General Public License as published by the Free Software Foundation,
15 * in version 2 as it comes in the "COPYING" file of the VirtualBox OSE
16 * distribution. VirtualBox OSE is distributed in the hope that it will
17 * be useful, but WITHOUT ANY WARRANTY of any kind.
18 *
19 * If you received this file as part of a commercial VirtualBox
20 * distribution, then only the terms of your commercial VirtualBox
21 * license agreement apply instead of the previous paragraph.
22 */
23
24/*******************************************************************************
25* Header Files *
26*******************************************************************************/
27#define LOG_GROUP LOG_GROUP_PATM
28#include <VBox/patm.h>
29#include <VBox/stam.h>
30#include <VBox/pgm.h>
31#include <VBox/cpum.h>
32#include <VBox/cpumdis.h>
33#include <VBox/iom.h>
34#include <VBox/sup.h>
35#include <VBox/mm.h>
36#include <VBox/ssm.h>
37#include <VBox/pdm.h>
38#include <VBox/trpm.h>
39#include <VBox/cfgm.h>
40#include <VBox/param.h>
41#include <VBox/selm.h>
42#include <iprt/avl.h>
43#include "PATMInternal.h"
44#include "PATMPatch.h"
45#include <VBox/vm.h>
46#include <VBox/csam.h>
47
48#include <VBox/dbg.h>
49#include <VBox/err.h>
50#include <VBox/log.h>
51#include <iprt/assert.h>
52#include <iprt/asm.h>
53#include <VBox/dis.h>
54#include <VBox/disopcode.h>
55
56#include <iprt/string.h>
57#include "PATMA.h"
58
59//#define PATM_REMOVE_PATCH_ON_TOO_MANY_TRAPS
60//#define PATM_DISABLE_ALL
61
62/*******************************************************************************
63* Internal Functions *
64*******************************************************************************/
65
66static int patmDisableUnusablePatch(PVM pVM, RTGCPTR pInstrGC, RTGCPTR pConflictAddr, PPATCHINFO pPatch);
67static int patmActivateInt3Patch(PVM pVM, PPATCHINFO pPatch);
68static int patmDeactivateInt3Patch(PVM pVM, PPATCHINFO pPatch);
69
70#ifdef DEBUG // keep gcc quiet
71static bool patmIsCommonIDTHandlerPatch(PVM pVM, RTGCPTR pInstrGC);
72#endif
73#ifdef VBOX_WITH_STATISTICS
74static const char *PATMPatchType(PVM pVM, PPATCHINFO pPatch);
75static void patmResetStat(PVM pVM, void *pvSample);
76static void patmPrintStat(PVM pVM, void *pvSample, char *pszBuf, size_t cchBuf);
77#endif
78
79#define patmPatchHCPtr2PatchGCPtr(pVM, pHC) (pVM->patm.s.pPatchMemGC + (pHC - pVM->patm.s.pPatchMemHC))
80#define patmPatchGCPtr2PatchHCPtr(pVM, pGC) (pVM->patm.s.pPatchMemHC + (pGC - pVM->patm.s.pPatchMemGC))
81
82static int patmReinit(PVM pVM);
83static DECLCALLBACK(int) RelocatePatches(PAVLOGCPTRNODECORE pNode, void *pParam);
84static DECLCALLBACK(int) patmVirtPageHandler(PVM pVM, RTGCPTR GCPtr, void *pvPtr, void *pvBuf, size_t cbBuf, PGMACCESSTYPE enmAccessType, void *pvUser);
85
86#ifdef VBOX_WITH_DEBUGGER
87static DECLCALLBACK(int) DisableAllPatches(PAVLOGCPTRNODECORE pNode, void *pVM);
88static DECLCALLBACK(int) patmr3CmdOn(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult);
89static DECLCALLBACK(int) patmr3CmdOff(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult);
90
91/** Command descriptors. */
92static const DBGCCMD g_aCmds[] =
93{
94 /* pszCmd, cArgsMin, cArgsMax, paArgDesc, cArgDescs, pResultDesc, fFlags, pfnHandler pszSyntax, ....pszDescription */
95 { "patmon", 0, 0, NULL, 0, NULL, 0, patmr3CmdOn, "", "Enable patching." },
96 { "patmoff", 0, 0, NULL, 0, NULL, 0, patmr3CmdOff, "", "Disable patching." },
97};
98#endif
99
100/**
101 * Initializes the PATM.
102 *
103 * @returns VBox status code.
104 * @param pVM The VM to operate on.
105 */
106PATMR3DECL(int) PATMR3Init(PVM pVM)
107{
108 int rc;
109
110 Log(("PATMR3Init: Patch record size %d\n", sizeof(PATCHINFO)));
111
112 AssertReleaseMsg(PATMInterruptFlag == (VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC | VM_FF_TIMER | VM_FF_REQUEST), ("Interrupt flags out of sync!!\n"));
113
114 /* Allocate patch memory and GC patch state memory. */
115 pVM->patm.s.cbPatchMem = PATCH_MEMORY_SIZE;
116 /* Add another page in case the generated code is much larger than expected. */
117 /** @todo bad safety precaution */
118 rc = MMR3HyperAllocOnceNoRel(pVM, PATCH_MEMORY_SIZE + PAGE_SIZE + PATM_STACK_TOTAL_SIZE + PAGE_SIZE + PATM_STAT_MEMSIZE, PAGE_SIZE, MM_TAG_PATM, (void **)&pVM->patm.s.pPatchMemHC);
119 if (VBOX_FAILURE(rc))
120 {
121 Log(("MMR3HyperAlloc failed with %Vrc\n", rc));
122 return rc;
123 }
124 pVM->patm.s.pPatchMemGC = MMHyperHC2GC(pVM, pVM->patm.s.pPatchMemHC);
125
126 /* PATM stack page for call instruction execution. (2 parts: one for our private stack and one to store the original return address */
127 pVM->patm.s.pGCStackHC = (RTGCPTR *)(pVM->patm.s.pPatchMemHC + PATCH_MEMORY_SIZE + PAGE_SIZE);
128 pVM->patm.s.pGCStackGC = MMHyperHC2GC(pVM, pVM->patm.s.pGCStackHC);
129
130 /*
131 * Hypervisor memory for GC status data (read/write)
132 *
133 * Note1: This is non-critical data; if trashed by the guest, then it will only cause problems for itself
134 * Note2: This doesn't really belong here, but we need access to it for relocation purposes
135 *
136 */
137 Assert(sizeof(PATMGCSTATE) < PAGE_SIZE); /** @note hardcoded dependencies on this exist. */
138 pVM->patm.s.pGCStateHC = (PPATMGCSTATE)((uint8_t *)pVM->patm.s.pGCStackHC + PATM_STACK_TOTAL_SIZE);
139 pVM->patm.s.pGCStateGC = MMHyperHC2GC(pVM, pVM->patm.s.pGCStateHC);
140
141 /* Hypervisor memory for patch statistics */
142 pVM->patm.s.pStatsHC = (PSTAMRATIOU32)((uint8_t *)pVM->patm.s.pGCStateHC + PAGE_SIZE);
143 pVM->patm.s.pStatsGC = MMHyperHC2GC(pVM, pVM->patm.s.pStatsHC);
144
145 /* Memory for patch lookup trees. */
146 rc = MMHyperAlloc(pVM, sizeof(*pVM->patm.s.PatchLookupTreeHC), 0, MM_TAG_PATM, (void **)&pVM->patm.s.PatchLookupTreeHC);
147 AssertRCReturn(rc, rc);
148 pVM->patm.s.PatchLookupTreeGC = MMHyperHC2GC(pVM, pVM->patm.s.PatchLookupTreeHC);
149
150#ifdef __AMD64__ /* see patmReinit(). */
151 /* Check CFGM option. */
152 rc = CFGMR3QueryBool(CFGMR3GetRoot(pVM), "PATMEnabled", &pVM->fPATMEnabled);
153 if (VBOX_FAILURE(rc))
154# ifdef PATM_DISABLE_ALL
155 pVM->fPATMEnabled = false;
156# else
157 pVM->fPATMEnabled = true;
158# endif
159#endif
160
161 rc = patmReinit(pVM);
162 AssertRC(rc);
163 if (VBOX_FAILURE(rc))
164 return rc;
165
166 /*
167 * Register save and load state notificators.
168 */
169 rc = SSMR3RegisterInternal(pVM, "PATM", 0, PATM_SSM_VERSION, sizeof(pVM->patm.s) + PATCH_MEMORY_SIZE + PAGE_SIZE + PATM_STACK_TOTAL_SIZE + PAGE_SIZE,
170 NULL, patmr3Save, NULL,
171 NULL, patmr3Load, NULL);
172 if (VBOX_FAILURE(rc))
173 {
174 AssertRC(rc);
175 return rc;
176 }
177
178#ifdef VBOX_WITH_DEBUGGER
179 /*
180 * Debugger commands.
181 */
182 static bool fRegisteredCmds = false;
183 if (!fRegisteredCmds)
184 {
185 int rc = DBGCRegisterCommands(&g_aCmds[0], ELEMENTS(g_aCmds));
186 if (VBOX_SUCCESS(rc))
187 fRegisteredCmds = true;
188 }
189#endif
190
191#ifdef VBOX_WITH_STATISTICS
192 STAM_REG(pVM, &pVM->patm.s.StatNrOpcodeRead, STAMTYPE_COUNTER, "/PATM/OpcodeBytesRead", STAMUNIT_OCCURENCES, "The number of opcode bytes read by the recompiler.");
193 STAM_REG(pVM, &pVM->patm.s.StatPATMMemoryUsed,STAMTYPE_COUNTER, "/PATM/MemoryUsed", STAMUNIT_OCCURENCES, "The amount of hypervisor heap used for patches.");
194 STAM_REG(pVM, &pVM->patm.s.StatDisabled, STAMTYPE_COUNTER, "/PATM/Patch/Disabled", STAMUNIT_OCCURENCES, "Number of times patches were disabled.");
195 STAM_REG(pVM, &pVM->patm.s.StatEnabled, STAMTYPE_COUNTER, "/PATM/Patch/Enabled", STAMUNIT_OCCURENCES, "Number of times patches were enabled.");
196 STAM_REG(pVM, &pVM->patm.s.StatDirty, STAMTYPE_COUNTER, "/PATM/Patch/Dirty", STAMUNIT_OCCURENCES, "Number of times patches were marked dirty.");
197 STAM_REG(pVM, &pVM->patm.s.StatUnusable, STAMTYPE_COUNTER, "/PATM/Patch/Unusable", STAMUNIT_OCCURENCES, "Number of unusable patches (conflicts).");
198 STAM_REG(pVM, &pVM->patm.s.StatInstalled, STAMTYPE_COUNTER, "/PATM/Patch/Installed", STAMUNIT_OCCURENCES, "Number of installed patches.");
199 STAM_REG(pVM, &pVM->patm.s.StatInt3Callable, STAMTYPE_COUNTER, "/PATM/Patch/Int3Callable", STAMUNIT_OCCURENCES, "Number of cli patches turned into int3 patches.");
200
201 STAM_REG(pVM, &pVM->patm.s.StatInt3BlockRun, STAMTYPE_COUNTER, "/PATM/Patch/Run/Int3", STAMUNIT_OCCURENCES, "Number of times an int3 block patch was executed.");
202 STAMR3RegisterF(pVM, &pVM->patm.s.pGCStateHC->uPatchCalls, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Patch/Run/Normal");
203
204 STAM_REG(pVM, &pVM->patm.s.StatInstalledFunctionPatches, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Function", STAMUNIT_OCCURENCES, "Number of installed function duplication patches.");
205 STAM_REG(pVM, &pVM->patm.s.StatInstalledTrampoline, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Trampoline", STAMUNIT_OCCURENCES, "Number of installed trampoline patches.");
206 STAM_REG(pVM, &pVM->patm.s.StatInstalledJump, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Jump", STAMUNIT_OCCURENCES, "Number of installed jump patches.");
207
208 STAM_REG(pVM, &pVM->patm.s.StatOverwritten, STAMTYPE_COUNTER, "/PATM/Patch/Overwritten", STAMUNIT_OCCURENCES, "Number of overwritten patches.");
209 STAM_REG(pVM, &pVM->patm.s.StatFixedConflicts,STAMTYPE_COUNTER, "/PATM/Patch/ConflictFixed", STAMUNIT_OCCURENCES, "Number of fixed conflicts.");
210 STAM_REG(pVM, &pVM->patm.s.StatFlushed, STAMTYPE_COUNTER, "/PATM/Patch/Flushed", STAMUNIT_OCCURENCES, "Number of flushes of pages with patch jumps.");
211 STAM_REG(pVM, &pVM->patm.s.StatMonitored, STAMTYPE_COUNTER, "/PATM/Patch/Monitored", STAMUNIT_OCCURENCES, "Number of patches in monitored patch pages.");
212 STAM_REG(pVM, &pVM->patm.s.StatPageBoundaryCrossed, STAMTYPE_COUNTER, "/PATM/Patch/BoundaryCross", STAMUNIT_OCCURENCES, "Number of refused patches due to patch jump crossing page boundary.");
213
214 STAM_REG(pVM, &pVM->patm.s.StatHandleTrap, STAMTYPE_PROFILE, "/PATM/HandleTrap", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMR3HandleTrap");
215 STAM_REG(pVM, &pVM->patm.s.StatPushTrap, STAMTYPE_COUNTER, "/PATM/HandleTrap/PushWP", STAMUNIT_OCCURENCES, "Number of traps due to monitored stack pages.");
216
217 STAM_REG(pVM, &pVM->patm.s.StatSwitchBack, STAMTYPE_COUNTER, "/PATM/SwitchBack", STAMUNIT_OCCURENCES, "Switch back to original guest code when IF=1 & executing PATM instructions");
218 STAM_REG(pVM, &pVM->patm.s.StatSwitchBackFail,STAMTYPE_COUNTER, "/PATM/SwitchBackFail", STAMUNIT_OCCURENCES, "Failed switch back to original guest code when IF=1 & executing PATM instructions");
219
220 STAM_REG(pVM, &pVM->patm.s.StatDuplicateREQFailed, STAMTYPE_COUNTER, "/PATM/Function/DupREQ/Failed", STAMUNIT_OCCURENCES, "Nr of failed PATMR3DuplicateFunctionRequest calls");
221 STAM_REG(pVM, &pVM->patm.s.StatDuplicateREQSuccess, STAMTYPE_COUNTER, "/PATM/Function/DupREQ/Success", STAMUNIT_OCCURENCES, "Nr of successful PATMR3DuplicateFunctionRequest calls");
222 STAM_REG(pVM, &pVM->patm.s.StatDuplicateUseExisting,STAMTYPE_COUNTER, "/PATM/Function/DupREQ/UseExist", STAMUNIT_OCCURENCES, "Nr of successful PATMR3DuplicateFunctionRequest calls when using an existing patch");
223
224 STAM_REG(pVM, &pVM->patm.s.StatFunctionLookupInsert, STAMTYPE_COUNTER, "/PATM/Function/Lookup/Insert", STAMUNIT_OCCURENCES, "Nr of successful function address insertions");
225 STAM_REG(pVM, &pVM->patm.s.StatFunctionLookupReplace, STAMTYPE_COUNTER, "/PATM/Function/Lookup/Replace", STAMUNIT_OCCURENCES, "Nr of successful function address replacements");
226 STAM_REG(pVM, &pVM->patm.s.StatU32FunctionMaxSlotsUsed, STAMTYPE_U32_RESET,"/PATM/Function/Lookup/MaxSlots", STAMUNIT_OCCURENCES, "Maximum nr of lookup slots used in all call patches");
227
228 STAM_REG(pVM, &pVM->patm.s.StatFunctionFound, STAMTYPE_COUNTER, "/PATM/Function/Found", STAMUNIT_OCCURENCES, "Nr of successful function patch lookups in GC");
229 STAM_REG(pVM, &pVM->patm.s.StatFunctionNotFound, STAMTYPE_COUNTER, "/PATM/Function/NotFound", STAMUNIT_OCCURENCES, "Nr of failed function patch lookups in GC");
230
231 STAM_REG(pVM, &pVM->patm.s.StatPatchWrite, STAMTYPE_PROFILE, "/PATM/Write/Handle", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMR3PatchWrite");
232 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteDetect, STAMTYPE_PROFILE, "/PATM/Write/Detect", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMIsWriteToPatchPage");
233 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteInterpreted, STAMTYPE_COUNTER, "/PATM/Write/Interpreted/Success", STAMUNIT_OCCURENCES, "Nr of interpreted patch writes.");
234 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteInterpretedFailed, STAMTYPE_COUNTER, "/PATM/Write/Interpreted/Failed", STAMUNIT_OCCURENCES, "Nr of failed interpreted patch writes.");
235
236 STAM_REG(pVM, &pVM->patm.s.StatPatchRefreshSuccess, STAMTYPE_COUNTER, "/PATM/Refresh/Success", STAMUNIT_OCCURENCES, "Successful patch refreshes");
237 STAM_REG(pVM, &pVM->patm.s.StatPatchRefreshFailed, STAMTYPE_COUNTER, "/PATM/Refresh/Failure", STAMUNIT_OCCURENCES, "Failed patch refreshes");
238
239 STAM_REG(pVM, &pVM->patm.s.StatPatchPageInserted, STAMTYPE_COUNTER, "/PATM/Page/Inserted", STAMUNIT_OCCURENCES, "Nr of inserted guest pages that were patched");
240 STAM_REG(pVM, &pVM->patm.s.StatPatchPageRemoved, STAMTYPE_COUNTER, "/PATM/Page/Removed", STAMUNIT_OCCURENCES, "Nr of removed guest pages that were patched");
241
242 STAM_REG(pVM, &pVM->patm.s.StatInstrDirty, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Detected", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty.");
243 STAM_REG(pVM, &pVM->patm.s.StatInstrDirtyGood, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Corrected", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty and corrected later on.");
244 STAM_REG(pVM, &pVM->patm.s.StatInstrDirtyBad, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Failed", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty and we were not able to correct them.");
245
246 STAM_REG(pVM, &pVM->patm.s.StatSysEnter, STAMTYPE_COUNTER, "/PATM/Emul/SysEnter", STAMUNIT_OCCURENCES, "Number of times sysenter was emulated.");
247 STAM_REG(pVM, &pVM->patm.s.StatSysExit, STAMTYPE_COUNTER, "/PATM/Emul/SysExit" , STAMUNIT_OCCURENCES, "Number of times sysexit was emulated.");
248 STAM_REG(pVM, &pVM->patm.s.StatEmulIret, STAMTYPE_COUNTER, "/PATM/Emul/Iret/Success", STAMUNIT_OCCURENCES, "Number of times iret was emulated.");
249 STAM_REG(pVM, &pVM->patm.s.StatEmulIretFailed, STAMTYPE_COUNTER, "/PATM/Emul/Iret/Failed", STAMUNIT_OCCURENCES, "Number of times iret was emulated.");
250
251 STAM_REG(pVM, &pVM->patm.s.StatGenRet, STAMTYPE_COUNTER, "/PATM/Gen/Ret" , STAMUNIT_OCCURENCES, "Number of generated ret instructions.");
252 STAM_REG(pVM, &pVM->patm.s.StatGenRetReused, STAMTYPE_COUNTER, "/PATM/Gen/RetReused" , STAMUNIT_OCCURENCES, "Number of reused ret instructions.");
253 STAM_REG(pVM, &pVM->patm.s.StatGenCall, STAMTYPE_COUNTER, "/PATM/Gen/Call", STAMUNIT_OCCURENCES, "Number of generated call instructions.");
254 STAM_REG(pVM, &pVM->patm.s.StatGenJump, STAMTYPE_COUNTER, "/PATM/Gen/Jmp" , STAMUNIT_OCCURENCES, "Number of generated indirect jump instructions.");
255 STAM_REG(pVM, &pVM->patm.s.StatGenPopf, STAMTYPE_COUNTER, "/PATM/Gen/Popf" , STAMUNIT_OCCURENCES, "Number of generated popf instructions.");
256
257 STAM_REG(pVM, &pVM->patm.s.StatCheckPendingIRQ, STAMTYPE_COUNTER, "/PATM/GC/CheckIRQ" , STAMUNIT_OCCURENCES, "Number of traps that ask to check for pending irqs.");
258#endif /* VBOX_WITH_STATISTICS */
259
260 Log(("PATMCallRecord.size %d\n", PATMCallRecord.size));
261 Log(("PATMCallIndirectRecord.size %d\n", PATMCallIndirectRecord.size));
262 Log(("PATMRetRecord.size %d\n", PATMRetRecord.size));
263 Log(("PATMJumpIndirectRecord.size %d\n", PATMJumpIndirectRecord.size));
264 Log(("PATMPopf32Record.size %d\n", PATMPopf32Record.size));
265 Log(("PATMIretRecord.size %d\n", PATMIretRecord.size));
266 Log(("PATMStiRecord.size %d\n", PATMStiRecord.size));
267 Log(("PATMCheckIFRecord.size %d\n", PATMCheckIFRecord.size));
268
269 return rc;
270}
271
272/**
273 * Finalizes HMA page attributes.
274 *
275 * @returns VBox status code.
276 * @param pVM The VM handle.
277 */
278PATMR3DECL(int) PATMR3InitFinalize(PVM pVM)
279{
280 /* The GC state, stack and statistics must be read/write for the guest (supervisor only of course). */
281 int rc = PGMMapSetPage(pVM, pVM->patm.s.pGCStateGC, PAGE_SIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
282 if (VBOX_FAILURE(rc))
283 Log(("PATMR3InitFinalize: PGMMapSetPage failed with %Vrc!!\n", rc));
284
285 rc = PGMMapSetPage(pVM, pVM->patm.s.pGCStackGC, PATM_STACK_TOTAL_SIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
286 if (VBOX_FAILURE(rc))
287 Log(("PATMR3InitFinalize: PGMMapSetPage failed with %Vrc!!\n", rc));
288
289 rc = PGMMapSetPage(pVM, pVM->patm.s.pStatsGC, PATM_STAT_MEMSIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
290 if (VBOX_FAILURE(rc))
291 Log(("PATMR3InitFinalize: PGMMapSetPage failed with %Vrc!!\n", rc));
292
293 return rc;
294}
295
296/**
297 * (Re)initializes PATM
298 *
299 * @param pVM The VM.
300 */
301static int patmReinit(PVM pVM)
302{
303 int rc;
304
305 /*
306 * Assert alignment and sizes.
307 */
308 AssertRelease(!(RT_OFFSETOF(VM, patm.s) & 31));
309 AssertRelease(sizeof(pVM->patm.s) <= sizeof(pVM->patm.padding));
310
311 /*
312 * Setup any fixed pointers and offsets.
313 */
314 pVM->patm.s.offVM = RT_OFFSETOF(VM, patm);
315
316#ifndef __AMD64__ /* would be nice if this was changed everywhere. was driving me crazy on AMD64. */
317#ifndef PATM_DISABLE_ALL
318 pVM->fPATMEnabled = true;
319#endif
320#endif
321
322 Assert(pVM->patm.s.pGCStateHC);
323 memset(pVM->patm.s.pGCStateHC, 0, PAGE_SIZE);
324 AssertReleaseMsg(pVM->patm.s.pGCStateGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pGCStateGC));
325 Log(("Patch memory allocated at %p - %VGv\n", pVM->patm.s.pPatchMemHC, pVM->patm.s.pPatchMemGC));
326 pVM->patm.s.pGCStateHC->uVMFlags = X86_EFL_IF;
327
328 Assert(pVM->patm.s.pGCStackHC);
329 memset(pVM->patm.s.pGCStackHC, 0, PAGE_SIZE);
330 AssertReleaseMsg(pVM->patm.s.pGCStackGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pGCStackGC));
331 pVM->patm.s.pGCStateHC->Psp = PATM_STACK_SIZE;
332 pVM->patm.s.pGCStateHC->fPIF = 1; /* PATM Interrupt Flag */
333
334 Assert(pVM->patm.s.pStatsHC);
335 memset(pVM->patm.s.pStatsHC, 0, PATM_STAT_MEMSIZE);
336 AssertReleaseMsg(pVM->patm.s.pStatsGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pStatsGC));
337
338 Assert(pVM->patm.s.pPatchMemHC);
339 Assert(pVM->patm.s.pPatchMemGC = MMHyperHC2GC(pVM, pVM->patm.s.pPatchMemHC));
340 memset(pVM->patm.s.pPatchMemHC, 0, PATCH_MEMORY_SIZE);
341 AssertReleaseMsg(pVM->patm.s.pPatchMemGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pPatchMemHC));
342
343 /* Needed for future patching of sldt/sgdt/sidt/str etc. */
344 rc = CPUMR3QueryGuestCtxGCPtr(pVM, &pVM->patm.s.pCPUMCtxGC);
345 AssertRCReturn(rc, rc);
346
347 Assert(pVM->patm.s.PatchLookupTreeHC);
348 Assert(pVM->patm.s.PatchLookupTreeGC == MMHyperHC2GC(pVM, pVM->patm.s.PatchLookupTreeHC));
349
350 /*
351 * (Re)Initialize PATM structure
352 */
353 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTree);
354 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr);
355 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage);
356 pVM->patm.s.offPatchMem = 16; /* don't start with zero here */
357 pVM->patm.s.uCurrentPatchIdx = 1; /* Index zero is a dummy */
358 pVM->patm.s.pvFaultMonitor = 0;
359 pVM->patm.s.deltaReloc = 0;
360
361 /* Lowest and highest patched instruction */
362 pVM->patm.s.pPatchedInstrGCLowest = ~0;
363 pVM->patm.s.pPatchedInstrGCHighest = 0;
364
365 pVM->patm.s.PatchLookupTreeHC->PatchTree = 0;
366 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr = 0;
367 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage = 0;
368
369 pVM->patm.s.pfnSysEnterPatchGC = 0;
370 pVM->patm.s.pfnSysEnterGC = 0;
371
372 pVM->patm.s.fOutOfMemory = false;
373
374 pVM->patm.s.pfnHelperCallGC = 0;
375
376 /* Generate all global functions to be used by future patches. */
377 /* We generate a fake patch in order to use the existing code for relocation. */
378 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHREC), 0, MM_TAG_PATM_PATCH, (void **)&pVM->patm.s.pGlobalPatchRec);
379 if (VBOX_FAILURE(rc))
380 {
381 Log(("Out of memory!!!!\n"));
382 return VERR_NO_MEMORY;
383 }
384 pVM->patm.s.pGlobalPatchRec->patch.flags = PATMFL_GLOBAL_FUNCTIONS;
385 pVM->patm.s.pGlobalPatchRec->patch.uState = PATCH_ENABLED;
386 pVM->patm.s.pGlobalPatchRec->patch.pPatchBlockOffset = pVM->patm.s.offPatchMem;
387
388 rc = patmPatchGenGlobalFunctions(pVM, &pVM->patm.s.pGlobalPatchRec->patch);
389 AssertRC(rc);
390
391 /* Update free pointer in patch memory. */
392 pVM->patm.s.offPatchMem += pVM->patm.s.pGlobalPatchRec->patch.uCurPatchOffset;
393 /* Round to next 8 byte boundary. */
394 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
395 return rc;
396}
397
398
399/**
400 * Applies relocations to data and code managed by this
401 * component. This function will be called at init and
402 * whenever the VMM need to relocate it self inside the GC.
403 *
404 * The PATM will update the addresses used by the switcher.
405 *
406 * @param pVM The VM.
407 */
408PATMR3DECL(void) PATMR3Relocate(PVM pVM)
409{
410 RTGCPTR GCPtrNew = MMHyperHC2GC(pVM, pVM->patm.s.pGCStateHC);
411 RTGCINTPTR delta = GCPtrNew - pVM->patm.s.pGCStateGC;
412
413 Log(("PATMR3Relocate from %VGv to %VGv - delta %08X\n", pVM->patm.s.pGCStateGC, GCPtrNew, delta));
414 if (delta)
415 {
416 PCPUMCTX pCtx;
417 int rc;
418
419 /* Update CPUMCTX guest context pointer. */
420 pVM->patm.s.pCPUMCtxGC += delta;
421
422 pVM->patm.s.deltaReloc = delta;
423
424 RTAvloGCPtrDoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, RelocatePatches, (void *)pVM);
425
426 rc = CPUMQueryGuestCtxPtr(pVM, &pCtx);
427 AssertRC(rc);
428
429 /* If we are running patch code right now, then also adjust EIP. */
430 if (PATMIsPatchGCAddr(pVM, pCtx->eip))
431 pCtx->eip += delta;
432
433 pVM->patm.s.pGCStateGC = GCPtrNew;
434 pVM->patm.s.pPatchMemGC = MMHyperHC2GC(pVM, pVM->patm.s.pPatchMemHC);
435
436 pVM->patm.s.pGCStackGC = MMHyperHC2GC(pVM, pVM->patm.s.pGCStackHC);
437
438 pVM->patm.s.pStatsGC = MMHyperHC2GC(pVM, pVM->patm.s.pStatsHC);
439
440 pVM->patm.s.PatchLookupTreeGC = MMHyperHC2GC(pVM, pVM->patm.s.PatchLookupTreeHC);
441
442 if (pVM->patm.s.pfnSysEnterPatchGC)
443 pVM->patm.s.pfnSysEnterPatchGC += delta;
444
445 /* Deal with the global patch functions. */
446 pVM->patm.s.pfnHelperCallGC += delta;
447 pVM->patm.s.pfnHelperRetGC += delta;
448 pVM->patm.s.pfnHelperIretGC += delta;
449 pVM->patm.s.pfnHelperJumpGC += delta;
450
451 RelocatePatches(&pVM->patm.s.pGlobalPatchRec->Core, (void *)pVM);
452 }
453}
454
455
456/**
457 * Terminates the PATM.
458 *
459 * Termination means cleaning up and freeing all resources,
460 * the VM it self is at this point powered off or suspended.
461 *
462 * @returns VBox status code.
463 * @param pVM The VM to operate on.
464 */
465PATMR3DECL(int) PATMR3Term(PVM pVM)
466{
467 /* Memory was all allocated from the two MM heaps and requires no freeing. */
468 return VINF_SUCCESS;
469}
470
471
472/**
473 * PATM reset callback.
474 *
475 * @returns VBox status code.
476 * @param pVM The VM which is reset.
477 */
478PATMR3DECL(int) PATMR3Reset(PVM pVM)
479{
480 Log(("PATMR3Reset\n"));
481
482 /* Free all patches. */
483 while (true)
484 {
485 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloGCPtrRemoveBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, 0, true);
486 if (pPatchRec)
487 {
488 PATMRemovePatch(pVM, pPatchRec, true);
489 }
490 else
491 break;
492 }
493 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage);
494 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTree);
495 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr = 0;
496 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage = 0;
497
498 int rc = patmReinit(pVM);
499 if (VBOX_SUCCESS(rc))
500 rc = PATMR3InitFinalize(pVM); /* paranoia */
501
502 return rc;
503}
504
505/**
506 * Read callback for disassembly function; supports reading bytes that cross a page boundary
507 *
508 * @returns VBox status code.
509 * @param pSrc GC source pointer
510 * @param pDest HC destination pointer
511 * @param size Number of bytes to read
512 * @param dwUserdata Callback specific user data (pCpu)
513 *
514 */
515int32_t patmReadBytes(RTHCUINTPTR pSrc, uint8_t *pDest, uint32_t size, RTHCUINTPTR dwUserdata)
516{
517 DISCPUSTATE *pCpu = (DISCPUSTATE *)dwUserdata;
518 PATMDISASM *pDisInfo = (PATMDISASM *)pCpu->dwUserData[0];
519 int orgsize = size;
520
521 Assert(size);
522 if (size == 0)
523 return VERR_INVALID_PARAMETER;
524
525 /*
526 * Trap/interrupt handler typically call common code on entry. Which might already have patches inserted.
527 * As we currently don't support calling patch code from patch code, we'll let it read the original opcode bytes instead.
528 */
529 /** @todo could change in the future! */
530 if (pDisInfo->fReadFlags & PATMREAD_ORGCODE)
531 {
532 for (int i=0;i<orgsize;i++)
533 {
534 int rc = PATMR3QueryOpcode(pDisInfo->pVM, (RTGCPTR)pSrc, pDest);
535 if (VBOX_SUCCESS(rc))
536 {
537 pSrc++;
538 pDest++;
539 size--;
540 }
541 else break;
542 }
543 if (size == 0)
544 return VINF_SUCCESS;
545#ifdef VBOX_STRICT
546 if ( !(pDisInfo->pPatchInfo->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER))
547 && !(pDisInfo->fReadFlags & PATMREAD_NOCHECK))
548 {
549 Assert(PATMR3IsInsidePatchJump(pDisInfo->pVM, pSrc, NULL) == false);
550 Assert(PATMR3IsInsidePatchJump(pDisInfo->pVM, pSrc+size-1, NULL) == false);
551 }
552#endif
553 }
554
555
556 if (PAGE_ADDRESS(pDisInfo->pInstrGC) != PAGE_ADDRESS(pSrc + size - 1) && !PATMIsPatchGCAddr(pDisInfo->pVM, pSrc))
557 {
558 return PGMPhysReadGCPtr(pDisInfo->pVM, pDest, pSrc, size);
559 }
560 else
561 {
562 uint8_t *pInstrHC = pDisInfo->pInstrHC;
563
564 Assert(pInstrHC);
565
566 /* pInstrHC is the base address; adjust according to the GC pointer. */
567 pInstrHC = pInstrHC + (pSrc - pDisInfo->pInstrGC);
568
569 memcpy(pDest, (void *)pInstrHC, size);
570 }
571
572 return VINF_SUCCESS;
573}
574
575/**
576 * Callback function for RTAvloGCPtrDoWithAll
577 *
578 * Updates all fixups in the patches
579 *
580 * @returns VBox status code.
581 * @param pNode Current node
582 * @param pParam The VM to operate on.
583 */
584static DECLCALLBACK(int) RelocatePatches(PAVLOGCPTRNODECORE pNode, void *pParam)
585{
586 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
587 PVM pVM = (PVM)pParam;
588 RTGCINTPTR delta;
589#ifdef LOG_ENABLED
590 DISCPUSTATE cpu;
591 char szOutput[256];
592 uint32_t opsize;
593 bool disret;
594#endif
595 int rc;
596
597 /* Nothing to do if the patch is not active. */
598 if (pPatch->patch.uState == PATCH_REFUSED)
599 return 0;
600
601#ifdef LOG_ENABLED
602 if (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE)
603 {
604 /** @note pPrivInstrHC is probably not valid anymore */
605 rc = PGMPhysGCPtr2HCPtr(pVM, pPatch->patch.pPrivInstrGC, (PRTHCPTR)&pPatch->patch.pPrivInstrHC);
606 if (rc == VINF_SUCCESS)
607 {
608 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
609 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pPatch->patch.pPrivInstrGC, pPatch->patch.pPrivInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
610 Log(("Org patch jump: %s", szOutput));
611 }
612 }
613#endif
614
615 Log(("Nr of fixups %d\n", pPatch->patch.nrFixups));
616 delta = (RTGCINTPTR)pVM->patm.s.deltaReloc;
617
618 /*
619 * Apply fixups
620 */
621 PRELOCREC pRec = 0;
622 AVLPVKEY key = 0;
623
624 while (true)
625 {
626 /* Get the record that's closest from above */
627 pRec = (PRELOCREC)RTAvlPVGetBestFit(&pPatch->patch.FixupTree, key, true);
628 if (pRec == 0)
629 break;
630
631 key = (AVLPVKEY)(pRec->pRelocPos + 1); /* search for the next record during the next round. */
632
633 switch (pRec->uType)
634 {
635 case FIXUP_ABSOLUTE:
636 Log(("Absolute fixup at %VGv %VHv -> %VHv at %VGv\n", pRec->pSource, *(RTGCUINTPTR*)pRec->pRelocPos, *(RTGCINTPTR*)pRec->pRelocPos + delta, pRec->pRelocPos));
637 if (!pRec->pSource || PATMIsPatchGCAddr(pVM, pRec->pSource))
638 {
639 *(RTGCUINTPTR *)pRec->pRelocPos += delta;
640 }
641 else
642 {
643 uint8_t curInstr[15];
644 uint8_t oldInstr[15];
645 Assert(pRec->pSource && pPatch->patch.cbPrivInstr <= 15);
646
647 Assert(!(pPatch->patch.flags & PATMFL_GLOBAL_FUNCTIONS));
648
649 memcpy(oldInstr, pPatch->patch.aPrivInstr, pPatch->patch.cbPrivInstr);
650 *(RTGCPTR *)&oldInstr[pPatch->patch.cbPrivInstr - sizeof(RTGCPTR)] = pRec->pDest;
651
652 rc = PGMPhysReadGCPtr(pVM, curInstr, pPatch->patch.pPrivInstrGC, pPatch->patch.cbPrivInstr);
653 Assert(VBOX_SUCCESS(rc) || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT);
654
655 pRec->pDest = (RTGCPTR)((RTGCUINTPTR)pRec->pDest + delta);
656
657 if (rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT)
658 {
659 RTGCPTR pPage = pPatch->patch.pPrivInstrGC & PAGE_BASE_GC_MASK;
660
661 Log(("PATM: Patch page not present -> check later!\n"));
662 rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_ALL, pPage, pPage + (PAGE_SIZE - 1) /* inclusive! */, 0, patmVirtPageHandler, "PATMGCMonitorPage", 0, "PATMMonitorPatchJump");
663 Assert(VBOX_SUCCESS(rc) || rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT);
664 }
665 else
666 if (memcmp(curInstr, oldInstr, pPatch->patch.cbPrivInstr))
667 {
668 Log(("PATM: Patch was overwritten -> disabling patch!!\n"));
669 /*
670 * Disable patch; this is not a good solution
671 */
672 /* @todo hopefully it was completely overwritten (if the read was successful)!!!! */
673 pPatch->patch.uState = PATCH_DISABLED;
674 }
675 else
676 if (VBOX_SUCCESS(rc))
677 {
678 *(RTGCPTR *)&curInstr[pPatch->patch.cbPrivInstr - sizeof(RTGCPTR)] = pRec->pDest;
679 rc = PGMPhysWriteGCPtrDirty(pVM, pRec->pSource, curInstr, pPatch->patch.cbPrivInstr);
680 AssertRC(rc);
681 }
682 }
683 break;
684
685 case FIXUP_REL_JMPTOPATCH:
686 {
687 RTGCPTR pTarget = (RTGCPTR)((RTGCINTPTR)pRec->pDest + delta);
688
689 if ( pPatch->patch.uState == PATCH_ENABLED
690 && (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE))
691 {
692 uint8_t oldJump[SIZEOF_NEAR_COND_JUMP32];
693 uint8_t temp[SIZEOF_NEAR_COND_JUMP32];
694 RTGCPTR pJumpOffGC;
695 RTGCINTPTR displ = (RTGCINTPTR)pTarget - (RTGCINTPTR)pRec->pSource;
696 RTGCINTPTR displOld= (RTGCINTPTR)pRec->pDest - (RTGCINTPTR)pRec->pSource;
697
698 Log(("Relative fixup (g2p) %08X -> %08X at %08X (source=%08x, target=%08x)\n", *(int32_t*)pRec->pRelocPos, displ, pRec->pRelocPos, pRec->pSource, pRec->pDest));
699
700 Assert(pRec->pSource - pPatch->patch.cbPatchJump == pPatch->patch.pPrivInstrGC);
701#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
702 if (pPatch->patch.cbPatchJump == SIZEOF_NEAR_COND_JUMP32)
703 {
704 Assert(pPatch->patch.flags & PATMFL_JUMP_CONFLICT);
705
706 pJumpOffGC = pPatch->patch.pPrivInstrGC + 2; //two byte opcode
707 oldJump[0] = pPatch->patch.aPrivInstr[0];
708 oldJump[1] = pPatch->patch.aPrivInstr[1];
709 *(RTGCUINTPTR *)&oldJump[2] = displOld;
710 }
711 else
712#endif
713 if (pPatch->patch.cbPatchJump == SIZEOF_NEARJUMP32)
714 {
715 pJumpOffGC = pPatch->patch.pPrivInstrGC + 1; //one byte opcode
716 oldJump[0] = 0xE9;
717 *(RTGCUINTPTR *)&oldJump[1] = displOld;
718 }
719 else
720 {
721 AssertMsgFailed(("Invalid patch jump size %d\n", pPatch->patch.cbPatchJump));
722 continue; //this should never happen!!
723 }
724 Assert(pPatch->patch.cbPatchJump <= sizeof(temp));
725
726 /*
727 * Read old patch jump and compare it to the one we previously installed
728 */
729 rc = PGMPhysReadGCPtr(pVM, temp, pPatch->patch.pPrivInstrGC, pPatch->patch.cbPatchJump);
730 Assert(VBOX_SUCCESS(rc) || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT);
731
732 if (rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT)
733 {
734 RTGCPTR pPage = pPatch->patch.pPrivInstrGC & PAGE_BASE_GC_MASK;
735
736 rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_ALL, pPage, pPage + (PAGE_SIZE - 1) /* inclusive! */, 0, patmVirtPageHandler, "PATMGCMonitorPage", 0, "PATMMonitorPatchJump");
737 Assert(VBOX_SUCCESS(rc) || rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT);
738 }
739 else
740 if (memcmp(temp, oldJump, pPatch->patch.cbPatchJump))
741 {
742 Log(("PATM: Patch jump was overwritten -> disabling patch!!\n"));
743 /*
744 * Disable patch; this is not a good solution
745 */
746 /* @todo hopefully it was completely overwritten (if the read was successful)!!!! */
747 pPatch->patch.uState = PATCH_DISABLED;
748 }
749 else
750 if (VBOX_SUCCESS(rc))
751 {
752 rc = PGMPhysWriteGCPtrDirty(pVM, pJumpOffGC, &displ, sizeof(displ));
753 AssertRC(rc);
754 }
755 else
756 {
757 AssertMsgFailed(("Unexpected error %d from MMR3PhysReadGCVirt\n", rc));
758 }
759 }
760 else
761 {
762 Log(("Skip the guest jump to patch code for this disabled patch %08X - %08X\n", pPatch->patch.pPrivInstrHC, pRec->pRelocPos));
763 }
764
765 pRec->pDest = pTarget;
766 break;
767 }
768
769 case FIXUP_REL_JMPTOGUEST:
770 {
771 RTGCPTR pSource = (RTGCPTR)((RTGCINTPTR)pRec->pSource + delta);
772 RTGCINTPTR displ = (RTGCINTPTR)pRec->pDest - (RTGCINTPTR)pSource;
773
774 Assert(!(pPatch->patch.flags & PATMFL_GLOBAL_FUNCTIONS));
775 Log(("Relative fixup (p2g) %08X -> %08X at %08X (source=%08x, target=%08x)\n", *(int32_t*)pRec->pRelocPos, displ, pRec->pRelocPos, pRec->pSource, pRec->pDest));
776 *(RTGCUINTPTR *)pRec->pRelocPos = displ;
777 pRec->pSource = pSource;
778 break;
779 }
780
781 default:
782 AssertMsg(0, ("Invalid fixup type!!\n"));
783 return VERR_INVALID_PARAMETER;
784 }
785 }
786
787#ifdef LOG_ENABLED
788 if (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE)
789 {
790 /** @note pPrivInstrHC is probably not valid anymore */
791 rc = PGMPhysGCPtr2HCPtr(pVM, pPatch->patch.pPrivInstrGC, (PRTHCPTR)&pPatch->patch.pPrivInstrHC);
792 if (rc == VINF_SUCCESS)
793 {
794 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
795 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pPatch->patch.pPrivInstrGC, pPatch->patch.pPrivInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
796 Log(("Rel patch jump: %s", szOutput));
797 }
798 }
799#endif
800 return 0;
801}
802
803/**
804 * #PF Handler callback for virtual access handler ranges.
805 *
806 * Important to realize that a physical page in a range can have aliases, and
807 * for ALL and WRITE handlers these will also trigger.
808 *
809 * @returns VINF_SUCCESS if the handler have carried out the operation.
810 * @returns VINF_PGM_HANDLER_DO_DEFAULT if the caller should carry out the access operation.
811 * @param pVM VM Handle.
812 * @param GCPtr The virtual address the guest is writing to. (not correct if it's an alias!)
813 * @param pvPtr The HC mapping of that address.
814 * @param pvBuf What the guest is reading/writing.
815 * @param cbBuf How much it's reading/writing.
816 * @param enmAccessType The access type.
817 * @param pvUser User argument.
818 */
819static DECLCALLBACK(int) patmVirtPageHandler(PVM pVM, RTGCPTR GCPtr, void *pvPtr, void *pvBuf, size_t cbBuf, PGMACCESSTYPE enmAccessType, void *pvUser)
820{
821 Assert(enmAccessType == PGMACCESSTYPE_WRITE);
822 /** @todo could be the wrong virtual address (alias) */
823 pVM->patm.s.pvFaultMonitor = GCPtr;
824 PATMR3HandleMonitoredPage(pVM);
825 return VINF_PGM_HANDLER_DO_DEFAULT;
826}
827
828
829#ifdef VBOX_WITH_DEBUGGER
830/**
831 * Callback function for RTAvloGCPtrDoWithAll
832 *
833 * Enables the patch that's being enumerated
834 *
835 * @returns 0 (continue enumeration).
836 * @param pNode Current node
837 * @param pVM The VM to operate on.
838 */
839static DECLCALLBACK(int) EnableAllPatches(PAVLOGCPTRNODECORE pNode, void *pVM)
840{
841 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
842
843 PATMR3EnablePatch((PVM)pVM, (RTGCPTR)pPatch->Core.Key);
844 return 0;
845}
846#endif /* VBOX_WITH_DEBUGGER */
847
848
849#ifdef VBOX_WITH_DEBUGGER
850/**
851 * Callback function for RTAvloGCPtrDoWithAll
852 *
853 * Disables the patch that's being enumerated
854 *
855 * @returns 0 (continue enumeration).
856 * @param pNode Current node
857 * @param pVM The VM to operate on.
858 */
859static DECLCALLBACK(int) DisableAllPatches(PAVLOGCPTRNODECORE pNode, void *pVM)
860{
861 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
862
863 PATMR3DisablePatch((PVM)pVM, (RTGCPTR)pPatch->Core.Key);
864 return 0;
865}
866#endif
867
868/**
869 * Returns the host context pointer and size of the patch memory block
870 *
871 * @returns VBox status code.
872 * @param pVM The VM to operate on.
873 * @param pcb Size of the patch memory block
874 */
875PATMR3DECL(void *) PATMR3QueryPatchMemHC(PVM pVM, uint32_t *pcb)
876{
877 if (pcb)
878 {
879 *pcb = pVM->patm.s.cbPatchMem;
880 }
881 return pVM->patm.s.pPatchMemHC;
882}
883
884
885/**
886 * Returns the guest context pointer and size of the patch memory block
887 *
888 * @returns VBox status code.
889 * @param pVM The VM to operate on.
890 * @param pcb Size of the patch memory block
891 */
892PATMR3DECL(RTGCPTR) PATMR3QueryPatchMemGC(PVM pVM, uint32_t *pcb)
893{
894 if (pcb)
895 {
896 *pcb = pVM->patm.s.cbPatchMem;
897 }
898 return pVM->patm.s.pPatchMemGC;
899}
900
901
902/**
903 * Returns the host context pointer of the GC context structure
904 *
905 * @returns VBox status code.
906 * @param pVM The VM to operate on.
907 */
908PATMR3DECL(PPATMGCSTATE) PATMR3QueryGCStateHC(PVM pVM)
909{
910 return pVM->patm.s.pGCStateHC;
911}
912
913
914/**
915 * Checks whether the HC address is part of our patch region
916 *
917 * @returns VBox status code.
918 * @param pVM The VM to operate on.
919 * @param pAddrGC Guest context address
920 */
921PATMR3DECL(bool) PATMR3IsPatchHCAddr(PVM pVM, HCPTRTYPE(uint8_t *) pAddrHC)
922{
923 return (pAddrHC >= pVM->patm.s.pPatchMemHC && pAddrHC < pVM->patm.s.pPatchMemHC + pVM->patm.s.cbPatchMem) ? true : false;
924}
925
926
927/**
928 * Allows or disallow patching of privileged instructions executed by the guest OS
929 *
930 * @returns VBox status code.
931 * @param pVM The VM to operate on.
932 * @param fAllowPatching Allow/disallow patching
933 */
934PATMR3DECL(int) PATMR3AllowPatching(PVM pVM, uint32_t fAllowPatching)
935{
936 pVM->fPATMEnabled = (fAllowPatching) ? true : false;
937 return VINF_SUCCESS;
938}
939
940/**
941 * Convert a GC patch block pointer to a HC patch pointer
942 *
943 * @returns HC pointer or NULL if it's not a GC patch pointer
944 * @param pVM The VM to operate on.
945 * @param pAddrGC GC pointer
946 */
947PATMR3DECL(HCPTRTYPE(void *)) PATMR3GCPtrToHCPtr(PVM pVM, RTGCPTR pAddrGC)
948{
949 if (pVM->patm.s.pPatchMemGC <= pAddrGC && pVM->patm.s.pPatchMemGC + pVM->patm.s.cbPatchMem > pAddrGC)
950 {
951 return pVM->patm.s.pPatchMemHC + (pAddrGC - pVM->patm.s.pPatchMemGC);
952 }
953 return NULL;
954}
955
956/**
957 * Query PATM state (enabled/disabled)
958 *
959 * @returns 0 - disabled, 1 - enabled
960 * @param pVM The VM to operate on.
961 */
962PATMR3DECL(int) PATMR3IsEnabled(PVM pVM)
963{
964 return pVM->fPATMEnabled;
965}
966
967
968/**
969 * Convert guest context address to host context pointer
970 *
971 * @returns VBox status code.
972 * @param pVM The VM to operate on.
973 * @param pPatch Patch block structure pointer
974 * @param pGCPtr Guest context pointer
975 *
976 * @returns Host context pointer or NULL in case of an error
977 *
978 */
979HCPTRTYPE(uint8_t *) PATMGCVirtToHCVirt(PVM pVM, PPATCHINFO pPatch, GCPTRTYPE(uint8_t *)pGCPtr)
980{
981 int rc;
982 HCPTRTYPE(uint8_t *)pHCPtr;
983 uint32_t offset;
984
985 if (PATMIsPatchGCAddr(pVM, pGCPtr))
986 {
987 return PATCHCODE_PTR_HC(pPatch) + (pGCPtr - PATCHCODE_PTR_GC(pPatch));
988 }
989
990 offset = pGCPtr & PAGE_OFFSET_MASK;
991 if (pPatch->cacheRec.pGuestLoc == (pGCPtr & PAGE_BASE_GC_MASK))
992 {
993 return pPatch->cacheRec.pPatchLocStartHC + offset;
994 }
995
996 rc = PGMPhysGCPtr2HCPtr(pVM, pGCPtr, (void **)&pHCPtr);
997 if (rc != VINF_SUCCESS)
998 {
999 AssertMsg(rc == VINF_SUCCESS || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT, ("MMR3PhysGCVirt2HCVirtEx failed for %08X\n", pGCPtr));
1000 return NULL;
1001 }
1002////invalid? Assert(sizeof(HCPTRTYPE(uint8_t*)) == sizeof(uint32_t));
1003
1004 pPatch->cacheRec.pPatchLocStartHC = (HCPTRTYPE(uint8_t*))((RTHCUINTPTR)pHCPtr & PAGE_BASE_HC_MASK);
1005 pPatch->cacheRec.pGuestLoc = pGCPtr & PAGE_BASE_GC_MASK;
1006 return pHCPtr;
1007}
1008
1009
1010/* Calculates and fills in all branch targets
1011 *
1012 * @returns VBox status code.
1013 * @param pVM The VM to operate on.
1014 * @param pPatch Current patch block pointer
1015 *
1016 */
1017static int patmr3SetBranchTargets(PVM pVM, PPATCHINFO pPatch)
1018{
1019 int32_t displ;
1020
1021 PJUMPREC pRec = 0;
1022 int nrJumpRecs = 0;
1023
1024 /*
1025 * Set all branch targets inside the patch block.
1026 * We remove all jump records as they are no longer needed afterwards.
1027 */
1028 while (true)
1029 {
1030 GCPTRTYPE(uint8_t *)pInstrGC;
1031 GCPTRTYPE(uint8_t *)pBranchTargetGC = 0;
1032
1033 pRec = (PJUMPREC)RTAvlPVRemoveBestFit(&pPatch->JumpTree, 0, true);
1034 if (pRec == 0)
1035 break;
1036
1037 nrJumpRecs++;
1038
1039 /* HC in patch block to GC in patch block. */
1040 pInstrGC = patmPatchHCPtr2PatchGCPtr(pVM, pRec->pJumpHC);
1041
1042 if (pRec->opcode == OP_CALL)
1043 {
1044 /* Special case: call function replacement patch from this patch block.
1045 */
1046 if (PATMQueryFunctionPatch(pVM, pRec->pTargetGC) == 0)
1047 {
1048 int rc;
1049
1050 if (PATMR3HasBeenPatched(pVM, pRec->pTargetGC) == false)
1051 rc = PATMR3InstallPatch(pVM, pRec->pTargetGC, PATMFL_CODE32 | PATMFL_DUPLICATE_FUNCTION);
1052 else
1053 rc = VERR_PATCHING_REFUSED; /* exists as a normal patch; can't use it */
1054
1055 if (VBOX_FAILURE(rc))
1056 {
1057 uint8_t *pPatchHC;
1058 RTGCPTR pPatchGC;
1059 RTGCPTR pOrgInstrGC;
1060
1061 pOrgInstrGC = PATMR3PatchToGCPtr(pVM, pInstrGC, 0);
1062 Assert(pOrgInstrGC);
1063
1064 /* Failure for some reason -> mark exit point with int 3. */
1065 Log(("Failed to install function replacement patch (at %x) for reason %Vrc\n", pOrgInstrGC, rc));
1066
1067 pPatchGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pOrgInstrGC);
1068 Assert(pPatchGC);
1069
1070 pPatchHC = pVM->patm.s.pPatchMemHC + (pPatchGC - pVM->patm.s.pPatchMemGC);
1071
1072 /* Set a breakpoint at the very beginning of the recompiled instruction */
1073 *pPatchHC = 0xCC;
1074
1075 continue;
1076 }
1077 }
1078 pBranchTargetGC = PATMR3QueryPatchGCPtr(pVM, pRec->pTargetGC);
1079 }
1080 else
1081 {
1082 pBranchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pRec->pTargetGC);
1083 }
1084
1085 if (pBranchTargetGC == 0)
1086 {
1087 AssertMsgFailed(("patmr3SetBranchTargets: patmGuestGCPtrToPatchGCPtr failed for %08X\n", pRec->pTargetGC));
1088 return VERR_PATCHING_REFUSED;
1089 }
1090 /* Our jumps *always* have a dword displacement (to make things easier). */
1091 Assert(sizeof(uint32_t) == sizeof(RTGCPTR));
1092 displ = pBranchTargetGC - (pInstrGC + pRec->offDispl + sizeof(RTGCPTR));
1093 *(RTGCPTR *)(pRec->pJumpHC + pRec->offDispl) = displ;
1094 Log(("Set branch target %d to %08X : %08x - (%08x + %d + %d)\n", nrJumpRecs, displ, pBranchTargetGC, pInstrGC, pRec->offDispl, sizeof(RTGCPTR)));
1095 }
1096 Assert(nrJumpRecs == pPatch->nrJumpRecs);
1097 Assert(pPatch->JumpTree == 0);
1098 return VINF_SUCCESS;
1099}
1100
1101/* Add an illegal instruction record
1102 *
1103 * @param pVM The VM to operate on.
1104 * @param pPatch Patch structure ptr
1105 * @param pInstrGC Guest context pointer to privileged instruction
1106 *
1107 */
1108static void patmAddIllegalInstrRecord(PVM pVM, PPATCHINFO pPatch, RTGCPTR pInstrGC)
1109{
1110 PAVLPVNODECORE pRec;
1111
1112 pRec = (PAVLPVNODECORE)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
1113 Assert(pRec);
1114 pRec->Key = (AVLPVKEY)pInstrGC;
1115
1116 bool ret = RTAvlPVInsert(&pPatch->pTempInfo->IllegalInstrTree, pRec);
1117 Assert(ret); NOREF(ret);
1118 pPatch->pTempInfo->nrIllegalInstr++;
1119}
1120
1121static bool patmIsIllegalInstr(PPATCHINFO pPatch, RTGCPTR pInstrGC)
1122{
1123 PAVLPVNODECORE pRec;
1124
1125 pRec = RTAvlPVGet(&pPatch->pTempInfo->IllegalInstrTree, (AVLPVKEY)pInstrGC);
1126 if (pRec)
1127 return true;
1128 return false;
1129}
1130
1131/**
1132 * Add a patch to guest lookup record
1133 *
1134 * @param pVM The VM to operate on.
1135 * @param pPatch Patch structure ptr
1136 * @param pPatchInstrHC Guest context pointer to patch block
1137 * @param pInstrGC Guest context pointer to privileged instruction
1138 * @param enmType Lookup type
1139 * @param fDirty Dirty flag
1140 *
1141 */
1142 /** @note Be extremely careful with this function. Make absolutely sure the guest address is correct! (to avoid executing instructions twice!) */
1143void patmr3AddP2GLookupRecord(PVM pVM, PPATCHINFO pPatch, uint8_t *pPatchInstrHC, RTGCPTR pInstrGC, PATM_LOOKUP_TYPE enmType, bool fDirty)
1144{
1145 bool ret;
1146 PRECPATCHTOGUEST pPatchToGuestRec;
1147 PRECGUESTTOPATCH pGuestToPatchRec;
1148 uint32_t PatchOffset = pPatchInstrHC - pVM->patm.s.pPatchMemHC; /* Offset in memory reserved for PATM. */
1149
1150 if (enmType == PATM_LOOKUP_PATCH2GUEST)
1151 {
1152 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1153 if (pPatchToGuestRec && pPatchToGuestRec->Core.Key == PatchOffset)
1154 return; /* already there */
1155
1156 Assert(!pPatchToGuestRec);
1157 }
1158#ifdef VBOX_STRICT
1159 else
1160 {
1161 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1162 Assert(!pPatchToGuestRec);
1163 }
1164#endif
1165
1166 pPatchToGuestRec = (PRECPATCHTOGUEST)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(RECPATCHTOGUEST) + sizeof(RECGUESTTOPATCH));
1167 Assert(pPatchToGuestRec);
1168 pPatchToGuestRec->Core.Key = PatchOffset;
1169 pPatchToGuestRec->pOrgInstrGC = pInstrGC;
1170 pPatchToGuestRec->enmType = enmType;
1171 pPatchToGuestRec->fDirty = fDirty;
1172
1173 ret = RTAvlU32Insert(&pPatch->Patch2GuestAddrTree, &pPatchToGuestRec->Core);
1174 Assert(ret);
1175
1176 /* GC to patch address */
1177 if (enmType == PATM_LOOKUP_BOTHDIR)
1178 {
1179 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGet(&pPatch->Guest2PatchAddrTree, pInstrGC);
1180 if (!pGuestToPatchRec)
1181 {
1182 pGuestToPatchRec = (PRECGUESTTOPATCH)(pPatchToGuestRec+1);
1183 pGuestToPatchRec->Core.Key = pInstrGC;
1184 pGuestToPatchRec->PatchOffset = PatchOffset;
1185
1186 ret = RTAvlGCPtrInsert(&pPatch->Guest2PatchAddrTree, &pGuestToPatchRec->Core);
1187 Assert(ret);
1188 }
1189 }
1190
1191 pPatch->nrPatch2GuestRecs++;
1192}
1193
1194
1195/**
1196 * Removes a patch to guest lookup record
1197 *
1198 * @param pVM The VM to operate on.
1199 * @param pPatch Patch structure ptr
1200 * @param pPatchInstrGC Guest context pointer to patch block
1201 */
1202void patmr3RemoveP2GLookupRecord(PVM pVM, PPATCHINFO pPatch, RTGCPTR pPatchInstrGC)
1203{
1204 PAVLU32NODECORE pNode;
1205 PAVLGCPTRNODECORE pNode2;
1206 PRECPATCHTOGUEST pPatchToGuestRec;
1207 uint32_t PatchOffset = pPatchInstrGC - pVM->patm.s.pPatchMemGC; /* Offset in memory reserved for PATM. */
1208
1209 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1210 Assert(pPatchToGuestRec);
1211 if (pPatchToGuestRec)
1212 {
1213 if (pPatchToGuestRec->enmType == PATM_LOOKUP_BOTHDIR)
1214 {
1215 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)(pPatchToGuestRec+1);
1216
1217 Assert(pGuestToPatchRec->Core.Key);
1218 pNode2 = RTAvlGCPtrRemove(&pPatch->Guest2PatchAddrTree, pGuestToPatchRec->Core.Key);
1219 Assert(pNode2);
1220 }
1221 pNode = RTAvlU32Remove(&pPatch->Patch2GuestAddrTree, pPatchToGuestRec->Core.Key);
1222 Assert(pNode);
1223
1224 MMR3HeapFree(pPatchToGuestRec);
1225 pPatch->nrPatch2GuestRecs--;
1226 }
1227}
1228
1229
1230/**
1231 * RTAvlPVDestroy callback.
1232 */
1233static DECLCALLBACK(int) patmEmptyTreePVCallback(PAVLPVNODECORE pNode, void *)
1234{
1235 MMR3HeapFree(pNode);
1236 return 0;
1237}
1238
1239/**
1240 * Empty the specified tree (PV tree, MMR3 heap)
1241 *
1242 * @param pVM The VM to operate on.
1243 * @param ppTree Tree to empty
1244 */
1245void patmEmptyTree(PVM pVM, PAVLPVNODECORE *ppTree)
1246{
1247 RTAvlPVDestroy(ppTree, patmEmptyTreePVCallback, NULL);
1248}
1249
1250
1251/**
1252 * RTAvlU32Destroy callback.
1253 */
1254static DECLCALLBACK(int) patmEmptyTreeU32Callback(PAVLU32NODECORE pNode, void *)
1255{
1256 MMR3HeapFree(pNode);
1257 return 0;
1258}
1259
1260/**
1261 * Empty the specified tree (U32 tree, MMR3 heap)
1262 *
1263 * @param pVM The VM to operate on.
1264 * @param ppTree Tree to empty
1265 */
1266void patmEmptyTreeU32(PVM pVM, PPAVLU32NODECORE ppTree)
1267{
1268 RTAvlU32Destroy(ppTree, patmEmptyTreeU32Callback, NULL);
1269}
1270
1271
1272/**
1273 * Analyses the instructions following the cli for compliance with our heuristics for cli & pushf
1274 *
1275 * @returns VBox status code.
1276 * @param pVM The VM to operate on.
1277 * @param pCpu CPU disassembly state
1278 * @param pInstrGC Guest context pointer to privileged instruction
1279 * @param pCurInstrGC Guest context pointer to the current instruction
1280 * @param pUserData User pointer (callback specific)
1281 *
1282 */
1283static int patmAnalyseBlockCallback(PVM pVM, DISCPUSTATE *pCpu, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
1284{
1285 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
1286 bool fIllegalInstr = false;
1287
1288 //Preliminary heuristics:
1289 //- no call instructions without a fixed displacement between cli and sti/popf
1290 //- no jumps in the instructions following cli (4+ bytes; enough for the replacement jump (5 bytes))
1291 //- no nested pushf/cli
1292 //- sti/popf should be the (eventual) target of all branches
1293 //- no near or far returns; no int xx, no into
1294 //
1295 // Note: Later on we can impose less stricter guidelines if the need arises
1296
1297 /* Bail out if the patch gets too big. */
1298 if (pPatch->cbPatchBlockSize >= MAX_PATCH_SIZE)
1299 {
1300 Log(("Code block too big (%x) for patch at %VGv!!\n", pPatch->cbPatchBlockSize, pCurInstrGC));
1301 fIllegalInstr = true;
1302 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1303 }
1304 else
1305 {
1306 /* No unconditinal jumps or calls without fixed displacements. */
1307 if ( (pCpu->pCurInstr->optype & OPTYPE_CONTROLFLOW)
1308 && (pCpu->pCurInstr->opcode == OP_JMP || pCpu->pCurInstr->opcode == OP_CALL)
1309 )
1310 {
1311 Assert(pCpu->param1.size <= 4 || pCpu->param1.size == 8);
1312 if ( pCpu->param1.size == 8 /* far call/jmp */
1313 || (pCpu->pCurInstr->opcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
1314 || (OP_PARM_VTYPE(pCpu->pCurInstr->param1) != OP_PARM_J && !(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS))
1315 )
1316 {
1317 fIllegalInstr = true;
1318 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1319 }
1320 }
1321
1322 /* An unconditional (short) jump right after a cli is a potential problem; we will overwrite whichever function comes afterwards */
1323 if (pPatch->opcode == OP_CLI && pCpu->pCurInstr->opcode == OP_JMP)
1324 {
1325 if (pCurInstrGC > pPatch->pPrivInstrGC && pCurInstrGC + pCpu->opsize < pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32) /* hardcoded patch jump size; cbPatchJump is still zero */
1326 {
1327 Log(("Dangerous unconditional jump ends in our generated patch jump!! (%x vs %x)\n", pCurInstrGC, pPatch->pPrivInstrGC));
1328 /* We turn this one into a int 3 callable patch. */
1329 pPatch->flags |= PATMFL_INT3_REPLACEMENT_BLOCK;
1330 }
1331 }
1332 else
1333 /* no nested pushfs just yet; nested cli is allowed for cli patches though. */
1334 if (pPatch->opcode == OP_PUSHF)
1335 {
1336 if (pCurInstrGC != pInstrGC && pCpu->pCurInstr->opcode == OP_PUSHF)
1337 {
1338 fIllegalInstr = true;
1339 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1340 }
1341 }
1342
1343 // no far returns
1344 if (pCpu->pCurInstr->opcode == OP_RETF)
1345 {
1346 pPatch->pTempInfo->nrRetInstr++;
1347 fIllegalInstr = true;
1348 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1349 }
1350 else
1351 // no int xx or into either
1352 if (pCpu->pCurInstr->opcode == OP_INT3 || pCpu->pCurInstr->opcode == OP_INT || pCpu->pCurInstr->opcode == OP_INTO)
1353 {
1354 fIllegalInstr = true;
1355 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1356 }
1357 }
1358
1359 pPatch->cbPatchBlockSize += pCpu->opsize;
1360
1361 /* Illegal instruction -> end of analysis phase for this code block */
1362 if (fIllegalInstr || patmIsIllegalInstr(pPatch, pCurInstrGC))
1363 return VINF_SUCCESS;
1364
1365 /* Check for exit points. */
1366 switch (pCpu->pCurInstr->opcode)
1367 {
1368 case OP_SYSEXIT:
1369 return VINF_SUCCESS; /* duplicate it; will fault or emulated in GC. */
1370
1371 case OP_SYSENTER:
1372 case OP_ILLUD2:
1373 //This appears to be some kind of kernel panic in Linux 2.4; no point to analyse more
1374 Log(("Illegal opcode (0xf 0xb) -> return here\n"));
1375 return VINF_SUCCESS;
1376
1377 case OP_STI:
1378 case OP_POPF:
1379 Assert(!(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION)));
1380 /* If out exit point lies within the generated patch jump, then we have to refuse!! */
1381 if (pCurInstrGC > pPatch->pPrivInstrGC && pCurInstrGC < pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32) /* hardcoded patch jump size; cbPatchJump is still zero */
1382 {
1383 Log(("Exit point within patch jump itself!! (%x vs %x)\n", pCurInstrGC, pPatch->pPrivInstrGC));
1384 return VERR_PATCHING_REFUSED;
1385 }
1386 if (pPatch->opcode == OP_PUSHF)
1387 {
1388 if (pCpu->pCurInstr->opcode == OP_POPF)
1389 {
1390 if (pPatch->cbPatchBlockSize >= SIZEOF_NEARJUMP32)
1391 return VINF_SUCCESS;
1392
1393 /* Or else we need to duplicate more instructions, because we can't jump back yet! */
1394 Log(("WARNING: End of block reached, but we need to duplicate some extra instruction to avoid a conflict with the patch jump\n"));
1395 pPatch->flags |= PATMFL_CHECK_SIZE;
1396 }
1397 break; //sti doesn't mark the end of a pushf block; only popf does
1398 }
1399 //else no break
1400 case OP_RETN: /* exit point for function replacement */
1401 return VINF_SUCCESS;
1402
1403 case OP_IRET:
1404 return VINF_SUCCESS; /* exitpoint */
1405
1406 case OP_CPUID:
1407 case OP_CALL:
1408 case OP_JMP:
1409 break;
1410
1411 default:
1412 if (pCpu->pCurInstr->optype & (OPTYPE_PRIVILEGED_NOTRAP))
1413 {
1414 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1415 return VINF_SUCCESS; /* exit point */
1416 }
1417 break;
1418 }
1419
1420 // If single instruction patch, we've copied enough instructions *and* the current instruction is not a relative jump
1421 if ((pPatch->flags & PATMFL_CHECK_SIZE) && pPatch->cbPatchBlockSize > SIZEOF_NEARJUMP32 && !(pCpu->pCurInstr->optype & OPTYPE_RELATIVE_CONTROLFLOW))
1422 {
1423 // The end marker for this kind of patch is any instruction at a location outside our patch jump
1424 Log(("End of block at %VGv size %d\n", pCurInstrGC, pCpu->opsize));
1425 return VINF_SUCCESS;
1426 }
1427
1428 return VWRN_CONTINUE_ANALYSIS;
1429}
1430
1431/**
1432 * Analyses the instructions inside a function for compliance
1433 *
1434 * @returns VBox status code.
1435 * @param pVM The VM to operate on.
1436 * @param pCpu CPU disassembly state
1437 * @param pInstrGC Guest context pointer to privileged instruction
1438 * @param pCurInstrGC Guest context pointer to the current instruction
1439 * @param pUserData User pointer (callback specific)
1440 *
1441 */
1442static int patmAnalyseFunctionCallback(PVM pVM, DISCPUSTATE *pCpu, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
1443{
1444 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
1445 bool fIllegalInstr = false;
1446
1447 //Preliminary heuristics:
1448 //- no call instructions
1449 //- ret ends a block
1450
1451 Assert(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION));
1452
1453 // bail out if the patch gets too big
1454 if (pPatch->cbPatchBlockSize >= MAX_PATCH_SIZE)
1455 {
1456 Log(("Code block too big (%x) for function patch at %VGv!!\n", pPatch->cbPatchBlockSize, pCurInstrGC));
1457 fIllegalInstr = true;
1458 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1459 }
1460 else
1461 {
1462 // no unconditinal jumps or calls without fixed displacements
1463 if ( (pCpu->pCurInstr->optype & OPTYPE_CONTROLFLOW)
1464 && (pCpu->pCurInstr->opcode == OP_JMP || pCpu->pCurInstr->opcode == OP_CALL)
1465 )
1466 {
1467 Assert(pCpu->param1.size <= 4 || pCpu->param1.size == 8);
1468 if ( pCpu->param1.size == 8 /* far call/jmp */
1469 || (pCpu->pCurInstr->opcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
1470 || (OP_PARM_VTYPE(pCpu->pCurInstr->param1) != OP_PARM_J && !(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS))
1471 )
1472 {
1473 fIllegalInstr = true;
1474 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1475 }
1476 }
1477 else /* no far returns */
1478 if (pCpu->pCurInstr->opcode == OP_RETF)
1479 {
1480 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1481 fIllegalInstr = true;
1482 }
1483 else /* no int xx or into either */
1484 if (pCpu->pCurInstr->opcode == OP_INT3 || pCpu->pCurInstr->opcode == OP_INT || pCpu->pCurInstr->opcode == OP_INTO)
1485 {
1486 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1487 fIllegalInstr = true;
1488 }
1489
1490 #if 0
1491 ///@todo we can handle certain in/out and privileged instructions in the guest context
1492 if (pCpu->pCurInstr->optype & OPTYPE_PRIVILEGED && pCpu->pCurInstr->opcode != OP_STI)
1493 {
1494 Log(("Illegal instructions for function patch!!\n"));
1495 return VERR_PATCHING_REFUSED;
1496 }
1497 #endif
1498 }
1499
1500 pPatch->cbPatchBlockSize += pCpu->opsize;
1501
1502 /* Illegal instruction -> end of analysis phase for this code block */
1503 if (fIllegalInstr || patmIsIllegalInstr(pPatch, pCurInstrGC))
1504 {
1505 return VINF_SUCCESS;
1506 }
1507
1508 // Check for exit points
1509 switch (pCpu->pCurInstr->opcode)
1510 {
1511 case OP_ILLUD2:
1512 //This appears to be some kind of kernel panic in Linux 2.4; no point to analyse more
1513 Log(("Illegal opcode (0xf 0xb) -> return here\n"));
1514 return VINF_SUCCESS;
1515
1516 case OP_IRET:
1517 case OP_SYSEXIT: /* will fault or emulated in GC */
1518 case OP_RETN:
1519 return VINF_SUCCESS;
1520
1521 case OP_POPF:
1522 case OP_STI:
1523 return VWRN_CONTINUE_ANALYSIS;
1524 default:
1525 if (pCpu->pCurInstr->optype & (OPTYPE_PRIVILEGED_NOTRAP))
1526 {
1527 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1528 return VINF_SUCCESS; /* exit point */
1529 }
1530 return VWRN_CONTINUE_ANALYSIS;
1531 }
1532
1533 return VWRN_CONTINUE_ANALYSIS;
1534}
1535
1536/**
1537 * Recompiles the instructions in a code block
1538 *
1539 * @returns VBox status code.
1540 * @param pVM The VM to operate on.
1541 * @param pCpu CPU disassembly state
1542 * @param pInstrGC Guest context pointer to privileged instruction
1543 * @param pCurInstrGC Guest context pointer to the current instruction
1544 * @param pUserData User pointer (callback specific)
1545 *
1546 */
1547static int patmRecompileCallback(PVM pVM, DISCPUSTATE *pCpu, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
1548{
1549 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
1550 int rc = VINF_SUCCESS;
1551 bool fInhibitIRQInstr = false; /* did the instruction cause PATMFL_INHIBITIRQS to be set? */
1552
1553 LogFlow(("patmRecompileCallback %VGv %VGv\n", pInstrGC, pCurInstrGC));
1554
1555 if ( patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pCurInstrGC) != 0
1556 && !(pPatch->flags & PATMFL_RECOMPILE_NEXT)) /* do not do this when the next instruction *must* be executed! */
1557 {
1558 /*
1559 * Been there, done that; so insert a jump (we don't want to duplicate code)
1560 * no need to record this instruction as it's glue code that never crashes (it had better not!)
1561 */
1562 Log(("patmRecompileCallback: jump to code we've recompiled before %VGv!\n", pCurInstrGC));
1563 return patmPatchGenRelJump(pVM, pPatch, pCurInstrGC, OP_JMP, !!(pCpu->prefix & PREFIX_OPSIZE));
1564 }
1565
1566 if (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1567 {
1568 rc = patmAnalyseFunctionCallback(pVM, pCpu, pInstrGC, pCurInstrGC, pUserData);
1569 }
1570 else
1571 rc = patmAnalyseBlockCallback(pVM, pCpu, pInstrGC, pCurInstrGC, pUserData);
1572
1573 if (VBOX_FAILURE(rc))
1574 return rc;
1575
1576 /** @note Never do a direct return unless a failure is encountered! */
1577
1578 /* Clear recompilation of next instruction flag; we are doing that right here. */
1579 if (pPatch->flags & PATMFL_RECOMPILE_NEXT)
1580 pPatch->flags &= ~PATMFL_RECOMPILE_NEXT;
1581
1582 /* Add lookup record for patch to guest address translation */
1583 patmr3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
1584
1585 /* Update lowest and highest instruction address for this patch */
1586 if (pCurInstrGC < pPatch->pInstrGCLowest)
1587 pPatch->pInstrGCLowest = pCurInstrGC;
1588 else
1589 if (pCurInstrGC > pPatch->pInstrGCHighest)
1590 pPatch->pInstrGCHighest = pCurInstrGC + pCpu->opsize;
1591
1592 /* Illegal instruction -> end of recompile phase for this code block. */
1593 if (patmIsIllegalInstr(pPatch, pCurInstrGC))
1594 {
1595 Log(("Illegal instruction at %VGv -> mark with int 3\n", pCurInstrGC));
1596 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1597 goto end;
1598 }
1599
1600 /* For our first attempt, we'll handle only simple relative jumps (immediate offset coded in instruction).
1601 * Indirect calls are handled below.
1602 */
1603 if ( (pCpu->pCurInstr->optype & OPTYPE_CONTROLFLOW)
1604 && (pCpu->pCurInstr->opcode != OP_CALL || (pPatch->flags & PATMFL_SUPPORT_CALLS))
1605 && (OP_PARM_VTYPE(pCpu->pCurInstr->param1) == OP_PARM_J))
1606 {
1607 GCPTRTYPE(uint8_t *)pTargetGC = PATMResolveBranch(pCpu, pCurInstrGC);
1608 if (pTargetGC == 0)
1609 {
1610 Log(("We don't support far jumps here!! (%08X)\n", pCpu->param1.flags));
1611 return VERR_PATCHING_REFUSED;
1612 }
1613
1614 if (pCpu->pCurInstr->opcode == OP_CALL)
1615 {
1616 Assert(!PATMIsPatchGCAddr(pVM, pTargetGC));
1617 rc = patmPatchGenCall(pVM, pPatch, pCpu, pCurInstrGC, pTargetGC, false);
1618 if (VBOX_FAILURE(rc))
1619 goto end;
1620 }
1621 else
1622 rc = patmPatchGenRelJump(pVM, pPatch, pTargetGC, pCpu->pCurInstr->opcode, !!(pCpu->prefix & PREFIX_OPSIZE));
1623
1624 if (VBOX_SUCCESS(rc))
1625 rc = VWRN_CONTINUE_RECOMPILE;
1626
1627 goto end;
1628 }
1629
1630 switch (pCpu->pCurInstr->opcode)
1631 {
1632 case OP_CLI:
1633 {
1634 /* If a cli is found while duplicating instructions for another patch, then it's of vital importance to continue
1635 * until we've found the proper exit point(s).
1636 */
1637 if ( pCurInstrGC != pInstrGC
1638 && !(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1639 )
1640 {
1641 Log(("cli instruction found in other instruction patch block; force it to continue & find an exit point\n"));
1642 pPatch->flags &= ~(PATMFL_CHECK_SIZE | PATMFL_SINGLE_INSTRUCTION);
1643 }
1644 /* Set by irq inhibition; no longer valid now. */
1645 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST;
1646
1647 rc = patmPatchGenCli(pVM, pPatch);
1648 if (VBOX_SUCCESS(rc))
1649 rc = VWRN_CONTINUE_RECOMPILE;
1650 break;
1651 }
1652
1653 case OP_MOV:
1654 if (pCpu->pCurInstr->optype & OPTYPE_POTENTIALLY_DANGEROUS)
1655 {
1656 /* mov ss, src? */
1657 if ( (pCpu->param1.flags & USE_REG_SEG)
1658 && (pCpu->param1.base.reg_seg == USE_REG_SS))
1659 {
1660 Log(("Force recompilation of next instruction for OP_MOV at %VGv\n", pCurInstrGC));
1661 pPatch->flags |= PATMFL_RECOMPILE_NEXT;
1662 /** @todo this could cause a fault (ring 0 selector being loaded in ring 1) */
1663 }
1664 else
1665 if ( (pCpu->param2.flags & USE_REG_SEG)
1666 && (pCpu->param2.base.reg_seg == USE_REG_SS)
1667 && (pCpu->param1.flags & (USE_REG_GEN32|USE_REG_GEN16))) /** @todo memory operand must in theory be handled too */
1668 {
1669 /* mov GPR, ss */
1670 rc = patmPatchGenMovFromSS(pVM, pPatch, pCpu, pCurInstrGC);
1671 if (VBOX_SUCCESS(rc))
1672 rc = VWRN_CONTINUE_RECOMPILE;
1673 break;
1674 }
1675 }
1676 goto duplicate_instr;
1677
1678 case OP_POP:
1679 if (pCpu->pCurInstr->param1 == OP_PARM_REG_SS)
1680 {
1681 Assert(pCpu->pCurInstr->optype & OPTYPE_INHIBIT_IRQS);
1682
1683 Log(("Force recompilation of next instruction for OP_MOV at %VGv\n", pCurInstrGC));
1684 pPatch->flags |= PATMFL_RECOMPILE_NEXT;
1685 }
1686 goto duplicate_instr;
1687
1688 case OP_STI:
1689 {
1690 RTGCPTR pNextInstrGC = 0; /* by default no inhibit irq */
1691
1692 /** In a sequence of instructions that inhibit irqs, only the first one actually inhibits irqs. */
1693 if (!(pPatch->flags & PATMFL_INHIBIT_IRQS))
1694 {
1695 pPatch->flags |= PATMFL_INHIBIT_IRQS | PATMFL_GENERATE_JUMPTOGUEST;
1696 fInhibitIRQInstr = true;
1697 pNextInstrGC = pCurInstrGC + pCpu->opsize;
1698 Log(("Inhibit irqs for instruction OP_STI at %VGv\n", pCurInstrGC));
1699 }
1700 rc = patmPatchGenSti(pVM, pPatch, pCurInstrGC, pNextInstrGC);
1701
1702 if (VBOX_SUCCESS(rc))
1703 {
1704 DISCPUSTATE cpu = *pCpu;
1705 unsigned opsize;
1706 int disret;
1707 GCPTRTYPE(uint8_t *) pNextInstrGC, pReturnInstrGC;
1708 HCPTRTYPE(uint8_t *) pNextInstrHC;
1709
1710 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1711
1712 pNextInstrGC = pCurInstrGC + pCpu->opsize;
1713 pNextInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pNextInstrGC);
1714 if (pNextInstrHC == NULL)
1715 {
1716 AssertFailed();
1717 return VERR_PATCHING_REFUSED;
1718 }
1719
1720 // Disassemble the next instruction
1721 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pNextInstrGC, pNextInstrHC, &opsize, NULL);
1722 if (disret == false)
1723 {
1724 AssertMsgFailed(("STI: Disassembly failed (probably page not present) -> return to caller\n"));
1725 return VERR_PATCHING_REFUSED;
1726 }
1727 pReturnInstrGC = pNextInstrGC + opsize;
1728
1729 if ( (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1730 || pReturnInstrGC <= pInstrGC
1731 || pReturnInstrGC - pInstrGC >= SIZEOF_NEARJUMP32
1732 )
1733 {
1734 /* Not an exit point for function duplication patches */
1735 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
1736 && VBOX_SUCCESS(rc))
1737 {
1738 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST; /* Don't generate a jump back */
1739 rc = VWRN_CONTINUE_RECOMPILE;
1740 }
1741 else
1742 rc = VINF_SUCCESS; //exit point
1743 }
1744 else {
1745 Log(("PATM: sti occurred too soon; refusing patch!\n"));
1746 rc = VERR_PATCHING_REFUSED; //not allowed!!
1747 }
1748 }
1749 break;
1750 }
1751
1752 case OP_POPF:
1753 {
1754 bool fGenerateJmpBack = (pCurInstrGC + pCpu->opsize - pInstrGC >= SIZEOF_NEARJUMP32);
1755
1756 /* Not an exit point for IDT handler or function replacement patches */
1757 if (pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_DUPLICATE_FUNCTION))
1758 fGenerateJmpBack = false;
1759
1760 rc = patmPatchGenPopf(pVM, pPatch, pCurInstrGC + pCpu->opsize, !!(pCpu->prefix & PREFIX_OPSIZE), fGenerateJmpBack);
1761 if (VBOX_SUCCESS(rc))
1762 {
1763 if (fGenerateJmpBack == false)
1764 {
1765 /* Not an exit point for IDT handler or function replacement patches */
1766 rc = VWRN_CONTINUE_RECOMPILE;
1767 }
1768 else
1769 {
1770 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1771 rc = VINF_SUCCESS; /* exit point! */
1772 }
1773 }
1774 break;
1775 }
1776
1777 case OP_PUSHF:
1778 rc = patmPatchGenPushf(pVM, pPatch, !!(pCpu->prefix & PREFIX_OPSIZE));
1779 if (VBOX_SUCCESS(rc))
1780 rc = VWRN_CONTINUE_RECOMPILE;
1781 break;
1782
1783 case OP_PUSH:
1784 if (pCpu->pCurInstr->param1 == OP_PARM_REG_CS)
1785 {
1786 rc = patmPatchGenPushCS(pVM, pPatch);
1787 if (VBOX_SUCCESS(rc))
1788 rc = VWRN_CONTINUE_RECOMPILE;
1789 break;
1790 }
1791 goto duplicate_instr;
1792
1793 case OP_IRET:
1794 Log(("IRET at %VGv\n", pCurInstrGC));
1795 rc = patmPatchGenIret(pVM, pPatch, pCurInstrGC, !!(pCpu->prefix & PREFIX_OPSIZE));
1796 if (VBOX_SUCCESS(rc))
1797 {
1798 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1799 rc = VINF_SUCCESS; /* exit point by definition */
1800 }
1801 break;
1802
1803 case OP_ILLUD2:
1804 /* This appears to be some kind of kernel panic in Linux 2.4; no point to continue */
1805 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1806 if (VBOX_SUCCESS(rc))
1807 rc = VINF_SUCCESS; /* exit point by definition */
1808 Log(("Illegal opcode (0xf 0xb)\n"));
1809 break;
1810
1811 case OP_CPUID:
1812 rc = patmPatchGenCpuid(pVM, pPatch, pCurInstrGC);
1813 if (VBOX_SUCCESS(rc))
1814 rc = VWRN_CONTINUE_RECOMPILE;
1815 break;
1816
1817 case OP_STR:
1818 case OP_SLDT:
1819 rc = patmPatchGenSldtStr(pVM, pPatch, pCpu, pCurInstrGC);
1820 if (VBOX_SUCCESS(rc))
1821 rc = VWRN_CONTINUE_RECOMPILE;
1822 break;
1823
1824 case OP_SGDT:
1825 case OP_SIDT:
1826 rc = patmPatchGenSxDT(pVM, pPatch, pCpu, pCurInstrGC);
1827 if (VBOX_SUCCESS(rc))
1828 rc = VWRN_CONTINUE_RECOMPILE;
1829 break;
1830
1831 case OP_RETN:
1832 /* retn is an exit point for function patches */
1833 rc = patmPatchGenRet(pVM, pPatch, pCpu, pCurInstrGC);
1834 if (VBOX_SUCCESS(rc))
1835 rc = VINF_SUCCESS; /* exit point by definition */
1836 break;
1837
1838 case OP_SYSEXIT:
1839 /* Duplicate it, so it can be emulated in GC (or fault). */
1840 rc = patmPatchGenDuplicate(pVM, pPatch, pCpu, pCurInstrGC);
1841 if (VBOX_SUCCESS(rc))
1842 rc = VINF_SUCCESS; /* exit point by definition */
1843 break;
1844
1845 case OP_CALL:
1846 Assert(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS);
1847 /* In interrupt gate handlers it's possible to encounter jumps or calls when IF has been enabled again.
1848 * In that case we'll jump to the original instruction and continue from there. Otherwise an int 3 is executed.
1849 */
1850 Assert(pCpu->param1.size == 4 || pCpu->param1.size == 8);
1851 if (pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS && pCpu->param1.size == 4 /* no far calls! */)
1852 {
1853 rc = patmPatchGenCall(pVM, pPatch, pCpu, pCurInstrGC, (RTGCPTR)0xDEADBEEF, true);
1854 if (VBOX_SUCCESS(rc))
1855 {
1856 rc = VWRN_CONTINUE_RECOMPILE;
1857 }
1858 break;
1859 }
1860 goto gen_illegal_instr;
1861
1862 case OP_JMP:
1863 Assert(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS);
1864 /* In interrupt gate handlers it's possible to encounter jumps or calls when IF has been enabled again.
1865 * In that case we'll jump to the original instruction and continue from there. Otherwise an int 3 is executed.
1866 */
1867 Assert(pCpu->param1.size == 4 || pCpu->param1.size == 8);
1868 if (pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS && pCpu->param1.size == 4 /* no far jumps! */)
1869 {
1870 rc = patmPatchGenJump(pVM, pPatch, pCpu, pCurInstrGC);
1871 if (VBOX_SUCCESS(rc))
1872 rc = VINF_SUCCESS; /* end of branch */
1873 break;
1874 }
1875 goto gen_illegal_instr;
1876
1877 case OP_INT3:
1878 case OP_INT:
1879 case OP_INTO:
1880 goto gen_illegal_instr;
1881
1882 case OP_MOV_DR:
1883 /** @note: currently we let DRx writes cause a trap d; our trap handler will decide to interpret it or not. */
1884 if (pCpu->pCurInstr->param2 == OP_PARM_Dd)
1885 {
1886 rc = patmPatchGenMovDebug(pVM, pPatch, pCpu);
1887 if (VBOX_SUCCESS(rc))
1888 rc = VWRN_CONTINUE_RECOMPILE;
1889 break;
1890 }
1891 goto duplicate_instr;
1892
1893 case OP_MOV_CR:
1894 /** @note: currently we let CRx writes cause a trap d; our trap handler will decide to interpret it or not. */
1895 if (pCpu->pCurInstr->param2 == OP_PARM_Cd)
1896 {
1897 rc = patmPatchGenMovControl(pVM, pPatch, pCpu);
1898 if (VBOX_SUCCESS(rc))
1899 rc = VWRN_CONTINUE_RECOMPILE;
1900 break;
1901 }
1902 goto duplicate_instr;
1903
1904 default:
1905 if (pCpu->pCurInstr->optype & (OPTYPE_CONTROLFLOW | OPTYPE_PRIVILEGED_NOTRAP))
1906 {
1907gen_illegal_instr:
1908 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1909 if (VBOX_SUCCESS(rc))
1910 rc = VINF_SUCCESS; /* exit point by definition */
1911 }
1912 else
1913 {
1914duplicate_instr:
1915 Log(("patmPatchGenDuplicate\n"));
1916 rc = patmPatchGenDuplicate(pVM, pPatch, pCpu, pCurInstrGC);
1917 if (VBOX_SUCCESS(rc))
1918 rc = VWRN_CONTINUE_RECOMPILE;
1919 }
1920 break;
1921 }
1922
1923end:
1924
1925 if ( !fInhibitIRQInstr
1926 && (pPatch->flags & PATMFL_INHIBIT_IRQS))
1927 {
1928 int rc2;
1929 RTGCPTR pNextInstrGC = pCurInstrGC + pCpu->opsize;
1930
1931 pPatch->flags &= ~PATMFL_INHIBIT_IRQS;
1932 Log(("Clear inhibit IRQ flag at %VGv\n", pCurInstrGC));
1933 if (pPatch->flags & PATMFL_GENERATE_JUMPTOGUEST)
1934 {
1935 Log(("patmRecompileCallback: generate jump back to guest (%VGv) after fused instruction\n", pNextInstrGC));
1936
1937 rc2 = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC, true /* clear inhibit irq flag */);
1938 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST;
1939 rc = VINF_SUCCESS; /* end of the line */
1940 }
1941 else
1942 {
1943 rc2 = patmPatchGenClearInhibitIRQ(pVM, pPatch, pNextInstrGC);
1944 }
1945 if (VBOX_FAILURE(rc2))
1946 rc = rc2;
1947 }
1948
1949 if (VBOX_SUCCESS(rc))
1950 {
1951 // If single instruction patch, we've copied enough instructions *and* the current instruction is not a relative jump
1952 if ( (pPatch->flags & PATMFL_CHECK_SIZE)
1953 && pCurInstrGC + pCpu->opsize - pInstrGC >= SIZEOF_NEARJUMP32
1954 && !(pCpu->pCurInstr->optype & OPTYPE_RELATIVE_CONTROLFLOW)
1955 && !(pPatch->flags & PATMFL_RECOMPILE_NEXT) /* do not do this when the next instruction *must* be executed! */
1956 )
1957 {
1958 RTGCPTR pNextInstrGC = pCurInstrGC + pCpu->opsize;
1959
1960 // The end marker for this kind of patch is any instruction at a location outside our patch jump
1961 Log(("patmRecompileCallback: end found for single instruction patch at %VGv opsize %d\n", pNextInstrGC, pCpu->opsize));
1962
1963 rc = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC);
1964 AssertRC(rc);
1965 }
1966 }
1967 return rc;
1968}
1969
1970
1971#ifdef LOG_ENABLED
1972
1973/* Add a disasm jump record (temporary for prevent duplicate analysis)
1974 *
1975 * @param pVM The VM to operate on.
1976 * @param pPatch Patch structure ptr
1977 * @param pInstrGC Guest context pointer to privileged instruction
1978 *
1979 */
1980static void patmPatchAddDisasmJump(PVM pVM, PPATCHINFO pPatch, RTGCPTR pInstrGC)
1981{
1982 PAVLPVNODECORE pRec;
1983
1984 pRec = (PAVLPVNODECORE)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
1985 Assert(pRec);
1986 pRec->Key = (AVLPVKEY)pInstrGC;
1987
1988 int ret = RTAvlPVInsert(&pPatch->pTempInfo->DisasmJumpTree, pRec);
1989 Assert(ret);
1990}
1991
1992/**
1993 * Checks if jump target has been analysed before.
1994 *
1995 * @returns VBox status code.
1996 * @param pPatch Patch struct
1997 * @param pInstrGC Jump target
1998 *
1999 */
2000static bool patmIsKnownDisasmJump(PPATCHINFO pPatch, RTGCPTR pInstrGC)
2001{
2002 PAVLPVNODECORE pRec;
2003
2004 pRec = RTAvlPVGet(&pPatch->pTempInfo->DisasmJumpTree, (AVLPVKEY)pInstrGC);
2005 if (pRec)
2006 return true;
2007 return false;
2008}
2009
2010/**
2011 * For proper disassembly of the final patch block
2012 *
2013 * @returns VBox status code.
2014 * @param pVM The VM to operate on.
2015 * @param pCpu CPU disassembly state
2016 * @param pInstrGC Guest context pointer to privileged instruction
2017 * @param pCurInstrGC Guest context pointer to the current instruction
2018 * @param pUserData User pointer (callback specific)
2019 *
2020 */
2021int patmr3DisasmCallback(PVM pVM, DISCPUSTATE *pCpu, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
2022{
2023 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2024
2025 if (pCpu->pCurInstr->opcode == OP_INT3)
2026 {
2027 /* Could be an int3 inserted in a call patch. Check to be sure */
2028 DISCPUSTATE cpu;
2029 uint8_t *pOrgJumpHC;
2030 RTGCPTR pOrgJumpGC;
2031 uint32_t dummy;
2032
2033 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2034 pOrgJumpGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pCurInstrGC);
2035 pOrgJumpHC = PATMGCVirtToHCVirt(pVM, pPatch, pOrgJumpGC);
2036
2037 bool disret = PATMR3DISInstr(pVM, pPatch, &cpu, pOrgJumpGC, pOrgJumpHC, &dummy, NULL);
2038 if (!disret || cpu.pCurInstr->opcode != OP_CALL || cpu.param1.size != 4 /* only near calls */)
2039 return VINF_SUCCESS;
2040
2041 return VWRN_CONTINUE_ANALYSIS;
2042 }
2043
2044 if ( pCpu->pCurInstr->opcode == OP_ILLUD2
2045 && PATMIsPatchGCAddr(pVM, pCurInstrGC))
2046 {
2047 /* the indirect call patch contains an 0xF/0xB illegal instr to call for assistance; check for this and continue */
2048 return VWRN_CONTINUE_ANALYSIS;
2049 }
2050
2051 if ( (pCpu->pCurInstr->opcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
2052 || pCpu->pCurInstr->opcode == OP_INT
2053 || pCpu->pCurInstr->opcode == OP_IRET
2054 || pCpu->pCurInstr->opcode == OP_RETN
2055 || pCpu->pCurInstr->opcode == OP_RETF
2056 )
2057 {
2058 return VINF_SUCCESS;
2059 }
2060
2061 if (pCpu->pCurInstr->opcode == OP_ILLUD2)
2062 return VINF_SUCCESS;
2063
2064 return VWRN_CONTINUE_ANALYSIS;
2065}
2066
2067
2068/**
2069 * Disassembles the code stream until the callback function detects a failure or decides everything is acceptable
2070 *
2071 * @returns VBox status code.
2072 * @param pVM The VM to operate on.
2073 * @param pInstrGC Guest context pointer to the initial privileged instruction
2074 * @param pCurInstrGC Guest context pointer to the current instruction
2075 * @param pfnPATMR3Disasm Callback for testing the disassembled instruction
2076 * @param pUserData User pointer (callback specific)
2077 *
2078 */
2079int patmr3DisasmCode(PVM pVM, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Disasm, void *pUserData)
2080{
2081 DISCPUSTATE cpu;
2082 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2083 int rc = VWRN_CONTINUE_ANALYSIS;
2084 uint32_t opsize, delta;
2085 HCPTRTYPE(uint8_t *)pCurInstrHC = 0;
2086 bool disret;
2087 char szOutput[256];
2088
2089 Assert(pCurInstrHC != PATCHCODE_PTR_HC(pPatch) || pPatch->pTempInfo->DisasmJumpTree == 0);
2090
2091 /* We need this to determine branch targets (and for disassembling). */
2092 delta = pVM->patm.s.pPatchMemGC - (uintptr_t)pVM->patm.s.pPatchMemHC;
2093
2094 while(rc == VWRN_CONTINUE_ANALYSIS)
2095 {
2096 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2097
2098 pCurInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pCurInstrGC);
2099 if (pCurInstrHC == NULL)
2100 {
2101 rc = VERR_PATCHING_REFUSED;
2102 goto end;
2103 }
2104
2105 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pCurInstrGC, pCurInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
2106 if (PATMIsPatchGCAddr(pVM, pCurInstrGC))
2107 {
2108 RTGCPTR pOrgInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pCurInstrGC);
2109
2110 if (pOrgInstrGC != pPatch->pTempInfo->pLastDisasmInstrGC)
2111 Log(("DIS %VGv<-%s", pOrgInstrGC, szOutput));
2112 else
2113 Log(("DIS %s", szOutput));
2114
2115 pPatch->pTempInfo->pLastDisasmInstrGC = pOrgInstrGC;
2116 if (patmIsIllegalInstr(pPatch, pOrgInstrGC))
2117 {
2118 rc = VINF_SUCCESS;
2119 goto end;
2120 }
2121 }
2122 else
2123 Log(("DIS: %s", szOutput));
2124
2125 if (disret == false)
2126 {
2127 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
2128 rc = VINF_SUCCESS;
2129 goto end;
2130 }
2131
2132 rc = pfnPATMR3Disasm(pVM, &cpu, pInstrGC, pCurInstrGC, pUserData);
2133 if (rc != VWRN_CONTINUE_ANALYSIS) {
2134 break; //done!
2135 }
2136
2137 /* For our first attempt, we'll handle only simple relative jumps and calls (immediate offset coded in instruction) */
2138 if ( (cpu.pCurInstr->optype & OPTYPE_CONTROLFLOW)
2139 && (OP_PARM_VTYPE(cpu.pCurInstr->param1) == OP_PARM_J)
2140 && cpu.pCurInstr->opcode != OP_CALL /* complete functions are replaced; don't bother here. */
2141 )
2142 {
2143 RTGCPTR pTargetGC = PATMResolveBranch(&cpu, pCurInstrGC);
2144 RTGCPTR pOrgTargetGC;
2145
2146 if (pTargetGC == 0)
2147 {
2148 Log(("We don't support far jumps here!! (%08X)\n", cpu.param1.flags));
2149 rc = VERR_PATCHING_REFUSED;
2150 break;
2151 }
2152
2153 if (!PATMIsPatchGCAddr(pVM, pTargetGC))
2154 {
2155 //jump back to guest code
2156 rc = VINF_SUCCESS;
2157 goto end;
2158 }
2159 pOrgTargetGC = PATMR3PatchToGCPtr(pVM, pTargetGC, 0);
2160
2161 if (patmIsCommonIDTHandlerPatch(pVM, pOrgTargetGC))
2162 {
2163 rc = VINF_SUCCESS;
2164 goto end;
2165 }
2166
2167 if (patmIsKnownDisasmJump(pPatch, pTargetGC) == false)
2168 {
2169 /* New jump, let's check it. */
2170 patmPatchAddDisasmJump(pVM, pPatch, pTargetGC);
2171
2172 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls++;
2173 rc = patmr3DisasmCode(pVM, pInstrGC, pTargetGC, pfnPATMR3Disasm, pUserData);
2174 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls--;
2175
2176 if (rc != VINF_SUCCESS) {
2177 break; //done!
2178 }
2179 }
2180 if (cpu.pCurInstr->opcode == OP_JMP)
2181 {
2182 /* Unconditional jump; return to caller. */
2183 rc = VINF_SUCCESS;
2184 goto end;
2185 }
2186
2187 rc = VWRN_CONTINUE_ANALYSIS;
2188 }
2189 pCurInstrGC += opsize;
2190 }
2191end:
2192 return rc;
2193}
2194
2195/**
2196 * Disassembles the code stream until the callback function detects a failure or decides everything is acceptable
2197 *
2198 * @returns VBox status code.
2199 * @param pVM The VM to operate on.
2200 * @param pInstrGC Guest context pointer to the initial privileged instruction
2201 * @param pCurInstrGC Guest context pointer to the current instruction
2202 * @param pfnPATMR3Disasm Callback for testing the disassembled instruction
2203 * @param pUserData User pointer (callback specific)
2204 *
2205 */
2206int patmr3DisasmCodeStream(PVM pVM, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Disasm, void *pUserData)
2207{
2208 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2209
2210 int rc = patmr3DisasmCode(pVM, pInstrGC, pCurInstrGC, pfnPATMR3Disasm, pUserData);
2211 /* Free all disasm jump records. */
2212 patmEmptyTree(pVM, &pPatch->pTempInfo->DisasmJumpTree);
2213 return rc;
2214}
2215
2216#endif /* LOG_ENABLED */
2217
2218/**
2219 * Detects it the specified address falls within a 5 byte jump generated for an active patch.
2220 * If so, this patch is permanently disabled.
2221 *
2222 * @param pVM The VM to operate on.
2223 * @param pInstrGC Guest context pointer to instruction
2224 * @param pConflictGC Guest context pointer to check
2225 *
2226 * @note also checks for patch hints to make sure they can never be enabled if a conflict is present.
2227 *
2228 */
2229PATMR3DECL(int) PATMR3DetectConflict(PVM pVM, RTGCPTR pInstrGC, RTGCPTR pConflictGC)
2230{
2231 PPATCHINFO pTargetPatch = PATMFindActivePatchByEntrypoint(pVM, pConflictGC, true /* include patch hints */);
2232 if (pTargetPatch)
2233 {
2234 return patmDisableUnusablePatch(pVM, pInstrGC, pConflictGC, pTargetPatch);
2235 }
2236 return VERR_PATCH_NO_CONFLICT;
2237}
2238
2239/**
2240 * Recompile the code stream until the callback function detects a failure or decides everything is acceptable
2241 *
2242 * @returns VBox status code.
2243 * @param pVM The VM to operate on.
2244 * @param pInstrGC Guest context pointer to privileged instruction
2245 * @param pCurInstrGC Guest context pointer to the current instruction
2246 * @param pfnPATMR3Recompile Callback for testing the disassembled instruction
2247 * @param pUserData User pointer (callback specific)
2248 *
2249 */
2250static int patmRecompileCodeStream(PVM pVM, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Recompile, void *pUserData)
2251{
2252 DISCPUSTATE cpu;
2253 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2254 int rc = VWRN_CONTINUE_ANALYSIS;
2255 uint32_t opsize;
2256 HCPTRTYPE(uint8_t *)pCurInstrHC = 0;
2257 bool disret;
2258#ifdef LOG_ENABLED
2259 char szOutput[256];
2260#endif
2261
2262 while (rc == VWRN_CONTINUE_RECOMPILE)
2263 {
2264 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2265
2266 ////Log(("patmRecompileCodeStream %VGv %VGv\n", pInstrGC, pCurInstrGC));
2267
2268 pCurInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pCurInstrGC);
2269 if (pCurInstrHC == NULL)
2270 {
2271 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2272 goto end;
2273 }
2274#ifdef LOG_ENABLED
2275 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pCurInstrGC, pCurInstrHC, &opsize, szOutput);
2276 Log(("Recompile: %s", szOutput));
2277#else
2278 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pCurInstrGC, pCurInstrHC, &opsize, NULL);
2279#endif
2280 if (disret == false)
2281 {
2282 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
2283
2284 /* Add lookup record for patch to guest address translation */
2285 patmr3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
2286 patmPatchGenIllegalInstr(pVM, pPatch);
2287 rc = VINF_SUCCESS; /* Note: don't fail here; we might refuse an important patch!! */
2288 goto end;
2289 }
2290
2291 rc = pfnPATMR3Recompile(pVM, &cpu, pInstrGC, pCurInstrGC, pUserData);
2292 if (rc != VWRN_CONTINUE_RECOMPILE)
2293 {
2294 /* If irqs are inhibited because of the current instruction, then we must make sure the next one is executed! */
2295 if ( rc == VINF_SUCCESS
2296 && (pPatch->flags & PATMFL_INHIBIT_IRQS))
2297 {
2298 DISCPUSTATE cpunext;
2299 uint32_t opsizenext;
2300 uint8_t *pNextInstrHC;
2301 RTGCPTR pNextInstrGC = pCurInstrGC + opsize;
2302
2303 Log(("patmRecompileCodeStream: irqs inhibited by instruction %VGv\n", pNextInstrGC));
2304
2305 /* Certain instructions (e.g. sti) force the next instruction to be executed before any interrupts can occur.
2306 * Recompile the next instruction as well
2307 */
2308 pNextInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pNextInstrGC);
2309 if (pNextInstrHC == NULL)
2310 {
2311 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2312 goto end;
2313 }
2314 cpunext.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2315 disret = PATMR3DISInstr(pVM, pPatch, &cpunext, pNextInstrGC, pNextInstrHC, &opsizenext, NULL);
2316 if (disret == false)
2317 {
2318 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2319 goto end;
2320 }
2321 switch(cpunext.pCurInstr->opcode)
2322 {
2323 case OP_IRET: /* inhibit cleared in generated code */
2324 case OP_SYSEXIT: /* faults; inhibit should be cleared in HC handling */
2325 case OP_HLT:
2326 break; /* recompile these */
2327
2328 default:
2329 if (cpunext.pCurInstr->optype & OPTYPE_CONTROLFLOW)
2330 {
2331 Log(("Unexpected control flow instruction after inhibit irq instruction\n"));
2332
2333 rc = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC, true /* clear inhibit irq flag */);
2334 AssertRC(rc);
2335 pPatch->flags &= ~PATMFL_INHIBIT_IRQS;
2336 goto end; /** @todo should be ok to ignore instruction fusing in this case */
2337 }
2338 break;
2339 }
2340
2341 /** @note after a cli we must continue to a proper exit point */
2342 if (cpunext.pCurInstr->opcode != OP_CLI)
2343 {
2344 rc = pfnPATMR3Recompile(pVM, &cpunext, pInstrGC, pNextInstrGC, pUserData);
2345 if (VBOX_SUCCESS(rc))
2346 {
2347 rc = VINF_SUCCESS;
2348 goto end;
2349 }
2350 break;
2351 }
2352 else
2353 rc = VWRN_CONTINUE_RECOMPILE;
2354 }
2355 else
2356 break; /* done! */
2357 }
2358
2359 /** @todo continue with the instructions following the jump and then recompile the jump target code */
2360
2361
2362 /* For our first attempt, we'll handle only simple relative jumps and calls (immediate offset coded in instruction). */
2363 if ( (cpu.pCurInstr->optype & OPTYPE_CONTROLFLOW)
2364 && (OP_PARM_VTYPE(cpu.pCurInstr->param1) == OP_PARM_J)
2365 && cpu.pCurInstr->opcode != OP_CALL /* complete functions are replaced; don't bother here. */
2366 )
2367 {
2368 GCPTRTYPE(uint8_t *)addr = PATMResolveBranch(&cpu, pCurInstrGC);
2369 if (addr == 0)
2370 {
2371 Log(("We don't support far jumps here!! (%08X)\n", cpu.param1.flags));
2372 rc = VERR_PATCHING_REFUSED;
2373 break;
2374 }
2375
2376 Log(("Jump encountered target %VGv\n", addr));
2377
2378 /* We don't check if the branch target lies in a valid page as we've already done that in the analysis phase. */
2379 if (!(cpu.pCurInstr->optype & OPTYPE_UNCOND_CONTROLFLOW))
2380 {
2381 Log(("patmRecompileCodeStream continue passed conditional jump\n"));
2382 /* First we need to finish this linear code stream until the next exit point. */
2383 rc = patmRecompileCodeStream(pVM, pInstrGC, pCurInstrGC+opsize, pfnPATMR3Recompile, pUserData);
2384 if (VBOX_FAILURE(rc))
2385 {
2386 Log(("patmRecompileCodeStream fatal error %d\n", rc));
2387 break; //fatal error
2388 }
2389 }
2390
2391 if (patmGuestGCPtrToPatchGCPtr(pVM, pPatch, addr) == 0)
2392 {
2393 /* New code; let's recompile it. */
2394 Log(("patmRecompileCodeStream continue with jump\n"));
2395
2396 /*
2397 * If we are jumping to an existing patch (or within 5 bytes of the entrypoint), then we must temporarily disable
2398 * this patch so we can continue our analysis
2399 *
2400 * We rely on CSAM to detect and resolve conflicts
2401 */
2402 PPATCHINFO pTargetPatch = PATMFindActivePatchByEntrypoint(pVM, addr);
2403 if(pTargetPatch)
2404 {
2405 Log(("Found active patch at target %VGv (%VGv) -> temporarily disabling it!!\n", addr, pTargetPatch->pPrivInstrGC));
2406 PATMR3DisablePatch(pVM, pTargetPatch->pPrivInstrGC);
2407 }
2408
2409 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls++;
2410 rc = patmRecompileCodeStream(pVM, pInstrGC, addr, pfnPATMR3Recompile, pUserData);
2411 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls--;
2412
2413 if(pTargetPatch)
2414 {
2415 PATMR3EnablePatch(pVM, pTargetPatch->pPrivInstrGC);
2416 }
2417
2418 if (VBOX_FAILURE(rc))
2419 {
2420 Log(("patmRecompileCodeStream fatal error %d\n", rc));
2421 break; //done!
2422 }
2423 }
2424 /* Always return to caller here; we're done! */
2425 rc = VINF_SUCCESS;
2426 goto end;
2427 }
2428 else
2429 if (cpu.pCurInstr->optype & OPTYPE_UNCOND_CONTROLFLOW)
2430 {
2431 rc = VINF_SUCCESS;
2432 goto end;
2433 }
2434 pCurInstrGC += opsize;
2435 }
2436end:
2437 Assert(!(pPatch->flags & PATMFL_RECOMPILE_NEXT));
2438 return rc;
2439}
2440
2441
2442/**
2443 * Generate the jump from guest to patch code
2444 *
2445 * @returns VBox status code.
2446 * @param pVM The VM to operate on.
2447 * @param pPatch Patch record
2448 */
2449static int patmGenJumpToPatch(PVM pVM, PPATCHINFO pPatch, bool fAddFixup = true)
2450{
2451 uint8_t temp[8];
2452 uint8_t *pPB;
2453 int rc;
2454
2455 Assert(pPatch->cbPatchJump <= sizeof(temp));
2456 Assert(!(pPatch->flags & PATMFL_PATCHED_GUEST_CODE));
2457
2458 pPB = pPatch->pPrivInstrHC;
2459
2460#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
2461 if (pPatch->flags & PATMFL_JUMP_CONFLICT)
2462 {
2463 Assert(pPatch->pPatchJumpDestGC);
2464
2465 if (pPatch->cbPatchJump == SIZEOF_NEARJUMP32)
2466 {
2467 // jmp [PatchCode]
2468 if (fAddFixup)
2469 {
2470 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + pPatch->cbPatchJump, pPatch->pPatchJumpDestGC) != VINF_SUCCESS)
2471 {
2472 Log(("Relocation failed for the jump in the guest code!!\n"));
2473 return VERR_PATCHING_REFUSED;
2474 }
2475 }
2476
2477 temp[0] = pPatch->aPrivInstr[0]; //jump opcode copied from original instruction
2478 *(uint32_t *)&temp[1] = (uint32_t)pPatch->pPatchJumpDestGC - ((uint32_t)pPatch->pPrivInstrGC + pPatch->cbPatchJump); //return address
2479 }
2480 else
2481 if (pPatch->cbPatchJump == SIZEOF_NEAR_COND_JUMP32)
2482 {
2483 // jmp [PatchCode]
2484 if (fAddFixup)
2485 {
2486 if (patmPatchAddReloc32(pVM, pPatch, &pPB[2], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + pPatch->cbPatchJump, pPatch->pPatchJumpDestGC) != VINF_SUCCESS)
2487 {
2488 Log(("Relocation failed for the jump in the guest code!!\n"));
2489 return VERR_PATCHING_REFUSED;
2490 }
2491 }
2492
2493 temp[0] = pPatch->aPrivInstr[0]; //jump opcode copied from original instruction
2494 temp[1] = pPatch->aPrivInstr[1]; //jump opcode copied from original instruction
2495 *(uint32_t *)&temp[2] = (uint32_t)pPatch->pPatchJumpDestGC - ((uint32_t)pPatch->pPrivInstrGC + pPatch->cbPatchJump); //return address
2496 }
2497 else
2498 {
2499 Assert(0);
2500 return VERR_PATCHING_REFUSED;
2501 }
2502 }
2503 else
2504#endif
2505 {
2506 Assert(pPatch->cbPatchJump == SIZEOF_NEARJUMP32);
2507
2508 // jmp [PatchCode]
2509 if (fAddFixup)
2510 {
2511 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32, PATCHCODE_PTR_GC(pPatch)) != VINF_SUCCESS)
2512 {
2513 Log(("Relocation failed for the jump in the guest code!!\n"));
2514 return VERR_PATCHING_REFUSED;
2515 }
2516 }
2517 temp[0] = 0xE9; //jmp
2518 *(uint32_t *)&temp[1] = (RTGCUINTPTR)PATCHCODE_PTR_GC(pPatch) - ((RTGCUINTPTR)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32); //return address
2519 }
2520 rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, temp, pPatch->cbPatchJump);
2521 AssertRC(rc);
2522
2523 if (rc == VINF_SUCCESS)
2524 pPatch->flags |= PATMFL_PATCHED_GUEST_CODE;
2525
2526 return rc;
2527}
2528
2529/**
2530 * Remove the jump from guest to patch code
2531 *
2532 * @returns VBox status code.
2533 * @param pVM The VM to operate on.
2534 * @param pPatch Patch record
2535 */
2536static int patmRemoveJumpToPatch(PVM pVM, PPATCHINFO pPatch)
2537{
2538#ifdef DEBUG
2539 DISCPUSTATE cpu;
2540 char szOutput[256];
2541 uint32_t opsize, i = 0;
2542 bool disret;
2543
2544 while(i < pPatch->cbPrivInstr)
2545 {
2546 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2547 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC + i, &pPatch->pPrivInstrHC[i], &opsize, szOutput);
2548 if (disret == false)
2549 break;
2550
2551 Log(("Org patch jump: %s", szOutput));
2552 Assert(opsize);
2553 i += opsize;
2554 }
2555#endif
2556
2557 /* Restore original code (privileged instruction + following instructions that were overwritten because of the 5/6 byte jmp). */
2558 int rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, pPatch->aPrivInstr, pPatch->cbPatchJump);
2559#ifdef DEBUG
2560 if (rc == VINF_SUCCESS)
2561 {
2562 DISCPUSTATE cpu;
2563 char szOutput[256];
2564 uint32_t opsize, i = 0;
2565 bool disret;
2566
2567 while(i < pPatch->cbPrivInstr)
2568 {
2569 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2570 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC + i, &pPatch->pPrivInstrHC[i], &opsize, szOutput);
2571 if (disret == false)
2572 break;
2573
2574 Log(("Org instr: %s", szOutput));
2575 Assert(opsize);
2576 i += opsize;
2577 }
2578 }
2579#endif
2580 pPatch->flags &= ~PATMFL_PATCHED_GUEST_CODE;
2581 return rc;
2582}
2583
2584/**
2585 * Generate the call from guest to patch code
2586 *
2587 * @returns VBox status code.
2588 * @param pVM The VM to operate on.
2589 * @param pPatch Patch record
2590 */
2591static int patmGenCallToPatch(PVM pVM, PPATCHINFO pPatch, RTGCPTR pTargetGC, bool fAddFixup = true)
2592{
2593 uint8_t temp[8];
2594 uint8_t *pPB;
2595 int rc;
2596
2597 Assert(pPatch->cbPatchJump <= sizeof(temp));
2598
2599 pPB = pPatch->pPrivInstrHC;
2600
2601 Assert(pPatch->cbPatchJump == SIZEOF_NEARJUMP32);
2602
2603 // jmp [PatchCode]
2604 if (fAddFixup)
2605 {
2606 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32, pTargetGC) != VINF_SUCCESS)
2607 {
2608 Log(("Relocation failed for the jump in the guest code!!\n"));
2609 return VERR_PATCHING_REFUSED;
2610 }
2611 }
2612
2613 Assert(pPatch->aPrivInstr[0] == 0xE8 || pPatch->aPrivInstr[0] == 0xE9); /* call or jmp */
2614 temp[0] = pPatch->aPrivInstr[0];
2615 *(uint32_t *)&temp[1] = (uint32_t)pTargetGC - ((uint32_t)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32); //return address
2616
2617 rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, temp, pPatch->cbPatchJump);
2618 AssertRC(rc);
2619
2620 return rc;
2621}
2622
2623
2624/**
2625 * Patch cli/sti pushf/popf instruction block at specified location
2626 *
2627 * @returns VBox status code.
2628 * @param pVM The VM to operate on.
2629 * @param pInstrGC Guest context point to privileged instruction
2630 * @param pInstrHC Host context point to privileged instruction
2631 * @param uOpcode Instruction opcode
2632 * @param uOpSize Size of starting instruction
2633 * @param pPatchRec Patch record
2634 *
2635 * @note returns failure if patching is not allowed or possible
2636 *
2637 */
2638PATMR3DECL(int) PATMR3PatchBlock(PVM pVM, RTGCPTR pInstrGC, HCPTRTYPE(uint8_t *) pInstrHC,
2639 uint32_t uOpcode, uint32_t uOpSize, PPATMPATCHREC pPatchRec)
2640{
2641 PPATCHINFO pPatch = &pPatchRec->patch;
2642 int rc = VERR_PATCHING_REFUSED;
2643 DISCPUSTATE cpu;
2644 uint32_t orgOffsetPatchMem = ~0;
2645 RTGCPTR pInstrStart;
2646#ifdef LOG_ENABLED
2647 uint32_t opsize;
2648 char szOutput[256];
2649 bool disret;
2650#endif
2651
2652 /* Save original offset (in case of failures later on) */
2653 /** @todo use the hypervisor heap (that has quite a few consequences for save/restore though) */
2654 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
2655
2656 Assert(!(pPatch->flags & (PATMFL_GUEST_SPECIFIC|PATMFL_USER_MODE|PATMFL_TRAPHANDLER)));
2657 switch (uOpcode)
2658 {
2659 case OP_MOV:
2660 break;
2661
2662 case OP_CLI:
2663 case OP_PUSHF:
2664 /* We can 'call' a cli or pushf patch. It will either return to the original guest code when IF is set again, or fault. */
2665 /** @note special precautions are taken when disabling and enabling such patches. */
2666 pPatch->flags |= PATMFL_CALLABLE_AS_FUNCTION;
2667 break;
2668
2669 default:
2670 if (!(pPatch->flags & PATMFL_IDTHANDLER))
2671 {
2672 AssertMsg(0, ("PATMR3PatchBlock: Invalid opcode %x\n", uOpcode));
2673 return VERR_INVALID_PARAMETER;
2674 }
2675 }
2676
2677 if (PAGE_ADDRESS(pInstrGC) != PAGE_ADDRESS(pInstrGC + SIZEOF_NEARJUMP32))
2678 {
2679 STAM_COUNTER_INC(&pVM->patm.s.StatPageBoundaryCrossed);
2680#ifdef DEBUG_sandervl
2681//// AssertMsgFailed(("Patch jump would cross page boundary -> refuse!!\n"));
2682#endif
2683 rc = VERR_PATCHING_REFUSED;
2684 goto failure;
2685 }
2686
2687 pPatch->nrPatch2GuestRecs = 0;
2688 pInstrStart = pInstrGC;
2689
2690#ifdef PATM_ENABLE_CALL
2691 pPatch->flags |= PATMFL_SUPPORT_CALLS | PATMFL_SUPPORT_INDIRECT_CALLS;
2692#endif
2693
2694 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
2695 pPatch->uCurPatchOffset = 0;
2696
2697 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2698
2699 if ((pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER)) == PATMFL_IDTHANDLER)
2700 {
2701 Assert(pPatch->flags & PATMFL_INTHANDLER);
2702
2703 /* Install fake cli patch (to clear the virtual IF and check int xx parameters) */
2704 rc = patmPatchGenIntEntry(pVM, pPatch, pInstrGC);
2705 if (VBOX_FAILURE(rc))
2706 goto failure;
2707 }
2708
2709 /***************************************************************************************************************************/
2710 /** @note We can't insert *any* code before a sysenter handler; some linux guests have an invalid stack at this point!!!!! */
2711 /***************************************************************************************************************************/
2712#ifdef VBOX_WITH_STATISTICS
2713 if (!(pPatch->flags & PATMFL_SYSENTER))
2714 {
2715 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
2716 if (VBOX_FAILURE(rc))
2717 goto failure;
2718 }
2719#endif
2720
2721 rc = patmRecompileCodeStream(pVM, pInstrGC, pInstrGC, patmRecompileCallback, pPatch);
2722 if (rc != VINF_SUCCESS)
2723 {
2724 Log(("PATMR3PatchCli: patmRecompileCodeStream failed with %d\n", rc));
2725 goto failure;
2726 }
2727
2728 /* Calculated during analysis. */
2729 if (pPatch->cbPatchBlockSize < SIZEOF_NEARJUMP32)
2730 {
2731 /* Most likely cause: we encountered an illegal instruction very early on. */
2732 /** @todo could turn it into an int3 callable patch. */
2733 Log(("PATMR3PatchBlock: patch block too small -> refuse\n"));
2734 rc = VERR_PATCHING_REFUSED;
2735 goto failure;
2736 }
2737
2738 /* size of patch block */
2739 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
2740
2741
2742 /* Update free pointer in patch memory. */
2743 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
2744 /* Round to next 8 byte boundary. */
2745 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
2746
2747 /*
2748 * Insert into patch to guest lookup tree
2749 */
2750 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
2751 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
2752 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
2753 AssertMsg(rc, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
2754 if (!rc)
2755 {
2756 rc = VERR_PATCHING_REFUSED;
2757 goto failure;
2758 }
2759
2760 /* Note that patmr3SetBranchTargets can install additional patches!! */
2761 rc = patmr3SetBranchTargets(pVM, pPatch);
2762 if (rc != VINF_SUCCESS)
2763 {
2764 Log(("PATMR3PatchCli: patmr3SetBranchTargets failed with %d\n", rc));
2765 goto failure;
2766 }
2767
2768#ifdef LOG_ENABLED
2769 Log(("Patch code ----------------------------------------------------------\n"));
2770 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
2771 Log(("Patch code ends -----------------------------------------------------\n"));
2772#endif
2773
2774 /* make a copy of the guest code bytes that will be overwritten */
2775 pPatch->cbPatchJump = SIZEOF_NEARJUMP32;
2776
2777 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
2778 AssertRC(rc);
2779
2780 if (pPatch->flags & PATMFL_INT3_REPLACEMENT_BLOCK)
2781 {
2782 /*uint8_t ASMInt3 = 0xCC; - unused */
2783
2784 Log(("PATMR3PatchBlock %VGv -> int 3 callable patch.\n", pPatch->pPrivInstrGC));
2785 /* Replace first opcode byte with 'int 3'. */
2786 rc = patmActivateInt3Patch(pVM, pPatch);
2787 if (VBOX_FAILURE(rc))
2788 goto failure;
2789
2790 Assert(!(pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP));
2791 pPatch->flags &= ~PATMFL_INSTR_HINT;
2792 STAM_COUNTER_INC(&pVM->patm.s.StatInt3Callable);
2793 }
2794 else
2795 if (!(pPatch->flags & PATMFL_IDTHANDLER))
2796 {
2797 pPatch->flags |= PATMFL_MUST_INSTALL_PATCHJMP;
2798
2799 /* now insert a jump in the guest code */
2800 rc = patmGenJumpToPatch(pVM, pPatch, true);
2801 AssertRC(rc);
2802 if (VBOX_FAILURE(rc))
2803 goto failure;
2804
2805 }
2806
2807#ifdef LOG_ENABLED
2808 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2809 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
2810 Log(("%s patch: %s", patmGetInstructionString(pPatch->opcode, pPatch->flags), szOutput));
2811#endif
2812
2813 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
2814 pPatch->pTempInfo->nrIllegalInstr = 0;
2815
2816 Log(("Successfully installed %s patch at %VGv\n", patmGetInstructionString(pPatch->opcode, pPatch->flags), pInstrGC));
2817
2818 pPatch->uState = PATCH_ENABLED;
2819 return VINF_SUCCESS;
2820
2821failure:
2822 if (pPatchRec->CoreOffset.Key)
2823 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
2824
2825 patmEmptyTree(pVM, &pPatch->FixupTree);
2826 pPatch->nrFixups = 0;
2827
2828 patmEmptyTree(pVM, &pPatch->JumpTree);
2829 pPatch->nrJumpRecs = 0;
2830
2831 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
2832 pPatch->pTempInfo->nrIllegalInstr = 0;
2833
2834 /* Turn this cli patch into a dummy. */
2835 pPatch->uState = PATCH_REFUSED;
2836 pPatch->pPatchBlockOffset = 0;
2837
2838 // Give back the patch memory we no longer need
2839 Assert(orgOffsetPatchMem != (uint32_t)~0);
2840 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
2841
2842 return rc;
2843}
2844
2845/**
2846 * Patch IDT handler
2847 *
2848 * @returns VBox status code.
2849 * @param pVM The VM to operate on.
2850 * @param pInstrGC Guest context point to privileged instruction
2851 * @param pInstrHC Host context point to privileged instruction
2852 * @param uOpSize Size of starting instruction
2853 * @param pPatchRec Patch record
2854 *
2855 * @note returns failure if patching is not allowed or possible
2856 *
2857 */
2858static int patmIdtHandler(PVM pVM, RTGCPTR pInstrGC, HCPTRTYPE(uint8_t *) pInstrHC,
2859 uint32_t uOpSize, PPATMPATCHREC pPatchRec)
2860{
2861 PPATCHINFO pPatch = &pPatchRec->patch;
2862 bool disret;
2863 DISCPUSTATE cpuPush, cpuJmp;
2864 uint32_t opsize;
2865 RTGCPTR pCurInstrGC = pInstrGC;
2866 uint8_t *pCurInstrHC = pInstrHC;
2867 uint32_t orgOffsetPatchMem = ~0;
2868
2869 /*
2870 * In Linux it's often the case that many interrupt handlers push a predefined value onto the stack
2871 * and then jump to a common entrypoint. In order not to waste a lot of memory, we will check for this
2872 * condition here and only patch the common entypoint once.
2873 */
2874 cpuPush.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2875 disret = PATMR3DISInstr(pVM, pPatch, &cpuPush, pCurInstrGC, pCurInstrHC, &opsize, NULL);
2876 Assert(disret);
2877 if (disret && cpuPush.pCurInstr->opcode == OP_PUSH)
2878 {
2879 RTGCPTR pJmpInstrGC;
2880 int rc;
2881
2882 pCurInstrGC += opsize;
2883 pCurInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pCurInstrGC);
2884
2885 cpuJmp.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2886 disret = PATMR3DISInstr(pVM, pPatch, &cpuJmp, pCurInstrGC, pCurInstrHC, &opsize, NULL);
2887 if ( disret
2888 && cpuJmp.pCurInstr->opcode == OP_JMP
2889 && (pJmpInstrGC = PATMResolveBranch(&cpuJmp, pCurInstrGC))
2890 )
2891 {
2892 PPATMPATCHREC pJmpPatch = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pJmpInstrGC);
2893 if (pJmpPatch == 0)
2894 {
2895 /* Patch it first! */
2896 rc = PATMR3InstallPatch(pVM, pJmpInstrGC, pPatch->flags | PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT);
2897 if (rc != VINF_SUCCESS)
2898 goto failure;
2899 pJmpPatch = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pJmpInstrGC);
2900 Assert(pJmpPatch);
2901 }
2902 if (pJmpPatch->patch.uState != PATCH_ENABLED)
2903 goto failure;
2904
2905 /* save original offset (in case of failures later on) */
2906 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
2907
2908 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
2909 pPatch->uCurPatchOffset = 0;
2910 pPatch->nrPatch2GuestRecs = 0;
2911
2912#ifdef VBOX_WITH_STATISTICS
2913 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
2914 if (VBOX_FAILURE(rc))
2915 goto failure;
2916#endif
2917
2918 /* Install fake cli patch (to clear the virtual IF) */
2919 rc = patmPatchGenIntEntry(pVM, pPatch, pInstrGC);
2920 if (VBOX_FAILURE(rc))
2921 goto failure;
2922
2923 /* Add lookup record for patch to guest address translation (for the push) */
2924 patmr3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pInstrGC, PATM_LOOKUP_BOTHDIR);
2925
2926 /* Duplicate push. */
2927 rc = patmPatchGenDuplicate(pVM, pPatch, &cpuPush, pInstrGC);
2928 if (VBOX_FAILURE(rc))
2929 goto failure;
2930
2931 /* Generate jump to common entrypoint. */
2932 rc = patmPatchGenPatchJump(pVM, pPatch, pCurInstrGC, PATCHCODE_PTR_GC(&pJmpPatch->patch));
2933 if (VBOX_FAILURE(rc))
2934 goto failure;
2935
2936 /* size of patch block */
2937 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
2938
2939 /* Update free pointer in patch memory. */
2940 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
2941 /* Round to next 8 byte boundary */
2942 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
2943
2944 /* There's no jump from guest to patch code. */
2945 pPatch->cbPatchJump = 0;
2946
2947
2948#ifdef LOG_ENABLED
2949 Log(("Patch code ----------------------------------------------------------\n"));
2950 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
2951 Log(("Patch code ends -----------------------------------------------------\n"));
2952#endif
2953 Log(("Successfully installed IDT handler patch at %VGv\n", pInstrGC));
2954
2955 /*
2956 * Insert into patch to guest lookup tree
2957 */
2958 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
2959 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
2960 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
2961 AssertMsg(rc, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
2962
2963 pPatch->uState = PATCH_ENABLED;
2964
2965 return VINF_SUCCESS;
2966 }
2967 }
2968failure:
2969 /* Give back the patch memory we no longer need */
2970 if (orgOffsetPatchMem != (uint32_t)~0)
2971 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
2972
2973 return PATMR3PatchBlock(pVM, pInstrGC, pInstrHC, OP_CLI, uOpSize, pPatchRec);
2974}
2975
2976/**
2977 * Install a trampoline to call a guest trap handler directly
2978 *
2979 * @returns VBox status code.
2980 * @param pVM The VM to operate on.
2981 * @param pInstrGC Guest context point to privileged instruction
2982 * @param pPatchRec Patch record
2983 *
2984 */
2985static int patmInstallTrapTrampoline(PVM pVM, RTGCPTR pInstrGC, PPATMPATCHREC pPatchRec)
2986{
2987 PPATCHINFO pPatch = &pPatchRec->patch;
2988 int rc = VERR_PATCHING_REFUSED;
2989 uint32_t orgOffsetPatchMem = ~0;
2990#ifdef LOG_ENABLED
2991 bool disret;
2992 DISCPUSTATE cpu;
2993 uint32_t opsize;
2994 char szOutput[256];
2995#endif
2996
2997 // save original offset (in case of failures later on)
2998 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
2999
3000 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3001 pPatch->uCurPatchOffset = 0;
3002 pPatch->nrPatch2GuestRecs = 0;
3003
3004#ifdef VBOX_WITH_STATISTICS
3005 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3006 if (VBOX_FAILURE(rc))
3007 goto failure;
3008#endif
3009
3010 rc = patmPatchGenTrapEntry(pVM, pPatch, pInstrGC);
3011 if (VBOX_FAILURE(rc))
3012 goto failure;
3013
3014 /* size of patch block */
3015 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3016
3017 /* Update free pointer in patch memory. */
3018 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3019 /* Round to next 8 byte boundary */
3020 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3021
3022 /* There's no jump from guest to patch code. */
3023 pPatch->cbPatchJump = 0;
3024
3025#ifdef LOG_ENABLED
3026 Log(("Patch code ----------------------------------------------------------\n"));
3027 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
3028 Log(("Patch code ends -----------------------------------------------------\n"));
3029#endif
3030
3031#ifdef LOG_ENABLED
3032 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3033 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3034 Log(("TRAP handler patch: %s", szOutput));
3035#endif
3036 Log(("Successfully installed Trap Trampoline patch at %VGv\n", pInstrGC));
3037
3038 /*
3039 * Insert into patch to guest lookup tree
3040 */
3041 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3042 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3043 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3044 AssertMsg(rc, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
3045
3046 pPatch->uState = PATCH_ENABLED;
3047 return VINF_SUCCESS;
3048
3049failure:
3050 AssertMsgFailed(("Failed to install trap handler trampoline!!\n"));
3051
3052 /* Turn this cli patch into a dummy. */
3053 pPatch->uState = PATCH_REFUSED;
3054 pPatch->pPatchBlockOffset = 0;
3055
3056 /* Give back the patch memory we no longer need */
3057 Assert(orgOffsetPatchMem != (uint32_t)~0);
3058 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3059
3060 return rc;
3061}
3062
3063
3064#ifdef DEBUG
3065/**
3066 * Check if the instruction is patched as a common idt handler
3067 *
3068 * @returns true or false
3069 * @param pVM The VM to operate on.
3070 * @param pInstrGC Guest context point to the instruction
3071 *
3072 */
3073static bool patmIsCommonIDTHandlerPatch(PVM pVM, RTGCPTR pInstrGC)
3074{
3075 PPATMPATCHREC pRec;
3076
3077 pRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
3078 if (pRec && pRec->patch.flags & PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT)
3079 return true;
3080 return false;
3081}
3082#endif //DEBUG
3083
3084
3085/**
3086 * Duplicates a complete function
3087 *
3088 * @returns VBox status code.
3089 * @param pVM The VM to operate on.
3090 * @param pInstrGC Guest context point to privileged instruction
3091 * @param pPatchRec Patch record
3092 *
3093 */
3094static int patmDuplicateFunction(PVM pVM, RTGCPTR pInstrGC, PPATMPATCHREC pPatchRec)
3095{
3096 PPATCHINFO pPatch = &pPatchRec->patch;
3097 int rc = VERR_PATCHING_REFUSED;
3098 DISCPUSTATE cpu;
3099 uint32_t orgOffsetPatchMem = ~0;
3100
3101 Log(("patmDuplicateFunction %VGv\n", pInstrGC));
3102 /* Save original offset (in case of failures later on). */
3103 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3104
3105 /* We will not go on indefinitely with call instruction handling. */
3106 if (pVM->patm.s.ulCallDepth > PATM_MAX_CALL_DEPTH)
3107 {
3108 Log(("patmDuplicateFunction: maximum callback depth reached!!\n"));
3109 return VERR_PATCHING_REFUSED;
3110 }
3111
3112 pVM->patm.s.ulCallDepth++;
3113
3114#ifdef PATM_ENABLE_CALL
3115 pPatch->flags |= PATMFL_SUPPORT_CALLS | PATMFL_SUPPORT_INDIRECT_CALLS;
3116#endif
3117
3118 Assert(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION));
3119
3120 pPatch->nrPatch2GuestRecs = 0;
3121 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3122 pPatch->uCurPatchOffset = 0;
3123
3124 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3125
3126 /** @note Set the PATM interrupt flag here; it was cleared before the patched call. (!!!) */
3127 rc = patmPatchGenSetPIF(pVM, pPatch, pInstrGC);
3128 if (VBOX_FAILURE(rc))
3129 goto failure;
3130
3131#ifdef VBOX_WITH_STATISTICS
3132 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3133 if (VBOX_FAILURE(rc))
3134 goto failure;
3135#endif
3136 rc = patmRecompileCodeStream(pVM, pInstrGC, pInstrGC, patmRecompileCallback, pPatch);
3137 if (rc != VINF_SUCCESS)
3138 {
3139 Log(("PATMR3PatchCli: patmRecompileCodeStream failed with %d\n", rc));
3140 goto failure;
3141 }
3142
3143 //size of patch block
3144 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3145
3146 //update free pointer in patch memory
3147 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3148 /* Round to next 8 byte boundary. */
3149 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3150
3151 pPatch->uState = PATCH_ENABLED;
3152
3153 /*
3154 * Insert into patch to guest lookup tree
3155 */
3156 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3157 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3158 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3159 AssertMsg(rc, ("RTAvloGCPtrInsert failed for %x\n", pPatchRec->CoreOffset.Key));
3160 if (!rc)
3161 {
3162 rc = VERR_PATCHING_REFUSED;
3163 goto failure;
3164 }
3165
3166 /* Note that patmr3SetBranchTargets can install additional patches!! */
3167 rc = patmr3SetBranchTargets(pVM, pPatch);
3168 if (rc != VINF_SUCCESS)
3169 {
3170 Log(("PATMR3PatchCli: patmr3SetBranchTargets failed with %d\n", rc));
3171 goto failure;
3172 }
3173
3174#ifdef LOG_ENABLED
3175 Log(("Patch code ----------------------------------------------------------\n"));
3176 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
3177 Log(("Patch code ends -----------------------------------------------------\n"));
3178#endif
3179
3180 Log(("Successfully installed function duplication patch at %VGv\n", pInstrGC));
3181
3182 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3183 pPatch->pTempInfo->nrIllegalInstr = 0;
3184
3185 pVM->patm.s.ulCallDepth--;
3186 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledFunctionPatches);
3187 return VINF_SUCCESS;
3188
3189failure:
3190 if (pPatchRec->CoreOffset.Key)
3191 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
3192
3193 patmEmptyTree(pVM, &pPatch->FixupTree);
3194 pPatch->nrFixups = 0;
3195
3196 patmEmptyTree(pVM, &pPatch->JumpTree);
3197 pPatch->nrJumpRecs = 0;
3198
3199 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3200 pPatch->pTempInfo->nrIllegalInstr = 0;
3201
3202 /* Turn this cli patch into a dummy. */
3203 pPatch->uState = PATCH_REFUSED;
3204 pPatch->pPatchBlockOffset = 0;
3205
3206 // Give back the patch memory we no longer need
3207 Assert(orgOffsetPatchMem != (uint32_t)~0);
3208 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3209
3210 pVM->patm.s.ulCallDepth--;
3211 Log(("patmDupicateFunction %VGv failed!!\n", pInstrGC));
3212 return rc;
3213}
3214
3215/**
3216 * Creates trampoline code to jump inside an existing patch
3217 *
3218 * @returns VBox status code.
3219 * @param pVM The VM to operate on.
3220 * @param pInstrGC Guest context point to privileged instruction
3221 * @param pPatchRec Patch record
3222 *
3223 */
3224static int patmCreateTrampoline(PVM pVM, RTGCPTR pInstrGC, PPATMPATCHREC pPatchRec)
3225{
3226 PPATCHINFO pPatch = &pPatchRec->patch;
3227 RTGCPTR pPage, pPatchTargetGC = 0;
3228 uint32_t orgOffsetPatchMem = ~0;
3229 int rc = VERR_PATCHING_REFUSED;
3230
3231 Log(("patmCreateTrampoline %VGv\n", pInstrGC));
3232 /* Save original offset (in case of failures later on). */
3233 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3234
3235 /* First we check if the duplicate function target lies in some existing function patch already. Will save some space. */
3236 /** @todo we already checked this before */
3237 pPage = pInstrGC & PAGE_BASE_GC_MASK;
3238
3239 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTGCPTR)pPage);
3240 if (pPatchPage)
3241 {
3242 uint32_t i;
3243
3244 for (i=0;i<pPatchPage->cCount;i++)
3245 {
3246 if (pPatchPage->aPatch[i])
3247 {
3248 PPATCHINFO pPatch = pPatchPage->aPatch[i];
3249
3250 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
3251 && pPatch->uState == PATCH_ENABLED)
3252 {
3253 pPatchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pInstrGC);
3254 if (pPatchTargetGC)
3255 {
3256 uint32_t offsetPatch = pPatchTargetGC - pVM->patm.s.pPatchMemGC;
3257 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->Patch2GuestAddrTree, offsetPatch, false);
3258 Assert(pPatchToGuestRec);
3259
3260 pPatchToGuestRec->fJumpTarget = true;
3261 Assert(pPatchTargetGC != pPatch->pPrivInstrGC);
3262 Log(("patmCreateTrampoline: generating jump to code inside patch at %VGv\n", pPatch->pPrivInstrGC));
3263 pPatch->flags |= PATMFL_EXTERNAL_JUMP_INSIDE;
3264 break;
3265 }
3266 }
3267 }
3268 }
3269 }
3270 AssertReturn(pPatchPage && pPatchTargetGC, VERR_PATCHING_REFUSED);
3271
3272 pPatch->nrPatch2GuestRecs = 0;
3273 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3274 pPatch->uCurPatchOffset = 0;
3275
3276 /** @note Set the PATM interrupt flag here; it was cleared before the patched call. (!!!) */
3277 rc = patmPatchGenSetPIF(pVM, pPatch, pInstrGC);
3278 if (VBOX_FAILURE(rc))
3279 goto failure;
3280
3281#ifdef VBOX_WITH_STATISTICS
3282 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3283 if (VBOX_FAILURE(rc))
3284 goto failure;
3285#endif
3286
3287 rc = patmPatchGenPatchJump(pVM, pPatch, pInstrGC, pPatchTargetGC);
3288 if (VBOX_FAILURE(rc))
3289 goto failure;
3290
3291 /*
3292 * Insert into patch to guest lookup tree
3293 */
3294 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3295 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3296 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3297 AssertMsg(rc, ("RTAvloGCPtrInsert failed for %x\n", pPatchRec->CoreOffset.Key));
3298 if (!rc)
3299 {
3300 rc = VERR_PATCHING_REFUSED;
3301 goto failure;
3302 }
3303
3304 /* size of patch block */
3305 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3306
3307 /* Update free pointer in patch memory. */
3308 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3309 /* Round to next 8 byte boundary */
3310 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3311
3312 /* There's no jump from guest to patch code. */
3313 pPatch->cbPatchJump = 0;
3314
3315 /* Enable the patch. */
3316 pPatch->uState = PATCH_ENABLED;
3317 /* We allow this patch to be called as a function. */
3318 pPatch->flags |= PATMFL_CALLABLE_AS_FUNCTION;
3319 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledTrampoline);
3320 return VINF_SUCCESS;
3321
3322failure:
3323 if (pPatchRec->CoreOffset.Key)
3324 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
3325
3326 patmEmptyTree(pVM, &pPatch->FixupTree);
3327 pPatch->nrFixups = 0;
3328
3329 patmEmptyTree(pVM, &pPatch->JumpTree);
3330 pPatch->nrJumpRecs = 0;
3331
3332 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3333 pPatch->pTempInfo->nrIllegalInstr = 0;
3334
3335 /* Turn this cli patch into a dummy. */
3336 pPatch->uState = PATCH_REFUSED;
3337 pPatch->pPatchBlockOffset = 0;
3338
3339 // Give back the patch memory we no longer need
3340 Assert(orgOffsetPatchMem != (uint32_t)~0);
3341 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3342
3343 return rc;
3344}
3345
3346
3347/**
3348 * Patch branch target function for call/jump at specified location.
3349 * (in responds to a VINF_PATM_DUPLICATE_FUNCTION GC exit reason)
3350 *
3351 * @returns VBox status code.
3352 * @param pVM The VM to operate on.
3353 * @param pCtx Guest context
3354 *
3355 */
3356PATMR3DECL(int) PATMR3DuplicateFunctionRequest(PVM pVM, PCPUMCTX pCtx)
3357{
3358 RTGCPTR pBranchTarget, pPage;
3359 int rc;
3360 RTGCPTR pPatchTargetGC = 0;
3361
3362 pBranchTarget = pCtx->edx;
3363 pBranchTarget = SELMToFlat(pVM, pCtx->eflags, pCtx->cs, &pCtx->csHid, pBranchTarget);
3364
3365 /* First we check if the duplicate function target lies in some existing function patch already. Will save some space. */
3366 pPage = pBranchTarget & PAGE_BASE_GC_MASK;
3367
3368 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTGCPTR)pPage);
3369 if (pPatchPage)
3370 {
3371 uint32_t i;
3372
3373 for (i=0;i<pPatchPage->cCount;i++)
3374 {
3375 if (pPatchPage->aPatch[i])
3376 {
3377 PPATCHINFO pPatch = pPatchPage->aPatch[i];
3378
3379 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
3380 && pPatch->uState == PATCH_ENABLED)
3381 {
3382 pPatchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pBranchTarget);
3383 if (pPatchTargetGC)
3384 {
3385 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateUseExisting);
3386 break;
3387 }
3388 }
3389 }
3390 }
3391 }
3392
3393 if (pPatchTargetGC)
3394 {
3395 /* Create a trampoline that also sets PATM_INTERRUPTFLAG. */
3396 rc = PATMR3InstallPatch(pVM, pBranchTarget, PATMFL_CODE32 | PATMFL_TRAMPOLINE);
3397 }
3398 else
3399 {
3400 rc = PATMR3InstallPatch(pVM, pBranchTarget, PATMFL_CODE32 | PATMFL_DUPLICATE_FUNCTION);
3401 }
3402
3403 if (rc == VINF_SUCCESS)
3404 {
3405 pPatchTargetGC = PATMR3QueryPatchGCPtr(pVM, pBranchTarget);
3406 Assert(pPatchTargetGC);
3407 }
3408
3409 if (pPatchTargetGC)
3410 {
3411 pCtx->eax = pPatchTargetGC;
3412 pCtx->eax = pCtx->eax - (RTGCUINTPTR)pVM->patm.s.pPatchMemGC; /* make it relative */
3413 }
3414 else
3415 {
3416 /* We add a dummy entry into the lookup cache so we won't get bombarded with the same requests over and over again. */
3417 pCtx->eax = 0;
3418 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateREQFailed);
3419 }
3420 Assert(PATMIsPatchGCAddr(pVM, pCtx->edi));
3421 rc = PATMAddBranchToLookupCache(pVM, pCtx->edi, pBranchTarget, pCtx->eax);
3422 AssertRC(rc);
3423
3424 pCtx->eip += PATM_ILLEGAL_INSTR_SIZE;
3425 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateREQSuccess);
3426 return VINF_SUCCESS;
3427}
3428
3429/**
3430 * Replaces a function call by a call to an existing function duplicate (or jmp -> jmp)
3431 *
3432 * @returns VBox status code.
3433 * @param pVM The VM to operate on.
3434 * @param pCpu Disassembly CPU structure ptr
3435 * @param pInstrGC Guest context point to privileged instruction
3436 * @param pPatch Patch record
3437 *
3438 */
3439static int patmReplaceFunctionCall(PVM pVM, DISCPUSTATE *pCpu, RTGCPTR pInstrGC, PPATCHINFO pPatch)
3440{
3441 int rc = VERR_PATCHING_REFUSED;
3442 DISCPUSTATE cpu;
3443 RTGCPTR pTargetGC;
3444 PPATMPATCHREC pPatchFunction;
3445 uint32_t opsize;
3446 bool disret;
3447#ifdef LOG_ENABLED
3448 char szOutput[256];
3449#endif
3450
3451 Assert(pPatch->flags & PATMFL_REPLACE_FUNCTION_CALL);
3452 Assert((pCpu->pCurInstr->opcode == OP_CALL || pCpu->pCurInstr->opcode == OP_JMP) && pCpu->opsize == SIZEOF_NEARJUMP32);
3453
3454 if ((pCpu->pCurInstr->opcode != OP_CALL && pCpu->pCurInstr->opcode != OP_JMP) || pCpu->opsize != SIZEOF_NEARJUMP32)
3455 {
3456 rc = VERR_PATCHING_REFUSED;
3457 goto failure;
3458 }
3459
3460 pTargetGC = PATMResolveBranch(pCpu, pInstrGC);
3461 if (pTargetGC == 0)
3462 {
3463 Log(("We don't support far jumps here!! (%08X)\n", pCpu->param1.flags));
3464 rc = VERR_PATCHING_REFUSED;
3465 goto failure;
3466 }
3467
3468 pPatchFunction = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pTargetGC);
3469 if (pPatchFunction == NULL)
3470 {
3471 for(;;)
3472 {
3473 /* It could be an indirect call (call -> jmp dest).
3474 * Note that it's dangerous to assume the jump will never change...
3475 */
3476 uint8_t *pTmpInstrHC;
3477
3478 pTmpInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pTargetGC);
3479 Assert(pTmpInstrHC);
3480 if (pTmpInstrHC == 0)
3481 break;
3482
3483 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3484 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pTargetGC, pTmpInstrHC, &opsize, NULL);
3485 if (disret == false || cpu.pCurInstr->opcode != OP_JMP)
3486 break;
3487
3488 pTargetGC = PATMResolveBranch(&cpu, pTargetGC);
3489 if (pTargetGC == 0)
3490 {
3491 break;
3492 }
3493
3494 pPatchFunction = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pTargetGC);
3495 break;
3496 }
3497 if (pPatchFunction == 0)
3498 {
3499 AssertMsgFailed(("Unable to find duplicate function %VGv\n", pTargetGC));
3500 rc = VERR_PATCHING_REFUSED;
3501 goto failure;
3502 }
3503 }
3504
3505 // make a copy of the guest code bytes that will be overwritten
3506 pPatch->cbPatchJump = SIZEOF_NEARJUMP32;
3507
3508 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
3509 AssertRC(rc);
3510
3511 /* Now replace the original call in the guest code */
3512 rc = patmGenCallToPatch(pVM, pPatch, PATCHCODE_PTR_GC(&pPatchFunction->patch), true);
3513 AssertRC(rc);
3514 if (VBOX_FAILURE(rc))
3515 goto failure;
3516
3517 /* Lowest and highest address for write monitoring. */
3518 pPatch->pInstrGCLowest = pInstrGC;
3519 pPatch->pInstrGCHighest = pInstrGC + pCpu->opsize;
3520
3521#ifdef LOG_ENABLED
3522 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3523 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3524 Log(("Call patch: %s", szOutput));
3525#endif
3526
3527 Log(("Successfully installed function replacement patch at %VGv\n", pInstrGC));
3528
3529 pPatch->uState = PATCH_ENABLED;
3530 return VINF_SUCCESS;
3531
3532failure:
3533 /* Turn this patch into a dummy. */
3534 pPatch->uState = PATCH_REFUSED;
3535
3536 return rc;
3537}
3538
3539/**
3540 * Replace the address in an MMIO instruction with the cached version.
3541 *
3542 * @returns VBox status code.
3543 * @param pVM The VM to operate on.
3544 * @param pInstrGC Guest context point to privileged instruction
3545 * @param pCpu Disassembly CPU structure ptr
3546 * @param pPatch Patch record
3547 *
3548 * @note returns failure if patching is not allowed or possible
3549 *
3550 */
3551static int patmPatchMMIOInstr(PVM pVM, RTGCPTR pInstrGC, DISCPUSTATE *pCpu, PPATCHINFO pPatch)
3552{
3553 uint8_t *pPB;
3554 int rc = VERR_PATCHING_REFUSED;
3555#ifdef LOG_ENABLED
3556 DISCPUSTATE cpu;
3557 uint32_t opsize;
3558 bool disret;
3559 char szOutput[256];
3560#endif
3561
3562 Assert(pVM->patm.s.mmio.pCachedData);
3563 if (!pVM->patm.s.mmio.pCachedData)
3564 goto failure;
3565
3566 if (pCpu->param2.flags != USE_DISPLACEMENT32)
3567 goto failure;
3568
3569 pPB = pPatch->pPrivInstrHC;
3570
3571 /* Add relocation record for cached data access. */
3572 if (patmPatchAddReloc32(pVM, pPatch, &pPB[pCpu->opsize - sizeof(RTGCPTR)], FIXUP_ABSOLUTE, pPatch->pPrivInstrGC, pVM->patm.s.mmio.pCachedData) != VINF_SUCCESS)
3573 {
3574 Log(("Relocation failed for cached mmio address!!\n"));
3575 return VERR_PATCHING_REFUSED;
3576 }
3577#ifdef LOG_ENABLED
3578 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3579 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3580 Log(("MMIO patch old instruction: %s", szOutput));
3581#endif
3582
3583 /* Save original instruction. */
3584 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPrivInstr);
3585 AssertRC(rc);
3586
3587 pPatch->cbPatchJump = pPatch->cbPrivInstr; /* bit of a misnomer in this case; size of replacement instruction. */
3588
3589 /* Replace address with that of the cached item. */
3590 rc = PGMPhysWriteGCPtrDirty(pVM, pInstrGC + pCpu->opsize - sizeof(RTGCPTR), &pVM->patm.s.mmio.pCachedData, sizeof(RTGCPTR));
3591 AssertRC(rc);
3592 if (VBOX_FAILURE(rc))
3593 {
3594 goto failure;
3595 }
3596
3597#ifdef LOG_ENABLED
3598 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3599 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3600 Log(("MMIO patch: %s", szOutput));
3601#endif
3602 pVM->patm.s.mmio.pCachedData = 0;
3603 pVM->patm.s.mmio.GCPhys = 0;
3604 pPatch->uState = PATCH_ENABLED;
3605 return VINF_SUCCESS;
3606
3607failure:
3608 /* Turn this patch into a dummy. */
3609 pPatch->uState = PATCH_REFUSED;
3610
3611 return rc;
3612}
3613
3614
3615/**
3616 * Replace the address in an MMIO instruction with the cached version. (instruction is part of an existing patch)
3617 *
3618 * @returns VBox status code.
3619 * @param pVM The VM to operate on.
3620 * @param pInstrGC Guest context point to privileged instruction
3621 * @param pPatch Patch record
3622 *
3623 * @note returns failure if patching is not allowed or possible
3624 *
3625 */
3626static int patmPatchPATMMMIOInstr(PVM pVM, RTGCPTR pInstrGC, PPATCHINFO pPatch)
3627{
3628 DISCPUSTATE cpu;
3629 uint32_t opsize;
3630 bool disret;
3631 uint8_t *pInstrHC;
3632#ifdef LOG_ENABLED
3633 char szOutput[256];
3634#endif
3635
3636 AssertReturn(pVM->patm.s.mmio.pCachedData, VERR_INVALID_PARAMETER);
3637
3638 /* Convert GC to HC address. */
3639 pInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pInstrGC);
3640 AssertReturn(pInstrHC, VERR_PATCHING_REFUSED);
3641
3642 /* Disassemble mmio instruction. */
3643 cpu.mode = pPatch->uOpMode;
3644 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, NULL);
3645 if (disret == false)
3646 {
3647 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
3648 return VERR_PATCHING_REFUSED;
3649 }
3650
3651 AssertMsg(opsize <= MAX_INSTR_SIZE, ("privileged instruction too big %d!!\n", opsize));
3652 if (opsize > MAX_INSTR_SIZE)
3653 return VERR_PATCHING_REFUSED;
3654 if (cpu.param2.flags != USE_DISPLACEMENT32)
3655 return VERR_PATCHING_REFUSED;
3656
3657 /* Add relocation record for cached data access. */
3658 if (patmPatchAddReloc32(pVM, pPatch, &pInstrHC[cpu.opsize - sizeof(RTGCPTR)], FIXUP_ABSOLUTE) != VINF_SUCCESS)
3659 {
3660 Log(("Relocation failed for cached mmio address!!\n"));
3661 return VERR_PATCHING_REFUSED;
3662 }
3663 /* Replace address with that of the cached item. */
3664 *(RTGCPTR *)&pInstrHC[cpu.opsize - sizeof(RTGCPTR)] = pVM->patm.s.mmio.pCachedData;
3665
3666 /* Lowest and highest address for write monitoring. */
3667 pPatch->pInstrGCLowest = pInstrGC;
3668 pPatch->pInstrGCHighest = pInstrGC + cpu.opsize;
3669
3670#ifdef LOG_ENABLED
3671 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3672 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, szOutput);
3673 Log(("MMIO patch: %s", szOutput));
3674#endif
3675
3676 pVM->patm.s.mmio.pCachedData = 0;
3677 pVM->patm.s.mmio.GCPhys = 0;
3678 return VINF_SUCCESS;
3679}
3680
3681/**
3682 * Activates an int3 patch
3683 *
3684 * @returns VBox status code.
3685 * @param pVM The VM to operate on.
3686 * @param pPatch Patch record
3687 */
3688static int patmActivateInt3Patch(PVM pVM, PPATCHINFO pPatch)
3689{
3690 uint8_t ASMInt3 = 0xCC;
3691 int rc;
3692
3693 Assert(pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK));
3694 Assert(pPatch->uState != PATCH_ENABLED);
3695
3696 /* Replace first opcode byte with 'int 3'. */
3697 rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, &ASMInt3, sizeof(ASMInt3));
3698 AssertRC(rc);
3699
3700 pPatch->cbPatchJump = sizeof(ASMInt3);
3701
3702 return rc;
3703}
3704
3705/**
3706 * Deactivates an int3 patch
3707 *
3708 * @returns VBox status code.
3709 * @param pVM The VM to operate on.
3710 * @param pPatch Patch record
3711 */
3712static int patmDeactivateInt3Patch(PVM pVM, PPATCHINFO pPatch)
3713{
3714 uint8_t ASMInt3 = 0xCC;
3715 int rc;
3716
3717 Assert(pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK));
3718 Assert(pPatch->uState == PATCH_ENABLED || pPatch->uState == PATCH_DIRTY);
3719
3720 /* Restore first opcode byte. */
3721 rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, pPatch->aPrivInstr, sizeof(ASMInt3));
3722 AssertRC(rc);
3723 return rc;
3724}
3725
3726/**
3727 * Replace an instruction with a breakpoint (0xCC), that is handled dynamically in the guest context.
3728 *
3729 * @returns VBox status code.
3730 * @param pVM The VM to operate on.
3731 * @param pInstrGC Guest context point to privileged instruction
3732 * @param pInstrHC Host context point to privileged instruction
3733 * @param pCpu Disassembly CPU structure ptr
3734 * @param pPatch Patch record
3735 *
3736 * @note returns failure if patching is not allowed or possible
3737 *
3738 */
3739PATMR3DECL(int) PATMR3PatchInstrInt3(PVM pVM, RTGCPTR pInstrGC, HCPTRTYPE(uint8_t *) pInstrHC, DISCPUSTATE *pCpu, PPATCHINFO pPatch)
3740{
3741 uint8_t ASMInt3 = 0xCC;
3742 int rc;
3743
3744 /** @note Do not use patch memory here! It might called during patch installation too. */
3745
3746#ifdef LOG_ENABLED
3747 DISCPUSTATE cpu;
3748 char szOutput[256];
3749 uint32_t opsize;
3750
3751 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3752 PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, szOutput);
3753 Log(("PATMR3PatchInstrInt3: %s", szOutput));
3754#endif
3755
3756 /* Save the original instruction. */
3757 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPrivInstr);
3758 AssertRC(rc);
3759 pPatch->cbPatchJump = sizeof(ASMInt3); /* bit of a misnomer in this case; size of replacement instruction. */
3760
3761 pPatch->flags |= PATMFL_INT3_REPLACEMENT;
3762
3763 /* Replace first opcode byte with 'int 3'. */
3764 rc = patmActivateInt3Patch(pVM, pPatch);
3765 if (VBOX_FAILURE(rc))
3766 goto failure;
3767
3768 /* Lowest and highest address for write monitoring. */
3769 pPatch->pInstrGCLowest = pInstrGC;
3770 pPatch->pInstrGCHighest = pInstrGC + pCpu->opsize;
3771
3772 pPatch->uState = PATCH_ENABLED;
3773 return VINF_SUCCESS;
3774
3775failure:
3776 /* Turn this patch into a dummy. */
3777 return VERR_PATCHING_REFUSED;
3778}
3779
3780#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
3781/**
3782 * Patch a jump instruction at specified location
3783 *
3784 * @returns VBox status code.
3785 * @param pVM The VM to operate on.
3786 * @param pInstrGC Guest context point to privileged instruction
3787 * @param pInstrHC Host context point to privileged instruction
3788 * @param pCpu Disassembly CPU structure ptr
3789 * @param pPatchRec Patch record
3790 *
3791 * @note returns failure if patching is not allowed or possible
3792 *
3793 */
3794int patmPatchJump(PVM pVM, RTGCPTR pInstrGC, HCPTRTYPE(uint8_t *) pInstrHC, DISCPUSTATE *pCpu, PPATMPATCHREC pPatchRec)
3795{
3796 PPATCHINFO pPatch = &pPatchRec->patch;
3797 int rc = VERR_PATCHING_REFUSED;
3798#ifdef LOG_ENABLED
3799 bool disret;
3800 DISCPUSTATE cpu;
3801 uint32_t opsize;
3802 char szOutput[256];
3803#endif
3804
3805 pPatch->pPatchBlockOffset = 0; /* doesn't use patch memory */
3806 pPatch->uCurPatchOffset = 0;
3807 pPatch->cbPatchBlockSize = 0;
3808 pPatch->flags |= PATMFL_SINGLE_INSTRUCTION;
3809
3810 /*
3811 * Instruction replacements such as these should never be interrupted. I've added code to EM.cpp to
3812 * make sure this never happens. (unless a trap is triggered (intentionally or not))
3813 */
3814 switch (pCpu->pCurInstr->opcode)
3815 {
3816 case OP_JO:
3817 case OP_JNO:
3818 case OP_JC:
3819 case OP_JNC:
3820 case OP_JE:
3821 case OP_JNE:
3822 case OP_JBE:
3823 case OP_JNBE:
3824 case OP_JS:
3825 case OP_JNS:
3826 case OP_JP:
3827 case OP_JNP:
3828 case OP_JL:
3829 case OP_JNL:
3830 case OP_JLE:
3831 case OP_JNLE:
3832 case OP_JMP:
3833 Assert(pPatch->flags & PATMFL_JUMP_CONFLICT);
3834 Assert(pCpu->param1.flags & USE_IMMEDIATE32_REL);
3835 if (!(pCpu->param1.flags & USE_IMMEDIATE32_REL))
3836 goto failure;
3837
3838 Assert(pCpu->opsize == SIZEOF_NEARJUMP32 || pCpu->opsize == SIZEOF_NEAR_COND_JUMP32);
3839 if (pCpu->opsize != SIZEOF_NEARJUMP32 && pCpu->opsize != SIZEOF_NEAR_COND_JUMP32)
3840 goto failure;
3841
3842 if (PAGE_ADDRESS(pInstrGC) != PAGE_ADDRESS(pInstrGC + pCpu->opsize))
3843 {
3844 STAM_COUNTER_INC(&pVM->patm.s.StatPageBoundaryCrossed);
3845 AssertMsgFailed(("Patch jump would cross page boundary -> refuse!!\n"));
3846 rc = VERR_PATCHING_REFUSED;
3847 goto failure;
3848 }
3849
3850 break;
3851
3852 default:
3853 goto failure;
3854 }
3855
3856 // make a copy of the guest code bytes that will be overwritten
3857 Assert(pCpu->opsize <= sizeof(pPatch->aPrivInstr));
3858 Assert(pCpu->opsize >= SIZEOF_NEARJUMP32);
3859 pPatch->cbPatchJump = pCpu->opsize;
3860
3861 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
3862 AssertRC(rc);
3863
3864 /* Now insert a jump in the guest code. */
3865 /*
3866 * A conflict jump patch needs to be treated differently; we'll just replace the relative jump address with one that
3867 * references the target instruction in the conflict patch.
3868 */
3869 RTGCPTR pJmpDest = PATMR3GuestGCPtrToPatchGCPtr(pVM, pInstrGC + pCpu->opsize + (int32_t)pCpu->param1.parval);
3870
3871 AssertMsg(pJmpDest, ("PATMR3GuestGCPtrToPatchGCPtr failed for %VGv\n", pInstrGC + pCpu->opsize + (int32_t)pCpu->param1.parval));
3872 pPatch->pPatchJumpDestGC = pJmpDest;
3873
3874 rc = patmGenJumpToPatch(pVM, pPatch, true);
3875 AssertRC(rc);
3876 if (VBOX_FAILURE(rc))
3877 goto failure;
3878
3879 pPatch->flags |= PATMFL_MUST_INSTALL_PATCHJMP;
3880
3881#ifdef LOG_ENABLED
3882 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3883 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3884 Log(("%s patch: %s", patmGetInstructionString(pPatch->opcode, pPatch->flags), szOutput));
3885#endif
3886
3887 Log(("Successfully installed %s patch at %VGv\n", patmGetInstructionString(pPatch->opcode, pPatch->flags), pInstrGC));
3888
3889 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledJump);
3890
3891 /* Lowest and highest address for write monitoring. */
3892 pPatch->pInstrGCLowest = pInstrGC;
3893 pPatch->pInstrGCHighest = pInstrGC + pPatch->cbPatchJump;
3894
3895 pPatch->uState = PATCH_ENABLED;
3896 return VINF_SUCCESS;
3897
3898failure:
3899 /* Turn this cli patch into a dummy. */
3900 pPatch->uState = PATCH_REFUSED;
3901
3902 return rc;
3903}
3904#endif /* PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES */
3905
3906
3907/**
3908 * Gives hint to PATM about supervisor guest instructions
3909 *
3910 * @returns VBox status code.
3911 * @param pVM The VM to operate on.
3912 * @param pInstr Guest context point to privileged instruction
3913 * @param flags Patch flags
3914 */
3915PATMR3DECL(int) PATMR3AddHint(PVM pVM, RTGCPTR pInstrGC, uint32_t flags)
3916{
3917 Assert(pInstrGC);
3918 Assert(flags == PATMFL_CODE32);
3919
3920 Log(("PATMR3AddHint %VGv\n", pInstrGC));
3921 return PATMR3InstallPatch(pVM, pInstrGC, PATMFL_CODE32 | PATMFL_INSTR_HINT);
3922}
3923
3924/**
3925 * Patch privileged instruction at specified location
3926 *
3927 * @returns VBox status code.
3928 * @param pVM The VM to operate on.
3929 * @param pInstr Guest context point to privileged instruction (0:32 flat address)
3930 * @param flags Patch flags
3931 *
3932 * @note returns failure if patching is not allowed or possible
3933 */
3934PATMR3DECL(int) PATMR3InstallPatch(PVM pVM, RTGCPTR pInstrGC, uint64_t flags)
3935{
3936 DISCPUSTATE cpu;
3937 HCPTRTYPE(uint8_t *) pInstrHC;
3938 uint32_t opsize;
3939 PPATMPATCHREC pPatchRec;
3940 PCPUMCTX pCtx = 0;
3941 bool disret;
3942 int rc;
3943
3944 if (!pVM || pInstrGC == 0 || (flags & ~(PATMFL_CODE32|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_SYSENTER|PATMFL_TRAPHANDLER|PATMFL_DUPLICATE_FUNCTION|PATMFL_REPLACE_FUNCTION_CALL|PATMFL_GUEST_SPECIFIC|PATMFL_INT3_REPLACEMENT|PATMFL_TRAPHANDLER_WITH_ERRORCODE|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_MMIO_ACCESS|PATMFL_TRAMPOLINE|PATMFL_INSTR_HINT|PATMFL_JUMP_CONFLICT)))
3945 {
3946 AssertFailed();
3947 return VERR_INVALID_PARAMETER;
3948 }
3949
3950 if (PATMIsEnabled(pVM) == false)
3951 return VERR_PATCHING_REFUSED;
3952
3953 /* Test for patch conflict only with patches that actually change guest code. */
3954 if (!(flags & (PATMFL_GUEST_SPECIFIC|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_TRAMPOLINE)))
3955 {
3956 PPATCHINFO pConflictPatch = PATMFindActivePatchByEntrypoint(pVM, pInstrGC);
3957 AssertReleaseMsg(pConflictPatch == 0, ("Unable to patch overwritten instruction at %VGv (%VGv)\n", pInstrGC, pConflictPatch->pPrivInstrGC));
3958 if (pConflictPatch != 0)
3959 return VERR_PATCHING_REFUSED;
3960 }
3961
3962 if (!(flags & PATMFL_CODE32))
3963 {
3964 /** @todo Only 32 bits code right now */
3965 AssertMsgFailed(("PATMR3InstallPatch: We don't support 16 bits code at this moment!!\n"));
3966 return VERR_NOT_IMPLEMENTED;
3967 }
3968
3969 /* We ran out of patch memory; don't bother anymore. */
3970 if (pVM->patm.s.fOutOfMemory == true)
3971 return VERR_PATCHING_REFUSED;
3972
3973 /* Make sure the code selector is wide open; otherwise refuse. */
3974 CPUMQueryGuestCtxPtr(pVM, &pCtx);
3975 if (CPUMGetGuestCPL(pVM, CPUMCTX2CORE(pCtx)) == 0)
3976 {
3977 RTGCPTR pInstrGCFlat = SELMToFlat(pVM, pCtx->eflags, pCtx->cs, &pCtx->csHid, pInstrGC);
3978 if (pInstrGCFlat != pInstrGC)
3979 {
3980 Log(("PATMR3InstallPatch: code selector not wide open: %04x:%VGv != %VGv eflags=%08x\n", pCtx->cs, pInstrGCFlat, pInstrGC, pCtx->eflags.u32));
3981 return VERR_PATCHING_REFUSED;
3982 }
3983 }
3984
3985 /** @note the OpenBSD specific check will break if we allow additional patches to be installed (int 3)) */
3986 if (!(flags & PATMFL_GUEST_SPECIFIC))
3987 {
3988 /* New code. Make sure CSAM has a go at it first. */
3989 CSAMR3CheckCode(pVM, pInstrGC);
3990 }
3991
3992 /** @note obsolete */
3993 if ( PATMIsPatchGCAddr(pVM, pInstrGC)
3994 && (flags & PATMFL_MMIO_ACCESS))
3995 {
3996 RTGCUINTPTR offset;
3997 void *pvPatchCoreOffset;
3998
3999 /* Find the patch record. */
4000 offset = pInstrGC - pVM->patm.s.pPatchMemGC;
4001 pvPatchCoreOffset = RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, offset, false);
4002 if (pvPatchCoreOffset == NULL)
4003 {
4004 AssertMsgFailed(("PATMR3InstallPatch: patch not found at address %VGv!!\n", pInstrGC));
4005 return VERR_PATCH_NOT_FOUND; //fatal error
4006 }
4007 pPatchRec = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
4008
4009 return patmPatchPATMMMIOInstr(pVM, pInstrGC, &pPatchRec->patch);
4010 }
4011
4012 AssertReturn(!PATMIsPatchGCAddr(pVM, pInstrGC), VERR_PATCHING_REFUSED);
4013
4014 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4015 if (pPatchRec)
4016 {
4017 Assert(!(flags & PATMFL_TRAMPOLINE));
4018
4019 /* Hints about existing patches are ignored. */
4020 if (flags & PATMFL_INSTR_HINT)
4021 return VERR_PATCHING_REFUSED;
4022
4023 if (pPatchRec->patch.uState == PATCH_DISABLE_PENDING)
4024 {
4025 Log(("PATMR3InstallPatch: disable operation is pending for patch at %VGv\n", pPatchRec->patch.pPrivInstrGC));
4026 PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
4027 Assert(pPatchRec->patch.uState == PATCH_DISABLED);
4028 }
4029
4030 if (pPatchRec->patch.uState == PATCH_DISABLED)
4031 {
4032 /* A patch, for which we previously received a hint, will be enabled and turned into a normal patch. */
4033 if (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
4034 {
4035 Log(("Enabling HINTED patch %VGv\n", pInstrGC));
4036 pPatchRec->patch.flags &= ~PATMFL_INSTR_HINT;
4037 }
4038 else
4039 Log(("Enabling patch %VGv again\n", pInstrGC));
4040
4041 /** @todo we shouldn't disable and enable patches too often (it's relatively cheap, but pointless if it always happens) */
4042 rc = PATMR3EnablePatch(pVM, pInstrGC);
4043 if (VBOX_SUCCESS(rc))
4044 return VWRN_PATCH_ENABLED;
4045
4046 return rc;
4047 }
4048 if ( pPatchRec->patch.uState == PATCH_ENABLED
4049 || pPatchRec->patch.uState == PATCH_DIRTY)
4050 {
4051 /*
4052 * The patch might have been overwritten.
4053 */
4054 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
4055 if (pPatchRec->patch.uState != PATCH_REFUSED && pPatchRec->patch.uState != PATCH_UNUSABLE)
4056 {
4057 /* Patch must have been overwritten; remove it and pretend nothing happened. */
4058 Log(("Patch an existing patched instruction?!? (%VGv)\n", pInstrGC));
4059 if (pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_MMIO_ACCESS|PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
4060 {
4061 if (flags & PATMFL_IDTHANDLER)
4062 pPatchRec->patch.flags |= (flags & (PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER|PATMFL_INTHANDLER)); /* update the type */
4063
4064 return VERR_PATM_ALREADY_PATCHED; /* already done once */
4065 }
4066 }
4067 PATMR3RemovePatch(pVM, pInstrGC);
4068 }
4069 else
4070 {
4071 AssertMsg(pPatchRec->patch.uState == PATCH_REFUSED || pPatchRec->patch.uState == PATCH_UNUSABLE, ("Patch an existing patched instruction?!? (%VGv, state=%d)\n", pInstrGC, pPatchRec->patch.uState));
4072 /* already tried it once! */
4073 return VERR_PATCHING_REFUSED;
4074 }
4075 }
4076
4077 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHREC), 0, MM_TAG_PATM_PATCH, (void **)&pPatchRec);
4078 if (VBOX_FAILURE(rc))
4079 {
4080 Log(("Out of memory!!!!\n"));
4081 return VERR_NO_MEMORY;
4082 }
4083 pPatchRec->Core.Key = pInstrGC;
4084 pPatchRec->patch.uState = PATCH_REFUSED; //default
4085 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pPatchRec->Core);
4086 Assert(rc);
4087
4088 RTGCPHYS GCPhys;
4089 rc = PGMGstGetPage(pVM, pInstrGC, NULL, &GCPhys);
4090 if (rc != VINF_SUCCESS)
4091 {
4092 Log(("PGMGstGetPage failed with %Vrc\n", rc));
4093 return rc;
4094 }
4095 /* Disallow patching instructions inside ROM code; complete function duplication is allowed though. */
4096 if ( !(flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_TRAMPOLINE))
4097 && !PGMPhysIsGCPhysNormal(pVM, GCPhys))
4098 {
4099 Log(("Code at %RGv (phys %RGp) is in a ROM, MMIO or invalid page - refused\n", pInstrGC, GCPhys));
4100 return VERR_PATCHING_REFUSED;
4101 }
4102 GCPhys = GCPhys + (pInstrGC & PAGE_OFFSET_MASK);
4103 rc = PGMPhysGCPhys2HCPtr(pVM, GCPhys, MAX_INSTR_SIZE, (void **)&pInstrHC);
4104 AssertRCReturn(rc, rc);
4105
4106 pPatchRec->patch.pPrivInstrHC = pInstrHC;
4107 pPatchRec->patch.pPrivInstrGC = pInstrGC;
4108 pPatchRec->patch.flags = flags;
4109 pPatchRec->patch.uOpMode = (flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
4110
4111 pPatchRec->patch.pInstrGCLowest = pInstrGC;
4112 pPatchRec->patch.pInstrGCHighest = pInstrGC;
4113
4114 if (!(pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION | PATMFL_IDTHANDLER | PATMFL_SYSENTER | PATMFL_TRAMPOLINE)))
4115 {
4116 /*
4117 * Close proximity to an unusable patch is a possible hint that this patch would turn out to be dangerous too!
4118 */
4119 PPATMPATCHREC pPatchNear = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, (pInstrGC + SIZEOF_NEARJUMP32 - 1), false);
4120 if (pPatchNear)
4121 {
4122 if (pPatchNear->patch.uState == PATCH_UNUSABLE && pInstrGC < pPatchNear->patch.pPrivInstrGC && pInstrGC + SIZEOF_NEARJUMP32 > pPatchNear->patch.pPrivInstrGC)
4123 {
4124 Log(("Dangerous patch; would overwrite the ususable patch at %VGv\n", pPatchNear->patch.pPrivInstrGC));
4125
4126 pPatchRec->patch.uState = PATCH_UNUSABLE;
4127 /*
4128 * Leave the new patch active as it's marked unusable; to prevent us from checking it over and over again
4129 */
4130 return VERR_PATCHING_REFUSED;
4131 }
4132 }
4133 }
4134
4135 pPatchRec->patch.pTempInfo = (PPATCHINFOTEMP)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(PATCHINFOTEMP));
4136 if (pPatchRec->patch.pTempInfo == 0)
4137 {
4138 Log(("Out of memory!!!!\n"));
4139 return VERR_NO_MEMORY;
4140 }
4141
4142 cpu.mode = pPatchRec->patch.uOpMode;
4143 disret = PATMR3DISInstr(pVM, &pPatchRec->patch, &cpu, pInstrGC, pInstrHC, &opsize, NULL);
4144 if (disret == false)
4145 {
4146 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
4147 return VERR_PATCHING_REFUSED;
4148 }
4149
4150 AssertMsg(opsize <= MAX_INSTR_SIZE, ("privileged instruction too big %d!!\n", opsize));
4151 if (opsize > MAX_INSTR_SIZE)
4152 {
4153 return VERR_PATCHING_REFUSED;
4154 }
4155
4156 pPatchRec->patch.cbPrivInstr = opsize;
4157 pPatchRec->patch.opcode = cpu.pCurInstr->opcode;
4158
4159 /* Restricted hinting for now. */
4160 Assert(!(flags & PATMFL_INSTR_HINT) || cpu.pCurInstr->opcode == OP_CLI);
4161
4162 /* Allocate statistics slot */
4163 if (pVM->patm.s.uCurrentPatchIdx < PATM_STAT_MAX_COUNTERS)
4164 {
4165 pPatchRec->patch.uPatchIdx = pVM->patm.s.uCurrentPatchIdx++;
4166 }
4167 else
4168 {
4169 Log(("WARNING: Patch index wrap around!!\n"));
4170 pPatchRec->patch.uPatchIdx = PATM_STAT_INDEX_DUMMY;
4171 }
4172
4173 if (pPatchRec->patch.flags & PATMFL_TRAPHANDLER)
4174 {
4175 rc = patmInstallTrapTrampoline(pVM, pInstrGC, pPatchRec);
4176 }
4177 else
4178 if (pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION ))
4179 {
4180 rc = patmDuplicateFunction(pVM, pInstrGC, pPatchRec);
4181 }
4182 else
4183 if (pPatchRec->patch.flags & PATMFL_TRAMPOLINE)
4184 {
4185 rc = patmCreateTrampoline(pVM, pInstrGC, pPatchRec);
4186 }
4187 else
4188 if (pPatchRec->patch.flags & PATMFL_REPLACE_FUNCTION_CALL)
4189 {
4190 rc = patmReplaceFunctionCall(pVM, &cpu, pInstrGC, &pPatchRec->patch);
4191 }
4192 else
4193 if (pPatchRec->patch.flags & PATMFL_INT3_REPLACEMENT)
4194 {
4195 rc = PATMR3PatchInstrInt3(pVM, pInstrGC, pInstrHC, &cpu, &pPatchRec->patch);
4196 }
4197 else
4198 if (pPatchRec->patch.flags & PATMFL_MMIO_ACCESS)
4199 {
4200 rc = patmPatchMMIOInstr(pVM, pInstrGC, &cpu, &pPatchRec->patch);
4201 }
4202 else
4203 if (pPatchRec->patch.flags & (PATMFL_IDTHANDLER|PATMFL_SYSENTER))
4204 {
4205 if (pPatchRec->patch.flags & PATMFL_SYSENTER)
4206 pPatchRec->patch.flags |= PATMFL_IDTHANDLER; /* we treat a sysenter handler as an IDT handler */
4207
4208 rc = patmIdtHandler(pVM, pInstrGC, pInstrHC, opsize, pPatchRec);
4209#ifdef VBOX_WITH_STATISTICS
4210 if ( rc == VINF_SUCCESS
4211 && (pPatchRec->patch.flags & PATMFL_SYSENTER))
4212 {
4213 pVM->patm.s.uSysEnterPatchIdx = pPatchRec->patch.uPatchIdx;
4214 }
4215#endif
4216 }
4217 else
4218 if (pPatchRec->patch.flags & PATMFL_GUEST_SPECIFIC)
4219 {
4220 switch (cpu.pCurInstr->opcode)
4221 {
4222 case OP_SYSENTER:
4223 case OP_PUSH:
4224 rc = PATMInstallGuestSpecificPatch(pVM, &cpu, pInstrGC, pInstrHC, pPatchRec);
4225 if (rc == VINF_SUCCESS)
4226 {
4227 if (rc == VINF_SUCCESS)
4228 Log(("PATMR3InstallPatch GUEST: %s %VGv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4229 return rc;
4230 }
4231 break;
4232
4233 default:
4234 rc = VERR_NOT_IMPLEMENTED;
4235 break;
4236 }
4237 }
4238 else
4239 {
4240 switch (cpu.pCurInstr->opcode)
4241 {
4242 case OP_SYSENTER:
4243 rc = PATMInstallGuestSpecificPatch(pVM, &cpu, pInstrGC, pInstrHC, pPatchRec);
4244 if (rc == VINF_SUCCESS)
4245 {
4246 Log(("PATMR3InstallPatch GUEST: %s %VGv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4247 return VINF_SUCCESS;
4248 }
4249 break;
4250
4251#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
4252 case OP_JO:
4253 case OP_JNO:
4254 case OP_JC:
4255 case OP_JNC:
4256 case OP_JE:
4257 case OP_JNE:
4258 case OP_JBE:
4259 case OP_JNBE:
4260 case OP_JS:
4261 case OP_JNS:
4262 case OP_JP:
4263 case OP_JNP:
4264 case OP_JL:
4265 case OP_JNL:
4266 case OP_JLE:
4267 case OP_JNLE:
4268 case OP_JECXZ:
4269 case OP_LOOP:
4270 case OP_LOOPNE:
4271 case OP_LOOPE:
4272 case OP_JMP:
4273 if (pPatchRec->patch.flags & PATMFL_JUMP_CONFLICT)
4274 {
4275 rc = patmPatchJump(pVM, pInstrGC, pInstrHC, &cpu, pPatchRec);
4276 break;
4277 }
4278 return VERR_NOT_IMPLEMENTED;
4279#endif
4280
4281 case OP_PUSHF:
4282 case OP_CLI:
4283 Log(("PATMR3InstallPatch %s %VGv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4284 rc = PATMR3PatchBlock(pVM, pInstrGC, pInstrHC, cpu.pCurInstr->opcode, opsize, pPatchRec);
4285 break;
4286
4287 case OP_STR:
4288 case OP_SGDT:
4289 case OP_SLDT:
4290 case OP_SIDT:
4291 case OP_CPUID:
4292 case OP_LSL:
4293 case OP_LAR:
4294 case OP_SMSW:
4295 case OP_VERW:
4296 case OP_VERR:
4297 case OP_IRET:
4298 rc = PATMR3PatchInstrInt3(pVM, pInstrGC, pInstrHC, &cpu, &pPatchRec->patch);
4299 break;
4300
4301 default:
4302 return VERR_NOT_IMPLEMENTED;
4303 }
4304 }
4305
4306 if (rc != VINF_SUCCESS)
4307 {
4308 if (pPatchRec && pPatchRec->patch.nrPatch2GuestRecs)
4309 {
4310 patmEmptyTreeU32(pVM, &pPatchRec->patch.Patch2GuestAddrTree);
4311 pPatchRec->patch.nrPatch2GuestRecs = 0;
4312 }
4313 pVM->patm.s.uCurrentPatchIdx--;
4314 }
4315 else
4316 {
4317 rc = patmInsertPatchPages(pVM, &pPatchRec->patch);
4318 AssertRCReturn(rc, rc);
4319
4320 /* Keep track upper and lower boundaries of patched instructions */
4321 if (pPatchRec->patch.pInstrGCLowest < pVM->patm.s.pPatchedInstrGCLowest)
4322 pVM->patm.s.pPatchedInstrGCLowest = pPatchRec->patch.pInstrGCLowest;
4323 if (pPatchRec->patch.pInstrGCHighest > pVM->patm.s.pPatchedInstrGCHighest)
4324 pVM->patm.s.pPatchedInstrGCHighest = pPatchRec->patch.pInstrGCHighest;
4325
4326 Log(("Patch lowest %VGv highest %VGv\n", pPatchRec->patch.pInstrGCLowest, pPatchRec->patch.pInstrGCHighest));
4327 Log(("Global lowest %VGv highest %VGv\n", pVM->patm.s.pPatchedInstrGCLowest, pVM->patm.s.pPatchedInstrGCHighest));
4328
4329 STAM_COUNTER_ADD(&pVM->patm.s.StatInstalled, 1);
4330 STAM_COUNTER_ADD(&pVM->patm.s.StatPATMMemoryUsed, pPatchRec->patch.cbPatchBlockSize);
4331
4332 rc = VINF_SUCCESS;
4333
4334 /* Patch hints are not enabled by default. Only when the are actually encountered. */
4335 if (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
4336 {
4337 rc = PATMR3DisablePatch(pVM, pInstrGC);
4338 AssertRCReturn(rc, rc);
4339 }
4340
4341#ifdef VBOX_WITH_STATISTICS
4342 /* Register statistics counter */
4343 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
4344 {
4345 STAMR3RegisterCallback(pVM, &pPatchRec->patch, STAMVISIBILITY_NOT_GUI, STAMUNIT_GOOD_BAD, patmResetStat, patmPrintStat, "Patch statistics",
4346 "/PATM/Stats/Patch/0x%VGv", pPatchRec->patch.pPrivInstrGC);
4347#ifndef DEBUG_sandervl
4348 /* Full breakdown for the GUI. */
4349 STAMR3RegisterF(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx], STAMTYPE_RATIO_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_GOOD_BAD, PATMPatchType(pVM, &pPatchRec->patch),
4350 "/PATM/Stats/PatchBD/0x%VGv", pPatchRec->patch.pPrivInstrGC);
4351 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPatchBlockSize,STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cbPatchBlockSize", pPatchRec->patch.pPrivInstrGC);
4352 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPatchJump, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cbPatchJump", pPatchRec->patch.pPrivInstrGC);
4353 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPrivInstr, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cbPrivInstr", pPatchRec->patch.pPrivInstrGC);
4354 STAMR3RegisterF(pVM, &pPatchRec->patch.cCodeWrites, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cCodeWrites", pPatchRec->patch.pPrivInstrGC);
4355 STAMR3RegisterF(pVM, &pPatchRec->patch.cInvalidWrites, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cInvalidWrites", pPatchRec->patch.pPrivInstrGC);
4356 STAMR3RegisterF(pVM, &pPatchRec->patch.cTraps, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cTraps", pPatchRec->patch.pPrivInstrGC);
4357 STAMR3RegisterF(pVM, &pPatchRec->patch.flags, STAMTYPE_X32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%VGv/flags", pPatchRec->patch.pPrivInstrGC);
4358 STAMR3RegisterF(pVM, &pPatchRec->patch.nrJumpRecs, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/nrJumpRecs", pPatchRec->patch.pPrivInstrGC);
4359 STAMR3RegisterF(pVM, &pPatchRec->patch.nrFixups, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/nrFixups", pPatchRec->patch.pPrivInstrGC);
4360 STAMR3RegisterF(pVM, &pPatchRec->patch.opcode, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/opcode", pPatchRec->patch.pPrivInstrGC);
4361 STAMR3RegisterF(pVM, &pPatchRec->patch.uOldState, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%VGv/uOldState", pPatchRec->patch.pPrivInstrGC);
4362 STAMR3RegisterF(pVM, &pPatchRec->patch.uOpMode, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%VGv/uOpMode", pPatchRec->patch.pPrivInstrGC);
4363 /// @todo change the state to be a callback so we can get a state mnemonic instead.
4364 STAMR3RegisterF(pVM, &pPatchRec->patch.uState, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%VGv/uState", pPatchRec->patch.pPrivInstrGC);
4365#endif
4366 }
4367#endif
4368 }
4369 return rc;
4370}
4371
4372/**
4373 * Query instruction size
4374 *
4375 * @returns VBox status code.
4376 * @param pVM The VM to operate on.
4377 * @param pPatch Patch record
4378 * @param pInstrGC Instruction address
4379 */
4380static uint32_t patmGetInstrSize(PVM pVM, PPATCHINFO pPatch, RTGCPTR pInstrGC)
4381{
4382 uint8_t *pInstrHC;
4383
4384 int rc = PGMPhysGCPtr2HCPtr(pVM, pInstrGC, (RTHCPTR *)&pInstrHC);
4385 if (rc == VINF_SUCCESS)
4386 {
4387 DISCPUSTATE cpu;
4388 bool disret;
4389 uint32_t opsize;
4390
4391 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
4392 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, NULL, PATMREAD_ORGCODE | PATMREAD_NOCHECK);
4393 if (disret)
4394 return opsize;
4395 }
4396 return 0;
4397}
4398
4399/**
4400 * Add patch to page record
4401 *
4402 * @returns VBox status code.
4403 * @param pVM The VM to operate on.
4404 * @param pPage Page address
4405 * @param pPatch Patch record
4406 */
4407int patmAddPatchToPage(PVM pVM, RTGCUINTPTR pPage, PPATCHINFO pPatch)
4408{
4409 PPATMPATCHPAGE pPatchPage;
4410 int rc;
4411
4412 Log(("patmAddPatchToPage: insert patch %VHv to page %VGv\n", pPatch, pPage));
4413
4414 pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4415 if (pPatchPage)
4416 {
4417 Assert(pPatchPage->cCount <= pPatchPage->cMaxPatches);
4418 if (pPatchPage->cCount == pPatchPage->cMaxPatches)
4419 {
4420 uint32_t cMaxPatchesOld = pPatchPage->cMaxPatches;
4421 PPATCHINFO *paPatchOld = pPatchPage->aPatch;
4422
4423 pPatchPage->cMaxPatches += PATMPATCHPAGE_PREALLOC_INCREMENT;
4424 rc = MMHyperAlloc(pVM, sizeof(PPATCHINFO)*pPatchPage->cMaxPatches, 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage->aPatch);
4425 if (VBOX_FAILURE(rc))
4426 {
4427 Log(("Out of memory!!!!\n"));
4428 return VERR_NO_MEMORY;
4429 }
4430 memcpy(pPatchPage->aPatch, paPatchOld, cMaxPatchesOld*sizeof(PPATCHINFO));
4431 MMHyperFree(pVM, paPatchOld);
4432 }
4433 pPatchPage->aPatch[pPatchPage->cCount] = pPatch;
4434 pPatchPage->cCount++;
4435 }
4436 else
4437 {
4438 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHPAGE), 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage);
4439 if (VBOX_FAILURE(rc))
4440 {
4441 Log(("Out of memory!!!!\n"));
4442 return VERR_NO_MEMORY;
4443 }
4444 pPatchPage->Core.Key = pPage;
4445 pPatchPage->cCount = 1;
4446 pPatchPage->cMaxPatches = PATMPATCHPAGE_PREALLOC_INCREMENT;
4447
4448 rc = MMHyperAlloc(pVM, sizeof(PPATCHINFO)*PATMPATCHPAGE_PREALLOC_INCREMENT, 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage->aPatch);
4449 if (VBOX_FAILURE(rc))
4450 {
4451 Log(("Out of memory!!!!\n"));
4452 MMHyperFree(pVM, pPatchPage);
4453 return VERR_NO_MEMORY;
4454 }
4455 pPatchPage->aPatch[0] = pPatch;
4456
4457 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, &pPatchPage->Core);
4458 Assert(rc);
4459 pVM->patm.s.cPageRecords++;
4460
4461 STAM_COUNTER_INC(&pVM->patm.s.StatPatchPageInserted);
4462 }
4463 CSAMR3MonitorPage(pVM, pPage, CSAM_TAG_PATM);
4464
4465 /* Get the closest guest instruction (from below) */
4466 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4467 Assert(pGuestToPatchRec);
4468 if (pGuestToPatchRec)
4469 {
4470 if ( pPatchPage->pLowestAddrGC == 0
4471 || pPatchPage->pLowestAddrGC > (RTGCPTR)pGuestToPatchRec->Core.Key)
4472 {
4473 RTGCUINTPTR offset;
4474
4475 pPatchPage->pLowestAddrGC = (RTGCPTR)pGuestToPatchRec->Core.Key;
4476
4477 offset = pPatchPage->pLowestAddrGC & PAGE_OFFSET_MASK;
4478 /* If we're too close to the page boundary, then make sure an instruction from the previous page doesn't cross the boundary itself. */
4479 if (offset && offset < MAX_INSTR_SIZE)
4480 {
4481 /* Get the closest guest instruction (from above) */
4482 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage-1, false);
4483
4484 if (pGuestToPatchRec)
4485 {
4486 uint32_t size = patmGetInstrSize(pVM, pPatch, (RTGCPTR)pGuestToPatchRec->Core.Key);
4487 if ((RTGCUINTPTR)pGuestToPatchRec->Core.Key + size > pPage)
4488 pPatchPage->pLowestAddrGC = pPage;
4489 }
4490 }
4491 }
4492 }
4493
4494 /* Get the closest guest instruction (from above) */
4495 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage+PAGE_SIZE-1, false);
4496 Assert(pGuestToPatchRec);
4497 if (pGuestToPatchRec)
4498 {
4499 if ( pPatchPage->pHighestAddrGC == 0
4500 || pPatchPage->pHighestAddrGC < (RTGCPTR)pGuestToPatchRec->Core.Key)
4501 {
4502 pPatchPage->pHighestAddrGC = (RTGCPTR)pGuestToPatchRec->Core.Key;
4503 /* Increase by instruction size. */
4504 uint32_t size = patmGetInstrSize(pVM, pPatch, pPatchPage->pHighestAddrGC);
4505//// Assert(size);
4506 pPatchPage->pHighestAddrGC += size;
4507 }
4508 }
4509
4510 return VINF_SUCCESS;
4511}
4512
4513/**
4514 * Remove patch from page record
4515 *
4516 * @returns VBox status code.
4517 * @param pVM The VM to operate on.
4518 * @param pPage Page address
4519 * @param pPatch Patch record
4520 */
4521int patmRemovePatchFromPage(PVM pVM, RTGCUINTPTR pPage, PPATCHINFO pPatch)
4522{
4523 PPATMPATCHPAGE pPatchPage;
4524 int rc;
4525
4526 pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4527 Assert(pPatchPage);
4528
4529 if (!pPatchPage)
4530 return VERR_INVALID_PARAMETER;
4531
4532 Assert(pPatchPage->cCount <= pPatchPage->cMaxPatches);
4533
4534 Log(("patmRemovePatchPage: remove patch %VHv from page %VGv\n", pPatch, pPage));
4535 if (pPatchPage->cCount > 1)
4536 {
4537 uint32_t i;
4538
4539 /* Used by multiple patches */
4540 for (i=0;i<pPatchPage->cCount;i++)
4541 {
4542 if (pPatchPage->aPatch[i] == pPatch)
4543 {
4544 pPatchPage->aPatch[i] = 0;
4545 break;
4546 }
4547 }
4548 /* close the gap between the remaining pointers. */
4549 if (i < pPatchPage->cCount - 1)
4550 {
4551 memcpy(&pPatchPage->aPatch[i], &pPatchPage->aPatch[i+1], sizeof(PPATCHINFO)*(pPatchPage->cCount - (i+1)));
4552 }
4553 AssertMsg(i < pPatchPage->cCount, ("Unable to find patch %VHv in page %VGv\n", pPatch, pPage));
4554
4555 pPatchPage->cCount--;
4556 }
4557 else
4558 {
4559 PPATMPATCHPAGE pPatchNode;
4560
4561 Log(("patmRemovePatchFromPage %VGv\n", pPage));
4562
4563 STAM_COUNTER_INC(&pVM->patm.s.StatPatchPageRemoved);
4564 pPatchNode = (PPATMPATCHPAGE)RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4565 Assert(pPatchNode && pPatchNode == pPatchPage);
4566
4567 Assert(pPatchPage->aPatch);
4568 rc = MMHyperFree(pVM, pPatchPage->aPatch);
4569 AssertRC(rc);
4570 rc = MMHyperFree(pVM, pPatchPage);
4571 AssertRC(rc);
4572 pVM->patm.s.cPageRecords--;
4573 }
4574 return VINF_SUCCESS;
4575}
4576
4577/**
4578 * Insert page records for all guest pages that contain instructions that were recompiled for this patch
4579 *
4580 * @returns VBox status code.
4581 * @param pVM The VM to operate on.
4582 * @param pPatch Patch record
4583 */
4584int patmInsertPatchPages(PVM pVM, PPATCHINFO pPatch)
4585{
4586 int rc;
4587 RTGCUINTPTR pPatchPageStart, pPatchPageEnd, pPage;
4588
4589 /* Insert the pages that contain patched instructions into a lookup tree for detecting self-modifying code. */
4590 pPatchPageStart = (RTGCUINTPTR)pPatch->pInstrGCLowest & PAGE_BASE_GC_MASK;
4591 pPatchPageEnd = (RTGCUINTPTR)pPatch->pInstrGCHighest & PAGE_BASE_GC_MASK;
4592
4593 /** @todo optimize better (large gaps between current and next used page) */
4594 for(pPage = pPatchPageStart; pPage <= pPatchPageEnd; pPage += PAGE_SIZE)
4595 {
4596 /* Get the closest guest instruction (from above) */
4597 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4598 if ( pGuestToPatchRec
4599 && PAGE_ADDRESS(pGuestToPatchRec->Core.Key) == PAGE_ADDRESS(pPage)
4600 )
4601 {
4602 /* Code in page really patched -> add record */
4603 rc = patmAddPatchToPage(pVM, pPage, pPatch);
4604 AssertRC(rc);
4605 }
4606 }
4607 pPatch->flags |= PATMFL_CODE_MONITORED;
4608 return VINF_SUCCESS;
4609}
4610
4611/**
4612 * Remove page records for all guest pages that contain instructions that were recompiled for this patch
4613 *
4614 * @returns VBox status code.
4615 * @param pVM The VM to operate on.
4616 * @param pPatch Patch record
4617 */
4618int patmRemovePatchPages(PVM pVM, PPATCHINFO pPatch)
4619{
4620 int rc;
4621 RTGCUINTPTR pPatchPageStart, pPatchPageEnd, pPage;
4622
4623 /* Insert the pages that contain patched instructions into a lookup tree for detecting self-modifying code. */
4624 pPatchPageStart = (RTGCUINTPTR)pPatch->pInstrGCLowest & PAGE_BASE_GC_MASK;
4625 pPatchPageEnd = (RTGCUINTPTR)pPatch->pInstrGCHighest & PAGE_BASE_GC_MASK;
4626
4627 for(pPage = pPatchPageStart; pPage <= pPatchPageEnd; pPage += PAGE_SIZE)
4628 {
4629 /* Get the closest guest instruction (from above) */
4630 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4631 if ( pGuestToPatchRec
4632 && PAGE_ADDRESS(pGuestToPatchRec->Core.Key) == PAGE_ADDRESS(pPage) /** @todo bird: PAGE_ADDRESS is for the current context really. check out these. */
4633 )
4634 {
4635 /* Code in page really patched -> remove record */
4636 rc = patmRemovePatchFromPage(pVM, pPage, pPatch);
4637 AssertRC(rc);
4638 }
4639 }
4640 pPatch->flags &= ~PATMFL_CODE_MONITORED;
4641 return VINF_SUCCESS;
4642}
4643
4644/**
4645 * Notifies PATM about a (potential) write to code that has been patched.
4646 *
4647 * @returns VBox status code.
4648 * @param pVM The VM to operate on.
4649 * @param GCPtr GC pointer to write address
4650 * @param cbWrite Nr of bytes to write
4651 *
4652 */
4653PATMR3DECL(int) PATMR3PatchWrite(PVM pVM, RTGCPTR GCPtr, uint32_t cbWrite)
4654{
4655 RTGCUINTPTR pWritePageStart, pWritePageEnd, pPage;
4656
4657 Log(("PATMR3PatchWrite %VGv %x\n", GCPtr, cbWrite));
4658
4659 Assert(VM_IS_EMT(pVM));
4660
4661 /* Quick boundary check */
4662 if ( GCPtr < pVM->patm.s.pPatchedInstrGCLowest
4663 || GCPtr > pVM->patm.s.pPatchedInstrGCHighest
4664 )
4665 return VINF_SUCCESS;
4666
4667 STAM_PROFILE_ADV_START(&pVM->patm.s.StatPatchWrite, a);
4668
4669 pWritePageStart = (RTGCUINTPTR)GCPtr & PAGE_BASE_GC_MASK;
4670 pWritePageEnd = ((RTGCUINTPTR)GCPtr + cbWrite - 1) & PAGE_BASE_GC_MASK;
4671
4672 for (pPage = pWritePageStart; pPage <= pWritePageEnd; pPage += PAGE_SIZE)
4673 {
4674loop_start:
4675 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTGCPTR)pPage);
4676 if (pPatchPage)
4677 {
4678 uint32_t i;
4679 bool fValidPatchWrite = false;
4680
4681 for (i=0;i<pPatchPage->cCount;i++)
4682 {
4683 if (pPatchPage->aPatch[i])
4684 {
4685 PPATCHINFO pPatch = pPatchPage->aPatch[i];
4686 RTGCPTR pPatchInstrGC;
4687 //unused: bool fForceBreak = false;
4688
4689 Assert(pPatchPage->aPatch[i]->flags & PATMFL_CODE_MONITORED);
4690 /** @todo inefficient and includes redundant checks for multiple pages. */
4691 for (uint32_t j=0; j<cbWrite; j++)
4692 {
4693 RTGCPTR pGuestPtrGC = (RTGCPTR)((RTGCUINTPTR)GCPtr + j);
4694
4695 if ( pPatch->cbPatchJump
4696 && pGuestPtrGC >= pPatch->pPrivInstrGC
4697 && pGuestPtrGC < pPatch->pPrivInstrGC + pPatch->cbPatchJump)
4698 {
4699 /* The guest is about to overwrite the 5 byte jump to patch code. Remove the patch. */
4700 Log(("PATMR3PatchWrite: overwriting jump to patch code -> remove patch.\n"));
4701 int rc = PATMR3RemovePatch(pVM, pPatch->pPrivInstrGC);
4702 AssertRC(rc);
4703
4704 /** @note jump back to the start as the pPatchPage has been deleted or changed */
4705 goto loop_start;
4706 }
4707
4708 pPatchInstrGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pGuestPtrGC);
4709 if (pPatchInstrGC)
4710 {
4711 uint32_t PatchOffset = pPatchInstrGC - pVM->patm.s.pPatchMemGC; /* Offset in memory reserved for PATM. */
4712
4713 fValidPatchWrite = true;
4714
4715 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
4716 Assert(pPatchToGuestRec);
4717 if (pPatchToGuestRec && !pPatchToGuestRec->fDirty)
4718 {
4719 Log(("PATMR3PatchWrite: Found patched instruction %VGv -> %VGv\n", pGuestPtrGC, pPatchInstrGC));
4720
4721 if (++pPatch->cCodeWrites > PATM_MAX_CODE_WRITES)
4722 {
4723 LogRel(("PATM: Disable block at %VGv - write %VGv-%VGv\n", pPatch->pPrivInstrGC, pGuestPtrGC, pGuestPtrGC+cbWrite));
4724
4725 PATMR3MarkDirtyPatch(pVM, pPatch);
4726
4727 /** @note jump back to the start as the pPatchPage has been deleted or changed */
4728 goto loop_start;
4729 }
4730 else
4731 {
4732 /* Replace the patch instruction with a breakpoint; when it's hit, then we'll attempt to recompile the instruction again. */
4733 uint8_t *pInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pPatchInstrGC);
4734
4735 pPatchToGuestRec->u8DirtyOpcode = *pInstrHC;
4736 pPatchToGuestRec->fDirty = true;
4737
4738 *pInstrHC = 0xCC;
4739
4740 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirty);
4741 }
4742 }
4743 /* else already marked dirty */
4744 }
4745 }
4746 }
4747 } /* for each patch */
4748
4749 if (fValidPatchWrite == false)
4750 {
4751 /* Write to a part of the page that either:
4752 * - doesn't contain any code (shared code/data); rather unlikely
4753 * - old code page that's no longer in active use.
4754 */
4755invalid_write_loop_start:
4756 pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTGCPTR)pPage);
4757
4758 if (pPatchPage)
4759 {
4760 for (i=0;i<pPatchPage->cCount;i++)
4761 {
4762 PPATCHINFO pPatch = pPatchPage->aPatch[i];
4763
4764 if (pPatch->cInvalidWrites > PATM_MAX_INVALID_WRITES)
4765 {
4766 /** @note possibly dangerous assumption that all future writes will be harmless. */
4767 if (pPatch->flags & PATMFL_IDTHANDLER)
4768 {
4769 LogRel(("PATM: Stop monitoring IDT handler pages at %VGv - invalid write %VGv-%VGv \n", pPatch->pPrivInstrGC, GCPtr, GCPtr+cbWrite));
4770
4771 Assert(pPatch->flags & PATMFL_CODE_MONITORED);
4772 int rc = patmRemovePatchPages(pVM, pPatch);
4773 AssertRC(rc);
4774 }
4775 else
4776 {
4777 LogRel(("PATM: Disable block at %VGv - invalid write %VGv-%VGv \n", pPatch->pPrivInstrGC, GCPtr, GCPtr+cbWrite));
4778 PATMR3MarkDirtyPatch(pVM, pPatch);
4779 }
4780 /** @note jump back to the start as the pPatchPage has been deleted or changed */
4781 goto invalid_write_loop_start;
4782 }
4783 } /* for */
4784 }
4785 }
4786 }
4787 }
4788 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatPatchWrite, a);
4789 return VINF_SUCCESS;
4790
4791}
4792
4793/**
4794 * Disable all patches in a flushed page
4795 *
4796 * @returns VBox status code
4797 * @param pVM The VM to operate on.
4798 * @param addr GC address of the page to flush
4799 */
4800/** @note Currently only called by CSAMR3FlushPage; optimization to avoid having to double check if the physical address has changed
4801 */
4802PATMR3DECL(int) PATMR3FlushPage(PVM pVM, RTGCPTR addr)
4803{
4804 addr &= PAGE_BASE_GC_MASK;
4805
4806 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, addr);
4807 if (pPatchPage)
4808 {
4809 int i;
4810
4811 /* From top to bottom as the array is modified by PATMR3MarkDirtyPatch. */
4812 for (i=(int)pPatchPage->cCount-1;i>=0;i--)
4813 {
4814 if (pPatchPage->aPatch[i])
4815 {
4816 PPATCHINFO pPatch = pPatchPage->aPatch[i];
4817
4818 Log(("PATMR3FlushPage %VGv remove patch at %VGv\n", addr, pPatch->pPrivInstrGC));
4819 PATMR3MarkDirtyPatch(pVM, pPatch);
4820 }
4821 }
4822 STAM_COUNTER_INC(&pVM->patm.s.StatFlushed);
4823 }
4824 return VINF_SUCCESS;
4825}
4826
4827/**
4828 * Checks if the instructions at the specified address has been patched already.
4829 *
4830 * @returns boolean, patched or not
4831 * @param pVM The VM to operate on.
4832 * @param pInstrGC Guest context pointer to instruction
4833 */
4834PATMR3DECL(bool) PATMR3HasBeenPatched(PVM pVM, RTGCPTR pInstrGC)
4835{
4836 PPATMPATCHREC pPatchRec;
4837 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4838 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED)
4839 return true;
4840 return false;
4841}
4842
4843/**
4844 * Query the opcode of the original code that was overwritten by the 5 bytes patch jump
4845 *
4846 * @returns VBox status code.
4847 * @param pVM The VM to operate on.
4848 * @param pInstrGC GC address of instr
4849 * @param pByte opcode byte pointer (OUT)
4850 *
4851 */
4852PATMR3DECL(int) PATMR3QueryOpcode(PVM pVM, RTGCPTR pInstrGC, uint8_t *pByte)
4853{
4854 PPATMPATCHREC pPatchRec;
4855
4856 /** @todo this will not work for aliased pages! (never has, but so far not a problem for us) */
4857
4858 /* Shortcut. */
4859 if ( !PATMIsEnabled(pVM)
4860 || pInstrGC < pVM->patm.s.pPatchedInstrGCLowest
4861 || pInstrGC > pVM->patm.s.pPatchedInstrGCHighest)
4862 {
4863 return VERR_PATCH_NOT_FOUND;
4864 }
4865
4866 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
4867 // if the patch is enabled and the pointer lies within 5 bytes of this priv instr ptr, then we've got a hit!
4868 if ( pPatchRec
4869 && pPatchRec->patch.uState == PATCH_ENABLED
4870 && pInstrGC >= pPatchRec->patch.pPrivInstrGC
4871 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
4872 {
4873 RTGCPTR offset = pInstrGC - pPatchRec->patch.pPrivInstrGC;
4874 *pByte = pPatchRec->patch.aPrivInstr[offset];
4875
4876 if (pPatchRec->patch.cbPatchJump == 1)
4877 {
4878 Log(("PATMR3QueryOpcode: returning opcode %2X for instruction at %VGv\n", *pByte, pInstrGC));
4879 }
4880 STAM_COUNTER_ADD(&pVM->patm.s.StatNrOpcodeRead, 1);
4881 return VINF_SUCCESS;
4882 }
4883 return VERR_PATCH_NOT_FOUND;
4884}
4885
4886/**
4887 * Disable patch for privileged instruction at specified location
4888 *
4889 * @returns VBox status code.
4890 * @param pVM The VM to operate on.
4891 * @param pInstr Guest context point to privileged instruction
4892 *
4893 * @note returns failure if patching is not allowed or possible
4894 *
4895 */
4896PATMR3DECL(int) PATMR3DisablePatch(PVM pVM, RTGCPTR pInstrGC)
4897{
4898 PPATMPATCHREC pPatchRec;
4899 PPATCHINFO pPatch;
4900
4901 Log(("PATMR3DisablePatch: %VGv\n", pInstrGC));
4902 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4903 if (pPatchRec)
4904 {
4905 int rc = VINF_SUCCESS;
4906
4907 pPatch = &pPatchRec->patch;
4908
4909 /* Already disabled? */
4910 if (pPatch->uState == PATCH_DISABLED)
4911 return VINF_SUCCESS;
4912
4913 /* Clear the IDT entries for the patch we're disabling. */
4914 /** @note very important as we clear IF in the patch itself */
4915 /** @todo this needs to be changed */
4916 if (pPatch->flags & PATMFL_IDTHANDLER)
4917 {
4918 uint32_t iGate;
4919
4920 iGate = TRPMR3QueryGateByHandler(pVM, PATCHCODE_PTR_GC(pPatch));
4921 if (iGate != (uint32_t)~0)
4922 {
4923 TRPMR3SetGuestTrapHandler(pVM, iGate, TRPM_INVALID_HANDLER);
4924 LogRel(("PATM: Disabling IDT %x patch handler %VGv\n", iGate, pInstrGC));
4925 }
4926 }
4927
4928 /* Mark the entry with a breakpoint in case somebody else calls it later on (cli patch used as a function, function, trampoline or idt patches) */
4929 if ( pPatch->pPatchBlockOffset
4930 && pPatch->uState == PATCH_ENABLED)
4931 {
4932 Log(("Invalidate patch at %VGv (HC=%VGv)\n", PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_HC(pPatch)));
4933 pPatch->bDirtyOpcode = *PATCHCODE_PTR_HC(pPatch);
4934 *PATCHCODE_PTR_HC(pPatch) = 0xCC;
4935 }
4936
4937 /* IDT or function patches haven't changed any guest code. */
4938 if (pPatch->flags & PATMFL_PATCHED_GUEST_CODE)
4939 {
4940 Assert(pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP);
4941 Assert(!(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAMPOLINE|PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK)));
4942
4943 if (pPatch->uState != PATCH_REFUSED)
4944 {
4945 AssertMsg(pPatch->pPrivInstrHC, ("Invalid HC pointer?!? (%VGv)\n", pInstrGC));
4946 Assert(pPatch->cbPatchJump);
4947
4948 /** pPrivInstrHC is probably not valid anymore */
4949 rc = PGMPhysGCPtr2HCPtr(pVM, pPatchRec->patch.pPrivInstrGC, (PRTHCPTR)&pPatchRec->patch.pPrivInstrHC);
4950 if (rc == VINF_SUCCESS)
4951 {
4952 uint8_t temp[16];
4953
4954 Assert(pPatch->cbPatchJump < sizeof(temp));
4955
4956 /* Let's first check if the guest code is still the same. */
4957 rc = PGMPhysReadGCPtr(pVM, temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
4958 Assert(rc == VINF_SUCCESS || rc == VERR_PAGE_TABLE_NOT_PRESENT || rc == VERR_PAGE_NOT_PRESENT);
4959 if (rc == VINF_SUCCESS)
4960 {
4961 RTGCINTPTR displ = (RTGCUINTPTR)PATCHCODE_PTR_GC(pPatch) - ((RTGCUINTPTR)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32);
4962
4963 if ( temp[0] != 0xE9 /* jmp opcode */
4964 || *(RTGCINTPTR *)(&temp[1]) != displ
4965 )
4966 {
4967 Log(("PATMR3DisablePatch: Can't disable a patch who's guest code has changed!!\n"));
4968 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
4969 /* Remove it completely */
4970 pPatch->uState = PATCH_DISABLED; /* don't call PATMR3DisablePatch again */
4971 rc = PATMR3RemovePatch(pVM, pInstrGC);
4972 AssertRC(rc);
4973 return VWRN_PATCH_REMOVED;
4974 }
4975 }
4976 patmRemoveJumpToPatch(pVM, pPatch);
4977
4978 }
4979 else
4980 {
4981 Log(("PATMR3DisablePatch: unable to disable patch -> mark PATCH_DISABLE_PENDING\n"));
4982 pPatch->uState = PATCH_DISABLE_PENDING;
4983 }
4984 }
4985 else
4986 {
4987 AssertMsgFailed(("Patch was refused!\n"));
4988 return VERR_PATCH_ALREADY_DISABLED;
4989 }
4990 }
4991 else
4992 if (pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
4993 {
4994 uint8_t temp[16];
4995
4996 Assert(pPatch->cbPatchJump < sizeof(temp));
4997
4998 /* Let's first check if the guest code is still the same. */
4999 rc = PGMPhysReadGCPtr(pVM, temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5000 Assert(rc == VINF_SUCCESS || rc == VERR_PAGE_TABLE_NOT_PRESENT || rc == VERR_PAGE_NOT_PRESENT);
5001 if (rc == VINF_SUCCESS)
5002 {
5003 if (temp[0] != 0xCC)
5004 {
5005 Log(("PATMR3DisablePatch: Can't disable a patch who's guest code has changed!!\n"));
5006 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5007 /* Remove it completely */
5008 pPatch->uState = PATCH_DISABLED; /* don't call PATMR3DisablePatch again */
5009 rc = PATMR3RemovePatch(pVM, pInstrGC);
5010 AssertRC(rc);
5011 return VWRN_PATCH_REMOVED;
5012 }
5013 patmDeactivateInt3Patch(pVM, pPatch);
5014 }
5015 }
5016
5017 if (rc == VINF_SUCCESS)
5018 {
5019 /* Save old state and mark this one as disabled (so it can be enabled later on). */
5020 if (pPatch->uState == PATCH_DISABLE_PENDING)
5021 {
5022 /* Just to be safe, let's make sure this one can never be reused; the patch might be marked dirty already (int3 at start) */
5023 pPatch->uState = PATCH_UNUSABLE;
5024 }
5025 else
5026 if (pPatch->uState != PATCH_DIRTY)
5027 {
5028 pPatch->uOldState = pPatch->uState;
5029 pPatch->uState = PATCH_DISABLED;
5030 }
5031 STAM_COUNTER_ADD(&pVM->patm.s.StatDisabled, 1);
5032 }
5033
5034 Log(("PATMR3DisablePatch: disabled patch at %VGv\n", pInstrGC));
5035 return VINF_SUCCESS;
5036 }
5037 Log(("Patch not found!\n"));
5038 return VERR_PATCH_NOT_FOUND;
5039}
5040
5041/**
5042 * Permanently disable patch for privileged instruction at specified location
5043 *
5044 * @returns VBox status code.
5045 * @param pVM The VM to operate on.
5046 * @param pInstr Guest context instruction pointer
5047 * @param pConflictAddr Guest context pointer which conflicts with specified patch
5048 * @param pConflictPatch Conflicting patch
5049 *
5050 */
5051static int patmDisableUnusablePatch(PVM pVM, RTGCPTR pInstrGC, RTGCPTR pConflictAddr, PPATCHINFO pConflictPatch)
5052{
5053#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
5054 PATCHINFO patch = {0};
5055 DISCPUSTATE cpu;
5056 HCPTRTYPE(uint8_t *) pInstrHC;
5057 uint32_t opsize;
5058 bool disret;
5059 int rc;
5060
5061 pInstrHC = PATMGCVirtToHCVirt(pVM, &patch, pInstrGC);
5062 cpu.mode = (pConflictPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
5063 disret = PATMR3DISInstr(pVM, &patch, &cpu, pInstrGC, pInstrHC, &opsize, NULL);
5064 /*
5065 * If it's a 5 byte relative jump, then we can work around the problem by replacing the 32 bits relative offset
5066 * with one that jumps right into the conflict patch.
5067 * Otherwise we must disable the conflicting patch to avoid serious problems.
5068 */
5069 if ( disret == true
5070 && (pConflictPatch->flags & PATMFL_CODE32)
5071 && (cpu.pCurInstr->opcode == OP_JMP || (cpu.pCurInstr->optype & OPTYPE_COND_CONTROLFLOW))
5072 && (cpu.param1.flags & USE_IMMEDIATE32_REL))
5073 {
5074 /* Hint patches must be enabled first. */
5075 if (pConflictPatch->flags & PATMFL_INSTR_HINT)
5076 {
5077 Log(("Enabling HINTED patch %VGv\n", pConflictPatch->pPrivInstrGC));
5078 pConflictPatch->flags &= ~PATMFL_INSTR_HINT;
5079 rc = PATMR3EnablePatch(pVM, pConflictPatch->pPrivInstrGC);
5080 Assert(rc == VINF_SUCCESS || rc == VERR_PATCH_NOT_FOUND);
5081 /* Enabling might fail if the patched code has changed in the meantime. */
5082 if (rc != VINF_SUCCESS)
5083 return rc;
5084 }
5085
5086 rc = PATMR3InstallPatch(pVM, pInstrGC, PATMFL_CODE32 | PATMFL_JUMP_CONFLICT);
5087 if (VBOX_SUCCESS(rc))
5088 {
5089 Log(("PATM -> CONFLICT: Installed JMP patch for patch conflict at %VGv\n", pInstrGC));
5090 STAM_COUNTER_INC(&pVM->patm.s.StatFixedConflicts);
5091 return VINF_SUCCESS;
5092 }
5093 }
5094#endif
5095
5096 if (pConflictPatch->opcode == OP_CLI)
5097 {
5098 /* Turn it into an int3 patch; our GC trap handler will call the generated code manually. */
5099 Log(("PATM -> CONFLICT: Found active patch at instruction %VGv with target %VGv -> turn into int 3 patch!!\n", pInstrGC, pConflictPatch->pPrivInstrGC));
5100 int rc = PATMR3DisablePatch(pVM, pConflictPatch->pPrivInstrGC);
5101 if (rc == VWRN_PATCH_REMOVED)
5102 return VINF_SUCCESS;
5103 if (VBOX_SUCCESS(rc))
5104 {
5105 pConflictPatch->flags &= ~(PATMFL_MUST_INSTALL_PATCHJMP|PATMFL_INSTR_HINT);
5106 pConflictPatch->flags |= PATMFL_INT3_REPLACEMENT_BLOCK;
5107 rc = PATMR3EnablePatch(pVM, pConflictPatch->pPrivInstrGC);
5108 if (rc == VERR_PATCH_NOT_FOUND)
5109 return VINF_SUCCESS; /* removed already */
5110
5111 AssertRC(rc);
5112 if (VBOX_SUCCESS(rc))
5113 {
5114 STAM_COUNTER_INC(&pVM->patm.s.StatInt3Callable);
5115 return VINF_SUCCESS;
5116 }
5117 }
5118 /* else turned into unusable patch (see below) */
5119 }
5120 else
5121 {
5122 Log(("PATM -> CONFLICT: Found active patch at instruction %VGv with target %VGv -> DISABLING it!!\n", pInstrGC, pConflictPatch->pPrivInstrGC));
5123 int rc = PATMR3DisablePatch(pVM, pConflictPatch->pPrivInstrGC);
5124 if (rc == VWRN_PATCH_REMOVED)
5125 return VINF_SUCCESS;
5126 }
5127
5128 /* No need to monitor the code anymore. */
5129 if (pConflictPatch->flags & PATMFL_CODE_MONITORED)
5130 {
5131 int rc = patmRemovePatchPages(pVM, pConflictPatch);
5132 AssertRC(rc);
5133 }
5134 pConflictPatch->uState = PATCH_UNUSABLE;
5135 STAM_COUNTER_INC(&pVM->patm.s.StatUnusable);
5136 return VERR_PATCH_DISABLED;
5137}
5138
5139/**
5140 * Enable patch for privileged instruction at specified location
5141 *
5142 * @returns VBox status code.
5143 * @param pVM The VM to operate on.
5144 * @param pInstr Guest context point to privileged instruction
5145 *
5146 * @note returns failure if patching is not allowed or possible
5147 *
5148 */
5149PATMR3DECL(int) PATMR3EnablePatch(PVM pVM, RTGCPTR pInstrGC)
5150{
5151 PPATMPATCHREC pPatchRec;
5152 PPATCHINFO pPatch;
5153
5154 Log(("PATMR3EnablePatch %VGv\n", pInstrGC));
5155 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5156 if (pPatchRec)
5157 {
5158 int rc = VINF_SUCCESS;
5159
5160 pPatch = &pPatchRec->patch;
5161
5162 if (pPatch->uState == PATCH_DISABLED)
5163 {
5164 if (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
5165 {
5166 Assert(!(pPatch->flags & PATMFL_PATCHED_GUEST_CODE));
5167 /** @todo -> pPrivInstrHC is probably not valid anymore */
5168 rc = PGMPhysGCPtr2HCPtr(pVM, pPatchRec->patch.pPrivInstrGC, (PRTHCPTR)&pPatchRec->patch.pPrivInstrHC);
5169 if (rc == VINF_SUCCESS)
5170 {
5171#ifdef DEBUG
5172 DISCPUSTATE cpu;
5173 char szOutput[256];
5174 uint32_t opsize, i = 0;
5175#endif
5176 uint8_t temp[16];
5177
5178 Assert(pPatch->cbPatchJump < sizeof(temp));
5179
5180 // let's first check if the guest code is still the same
5181 int rc = PGMPhysReadGCPtr(pVM, temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5182 AssertRC(rc);
5183
5184 if (memcmp(temp, pPatch->aPrivInstr, pPatch->cbPatchJump))
5185 {
5186 Log(("PATMR3EnablePatch: Can't enable a patch who's guest code has changed!!\n"));
5187 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5188 /* Remove it completely */
5189 PATMR3RemovePatch(pVM, pInstrGC);
5190 return VERR_PATCH_NOT_FOUND;
5191 }
5192
5193 rc = patmGenJumpToPatch(pVM, pPatch, false);
5194 AssertRC(rc);
5195 if (VBOX_FAILURE(rc))
5196 return rc;
5197
5198#ifdef DEBUG
5199 bool disret;
5200 i = 0;
5201 while(i < pPatch->cbPatchJump)
5202 {
5203 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
5204 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC + i, &pPatch->pPrivInstrHC[i], &opsize, szOutput);
5205 Log(("Renewed patch instr: %s", szOutput));
5206 i += opsize;
5207 }
5208#endif
5209 }
5210 }
5211 else
5212 if (pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
5213 {
5214 uint8_t temp[16];
5215
5216 Assert(pPatch->cbPatchJump < sizeof(temp));
5217
5218 /* Let's first check if the guest code is still the same. */
5219 int rc = PGMPhysReadGCPtr(pVM, temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5220 AssertRC(rc);
5221
5222 if (memcmp(temp, pPatch->aPrivInstr, pPatch->cbPatchJump))
5223 {
5224 Log(("PATMR3EnablePatch: Can't enable a patch who's guest code has changed!!\n"));
5225 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5226 PATMR3RemovePatch(pVM, pInstrGC);
5227 return VERR_PATCH_NOT_FOUND;
5228 }
5229
5230 rc = patmActivateInt3Patch(pVM, pPatch);
5231 if (VBOX_FAILURE(rc))
5232 return rc;
5233 }
5234
5235 pPatch->uState = pPatch->uOldState; //restore state
5236
5237 /* Restore the entry breakpoint with the original opcode (see PATMR3DisablePatch). */
5238 if (pPatch->pPatchBlockOffset)
5239 {
5240 *PATCHCODE_PTR_HC(pPatch) = pPatch->bDirtyOpcode;
5241 }
5242
5243 STAM_COUNTER_ADD(&pVM->patm.s.StatEnabled, 1);
5244 }
5245 else
5246 Log(("PATMR3EnablePatch: Unable to enable patch %VGv with state %d\n", pInstrGC, pPatch->uState));
5247
5248 return rc;
5249 }
5250 return VERR_PATCH_NOT_FOUND;
5251}
5252
5253/**
5254 * Remove patch for privileged instruction at specified location
5255 *
5256 * @returns VBox status code.
5257 * @param pVM The VM to operate on.
5258 * @param pPatchRec Patch record
5259 * @param fForceRemove Remove *all* patches
5260 */
5261int PATMRemovePatch(PVM pVM, PPATMPATCHREC pPatchRec, bool fForceRemove)
5262{
5263 PPATCHINFO pPatch;
5264
5265 pPatch = &pPatchRec->patch;
5266
5267 /* Strictly forbidden to remove such patches. There can be dependencies!! */
5268 AssertReturn(fForceRemove || !(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION)), VERR_ACCESS_DENIED);
5269
5270 /** @note NEVER EVER REUSE PATCH MEMORY */
5271 /** @note PATMR3DisablePatch put a breakpoint (0xCC) at the entry of this patch */
5272
5273 if (pPatchRec->patch.pPatchBlockOffset)
5274 {
5275 PAVLOGCPTRNODECORE pNode;
5276
5277 pNode = RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->patch.pPatchBlockOffset);
5278 Assert(pNode);
5279 }
5280
5281 if (pPatchRec->patch.flags & PATMFL_CODE_MONITORED)
5282 {
5283 int rc = patmRemovePatchPages(pVM, &pPatchRec->patch);
5284 AssertRC(rc);
5285 }
5286
5287#ifdef VBOX_WITH_STATISTICS
5288 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
5289 {
5290 STAMR3Deregister(pVM, &pPatchRec->patch);
5291#ifndef DEBUG_sandervl
5292 STAMR3Deregister(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx]);
5293 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchBlockSize);
5294 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchJump);
5295 STAMR3Deregister(pVM, &pPatchRec->patch.cbPrivInstr);
5296 STAMR3Deregister(pVM, &pPatchRec->patch.cCodeWrites);
5297 STAMR3Deregister(pVM, &pPatchRec->patch.cInvalidWrites);
5298 STAMR3Deregister(pVM, &pPatchRec->patch.cTraps);
5299 STAMR3Deregister(pVM, &pPatchRec->patch.flags);
5300 STAMR3Deregister(pVM, &pPatchRec->patch.nrJumpRecs);
5301 STAMR3Deregister(pVM, &pPatchRec->patch.nrFixups);
5302 STAMR3Deregister(pVM, &pPatchRec->patch.opcode);
5303 STAMR3Deregister(pVM, &pPatchRec->patch.uState);
5304 STAMR3Deregister(pVM, &pPatchRec->patch.uOldState);
5305 STAMR3Deregister(pVM, &pPatchRec->patch.uOpMode);
5306#endif
5307 }
5308#endif
5309
5310 /** @note no need to free Guest2PatchAddrTree as those records share memory with Patch2GuestAddrTree records. */
5311 patmEmptyTreeU32(pVM, &pPatch->Patch2GuestAddrTree);
5312 pPatch->nrPatch2GuestRecs = 0;
5313 Assert(pPatch->Patch2GuestAddrTree == 0);
5314
5315 patmEmptyTree(pVM, &pPatch->FixupTree);
5316 pPatch->nrFixups = 0;
5317 Assert(pPatch->FixupTree == 0);
5318
5319 if (pPatchRec->patch.pTempInfo)
5320 MMR3HeapFree(pPatchRec->patch.pTempInfo);
5321
5322 /** @note might fail, because it has already been removed (e.g. during reset). */
5323 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pPatchRec->Core.Key);
5324
5325 /* Free the patch record */
5326 MMHyperFree(pVM, pPatchRec);
5327 return VINF_SUCCESS;
5328}
5329
5330/**
5331 * Attempt to refresh the patch by recompiling its entire code block
5332 *
5333 * @returns VBox status code.
5334 * @param pVM The VM to operate on.
5335 * @param pPatchRec Patch record
5336 */
5337int patmR3RefreshPatch(PVM pVM, PPATMPATCHREC pPatchRec)
5338{
5339 PPATCHINFO pPatch;
5340 int rc;
5341 RTGCPTR pInstrGC = pPatchRec->patch.pPrivInstrGC;
5342
5343 Log(("patmR3RefreshPatch: attempt to refresh patch at %VGv\n", pInstrGC));
5344
5345 pPatch = &pPatchRec->patch;
5346 AssertReturn(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER), VERR_PATCHING_REFUSED);
5347 AssertReturn(!(pPatch->flags & PATMFL_EXTERNAL_JUMP_INSIDE), VERR_PATCHING_REFUSED);
5348
5349 /** Note: quite ugly to enable/disable/remove/insert old and new patches, but there's no easy way around it. */
5350
5351 rc = PATMR3DisablePatch(pVM, pInstrGC);
5352 AssertRC(rc);
5353
5354 /** Kick it out of the lookup tree to make sure PATMR3InstallPatch doesn't fail (hack alert) */
5355 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pPatchRec->Core.Key);
5356#ifdef VBOX_WITH_STATISTICS
5357 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
5358 {
5359 STAMR3Deregister(pVM, &pPatchRec->patch);
5360#ifndef DEBUG_sandervl
5361 STAMR3Deregister(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx]);
5362 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchBlockSize);
5363 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchJump);
5364 STAMR3Deregister(pVM, &pPatchRec->patch.cbPrivInstr);
5365 STAMR3Deregister(pVM, &pPatchRec->patch.cCodeWrites);
5366 STAMR3Deregister(pVM, &pPatchRec->patch.cInvalidWrites);
5367 STAMR3Deregister(pVM, &pPatchRec->patch.cTraps);
5368 STAMR3Deregister(pVM, &pPatchRec->patch.flags);
5369 STAMR3Deregister(pVM, &pPatchRec->patch.nrJumpRecs);
5370 STAMR3Deregister(pVM, &pPatchRec->patch.nrFixups);
5371 STAMR3Deregister(pVM, &pPatchRec->patch.opcode);
5372 STAMR3Deregister(pVM, &pPatchRec->patch.uState);
5373 STAMR3Deregister(pVM, &pPatchRec->patch.uOldState);
5374 STAMR3Deregister(pVM, &pPatchRec->patch.uOpMode);
5375#endif
5376 }
5377#endif
5378
5379 /** Note: We don't attempt to reuse patch memory here as it's quite common that the new code block requires more memory. */
5380
5381 /* Attempt to install a new patch. */
5382 rc = PATMR3InstallPatch(pVM, pInstrGC, pPatch->flags & (PATMFL_CODE32|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_TRAPHANDLER|PATMFL_DUPLICATE_FUNCTION|PATMFL_TRAPHANDLER_WITH_ERRORCODE|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT));
5383 if (VBOX_SUCCESS(rc))
5384 {
5385 RTGCPTR pPatchTargetGC;
5386 PPATMPATCHREC pNewPatchRec;
5387
5388 /* Determine target address in new patch */
5389 pPatchTargetGC = PATMR3QueryPatchGCPtr(pVM, pInstrGC);
5390 Assert(pPatchTargetGC);
5391 if (!pPatchTargetGC)
5392 {
5393 rc = VERR_PATCHING_REFUSED;
5394 goto failure;
5395 }
5396
5397 /* Reset offset into patch memory to put the next code blocks right at the beginning. */
5398 pPatch->uCurPatchOffset = 0;
5399
5400 /* insert jump to new patch in old patch block */
5401 rc = patmPatchGenPatchJump(pVM, pPatch, pInstrGC, pPatchTargetGC, false /* no lookup record */);
5402 if (VBOX_FAILURE(rc))
5403 goto failure;
5404
5405 pNewPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5406 Assert(pNewPatchRec); /* can't fail */
5407
5408 /* Remove old patch (only do that when everything is finished) */
5409 int rc2 = PATMRemovePatch(pVM, pPatchRec, true /* force removal */);
5410 AssertRC(rc2);
5411
5412 /* Put the new patch back into the tree, because removing the old one kicked this one out. (hack alert) */
5413 RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pNewPatchRec->Core);
5414
5415 LogRel(("PATM: patmR3RefreshPatch: succeeded to refresh patch at %VGv \n", pInstrGC));
5416 STAM_COUNTER_INC(&pVM->patm.s.StatPatchRefreshSuccess);
5417 }
5418
5419failure:
5420 if (VBOX_FAILURE(rc))
5421 {
5422 LogRel(("PATM: patmR3RefreshPatch: failed to refresh patch at %VGv. Reactiving old one. \n", pInstrGC));
5423
5424 /* Remove the new inactive patch */
5425 rc = PATMR3RemovePatch(pVM, pInstrGC);
5426 AssertRC(rc);
5427
5428 /* Put the old patch back into the tree (or else it won't be saved) (hack alert) */
5429 RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pPatchRec->Core);
5430
5431 /* Enable again in case the dirty instruction is near the end and there are safe code paths. */
5432 int rc2 = PATMR3EnablePatch(pVM, pInstrGC);
5433 AssertRC(rc2);
5434
5435 STAM_COUNTER_INC(&pVM->patm.s.StatPatchRefreshFailed);
5436 }
5437 return rc;
5438}
5439
5440/**
5441 * Find patch for privileged instruction at specified location
5442 *
5443 * @returns Patch structure pointer if found; else NULL
5444 * @param pVM The VM to operate on.
5445 * @param pInstr Guest context point to instruction that might lie within 5 bytes of an existing patch jump
5446 * @param fIncludeHints Include hinted patches or not
5447 *
5448 */
5449PPATCHINFO PATMFindActivePatchByEntrypoint(PVM pVM, RTGCPTR pInstrGC, bool fIncludeHints)
5450{
5451 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
5452 /* if the patch is enabled, the pointer is not indentical to the privileged patch ptr and it lies within 5 bytes of this priv instr ptr, then we've got a hit! */
5453 if (pPatchRec)
5454 {
5455 if ( pPatchRec->patch.uState == PATCH_ENABLED
5456 && (pPatchRec->patch.flags & PATMFL_PATCHED_GUEST_CODE)
5457 && pInstrGC > pPatchRec->patch.pPrivInstrGC
5458 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5459 {
5460 Log(("Found active patch at %VGv (org %VGv)\n", pInstrGC, pPatchRec->patch.pPrivInstrGC));
5461 return &pPatchRec->patch;
5462 }
5463 else
5464 if ( fIncludeHints
5465 && pPatchRec->patch.uState == PATCH_DISABLED
5466 && (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
5467 && pInstrGC > pPatchRec->patch.pPrivInstrGC
5468 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5469 {
5470 Log(("Found HINT patch at %VGv (org %VGv)\n", pInstrGC, pPatchRec->patch.pPrivInstrGC));
5471 return &pPatchRec->patch;
5472 }
5473 }
5474 return NULL;
5475}
5476
5477/**
5478 * Checks whether the GC address is inside a generated patch jump
5479 *
5480 * @returns true -> yes, false -> no
5481 * @param pVM The VM to operate on.
5482 * @param pAddr Guest context address
5483 * @param pPatchAddr Guest context patch address (if true)
5484 */
5485PATMR3DECL(bool) PATMR3IsInsidePatchJump(PVM pVM, RTGCPTR pAddr, PRTGCPTR pPatchAddr)
5486{
5487 RTGCPTR addr;
5488 PPATCHINFO pPatch;
5489
5490 if (PATMIsEnabled(pVM) == false)
5491 return false;
5492
5493 if (pPatchAddr == NULL)
5494 pPatchAddr = &addr;
5495
5496 *pPatchAddr = 0;
5497
5498 pPatch = PATMFindActivePatchByEntrypoint(pVM, pAddr);
5499 if (pPatch)
5500 {
5501 *pPatchAddr = pPatch->pPrivInstrGC;
5502 }
5503 return *pPatchAddr == 0 ? false : true;
5504}
5505
5506/**
5507 * Remove patch for privileged instruction at specified location
5508 *
5509 * @returns VBox status code.
5510 * @param pVM The VM to operate on.
5511 * @param pInstr Guest context point to privileged instruction
5512 *
5513 * @note returns failure if patching is not allowed or possible
5514 *
5515 */
5516PATMR3DECL(int) PATMR3RemovePatch(PVM pVM, RTGCPTR pInstrGC)
5517{
5518 PPATMPATCHREC pPatchRec;
5519
5520 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5521 if (pPatchRec)
5522 {
5523 int rc = PATMR3DisablePatch(pVM, pInstrGC);
5524 if (rc == VWRN_PATCH_REMOVED)
5525 return VINF_SUCCESS;
5526 return PATMRemovePatch(pVM, pPatchRec, false);
5527 }
5528 AssertFailed();
5529 return VERR_PATCH_NOT_FOUND;
5530}
5531
5532/**
5533 * Mark patch as dirty
5534 *
5535 * @returns VBox status code.
5536 * @param pVM The VM to operate on.
5537 * @param pPatch Patch record
5538 *
5539 * @note returns failure if patching is not allowed or possible
5540 *
5541 */
5542PATMR3DECL(int) PATMR3MarkDirtyPatch(PVM pVM, PPATCHINFO pPatch)
5543{
5544 if (pPatch->pPatchBlockOffset)
5545 {
5546 Log(("Invalidate patch at %VGv (HC=%VGv)\n", PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_HC(pPatch)));
5547 pPatch->bDirtyOpcode = *PATCHCODE_PTR_HC(pPatch);
5548 *PATCHCODE_PTR_HC(pPatch) = 0xCC;
5549 }
5550
5551 STAM_COUNTER_INC(&pVM->patm.s.StatDirty);
5552 /* Put back the replaced instruction. */
5553 int rc = PATMR3DisablePatch(pVM, pPatch->pPrivInstrGC);
5554 if (rc == VWRN_PATCH_REMOVED)
5555 return VINF_SUCCESS;
5556
5557 /** @note we don't restore patch pages for patches that are not enabled! */
5558 /** @note be careful when changing this behaviour!! */
5559
5560 /* The patch pages are no longer marked for self-modifying code detection */
5561 if (pPatch->flags & PATMFL_CODE_MONITORED)
5562 {
5563 int rc = patmRemovePatchPages(pVM, pPatch);
5564 AssertRCReturn(rc, rc);
5565 }
5566 pPatch->uState = PATCH_DIRTY;
5567
5568 /* Paranoia; make sure this patch is not somewhere in the callchain, so prevent ret instructions from succeeding. */
5569 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
5570
5571 return VINF_SUCCESS;
5572}
5573
5574/**
5575 * Query the corresponding GC instruction pointer from a pointer inside the patch block itself
5576 *
5577 * @returns VBox status code.
5578 * @param pVM The VM to operate on.
5579 * @param pPatch Patch block structure pointer
5580 * @param pPatchGC GC address in patch block
5581 */
5582RTGCPTR patmPatchGCPtr2GuestGCPtr(PVM pVM, PPATCHINFO pPatch, GCPTRTYPE(uint8_t *) pPatchGC)
5583{
5584 Assert(pPatch->Patch2GuestAddrTree);
5585 /* Get the closest record from below. */
5586 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->Patch2GuestAddrTree, pPatchGC - pVM->patm.s.pPatchMemGC, false);
5587 if (pPatchToGuestRec)
5588 return pPatchToGuestRec->pOrgInstrGC;
5589
5590 return 0;
5591}
5592
5593/* Converts Guest code GC ptr to Patch code GC ptr (if found)
5594 *
5595 * @returns corresponding GC pointer in patch block
5596 * @param pVM The VM to operate on.
5597 * @param pPatch Current patch block pointer
5598 * @param pInstrGC Guest context pointer to privileged instruction
5599 *
5600 */
5601RTGCPTR patmGuestGCPtrToPatchGCPtr(PVM pVM, PPATCHINFO pPatch, GCPTRTYPE(uint8_t*) pInstrGC)
5602{
5603 if (pPatch->Guest2PatchAddrTree)
5604 {
5605 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGet(&pPatch->Guest2PatchAddrTree, pInstrGC);
5606 if (pGuestToPatchRec)
5607 return pVM->patm.s.pPatchMemGC + pGuestToPatchRec->PatchOffset;
5608 }
5609
5610 return 0;
5611}
5612
5613/* Converts Guest code GC ptr to Patch code GC ptr (if found)
5614 *
5615 * @returns corresponding GC pointer in patch block
5616 * @param pVM The VM to operate on.
5617 * @param pInstrGC Guest context pointer to privileged instruction
5618 *
5619 */
5620PATMR3DECL(RTGCPTR) PATMR3GuestGCPtrToPatchGCPtr(PVM pVM, GCPTRTYPE(uint8_t*)pInstrGC)
5621{
5622 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
5623 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED && pInstrGC >= pPatchRec->patch.pPrivInstrGC)
5624 {
5625 return patmGuestGCPtrToPatchGCPtr(pVM, &pPatchRec->patch, pInstrGC);
5626 }
5627 return 0;
5628}
5629
5630/**
5631 * Query the corresponding GC instruction pointer from a pointer inside the patch block itself
5632 *
5633 * @returns original GC instruction pointer or 0 if not found
5634 * @param pVM The VM to operate on.
5635 * @param pPatchGC GC address in patch block
5636 * @param pEnmState State of the translated address (out)
5637 *
5638 */
5639PATMR3DECL(RTGCPTR) PATMR3PatchToGCPtr(PVM pVM, RTGCPTR pPatchGC, PATMTRANSSTATE *pEnmState)
5640{
5641 PPATMPATCHREC pPatchRec;
5642 void *pvPatchCoreOffset;
5643 RTGCPTR pPrivInstrGC;
5644
5645 Assert(PATMIsPatchGCAddr(pVM, pPatchGC));
5646 pvPatchCoreOffset = RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchGC - pVM->patm.s.pPatchMemGC, false);
5647 if (pvPatchCoreOffset == 0)
5648 {
5649 Log(("PATMR3PatchToGCPtr failed for %VGv offset %x\n", pPatchGC, pPatchGC - pVM->patm.s.pPatchMemGC));
5650 return 0;
5651 }
5652 pPatchRec = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
5653 pPrivInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, &pPatchRec->patch, pPatchGC);
5654 if (pEnmState)
5655 {
5656 AssertMsg(pPrivInstrGC && ( pPatchRec->patch.uState == PATCH_ENABLED
5657 || pPatchRec->patch.uState == PATCH_DIRTY
5658 || pPatchRec->patch.uState == PATCH_DISABLE_PENDING
5659 || pPatchRec->patch.uState == PATCH_UNUSABLE),
5660 ("pPrivInstrGC=%VGv uState=%d\n", pPrivInstrGC, pPatchRec->patch.uState));
5661
5662 if ( !pPrivInstrGC
5663 || pPatchRec->patch.uState == PATCH_UNUSABLE
5664 || pPatchRec->patch.uState == PATCH_REFUSED)
5665 {
5666 pPrivInstrGC = 0;
5667 *pEnmState = PATMTRANS_FAILED;
5668 }
5669 else
5670 if (pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts == pPrivInstrGC)
5671 {
5672 *pEnmState = PATMTRANS_INHIBITIRQ;
5673 }
5674 else
5675 if ( pPatchRec->patch.uState == PATCH_ENABLED
5676 && !(pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAMPOLINE))
5677 && pPrivInstrGC > pPatchRec->patch.pPrivInstrGC
5678 && pPrivInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5679 {
5680 *pEnmState = PATMTRANS_OVERWRITTEN;
5681 }
5682 else
5683 if (PATMFindActivePatchByEntrypoint(pVM, pPrivInstrGC))
5684 {
5685 *pEnmState = PATMTRANS_OVERWRITTEN;
5686 }
5687 else
5688 if (pPrivInstrGC == pPatchRec->patch.pPrivInstrGC)
5689 {
5690 *pEnmState = PATMTRANS_PATCHSTART;
5691 }
5692 else
5693 *pEnmState = PATMTRANS_SAFE;
5694 }
5695 return pPrivInstrGC;
5696}
5697
5698/**
5699 * Returns the GC pointer of the patch for the specified GC address
5700 *
5701 * @returns VBox status code.
5702 * @param pVM The VM to operate on.
5703 * @param pAddrGC Guest context address
5704 */
5705PATMR3DECL(RTGCPTR) PATMR3QueryPatchGCPtr(PVM pVM, RTGCPTR pAddrGC)
5706{
5707 PPATMPATCHREC pPatchRec;
5708
5709 // Find the patch record
5710 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pAddrGC);
5711 /** @todo we should only use patches that are enabled! always did this, but it's incorrect! */
5712 if (pPatchRec && (pPatchRec->patch.uState == PATCH_ENABLED || pPatchRec->patch.uState == PATCH_DIRTY))
5713 return PATCHCODE_PTR_GC(&pPatchRec->patch);
5714
5715 return 0;
5716}
5717
5718/**
5719 * Attempt to recover dirty instructions
5720 *
5721 * @returns VBox status code.
5722 * @param pVM The VM to operate on.
5723 * @param pCtx CPU context
5724 * @param pPatch Patch record
5725 * @param pPatchToGuestRec Patch to guest address record
5726 * @param pEip GC pointer of trapping instruction
5727 */
5728static int patmR3HandleDirtyInstr(PVM pVM, PCPUMCTX pCtx, PPATMPATCHREC pPatch, PRECPATCHTOGUEST pPatchToGuestRec, RTGCPTR pEip)
5729{
5730 DISCPUSTATE CpuOld, CpuNew;
5731 uint8_t *pPatchInstrHC, *pCurPatchInstrHC;
5732 int rc;
5733 RTGCPTR pCurInstrGC, pCurPatchInstrGC;
5734 uint32_t cbDirty;
5735 PRECPATCHTOGUEST pRec;
5736
5737 Log(("patmR3HandleDirtyInstr: dirty instruction at %VGv (%VGv)\n", pEip, pPatchToGuestRec->pOrgInstrGC));
5738
5739 pRec = pPatchToGuestRec;
5740 pCurInstrGC = pPatchToGuestRec->pOrgInstrGC;
5741 pCurPatchInstrGC = pEip;
5742 cbDirty = 0;
5743 pPatchInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pCurPatchInstrGC);
5744
5745 /* Find all adjacent dirty instructions */
5746 while (true)
5747 {
5748 if (pRec->fJumpTarget)
5749 {
5750 LogRel(("PATM: patmR3HandleDirtyInstr: dirty instruction at %VGv (%VGv) ignored, because instruction in function was reused as target of jump\n", pEip, pPatchToGuestRec->pOrgInstrGC));
5751 pRec->fDirty = false;
5752 return VERR_PATCHING_REFUSED;
5753 }
5754
5755 /* Restore original instruction opcode byte so we can check if the write was indeed safe. */
5756 pCurPatchInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pCurPatchInstrGC);
5757 *pCurPatchInstrHC = pRec->u8DirtyOpcode;
5758
5759 /* Only harmless instructions are acceptable. */
5760 rc = CPUMR3DisasmInstrCPU(pVM, pCtx, pCurPatchInstrGC, &CpuOld, 0);
5761 if ( VBOX_FAILURE(rc)
5762 || !(CpuOld.pCurInstr->optype & OPTYPE_HARMLESS))
5763 break;
5764
5765#ifdef DEBUG
5766 char szBuf[256];
5767 szBuf[0] = '\0';
5768 DBGFR3DisasInstr(pVM, pCtx->cs, pCurPatchInstrGC, szBuf, sizeof(szBuf));
5769 Log(("DIRTY: %s\n", szBuf));
5770#endif
5771 /** Remove old lookup record. */
5772 patmr3RemoveP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrGC);
5773
5774 pCurPatchInstrGC += CpuOld.opsize;
5775 cbDirty += CpuOld.opsize;
5776
5777 /* Mark as clean; if we fail we'll let it always fault. */
5778 pRec->fDirty = false;
5779
5780 /* Let's see if there's another dirty instruction right after. */
5781 pRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->patch.Patch2GuestAddrTree, pCurPatchInstrGC - pVM->patm.s.pPatchMemGC, true);
5782 if (!pRec || !pRec->fDirty)
5783 break; /* no more dirty instructions */
5784 }
5785
5786 if ( VBOX_SUCCESS(rc)
5787 && (CpuOld.pCurInstr->optype & OPTYPE_HARMLESS)
5788 )
5789 {
5790 uint32_t cbLeft;
5791
5792 pCurPatchInstrHC = pPatchInstrHC;
5793 pCurPatchInstrGC = pEip;
5794 cbLeft = cbDirty;
5795
5796 while (cbLeft && VBOX_SUCCESS(rc))
5797 {
5798 bool fValidInstr;
5799
5800 rc = CPUMR3DisasmInstrCPU(pVM, pCtx, pCurInstrGC, &CpuNew, 0);
5801
5802 fValidInstr = !!(CpuNew.pCurInstr->optype & OPTYPE_HARMLESS);
5803 if ( !fValidInstr
5804 && (CpuNew.pCurInstr->optype & OPTYPE_RELATIVE_CONTROLFLOW)
5805 )
5806 {
5807 RTGCPTR pTargetGC = PATMResolveBranch(&CpuNew, pCurInstrGC);
5808
5809 if ( pTargetGC >= pPatchToGuestRec->pOrgInstrGC
5810 && pTargetGC <= pPatchToGuestRec->pOrgInstrGC + cbDirty
5811 )
5812 {
5813 /* A relative jump to an instruction inside or to the end of the dirty block is acceptable. */
5814 fValidInstr = true;
5815 }
5816 }
5817
5818 /* If the instruction is completely harmless (which implies a 1:1 patch copy). */
5819 if ( rc == VINF_SUCCESS
5820 && CpuNew.opsize <= cbLeft /* must still fit */
5821 && fValidInstr
5822 )
5823 {
5824#ifdef DEBUG
5825 char szBuf[256];
5826 szBuf[0] = '\0';
5827 DBGFR3DisasInstr(pVM, pCtx->cs, pCurInstrGC, szBuf, sizeof(szBuf));
5828 Log(("NEW: %s\n", szBuf));
5829#endif
5830
5831 /* Copy the new instruction. */
5832 rc = PGMPhysReadGCPtr(pVM, pCurPatchInstrHC, pCurInstrGC, CpuNew.opsize);
5833 AssertRC(rc);
5834
5835 /* Add a new lookup record for the duplicated instruction. */
5836 patmr3AddP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrHC, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
5837 }
5838 else
5839 {
5840#ifdef DEBUG
5841 char szBuf[256];
5842 szBuf[0] = '\0';
5843 DBGFR3DisasInstr(pVM, pCtx->cs, pCurInstrGC, szBuf, sizeof(szBuf));
5844 Log(("NEW: %s (FAILED)\n", szBuf));
5845#endif
5846 /* Restore the old lookup record for the duplicated instruction. */
5847 patmr3AddP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrHC, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
5848
5849 /** @todo in theory we need to restore the lookup records for the remaining dirty instructions too! */
5850 rc = VERR_PATCHING_REFUSED;
5851 break;
5852 }
5853 pCurInstrGC += CpuNew.opsize;
5854 pCurPatchInstrHC += CpuNew.opsize;
5855 pCurPatchInstrGC += CpuNew.opsize;
5856 cbLeft -= CpuNew.opsize;
5857 }
5858 }
5859 else
5860 rc = VERR_PATCHING_REFUSED;
5861
5862 if (VBOX_SUCCESS(rc))
5863 {
5864 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirtyGood);
5865 }
5866 else
5867 {
5868 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirtyBad);
5869 /* Mark the whole instruction stream with breakpoints. */
5870 memset(pPatchInstrHC, 0xCC, cbDirty);
5871
5872 if ( pVM->patm.s.fOutOfMemory == false
5873 && (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER)))
5874 {
5875 rc = patmR3RefreshPatch(pVM, pPatch);
5876 if (VBOX_FAILURE(rc))
5877 {
5878 LogRel(("PATM: Failed to refresh dirty patch at %VGv. Disabling it.\n", pPatch->patch.pPrivInstrGC));
5879 }
5880 /* Even if we succeed, we must go back to the original instruction as the patched one could be invalid. */
5881 rc = VERR_PATCHING_REFUSED;
5882 }
5883 }
5884 return rc;
5885}
5886
5887/**
5888 * Handle trap inside patch code
5889 *
5890 * @returns VBox status code.
5891 * @param pVM The VM to operate on.
5892 * @param pCtx CPU context
5893 * @param pEip GC pointer of trapping instruction
5894 * @param ppNewEip GC pointer to new instruction
5895 */
5896PATMR3DECL(int) PATMR3HandleTrap(PVM pVM, PCPUMCTX pCtx, RTGCPTR pEip, RTGCPTR *ppNewEip)
5897{
5898 PPATMPATCHREC pPatch = 0;
5899 void *pvPatchCoreOffset;
5900 RTGCUINTPTR offset;
5901 RTGCPTR pNewEip;
5902 int rc ;
5903 PRECPATCHTOGUEST pPatchToGuestRec = 0;
5904
5905 pNewEip = 0;
5906 *ppNewEip = 0;
5907
5908 STAM_PROFILE_ADV_START(&pVM->patm.s.StatHandleTrap, a);
5909
5910 /* Find the patch record. */
5911 /** @note there might not be a patch to guest translation record (global function) */
5912 offset = pEip - pVM->patm.s.pPatchMemGC;
5913 pvPatchCoreOffset = RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, offset, false);
5914 if (pvPatchCoreOffset)
5915 {
5916 pPatch = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
5917
5918 if (pPatch->patch.uState == PATCH_DIRTY)
5919 {
5920 Log(("PATMR3HandleTrap: trap in dirty patch at %VGv\n", pEip));
5921 if (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CALLABLE_AS_FUNCTION))
5922 {
5923 /* Function duplication patches set fPIF to 1 on entry */
5924 pVM->patm.s.pGCStateHC->fPIF = 1;
5925 }
5926 }
5927 else
5928 if (pPatch->patch.uState == PATCH_DISABLED)
5929 {
5930 Log(("PATMR3HandleTrap: trap in disabled patch at %VGv\n", pEip));
5931 if (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CALLABLE_AS_FUNCTION))
5932 {
5933 /* Function duplication patches set fPIF to 1 on entry */
5934 pVM->patm.s.pGCStateHC->fPIF = 1;
5935 }
5936 }
5937 else
5938 if (pPatch->patch.uState == PATCH_DISABLE_PENDING)
5939 {
5940 RTGCPTR pPrivInstrGC = pPatch->patch.pPrivInstrGC;
5941
5942 Log(("PATMR3HandleTrap: disable operation is pending for patch at %VGv\n", pPatch->patch.pPrivInstrGC));
5943 rc = PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
5944 AssertReleaseMsg(rc != VWRN_PATCH_REMOVED, ("PATMR3DisablePatch removed patch at %VGv\n", pPrivInstrGC));
5945 AssertMsg(pPatch->patch.uState == PATCH_DISABLED || pPatch->patch.uState == PATCH_UNUSABLE, ("Unexpected failure to disable patch state=%d rc=%Vrc\n", pPatch->patch.uState, rc));
5946 }
5947
5948 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->patch.Patch2GuestAddrTree, offset, false);
5949 AssertReleaseMsg(pPatchToGuestRec, ("PATMR3HandleTrap: Unable to find corresponding guest address for %VGv (offset %x)\n", pEip, offset));
5950
5951 pNewEip = pPatchToGuestRec->pOrgInstrGC;
5952 pPatch->patch.cTraps++;
5953 PATM_STAT_FAULT_INC(&pPatch->patch);
5954 }
5955 else
5956 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 0, ("PATMR3HandleTrap: Unable to find translation record for %VGv (PIF=0)\n", pEip));
5957
5958 /* Check if we were interrupted in PATM generated instruction code. */
5959 if (pVM->patm.s.pGCStateHC->fPIF == 0)
5960 {
5961 DISCPUSTATE Cpu;
5962 rc = CPUMR3DisasmInstrCPU(pVM, pCtx, pEip, &Cpu, "PIF Trap: ");
5963 AssertRC(rc);
5964
5965 if ( rc == VINF_SUCCESS
5966 && ( Cpu.pCurInstr->opcode == OP_PUSHF
5967 || Cpu.pCurInstr->opcode == OP_PUSH
5968 || Cpu.pCurInstr->opcode == OP_CALL)
5969 )
5970 {
5971 STAM_COUNTER_INC(&pVM->patm.s.StatPushTrap);
5972 /* Typical pushf (most patches)/push (call patch) trap because of a monitored page. */
5973 rc = PGMShwModifyPage(pVM, pCtx->esp, 1, X86_PTE_RW, ~(uint64_t)X86_PTE_RW);
5974 AssertMsgRC(rc, ("PGMShwModifyPage -> rc=%Vrc\n", rc));
5975 if (rc == VINF_SUCCESS)
5976 {
5977 uint64_t fFlags;
5978
5979 /* The guest page *must* be present. */
5980 rc = PGMGstGetPage(pVM, pCtx->esp, &fFlags, NULL);
5981 if (rc == VINF_SUCCESS && (fFlags & X86_PTE_P))
5982 {
5983 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
5984 return VINF_PATCH_CONTINUE;
5985 }
5986 }
5987 }
5988
5989 char szBuf[256];
5990 szBuf[0] = '\0';
5991 DBGFR3DisasInstr(pVM, pCtx->cs, pEip, szBuf, sizeof(szBuf));
5992
5993 /* Very bad. We crashed in emitted code. Probably stack? */
5994 if (pPatch)
5995 {
5996 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 1,
5997 ("Crash in patch code %VGv (%VGv) esp=%RX32\nPatch state=%x flags=%x fDirty=%d\n%s\n", pEip, pNewEip, CPUMGetGuestESP(pVM), pPatch->patch.uState, pPatch->patch.flags, pPatchToGuestRec->fDirty, szBuf));
5998 }
5999 else
6000 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 1,
6001 ("Crash in patch code %VGv (%VGv) esp=%RX32\n%s\n", pEip, pNewEip, CPUMGetGuestESP(pVM), szBuf));
6002 EMR3FatalError(pVM, VERR_INTERNAL_ERROR);
6003 }
6004
6005 /* From here on, we must have a valid patch to guest translation. */
6006 if (pvPatchCoreOffset == 0)
6007 {
6008 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6009 AssertMsgFailed(("PATMR3HandleTrap: patch not found at address %VGv!!\n", pEip));
6010 return VERR_PATCH_NOT_FOUND; //fatal error
6011 }
6012
6013 /* Take care of dirty/changed instructions. */
6014 if (pPatchToGuestRec->fDirty)
6015 {
6016 Assert(pPatchToGuestRec->Core.Key == offset);
6017 Assert(pVM->patm.s.pGCStateHC->fPIF == 1);
6018
6019 rc = patmR3HandleDirtyInstr(pVM, pCtx, pPatch, pPatchToGuestRec, pEip);
6020 if (VBOX_SUCCESS(rc))
6021 {
6022 /* Retry the current instruction. */
6023 pNewEip = pEip;
6024 rc = VINF_PATCH_CONTINUE; /* Continue at current patch instruction. */
6025 }
6026 else
6027 {
6028 /* Reset the PATM stack. */
6029 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6030
6031 rc = VINF_SUCCESS; /* Continue at original instruction. */
6032 }
6033
6034 *ppNewEip = pNewEip;
6035 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6036 return rc;
6037 }
6038
6039#ifdef VBOX_STRICT
6040 if (pPatch->patch.flags & PATMFL_DUPLICATE_FUNCTION)
6041 {
6042 DISCPUSTATE cpu;
6043 bool disret;
6044 uint32_t opsize;
6045
6046 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
6047 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pNewEip, PATMGCVirtToHCVirt(pVM, &pPatch->patch, pNewEip), &opsize, NULL, PATMREAD_RAWCODE);
6048 if (disret && cpu.pCurInstr->opcode == OP_RETN)
6049 {
6050 RTGCPTR retaddr;
6051 PCPUMCTX pCtx;
6052 int rc;
6053
6054 rc = CPUMQueryGuestCtxPtr(pVM, &pCtx);
6055 AssertRC(rc);
6056
6057 rc = PGMPhysReadGCPtr(pVM, &retaddr, pCtx->esp, sizeof(retaddr));
6058 AssertRC(rc);
6059
6060 Log(("Return failed at %VGv (%VGv)\n", pEip, pNewEip));
6061 Log(("Expected return address %VGv found address %VGv Psp=%x\n", pVM->patm.s.pGCStackHC[(pVM->patm.s.pGCStateHC->Psp+PATM_STACK_SIZE)/sizeof(RTGCPTR)], retaddr, pVM->patm.s.pGCStateHC->Psp));
6062 }
6063 }
6064#endif
6065
6066 /* Return original address, correct by subtracting the CS base address. */
6067 *ppNewEip = pNewEip - SELMToFlat(pVM, pCtx->eflags, pCtx->cs, &pCtx->csHid, 0);
6068
6069 /* Reset the PATM stack. */
6070 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6071
6072 if (pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts == pNewEip)
6073 {
6074 /* Must be a faulting instruction after sti; currently only sysexit, hlt or iret */
6075 Log(("PATMR3HandleTrap %VGv -> inhibit irqs set!\n", pEip));
6076#ifdef VBOX_STRICT
6077 DISCPUSTATE cpu;
6078 bool disret;
6079 uint32_t opsize;
6080
6081 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
6082 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pNewEip, PATMGCVirtToHCVirt(pVM, &pPatch->patch, pNewEip), &opsize, NULL, PATMREAD_ORGCODE);
6083
6084 if (disret && (cpu.pCurInstr->opcode == OP_SYSEXIT || cpu.pCurInstr->opcode == OP_HLT || cpu.pCurInstr->opcode == OP_INT3))
6085 {
6086 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
6087 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pNewEip, PATMGCVirtToHCVirt(pVM, &pPatch->patch, pNewEip), &opsize, NULL, PATMREAD_RAWCODE);
6088
6089 Assert(cpu.pCurInstr->opcode == OP_SYSEXIT || cpu.pCurInstr->opcode == OP_HLT || cpu.pCurInstr->opcode == OP_IRET);
6090 }
6091#endif
6092 EMSetInhibitInterruptsPC(pVM, pNewEip);
6093 pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts = 0;
6094 }
6095
6096 Log2(("pPatchBlockGC %VGv - pEip %VGv corresponding GC address %VGv\n", PATCHCODE_PTR_GC(&pPatch->patch), pEip, pNewEip));
6097
6098 if (pNewEip >= pPatch->patch.pPrivInstrGC && pNewEip < pPatch->patch.pPrivInstrGC + pPatch->patch.cbPatchJump)
6099 {
6100 /* We can't jump back to code that we've overwritten with a 5 byte jump! */
6101 Log(("Disabling patch at location %VGv due to trap too close to the privileged instruction \n", pPatch->patch.pPrivInstrGC));
6102 PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6103 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6104 return VERR_PATCH_DISABLED;
6105 }
6106
6107#ifdef PATM_REMOVE_PATCH_ON_TOO_MANY_TRAPS
6108 /** @todo compare to nr of successful runs. add some aging algorithm and determine the best time to disable the patch */
6109 if (pPatch->patch.cTraps > MAX_PATCH_TRAPS)
6110 {
6111 Log(("Disabling patch at location %VGv due to too many traps inside patch code\n", pPatch->patch.pPrivInstrGC));
6112 //we are only wasting time, back out the patch
6113 PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6114 pTrapRec->pNextPatchInstr = 0;
6115 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6116 return VERR_PATCH_DISABLED;
6117 }
6118#endif
6119
6120 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6121 return VINF_SUCCESS;
6122}
6123
6124
6125/**
6126 * Handle page-fault in monitored page
6127 *
6128 * @returns VBox status code.
6129 * @param pVM The VM to operate on.
6130 */
6131PATMR3DECL(int) PATMR3HandleMonitoredPage(PVM pVM)
6132{
6133 RTGCPTR addr = pVM->patm.s.pvFaultMonitor;
6134
6135 addr &= PAGE_BASE_GC_MASK;
6136
6137 int rc = PGMHandlerVirtualDeregister(pVM, addr);
6138 AssertRC(rc); NOREF(rc);
6139
6140 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, addr, false);
6141 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED && PAGE_ADDRESS(pPatchRec->patch.pPrivInstrGC) == PAGE_ADDRESS(addr))
6142 {
6143 STAM_COUNTER_INC(&pVM->patm.s.StatMonitored);
6144 Log(("Renewing patch at %VGv\n", pPatchRec->patch.pPrivInstrGC));
6145 rc = PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6146 if (rc == VWRN_PATCH_REMOVED)
6147 return VINF_SUCCESS;
6148
6149 PATMR3EnablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6150
6151 if (addr == pPatchRec->patch.pPrivInstrGC)
6152 addr++;
6153 }
6154
6155 for(;;)
6156 {
6157 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, addr, true);
6158
6159 if (!pPatchRec || PAGE_ADDRESS(pPatchRec->patch.pPrivInstrGC) != PAGE_ADDRESS(addr))
6160 break;
6161
6162 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED)
6163 {
6164 STAM_COUNTER_INC(&pVM->patm.s.StatMonitored);
6165 Log(("Renewing patch at %VGv\n", pPatchRec->patch.pPrivInstrGC));
6166 PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6167 PATMR3EnablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6168 }
6169 addr = pPatchRec->patch.pPrivInstrGC + 1;
6170 }
6171
6172 pVM->patm.s.pvFaultMonitor = 0;
6173 return VINF_SUCCESS;
6174}
6175
6176
6177#ifdef VBOX_WITH_STATISTICS
6178
6179static const char *PATMPatchType(PVM pVM, PPATCHINFO pPatch)
6180{
6181 if (pPatch->flags & PATMFL_SYSENTER)
6182 {
6183 return "SYSENT";
6184 }
6185 else
6186 if (pPatch->flags & (PATMFL_TRAPHANDLER|PATMFL_INTHANDLER))
6187 {
6188 static char szTrap[16];
6189 uint32_t iGate;
6190
6191 iGate = TRPMR3QueryGateByHandler(pVM, PATCHCODE_PTR_GC(pPatch));
6192 if (iGate < 256)
6193 RTStrPrintf(szTrap, sizeof(szTrap), (pPatch->flags & PATMFL_INTHANDLER) ? "INT-%2X" : "TRAP-%2X", iGate);
6194 else
6195 RTStrPrintf(szTrap, sizeof(szTrap), (pPatch->flags & PATMFL_INTHANDLER) ? "INT-??" : "TRAP-??");
6196 return szTrap;
6197 }
6198 else
6199 if (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
6200 return "DUPFUNC";
6201 else
6202 if (pPatch->flags & PATMFL_REPLACE_FUNCTION_CALL)
6203 return "FUNCCALL";
6204 else
6205 if (pPatch->flags & PATMFL_TRAMPOLINE)
6206 return "TRAMP";
6207 else
6208 return patmGetInstructionString(pPatch->opcode, pPatch->flags);
6209}
6210
6211static const char *PATMPatchState(PVM pVM, PPATCHINFO pPatch)
6212{
6213 switch(pPatch->uState)
6214 {
6215 case PATCH_ENABLED:
6216 return "ENA";
6217 case PATCH_DISABLED:
6218 return "DIS";
6219 case PATCH_DIRTY:
6220 return "DIR";
6221 case PATCH_UNUSABLE:
6222 return "UNU";
6223 case PATCH_REFUSED:
6224 return "REF";
6225 case PATCH_DISABLE_PENDING:
6226 return "DIP";
6227 default:
6228 AssertFailed();
6229 return " ";
6230 }
6231}
6232
6233/**
6234 * Resets the sample.
6235 * @param pVM The VM handle.
6236 * @param pvSample The sample registered using STAMR3RegisterCallback.
6237 */
6238static void patmResetStat(PVM pVM, void *pvSample)
6239{
6240 PPATCHINFO pPatch = (PPATCHINFO)pvSample;
6241 Assert(pPatch);
6242
6243 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32A = 0;
6244 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32B = 0;
6245}
6246
6247/**
6248 * Prints the sample into the buffer.
6249 *
6250 * @param pVM The VM handle.
6251 * @param pvSample The sample registered using STAMR3RegisterCallback.
6252 * @param pszBuf The buffer to print into.
6253 * @param cchBuf The size of the buffer.
6254 */
6255static void patmPrintStat(PVM pVM, void *pvSample, char *pszBuf, size_t cchBuf)
6256{
6257 PPATCHINFO pPatch = (PPATCHINFO)pvSample;
6258 Assert(pPatch);
6259
6260 Assert(pPatch->uState != PATCH_REFUSED);
6261 Assert(!(pPatch->flags & (PATMFL_REPLACE_FUNCTION_CALL|PATMFL_MMIO_ACCESS)));
6262
6263 RTStrPrintf(pszBuf, cchBuf, "size %04x ->%3s %8s - %08d - %08d",
6264 pPatch->cbPatchBlockSize, PATMPatchState(pVM, pPatch), PATMPatchType(pVM, pPatch),
6265 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32A, pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32B);
6266}
6267
6268/**
6269 * Returns the GC address of the corresponding patch statistics counter
6270 *
6271 * @returns Stat address
6272 * @param pVM The VM to operate on.
6273 * @param pPatch Patch structure
6274 */
6275RTGCPTR patmPatchQueryStatAddress(PVM pVM, PPATCHINFO pPatch)
6276{
6277 Assert(pPatch->uPatchIdx != PATM_STAT_INDEX_NONE);
6278 return pVM->patm.s.pStatsGC + sizeof(STAMRATIOU32) * pPatch->uPatchIdx + RT_OFFSETOF(STAMRATIOU32, u32A);
6279}
6280
6281#endif /* VBOX_WITH_STATISTICS */
6282
6283#ifdef VBOX_WITH_DEBUGGER
6284/**
6285 * The '.patmoff' command.
6286 *
6287 * @returns VBox status.
6288 * @param pCmd Pointer to the command descriptor (as registered).
6289 * @param pCmdHlp Pointer to command helper functions.
6290 * @param pVM Pointer to the current VM (if any).
6291 * @param paArgs Pointer to (readonly) array of arguments.
6292 * @param cArgs Number of arguments in the array.
6293 */
6294static DECLCALLBACK(int) patmr3CmdOff(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult)
6295{
6296 /*
6297 * Validate input.
6298 */
6299 if (!pVM)
6300 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "error: The command requires VM to be selected.\n");
6301
6302 RTAvloGCPtrDoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, DisableAllPatches, pVM);
6303 PATMR3AllowPatching(pVM, false);
6304 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "Patching disabled\n");
6305}
6306
6307/**
6308 * The '.patmon' command.
6309 *
6310 * @returns VBox status.
6311 * @param pCmd Pointer to the command descriptor (as registered).
6312 * @param pCmdHlp Pointer to command helper functions.
6313 * @param pVM Pointer to the current VM (if any).
6314 * @param paArgs Pointer to (readonly) array of arguments.
6315 * @param cArgs Number of arguments in the array.
6316 */
6317static DECLCALLBACK(int) patmr3CmdOn(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult)
6318{
6319 /*
6320 * Validate input.
6321 */
6322 if (!pVM)
6323 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "error: The command requires VM to be selected.\n");
6324
6325 PATMR3AllowPatching(pVM, true);
6326 RTAvloGCPtrDoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, EnableAllPatches, pVM);
6327 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "Patching enabled\n");
6328}
6329#endif
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette