VirtualBox

source: vbox/trunk/src/VBox/VMM/PATM/PATM.cpp@ 3020

Last change on this file since 3020 was 3020, checked in by vboxsync, 18 years ago

Added missing space after ')' in macro invocations so VCC doesn't mess up the precompiler output.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
File size: 236.8 KB
Line 
1/* $Id: PATM.cpp 3020 2007-06-04 12:01:53Z vboxsync $ */
2/** @file
3 * PATM - Dynamic Guest OS Patching Manager
4 *
5 * NOTE: Never ever reuse patch memory!!
6 */
7
8/*
9 * Copyright (C) 2006-2007 innotek GmbH
10 *
11 * This file is part of VirtualBox Open Source Edition (OSE), as
12 * available from http://www.virtualbox.org. This file is free software;
13 * you can redistribute it and/or modify it under the terms of the GNU
14 * General Public License as published by the Free Software Foundation,
15 * in version 2 as it comes in the "COPYING" file of the VirtualBox OSE
16 * distribution. VirtualBox OSE is distributed in the hope that it will
17 * be useful, but WITHOUT ANY WARRANTY of any kind.
18 *
19 * If you received this file as part of a commercial VirtualBox
20 * distribution, then only the terms of your commercial VirtualBox
21 * license agreement apply instead of the previous paragraph.
22 */
23
24/*******************************************************************************
25* Header Files *
26*******************************************************************************/
27#define LOG_GROUP LOG_GROUP_PATM
28#include <VBox/patm.h>
29#include <VBox/stam.h>
30#include <VBox/pgm.h>
31#include <VBox/cpum.h>
32#include <VBox/cpumdis.h>
33#include <VBox/iom.h>
34#include <VBox/sup.h>
35#include <VBox/mm.h>
36#include <VBox/ssm.h>
37#include <VBox/pdm.h>
38#include <VBox/trpm.h>
39#include <VBox/cfgm.h>
40#include <VBox/param.h>
41#include <VBox/selm.h>
42#include <iprt/avl.h>
43#include "PATMInternal.h"
44#include "PATMPatch.h"
45#include <VBox/vm.h>
46#include <VBox/csam.h>
47
48#include <VBox/dbg.h>
49#include <VBox/err.h>
50#include <VBox/log.h>
51#include <iprt/assert.h>
52#include <iprt/asm.h>
53#include <VBox/dis.h>
54#include <VBox/disopcode.h>
55
56#include <iprt/string.h>
57#include "PATMA.h"
58
59//#define PATM_REMOVE_PATCH_ON_TOO_MANY_TRAPS
60//#define PATM_DISABLE_ALL
61
62/*******************************************************************************
63* Internal Functions *
64*******************************************************************************/
65
66static int patmDisableUnusablePatch(PVM pVM, RTGCPTR pInstrGC, RTGCPTR pConflictAddr, PPATCHINFO pPatch);
67static int patmActivateInt3Patch(PVM pVM, PPATCHINFO pPatch);
68static int patmDeactivateInt3Patch(PVM pVM, PPATCHINFO pPatch);
69
70#ifdef DEBUG // keep gcc quiet
71static bool patmIsCommonIDTHandlerPatch(PVM pVM, RTGCPTR pInstrGC);
72#endif
73#ifdef VBOX_WITH_STATISTICS
74static const char *PATMPatchType(PVM pVM, PPATCHINFO pPatch);
75static void patmResetStat(PVM pVM, void *pvSample);
76static void patmPrintStat(PVM pVM, void *pvSample, char *pszBuf, size_t cchBuf);
77#endif
78
79#define patmPatchHCPtr2PatchGCPtr(pVM, pHC) (pVM->patm.s.pPatchMemGC + (pHC - pVM->patm.s.pPatchMemHC))
80#define patmPatchGCPtr2PatchHCPtr(pVM, pGC) (pVM->patm.s.pPatchMemHC + (pGC - pVM->patm.s.pPatchMemGC))
81
82static int patmReinit(PVM pVM);
83static DECLCALLBACK(int) RelocatePatches(PAVLOGCPTRNODECORE pNode, void *pParam);
84static DECLCALLBACK(int) patmVirtPageHandler(PVM pVM, RTGCPTR GCPtr, void *pvPtr, void *pvBuf, size_t cbBuf, PGMACCESSTYPE enmAccessType, void *pvUser);
85
86#ifdef VBOX_WITH_DEBUGGER
87static DECLCALLBACK(int) DisableAllPatches(PAVLOGCPTRNODECORE pNode, void *pVM);
88static DECLCALLBACK(int) patmr3CmdOn(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult);
89static DECLCALLBACK(int) patmr3CmdOff(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult);
90
91/** Command descriptors. */
92static const DBGCCMD g_aCmds[] =
93{
94 /* pszCmd, cArgsMin, cArgsMax, paArgDesc, cArgDescs, pResultDesc, fFlags, pfnHandler pszSyntax, ....pszDescription */
95 { "patmon", 0, 0, NULL, 0, NULL, 0, patmr3CmdOn, "", "Enable patching." },
96 { "patmoff", 0, 0, NULL, 0, NULL, 0, patmr3CmdOff, "", "Disable patching." },
97};
98#endif
99
100/**
101 * Initializes the PATM.
102 *
103 * @returns VBox status code.
104 * @param pVM The VM to operate on.
105 */
106PATMR3DECL(int) PATMR3Init(PVM pVM)
107{
108 int rc;
109
110 Log(("PATMR3Init: Patch record size %d\n", sizeof(PATCHINFO)));
111
112 AssertReleaseMsg(PATMInterruptFlag == (VM_FF_INTERRUPT_APIC | VM_FF_INTERRUPT_PIC | VM_FF_TIMER | VM_FF_REQUEST), ("Interrupt flags out of sync!!\n"));
113
114 /* Allocate patch memory and GC patch state memory. */
115 pVM->patm.s.cbPatchMem = PATCH_MEMORY_SIZE;
116 /* Add another page in case the generated code is much larger than expected. */
117 /** @todo bad safety precaution */
118 rc = MMR3HyperAllocOnceNoRel(pVM, PATCH_MEMORY_SIZE + PAGE_SIZE + PATM_STACK_TOTAL_SIZE + PAGE_SIZE + PATM_STAT_MEMSIZE, PAGE_SIZE, MM_TAG_PATM, (void **)&pVM->patm.s.pPatchMemHC);
119 if (VBOX_FAILURE(rc))
120 {
121 Log(("MMR3HyperAlloc failed with %Vrc\n", rc));
122 return rc;
123 }
124 pVM->patm.s.pPatchMemGC = MMHyperHC2GC(pVM, pVM->patm.s.pPatchMemHC);
125
126 /* PATM stack page for call instruction execution. (2 parts: one for our private stack and one to store the original return address */
127 pVM->patm.s.pGCStackHC = (RTGCPTR *)(pVM->patm.s.pPatchMemHC + PATCH_MEMORY_SIZE + PAGE_SIZE);
128 pVM->patm.s.pGCStackGC = MMHyperHC2GC(pVM, pVM->patm.s.pGCStackHC);
129
130 /*
131 * Hypervisor memory for GC status data (read/write)
132 *
133 * Note1: This is non-critical data; if trashed by the guest, then it will only cause problems for itself
134 * Note2: This doesn't really belong here, but we need access to it for relocation purposes
135 *
136 */
137 Assert(sizeof(PATMGCSTATE) < PAGE_SIZE); /** @note hardcoded dependencies on this exist. */
138 pVM->patm.s.pGCStateHC = (PPATMGCSTATE)((uint8_t *)pVM->patm.s.pGCStackHC + PATM_STACK_TOTAL_SIZE);
139 pVM->patm.s.pGCStateGC = MMHyperHC2GC(pVM, pVM->patm.s.pGCStateHC);
140
141 /* Hypervisor memory for patch statistics */
142 pVM->patm.s.pStatsHC = (PSTAMRATIOU32)((uint8_t *)pVM->patm.s.pGCStateHC + PAGE_SIZE);
143 pVM->patm.s.pStatsGC = MMHyperHC2GC(pVM, pVM->patm.s.pStatsHC);
144
145 /* Memory for patch lookup trees. */
146 rc = MMHyperAlloc(pVM, sizeof(*pVM->patm.s.PatchLookupTreeHC), 0, MM_TAG_PATM, (void **)&pVM->patm.s.PatchLookupTreeHC);
147 AssertRCReturn(rc, rc);
148 pVM->patm.s.PatchLookupTreeGC = MMHyperHC2GC(pVM, pVM->patm.s.PatchLookupTreeHC);
149
150#ifdef __AMD64__ /* see patmReinit(). */
151 /* Check CFGM option. */
152 rc = CFGMR3QueryBool(CFGMR3GetRoot(pVM), "PATMEnabled", &pVM->fPATMEnabled);
153 if (VBOX_FAILURE(rc))
154# ifdef PATM_DISABLE_ALL
155 pVM->fPATMEnabled = false;
156# else
157 pVM->fPATMEnabled = true;
158# endif
159#endif
160
161 rc = patmReinit(pVM);
162 AssertRC(rc);
163 if (VBOX_FAILURE(rc))
164 return rc;
165
166 /*
167 * Register save and load state notificators.
168 */
169 rc = SSMR3RegisterInternal(pVM, "PATM", 0, PATM_SSM_VERSION, sizeof(pVM->patm.s) + PATCH_MEMORY_SIZE + PAGE_SIZE + PATM_STACK_TOTAL_SIZE + PAGE_SIZE,
170 NULL, patmr3Save, NULL,
171 NULL, patmr3Load, NULL);
172 if (VBOX_FAILURE(rc))
173 {
174 AssertRC(rc);
175 return rc;
176 }
177
178#ifdef VBOX_WITH_DEBUGGER
179 /*
180 * Debugger commands.
181 */
182 static bool fRegisteredCmds = false;
183 if (!fRegisteredCmds)
184 {
185 int rc = DBGCRegisterCommands(&g_aCmds[0], ELEMENTS(g_aCmds));
186 if (VBOX_SUCCESS(rc))
187 fRegisteredCmds = true;
188 }
189#endif
190
191#ifdef VBOX_WITH_STATISTICS
192 STAM_REG(pVM, &pVM->patm.s.StatNrOpcodeRead, STAMTYPE_COUNTER, "/PATM/OpcodeBytesRead", STAMUNIT_OCCURENCES, "The number of opcode bytes read by the recompiler.");
193 STAM_REG(pVM, &pVM->patm.s.StatPATMMemoryUsed,STAMTYPE_COUNTER, "/PATM/MemoryUsed", STAMUNIT_OCCURENCES, "The amount of hypervisor heap used for patches.");
194 STAM_REG(pVM, &pVM->patm.s.StatDisabled, STAMTYPE_COUNTER, "/PATM/Patch/Disabled", STAMUNIT_OCCURENCES, "Number of times patches were disabled.");
195 STAM_REG(pVM, &pVM->patm.s.StatEnabled, STAMTYPE_COUNTER, "/PATM/Patch/Enabled", STAMUNIT_OCCURENCES, "Number of times patches were enabled.");
196 STAM_REG(pVM, &pVM->patm.s.StatDirty, STAMTYPE_COUNTER, "/PATM/Patch/Dirty", STAMUNIT_OCCURENCES, "Number of times patches were marked dirty.");
197 STAM_REG(pVM, &pVM->patm.s.StatUnusable, STAMTYPE_COUNTER, "/PATM/Patch/Unusable", STAMUNIT_OCCURENCES, "Number of unusable patches (conflicts).");
198 STAM_REG(pVM, &pVM->patm.s.StatInstalled, STAMTYPE_COUNTER, "/PATM/Patch/Installed", STAMUNIT_OCCURENCES, "Number of installed patches.");
199 STAM_REG(pVM, &pVM->patm.s.StatInt3Callable, STAMTYPE_COUNTER, "/PATM/Patch/Int3Callable", STAMUNIT_OCCURENCES, "Number of cli patches turned into int3 patches.");
200
201 STAM_REG(pVM, &pVM->patm.s.StatInt3BlockRun, STAMTYPE_COUNTER, "/PATM/Patch/Run/Int3", STAMUNIT_OCCURENCES, "Number of times an int3 block patch was executed.");
202 STAMR3RegisterF(pVM, &pVM->patm.s.pGCStateHC->uPatchCalls, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Patch/Run/Normal");
203
204 STAM_REG(pVM, &pVM->patm.s.StatInstalledFunctionPatches, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Function", STAMUNIT_OCCURENCES, "Number of installed function duplication patches.");
205 STAM_REG(pVM, &pVM->patm.s.StatInstalledTrampoline, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Trampoline", STAMUNIT_OCCURENCES, "Number of installed trampoline patches.");
206 STAM_REG(pVM, &pVM->patm.s.StatInstalledJump, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Jump", STAMUNIT_OCCURENCES, "Number of installed jump patches.");
207
208 STAM_REG(pVM, &pVM->patm.s.StatOverwritten, STAMTYPE_COUNTER, "/PATM/Patch/Overwritten", STAMUNIT_OCCURENCES, "Number of overwritten patches.");
209 STAM_REG(pVM, &pVM->patm.s.StatFixedConflicts,STAMTYPE_COUNTER, "/PATM/Patch/ConflictFixed", STAMUNIT_OCCURENCES, "Number of fixed conflicts.");
210 STAM_REG(pVM, &pVM->patm.s.StatFlushed, STAMTYPE_COUNTER, "/PATM/Patch/Flushed", STAMUNIT_OCCURENCES, "Number of flushes of pages with patch jumps.");
211 STAM_REG(pVM, &pVM->patm.s.StatMonitored, STAMTYPE_COUNTER, "/PATM/Patch/Monitored", STAMUNIT_OCCURENCES, "Number of patches in monitored patch pages.");
212 STAM_REG(pVM, &pVM->patm.s.StatPageBoundaryCrossed, STAMTYPE_COUNTER, "/PATM/Patch/BoundaryCross", STAMUNIT_OCCURENCES, "Number of refused patches due to patch jump crossing page boundary.");
213
214 STAM_REG(pVM, &pVM->patm.s.StatHandleTrap, STAMTYPE_PROFILE, "/PATM/HandleTrap", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMR3HandleTrap");
215 STAM_REG(pVM, &pVM->patm.s.StatPushTrap, STAMTYPE_COUNTER, "/PATM/HandleTrap/PushWP", STAMUNIT_OCCURENCES, "Number of traps due to monitored stack pages.");
216
217 STAM_REG(pVM, &pVM->patm.s.StatSwitchBack, STAMTYPE_COUNTER, "/PATM/SwitchBack", STAMUNIT_OCCURENCES, "Switch back to original guest code when IF=1 & executing PATM instructions");
218 STAM_REG(pVM, &pVM->patm.s.StatSwitchBackFail,STAMTYPE_COUNTER, "/PATM/SwitchBackFail", STAMUNIT_OCCURENCES, "Failed switch back to original guest code when IF=1 & executing PATM instructions");
219
220 STAM_REG(pVM, &pVM->patm.s.StatDuplicateREQFailed, STAMTYPE_COUNTER, "/PATM/Function/DupREQ/Failed", STAMUNIT_OCCURENCES, "Nr of failed PATMR3DuplicateFunctionRequest calls");
221 STAM_REG(pVM, &pVM->patm.s.StatDuplicateREQSuccess, STAMTYPE_COUNTER, "/PATM/Function/DupREQ/Success", STAMUNIT_OCCURENCES, "Nr of successful PATMR3DuplicateFunctionRequest calls");
222 STAM_REG(pVM, &pVM->patm.s.StatDuplicateUseExisting,STAMTYPE_COUNTER, "/PATM/Function/DupREQ/UseExist", STAMUNIT_OCCURENCES, "Nr of successful PATMR3DuplicateFunctionRequest calls when using an existing patch");
223
224 STAM_REG(pVM, &pVM->patm.s.StatFunctionLookupInsert, STAMTYPE_COUNTER, "/PATM/Function/Lookup/Insert", STAMUNIT_OCCURENCES, "Nr of successful function address insertions");
225 STAM_REG(pVM, &pVM->patm.s.StatFunctionLookupReplace, STAMTYPE_COUNTER, "/PATM/Function/Lookup/Replace", STAMUNIT_OCCURENCES, "Nr of successful function address replacements");
226 STAM_REG(pVM, &pVM->patm.s.StatU32FunctionMaxSlotsUsed, STAMTYPE_U32_RESET,"/PATM/Function/Lookup/MaxSlots", STAMUNIT_OCCURENCES, "Maximum nr of lookup slots used in all call patches");
227
228 STAM_REG(pVM, &pVM->patm.s.StatFunctionFound, STAMTYPE_COUNTER, "/PATM/Function/Found", STAMUNIT_OCCURENCES, "Nr of successful function patch lookups in GC");
229 STAM_REG(pVM, &pVM->patm.s.StatFunctionNotFound, STAMTYPE_COUNTER, "/PATM/Function/NotFound", STAMUNIT_OCCURENCES, "Nr of failed function patch lookups in GC");
230
231 STAM_REG(pVM, &pVM->patm.s.StatPatchWrite, STAMTYPE_PROFILE, "/PATM/Write/Handle", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMR3PatchWrite");
232 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteDetect, STAMTYPE_PROFILE, "/PATM/Write/Detect", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMIsWriteToPatchPage");
233 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteInterpreted, STAMTYPE_COUNTER, "/PATM/Write/Interpreted/Success", STAMUNIT_OCCURENCES, "Nr of interpreted patch writes.");
234 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteInterpretedFailed, STAMTYPE_COUNTER, "/PATM/Write/Interpreted/Failed", STAMUNIT_OCCURENCES, "Nr of failed interpreted patch writes.");
235
236 STAM_REG(pVM, &pVM->patm.s.StatPatchRefreshSuccess, STAMTYPE_COUNTER, "/PATM/Refresh/Success", STAMUNIT_OCCURENCES, "Successful patch refreshes");
237 STAM_REG(pVM, &pVM->patm.s.StatPatchRefreshFailed, STAMTYPE_COUNTER, "/PATM/Refresh/Failure", STAMUNIT_OCCURENCES, "Failed patch refreshes");
238
239 STAM_REG(pVM, &pVM->patm.s.StatPatchPageInserted, STAMTYPE_COUNTER, "/PATM/Page/Inserted", STAMUNIT_OCCURENCES, "Nr of inserted guest pages that were patched");
240 STAM_REG(pVM, &pVM->patm.s.StatPatchPageRemoved, STAMTYPE_COUNTER, "/PATM/Page/Removed", STAMUNIT_OCCURENCES, "Nr of removed guest pages that were patched");
241
242 STAM_REG(pVM, &pVM->patm.s.StatInstrDirty, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Detected", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty.");
243 STAM_REG(pVM, &pVM->patm.s.StatInstrDirtyGood, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Corrected", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty and corrected later on.");
244 STAM_REG(pVM, &pVM->patm.s.StatInstrDirtyBad, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Failed", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty and we were not able to correct them.");
245
246 STAM_REG(pVM, &pVM->patm.s.StatSysEnter, STAMTYPE_COUNTER, "/PATM/Emul/SysEnter", STAMUNIT_OCCURENCES, "Number of times sysenter was emulated.");
247 STAM_REG(pVM, &pVM->patm.s.StatSysExit, STAMTYPE_COUNTER, "/PATM/Emul/SysExit" , STAMUNIT_OCCURENCES, "Number of times sysexit was emulated.");
248 STAM_REG(pVM, &pVM->patm.s.StatEmulIret, STAMTYPE_COUNTER, "/PATM/Emul/Iret/Success", STAMUNIT_OCCURENCES, "Number of times iret was emulated.");
249 STAM_REG(pVM, &pVM->patm.s.StatEmulIretFailed, STAMTYPE_COUNTER, "/PATM/Emul/Iret/Failed", STAMUNIT_OCCURENCES, "Number of times iret was emulated.");
250
251 STAM_REG(pVM, &pVM->patm.s.StatGenRet, STAMTYPE_COUNTER, "/PATM/Gen/Ret" , STAMUNIT_OCCURENCES, "Number of generated ret instructions.");
252 STAM_REG(pVM, &pVM->patm.s.StatGenRetReused, STAMTYPE_COUNTER, "/PATM/Gen/RetReused" , STAMUNIT_OCCURENCES, "Number of reused ret instructions.");
253 STAM_REG(pVM, &pVM->patm.s.StatGenCall, STAMTYPE_COUNTER, "/PATM/Gen/Call", STAMUNIT_OCCURENCES, "Number of generated call instructions.");
254 STAM_REG(pVM, &pVM->patm.s.StatGenJump, STAMTYPE_COUNTER, "/PATM/Gen/Jmp" , STAMUNIT_OCCURENCES, "Number of generated indirect jump instructions.");
255 STAM_REG(pVM, &pVM->patm.s.StatGenPopf, STAMTYPE_COUNTER, "/PATM/Gen/Popf" , STAMUNIT_OCCURENCES, "Number of generated popf instructions.");
256
257 STAM_REG(pVM, &pVM->patm.s.StatCheckPendingIRQ, STAMTYPE_COUNTER, "/PATM/GC/CheckIRQ" , STAMUNIT_OCCURENCES, "Number of traps that ask to check for pending irqs.");
258#endif /* VBOX_WITH_STATISTICS */
259
260 Log(("PATMCallRecord.size %d\n", PATMCallRecord.size));
261 Log(("PATMCallIndirectRecord.size %d\n", PATMCallIndirectRecord.size));
262 Log(("PATMRetRecord.size %d\n", PATMRetRecord.size));
263 Log(("PATMJumpIndirectRecord.size %d\n", PATMJumpIndirectRecord.size));
264 Log(("PATMPopf32Record.size %d\n", PATMPopf32Record.size));
265 Log(("PATMIretRecord.size %d\n", PATMIretRecord.size));
266 Log(("PATMStiRecord.size %d\n", PATMStiRecord.size));
267 Log(("PATMCheckIFRecord.size %d\n", PATMCheckIFRecord.size));
268
269 return rc;
270}
271
272/**
273 * Finalizes HMA page attributes.
274 *
275 * @returns VBox status code.
276 * @param pVM The VM handle.
277 */
278PATMR3DECL(int) PATMR3InitFinalize(PVM pVM)
279{
280 /* The GC state, stack and statistics must be read/write for the guest (supervisor only of course). */
281 int rc = PGMMapSetPage(pVM, pVM->patm.s.pGCStateGC, PAGE_SIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
282 if (VBOX_FAILURE(rc))
283 Log(("PATMR3InitFinalize: PGMMapSetPage failed with %Vrc!!\n", rc));
284
285 rc = PGMMapSetPage(pVM, pVM->patm.s.pGCStackGC, PATM_STACK_TOTAL_SIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
286 if (VBOX_FAILURE(rc))
287 Log(("PATMR3InitFinalize: PGMMapSetPage failed with %Vrc!!\n", rc));
288
289 rc = PGMMapSetPage(pVM, pVM->patm.s.pStatsGC, PATM_STAT_MEMSIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
290 if (VBOX_FAILURE(rc))
291 Log(("PATMR3InitFinalize: PGMMapSetPage failed with %Vrc!!\n", rc));
292
293 return rc;
294}
295
296/**
297 * (Re)initializes PATM
298 *
299 * @param pVM The VM.
300 */
301static int patmReinit(PVM pVM)
302{
303 int rc;
304
305 /*
306 * Assert alignment and sizes.
307 */
308 AssertRelease(!(RT_OFFSETOF(VM, patm.s) & 31));
309 AssertRelease(sizeof(pVM->patm.s) <= sizeof(pVM->patm.padding));
310
311 /*
312 * Setup any fixed pointers and offsets.
313 */
314 pVM->patm.s.offVM = RT_OFFSETOF(VM, patm);
315
316#ifndef __AMD64__ /* would be nice if this was changed everywhere. was driving me crazy on AMD64. */
317#ifndef PATM_DISABLE_ALL
318 pVM->fPATMEnabled = true;
319#endif
320#endif
321
322 Assert(pVM->patm.s.pGCStateHC);
323 memset(pVM->patm.s.pGCStateHC, 0, PAGE_SIZE);
324 AssertReleaseMsg(pVM->patm.s.pGCStateGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pGCStateGC));
325 Log(("Patch memory allocated at %p - %VGv\n", pVM->patm.s.pPatchMemHC, pVM->patm.s.pPatchMemGC));
326 pVM->patm.s.pGCStateHC->uVMFlags = X86_EFL_IF;
327
328 Assert(pVM->patm.s.pGCStackHC);
329 memset(pVM->patm.s.pGCStackHC, 0, PAGE_SIZE);
330 AssertReleaseMsg(pVM->patm.s.pGCStackGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pGCStackGC));
331 pVM->patm.s.pGCStateHC->Psp = PATM_STACK_SIZE;
332 pVM->patm.s.pGCStateHC->fPIF = 1; /* PATM Interrupt Flag */
333
334 Assert(pVM->patm.s.pStatsHC);
335 memset(pVM->patm.s.pStatsHC, 0, PATM_STAT_MEMSIZE);
336 AssertReleaseMsg(pVM->patm.s.pStatsGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pStatsGC));
337
338 Assert(pVM->patm.s.pPatchMemHC);
339 Assert(pVM->patm.s.pPatchMemGC = MMHyperHC2GC(pVM, pVM->patm.s.pPatchMemHC));
340 memset(pVM->patm.s.pPatchMemHC, 0, PATCH_MEMORY_SIZE);
341 AssertReleaseMsg(pVM->patm.s.pPatchMemGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pPatchMemHC));
342
343 /* Needed for future patching of sldt/sgdt/sidt/str etc. */
344 rc = CPUMR3QueryGuestCtxGCPtr(pVM, &pVM->patm.s.pCPUMCtxGC);
345 AssertRCReturn(rc, rc);
346
347 Assert(pVM->patm.s.PatchLookupTreeHC);
348 Assert(pVM->patm.s.PatchLookupTreeGC == MMHyperHC2GC(pVM, pVM->patm.s.PatchLookupTreeHC));
349
350 /*
351 * (Re)Initialize PATM structure
352 */
353 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTree);
354 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr);
355 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage);
356 pVM->patm.s.offPatchMem = 16; /* don't start with zero here */
357 pVM->patm.s.uCurrentPatchIdx = 1; /* Index zero is a dummy */
358 pVM->patm.s.pvFaultMonitor = 0;
359 pVM->patm.s.deltaReloc = 0;
360
361 /* Lowest and highest patched instruction */
362 pVM->patm.s.pPatchedInstrGCLowest = ~0;
363 pVM->patm.s.pPatchedInstrGCHighest = 0;
364
365 pVM->patm.s.PatchLookupTreeHC->PatchTree = 0;
366 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr = 0;
367 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage = 0;
368
369 pVM->patm.s.pfnSysEnterPatchGC = 0;
370 pVM->patm.s.pfnSysEnterGC = 0;
371
372 pVM->patm.s.fOutOfMemory = false;
373
374 pVM->patm.s.pfnHelperCallGC = 0;
375
376 /* Generate all global functions to be used by future patches. */
377 /* We generate a fake patch in order to use the existing code for relocation. */
378 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHREC), 0, MM_TAG_PATM_PATCH, (void **)&pVM->patm.s.pGlobalPatchRec);
379 if (VBOX_FAILURE(rc))
380 {
381 Log(("Out of memory!!!!\n"));
382 return VERR_NO_MEMORY;
383 }
384 pVM->patm.s.pGlobalPatchRec->patch.flags = PATMFL_GLOBAL_FUNCTIONS;
385 pVM->patm.s.pGlobalPatchRec->patch.uState = PATCH_ENABLED;
386 pVM->patm.s.pGlobalPatchRec->patch.pPatchBlockOffset = pVM->patm.s.offPatchMem;
387
388 rc = patmPatchGenGlobalFunctions(pVM, &pVM->patm.s.pGlobalPatchRec->patch);
389 AssertRC(rc);
390
391 /* Update free pointer in patch memory. */
392 pVM->patm.s.offPatchMem += pVM->patm.s.pGlobalPatchRec->patch.uCurPatchOffset;
393 /* Round to next 8 byte boundary. */
394 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
395 return rc;
396}
397
398
399/**
400 * Applies relocations to data and code managed by this
401 * component. This function will be called at init and
402 * whenever the VMM need to relocate it self inside the GC.
403 *
404 * The PATM will update the addresses used by the switcher.
405 *
406 * @param pVM The VM.
407 */
408PATMR3DECL(void) PATMR3Relocate(PVM pVM)
409{
410 RTGCPTR GCPtrNew = MMHyperHC2GC(pVM, pVM->patm.s.pGCStateHC);
411 RTGCINTPTR delta = GCPtrNew - pVM->patm.s.pGCStateGC;
412
413 Log(("PATMR3Relocate from %VGv to %VGv - delta %08X\n", pVM->patm.s.pGCStateGC, GCPtrNew, delta));
414 if (delta)
415 {
416 PCPUMCTX pCtx;
417 int rc;
418
419 /* Update CPUMCTX guest context pointer. */
420 pVM->patm.s.pCPUMCtxGC += delta;
421
422 pVM->patm.s.deltaReloc = delta;
423
424 RTAvloGCPtrDoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, RelocatePatches, (void *)pVM);
425
426 rc = CPUMQueryGuestCtxPtr(pVM, &pCtx);
427 AssertRC(rc);
428
429 /* If we are running patch code right now, then also adjust EIP. */
430 if (PATMIsPatchGCAddr(pVM, pCtx->eip))
431 pCtx->eip += delta;
432
433 pVM->patm.s.pGCStateGC = GCPtrNew;
434 pVM->patm.s.pPatchMemGC = MMHyperHC2GC(pVM, pVM->patm.s.pPatchMemHC);
435
436 pVM->patm.s.pGCStackGC = MMHyperHC2GC(pVM, pVM->patm.s.pGCStackHC);
437
438 pVM->patm.s.pStatsGC = MMHyperHC2GC(pVM, pVM->patm.s.pStatsHC);
439
440 pVM->patm.s.PatchLookupTreeGC = MMHyperHC2GC(pVM, pVM->patm.s.PatchLookupTreeHC);
441
442 if (pVM->patm.s.pfnSysEnterPatchGC)
443 pVM->patm.s.pfnSysEnterPatchGC += delta;
444
445 /* Deal with the global patch functions. */
446 pVM->patm.s.pfnHelperCallGC += delta;
447 pVM->patm.s.pfnHelperRetGC += delta;
448 pVM->patm.s.pfnHelperIretGC += delta;
449 pVM->patm.s.pfnHelperJumpGC += delta;
450
451 RelocatePatches(&pVM->patm.s.pGlobalPatchRec->Core, (void *)pVM);
452 }
453}
454
455
456/**
457 * Terminates the PATM.
458 *
459 * Termination means cleaning up and freeing all resources,
460 * the VM it self is at this point powered off or suspended.
461 *
462 * @returns VBox status code.
463 * @param pVM The VM to operate on.
464 */
465PATMR3DECL(int) PATMR3Term(PVM pVM)
466{
467 /* Memory was all allocated from the two MM heaps and requires no freeing. */
468 return VINF_SUCCESS;
469}
470
471
472/**
473 * PATM reset callback.
474 *
475 * @returns VBox status code.
476 * @param pVM The VM which is reset.
477 */
478PATMR3DECL(int) PATMR3Reset(PVM pVM)
479{
480 Log(("PATMR3Reset\n"));
481
482 /* Free all patches. */
483 while (true)
484 {
485 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloGCPtrRemoveBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, 0, true);
486 if (pPatchRec)
487 {
488 PATMRemovePatch(pVM, pPatchRec, true);
489 }
490 else
491 break;
492 }
493 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage);
494 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTree);
495 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr = 0;
496 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage = 0;
497
498 int rc = patmReinit(pVM);
499 if (VBOX_SUCCESS(rc))
500 rc = PATMR3InitFinalize(pVM); /* paranoia */
501
502 return rc;
503}
504
505/**
506 * Read callback for disassembly function; supports reading bytes that cross a page boundary
507 *
508 * @returns VBox status code.
509 * @param pSrc GC source pointer
510 * @param pDest HC destination pointer
511 * @param size Number of bytes to read
512 * @param dwUserdata Callback specific user data (pCpu)
513 *
514 */
515int32_t patmReadBytes(RTHCUINTPTR pSrc, uint8_t *pDest, uint32_t size, RTHCUINTPTR dwUserdata)
516{
517 DISCPUSTATE *pCpu = (DISCPUSTATE *)dwUserdata;
518 PATMDISASM *pDisInfo = (PATMDISASM *)pCpu->dwUserData[0];
519 int orgsize = size;
520
521 Assert(size);
522 if (size == 0)
523 return VERR_INVALID_PARAMETER;
524
525 /*
526 * Trap/interrupt handler typically call common code on entry. Which might already have patches inserted.
527 * As we currently don't support calling patch code from patch code, we'll let it read the original opcode bytes instead.
528 */
529 /** @todo could change in the future! */
530 if (pDisInfo->fReadFlags & PATMREAD_ORGCODE)
531 {
532 for (int i=0;i<orgsize;i++)
533 {
534 int rc = PATMR3QueryOpcode(pDisInfo->pVM, (RTGCPTR)pSrc, pDest);
535 if (VBOX_SUCCESS(rc))
536 {
537 pSrc++;
538 pDest++;
539 size--;
540 }
541 else break;
542 }
543 if (size == 0)
544 return VINF_SUCCESS;
545#ifdef VBOX_STRICT
546 if ( !(pDisInfo->pPatchInfo->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER))
547 && !(pDisInfo->fReadFlags & PATMREAD_NOCHECK))
548 {
549 Assert(PATMR3IsInsidePatchJump(pDisInfo->pVM, pSrc, NULL) == false);
550 Assert(PATMR3IsInsidePatchJump(pDisInfo->pVM, pSrc+size-1, NULL) == false);
551 }
552#endif
553 }
554
555
556 if (PAGE_ADDRESS(pDisInfo->pInstrGC) != PAGE_ADDRESS(pSrc + size - 1) && !PATMIsPatchGCAddr(pDisInfo->pVM, pSrc))
557 {
558 return PGMPhysReadGCPtr(pDisInfo->pVM, pDest, pSrc, size);
559 }
560 else
561 {
562 uint8_t *pInstrHC = pDisInfo->pInstrHC;
563
564 Assert(pInstrHC);
565
566 /* pInstrHC is the base address; adjust according to the GC pointer. */
567 pInstrHC = pInstrHC + (pSrc - pDisInfo->pInstrGC);
568
569 memcpy(pDest, (void *)pInstrHC, size);
570 }
571
572 return VINF_SUCCESS;
573}
574
575/**
576 * Callback function for RTAvloGCPtrDoWithAll
577 *
578 * Updates all fixups in the patches
579 *
580 * @returns VBox status code.
581 * @param pNode Current node
582 * @param pParam The VM to operate on.
583 */
584static DECLCALLBACK(int) RelocatePatches(PAVLOGCPTRNODECORE pNode, void *pParam)
585{
586 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
587 PVM pVM = (PVM)pParam;
588 RTGCINTPTR delta;
589#ifdef LOG_ENABLED
590 DISCPUSTATE cpu;
591 char szOutput[256];
592 uint32_t opsize;
593 bool disret;
594#endif
595 int rc;
596
597 /* Nothing to do if the patch is not active. */
598 if (pPatch->patch.uState == PATCH_REFUSED)
599 return 0;
600
601#ifdef LOG_ENABLED
602 if (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE)
603 {
604 /** @note pPrivInstrHC is probably not valid anymore */
605 rc = PGMPhysGCPtr2HCPtr(pVM, pPatch->patch.pPrivInstrGC, (PRTHCPTR)&pPatch->patch.pPrivInstrHC);
606 if (rc == VINF_SUCCESS)
607 {
608 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
609 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pPatch->patch.pPrivInstrGC, pPatch->patch.pPrivInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
610 Log(("Org patch jump: %s", szOutput));
611 }
612 }
613#endif
614
615 Log(("Nr of fixups %d\n", pPatch->patch.nrFixups));
616 delta = (RTGCINTPTR)pVM->patm.s.deltaReloc;
617
618 /*
619 * Apply fixups
620 */
621 PRELOCREC pRec = 0;
622 AVLPVKEY key = 0;
623
624 while (true)
625 {
626 /* Get the record that's closest from above */
627 pRec = (PRELOCREC)RTAvlPVGetBestFit(&pPatch->patch.FixupTree, key, true);
628 if (pRec == 0)
629 break;
630
631 key = (AVLPVKEY)(pRec->pRelocPos + 1); /* search for the next record during the next round. */
632
633 switch (pRec->uType)
634 {
635 case FIXUP_ABSOLUTE:
636 Log(("Absolute fixup at %VGv %VHv -> %VHv at %VGv\n", pRec->pSource, *(RTGCUINTPTR*)pRec->pRelocPos, *(RTGCINTPTR*)pRec->pRelocPos + delta, pRec->pRelocPos));
637 if (!pRec->pSource || PATMIsPatchGCAddr(pVM, pRec->pSource))
638 {
639 *(RTGCUINTPTR *)pRec->pRelocPos += delta;
640 }
641 else
642 {
643 uint8_t curInstr[15];
644 uint8_t oldInstr[15];
645 Assert(pRec->pSource && pPatch->patch.cbPrivInstr <= 15);
646
647 Assert(!(pPatch->patch.flags & PATMFL_GLOBAL_FUNCTIONS));
648
649 memcpy(oldInstr, pPatch->patch.aPrivInstr, pPatch->patch.cbPrivInstr);
650 *(RTGCPTR *)&oldInstr[pPatch->patch.cbPrivInstr - sizeof(RTGCPTR)] = pRec->pDest;
651
652 rc = PGMPhysReadGCPtr(pVM, curInstr, pPatch->patch.pPrivInstrGC, pPatch->patch.cbPrivInstr);
653 Assert(VBOX_SUCCESS(rc) || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT);
654
655 pRec->pDest = (RTGCPTR)((RTGCUINTPTR)pRec->pDest + delta);
656
657 if (rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT)
658 {
659 RTGCPTR pPage = pPatch->patch.pPrivInstrGC & PAGE_BASE_GC_MASK;
660
661 Log(("PATM: Patch page not present -> check later!\n"));
662 rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_ALL, pPage, pPage + (PAGE_SIZE - 1) /* inclusive! */, 0, patmVirtPageHandler, "PATMGCMonitorPage", 0, "PATMMonitorPatchJump");
663 Assert(VBOX_SUCCESS(rc) || rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT);
664 }
665 else
666 if (memcmp(curInstr, oldInstr, pPatch->patch.cbPrivInstr))
667 {
668 Log(("PATM: Patch was overwritten -> disabling patch!!\n"));
669 /*
670 * Disable patch; this is not a good solution
671 */
672 /* @todo hopefully it was completely overwritten (if the read was successful)!!!! */
673 pPatch->patch.uState = PATCH_DISABLED;
674 }
675 else
676 if (VBOX_SUCCESS(rc))
677 {
678 *(RTGCPTR *)&curInstr[pPatch->patch.cbPrivInstr - sizeof(RTGCPTR)] = pRec->pDest;
679 rc = PGMPhysWriteGCPtrDirty(pVM, pRec->pSource, curInstr, pPatch->patch.cbPrivInstr);
680 AssertRC(rc);
681 }
682 }
683 break;
684
685 case FIXUP_REL_JMPTOPATCH:
686 {
687 RTGCPTR pTarget = (RTGCPTR)((RTGCINTPTR)pRec->pDest + delta);
688
689 if ( pPatch->patch.uState == PATCH_ENABLED
690 && (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE))
691 {
692 uint8_t oldJump[SIZEOF_NEAR_COND_JUMP32];
693 uint8_t temp[SIZEOF_NEAR_COND_JUMP32];
694 RTGCPTR pJumpOffGC;
695 RTGCINTPTR displ = (RTGCINTPTR)pTarget - (RTGCINTPTR)pRec->pSource;
696 RTGCINTPTR displOld= (RTGCINTPTR)pRec->pDest - (RTGCINTPTR)pRec->pSource;
697
698 Log(("Relative fixup (g2p) %08X -> %08X at %08X (source=%08x, target=%08x)\n", *(int32_t*)pRec->pRelocPos, displ, pRec->pRelocPos, pRec->pSource, pRec->pDest));
699
700 Assert(pRec->pSource - pPatch->patch.cbPatchJump == pPatch->patch.pPrivInstrGC);
701#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
702 if (pPatch->patch.cbPatchJump == SIZEOF_NEAR_COND_JUMP32)
703 {
704 Assert(pPatch->patch.flags & PATMFL_JUMP_CONFLICT);
705
706 pJumpOffGC = pPatch->patch.pPrivInstrGC + 2; //two byte opcode
707 oldJump[0] = pPatch->patch.aPrivInstr[0];
708 oldJump[1] = pPatch->patch.aPrivInstr[1];
709 *(RTGCUINTPTR *)&oldJump[2] = displOld;
710 }
711 else
712#endif
713 if (pPatch->patch.cbPatchJump == SIZEOF_NEARJUMP32)
714 {
715 pJumpOffGC = pPatch->patch.pPrivInstrGC + 1; //one byte opcode
716 oldJump[0] = 0xE9;
717 *(RTGCUINTPTR *)&oldJump[1] = displOld;
718 }
719 else
720 {
721 AssertMsgFailed(("Invalid patch jump size %d\n", pPatch->patch.cbPatchJump));
722 continue; //this should never happen!!
723 }
724 Assert(pPatch->patch.cbPatchJump <= sizeof(temp));
725
726 /*
727 * Read old patch jump and compare it to the one we previously installed
728 */
729 rc = PGMPhysReadGCPtr(pVM, temp, pPatch->patch.pPrivInstrGC, pPatch->patch.cbPatchJump);
730 Assert(VBOX_SUCCESS(rc) || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT);
731
732 if (rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT)
733 {
734 RTGCPTR pPage = pPatch->patch.pPrivInstrGC & PAGE_BASE_GC_MASK;
735
736 rc = PGMR3HandlerVirtualRegister(pVM, PGMVIRTHANDLERTYPE_ALL, pPage, pPage + (PAGE_SIZE - 1) /* inclusive! */, 0, patmVirtPageHandler, "PATMGCMonitorPage", 0, "PATMMonitorPatchJump");
737 Assert(VBOX_SUCCESS(rc) || rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT);
738 }
739 else
740 if (memcmp(temp, oldJump, pPatch->patch.cbPatchJump))
741 {
742 Log(("PATM: Patch jump was overwritten -> disabling patch!!\n"));
743 /*
744 * Disable patch; this is not a good solution
745 */
746 /* @todo hopefully it was completely overwritten (if the read was successful)!!!! */
747 pPatch->patch.uState = PATCH_DISABLED;
748 }
749 else
750 if (VBOX_SUCCESS(rc))
751 {
752 rc = PGMPhysWriteGCPtrDirty(pVM, pJumpOffGC, &displ, sizeof(displ));
753 AssertRC(rc);
754 }
755 else
756 {
757 AssertMsgFailed(("Unexpected error %d from MMR3PhysReadGCVirt\n", rc));
758 }
759 }
760 else
761 {
762 Log(("Skip the guest jump to patch code for this disabled patch %08X - %08X\n", pPatch->patch.pPrivInstrHC, pRec->pRelocPos));
763 }
764
765 pRec->pDest = pTarget;
766 break;
767 }
768
769 case FIXUP_REL_JMPTOGUEST:
770 {
771 RTGCPTR pSource = (RTGCPTR)((RTGCINTPTR)pRec->pSource + delta);
772 RTGCINTPTR displ = (RTGCINTPTR)pRec->pDest - (RTGCINTPTR)pSource;
773
774 Assert(!(pPatch->patch.flags & PATMFL_GLOBAL_FUNCTIONS));
775 Log(("Relative fixup (p2g) %08X -> %08X at %08X (source=%08x, target=%08x)\n", *(int32_t*)pRec->pRelocPos, displ, pRec->pRelocPos, pRec->pSource, pRec->pDest));
776 *(RTGCUINTPTR *)pRec->pRelocPos = displ;
777 pRec->pSource = pSource;
778 break;
779 }
780
781 default:
782 AssertMsg(0, ("Invalid fixup type!!\n"));
783 return VERR_INVALID_PARAMETER;
784 }
785 }
786
787#ifdef LOG_ENABLED
788 if (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE)
789 {
790 /** @note pPrivInstrHC is probably not valid anymore */
791 rc = PGMPhysGCPtr2HCPtr(pVM, pPatch->patch.pPrivInstrGC, (PRTHCPTR)&pPatch->patch.pPrivInstrHC);
792 if (rc == VINF_SUCCESS)
793 {
794 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
795 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pPatch->patch.pPrivInstrGC, pPatch->patch.pPrivInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
796 Log(("Rel patch jump: %s", szOutput));
797 }
798 }
799#endif
800 return 0;
801}
802
803/**
804 * #PF Handler callback for virtual access handler ranges.
805 *
806 * Important to realize that a physical page in a range can have aliases, and
807 * for ALL and WRITE handlers these will also trigger.
808 *
809 * @returns VINF_SUCCESS if the handler have carried out the operation.
810 * @returns VINF_PGM_HANDLER_DO_DEFAULT if the caller should carry out the access operation.
811 * @param pVM VM Handle.
812 * @param GCPtr The virtual address the guest is writing to. (not correct if it's an alias!)
813 * @param pvPtr The HC mapping of that address.
814 * @param pvBuf What the guest is reading/writing.
815 * @param cbBuf How much it's reading/writing.
816 * @param enmAccessType The access type.
817 * @param pvUser User argument.
818 */
819static DECLCALLBACK(int) patmVirtPageHandler(PVM pVM, RTGCPTR GCPtr, void *pvPtr, void *pvBuf, size_t cbBuf, PGMACCESSTYPE enmAccessType, void *pvUser)
820{
821 Assert(enmAccessType == PGMACCESSTYPE_WRITE);
822 /** @todo could be the wrong virtual address (alias) */
823 pVM->patm.s.pvFaultMonitor = GCPtr;
824 PATMR3HandleMonitoredPage(pVM);
825 return VINF_PGM_HANDLER_DO_DEFAULT;
826}
827
828
829#ifdef VBOX_WITH_DEBUGGER
830/**
831 * Callback function for RTAvloGCPtrDoWithAll
832 *
833 * Enables the patch that's being enumerated
834 *
835 * @returns 0 (continue enumeration).
836 * @param pNode Current node
837 * @param pVM The VM to operate on.
838 */
839static DECLCALLBACK(int) EnableAllPatches(PAVLOGCPTRNODECORE pNode, void *pVM)
840{
841 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
842
843 PATMR3EnablePatch((PVM)pVM, (RTGCPTR)pPatch->Core.Key);
844 return 0;
845}
846#endif /* VBOX_WITH_DEBUGGER */
847
848
849#ifdef VBOX_WITH_DEBUGGER
850/**
851 * Callback function for RTAvloGCPtrDoWithAll
852 *
853 * Disables the patch that's being enumerated
854 *
855 * @returns 0 (continue enumeration).
856 * @param pNode Current node
857 * @param pVM The VM to operate on.
858 */
859static DECLCALLBACK(int) DisableAllPatches(PAVLOGCPTRNODECORE pNode, void *pVM)
860{
861 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
862
863 PATMR3DisablePatch((PVM)pVM, (RTGCPTR)pPatch->Core.Key);
864 return 0;
865}
866#endif
867
868/**
869 * Returns the host context pointer and size of the patch memory block
870 *
871 * @returns VBox status code.
872 * @param pVM The VM to operate on.
873 * @param pcb Size of the patch memory block
874 */
875PATMR3DECL(void *) PATMR3QueryPatchMemHC(PVM pVM, uint32_t *pcb)
876{
877 if (pcb)
878 {
879 *pcb = pVM->patm.s.cbPatchMem;
880 }
881 return pVM->patm.s.pPatchMemHC;
882}
883
884
885/**
886 * Returns the guest context pointer and size of the patch memory block
887 *
888 * @returns VBox status code.
889 * @param pVM The VM to operate on.
890 * @param pcb Size of the patch memory block
891 */
892PATMR3DECL(RTGCPTR) PATMR3QueryPatchMemGC(PVM pVM, uint32_t *pcb)
893{
894 if (pcb)
895 {
896 *pcb = pVM->patm.s.cbPatchMem;
897 }
898 return pVM->patm.s.pPatchMemGC;
899}
900
901
902/**
903 * Returns the host context pointer of the GC context structure
904 *
905 * @returns VBox status code.
906 * @param pVM The VM to operate on.
907 */
908PATMR3DECL(PPATMGCSTATE) PATMR3QueryGCStateHC(PVM pVM)
909{
910 return pVM->patm.s.pGCStateHC;
911}
912
913
914/**
915 * Checks whether the HC address is part of our patch region
916 *
917 * @returns VBox status code.
918 * @param pVM The VM to operate on.
919 * @param pAddrGC Guest context address
920 */
921PATMR3DECL(bool) PATMR3IsPatchHCAddr(PVM pVM, HCPTRTYPE(uint8_t *) pAddrHC)
922{
923 return (pAddrHC >= pVM->patm.s.pPatchMemHC && pAddrHC < pVM->patm.s.pPatchMemHC + pVM->patm.s.cbPatchMem) ? true : false;
924}
925
926
927/**
928 * Allows or disallow patching of privileged instructions executed by the guest OS
929 *
930 * @returns VBox status code.
931 * @param pVM The VM to operate on.
932 * @param fAllowPatching Allow/disallow patching
933 */
934PATMR3DECL(int) PATMR3AllowPatching(PVM pVM, uint32_t fAllowPatching)
935{
936 pVM->fPATMEnabled = (fAllowPatching) ? true : false;
937 return VINF_SUCCESS;
938}
939
940/**
941 * Convert a GC patch block pointer to a HC patch pointer
942 *
943 * @returns HC pointer or NULL if it's not a GC patch pointer
944 * @param pVM The VM to operate on.
945 * @param pAddrGC GC pointer
946 */
947PATMR3DECL(HCPTRTYPE(void *)) PATMR3GCPtrToHCPtr(PVM pVM, RTGCPTR pAddrGC)
948{
949 if (pVM->patm.s.pPatchMemGC <= pAddrGC && pVM->patm.s.pPatchMemGC + pVM->patm.s.cbPatchMem > pAddrGC)
950 {
951 return pVM->patm.s.pPatchMemHC + (pAddrGC - pVM->patm.s.pPatchMemGC);
952 }
953 return NULL;
954}
955
956/**
957 * Query PATM state (enabled/disabled)
958 *
959 * @returns 0 - disabled, 1 - enabled
960 * @param pVM The VM to operate on.
961 */
962PATMR3DECL(int) PATMR3IsEnabled(PVM pVM)
963{
964 return pVM->fPATMEnabled;
965}
966
967
968/**
969 * Convert guest context address to host context pointer
970 *
971 * @returns VBox status code.
972 * @param pVM The VM to operate on.
973 * @param pPatch Patch block structure pointer
974 * @param pGCPtr Guest context pointer
975 *
976 * @returns Host context pointer or NULL in case of an error
977 *
978 */
979HCPTRTYPE(uint8_t *) PATMGCVirtToHCVirt(PVM pVM, PPATCHINFO pPatch, GCPTRTYPE(uint8_t *) pGCPtr)
980{
981 int rc;
982 HCPTRTYPE(uint8_t *) pHCPtr;
983 uint32_t offset;
984
985 if (PATMIsPatchGCAddr(pVM, pGCPtr))
986 {
987 return PATCHCODE_PTR_HC(pPatch) + (pGCPtr - PATCHCODE_PTR_GC(pPatch));
988 }
989
990 offset = pGCPtr & PAGE_OFFSET_MASK;
991 if (pPatch->cacheRec.pGuestLoc == (pGCPtr & PAGE_BASE_GC_MASK))
992 {
993 return pPatch->cacheRec.pPatchLocStartHC + offset;
994 }
995
996 rc = PGMPhysGCPtr2HCPtr(pVM, pGCPtr, (void **)&pHCPtr);
997 if (rc != VINF_SUCCESS)
998 {
999 AssertMsg(rc == VINF_SUCCESS || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT, ("MMR3PhysGCVirt2HCVirtEx failed for %08X\n", pGCPtr));
1000 return NULL;
1001 }
1002////invalid? Assert(sizeof(HCPTRTYPE(uint8_t*)) == sizeof(uint32_t));
1003
1004 pPatch->cacheRec.pPatchLocStartHC = (HCPTRTYPE(uint8_t*))((RTHCUINTPTR)pHCPtr & PAGE_BASE_HC_MASK);
1005 pPatch->cacheRec.pGuestLoc = pGCPtr & PAGE_BASE_GC_MASK;
1006 return pHCPtr;
1007}
1008
1009
1010/* Calculates and fills in all branch targets
1011 *
1012 * @returns VBox status code.
1013 * @param pVM The VM to operate on.
1014 * @param pPatch Current patch block pointer
1015 *
1016 */
1017static int patmr3SetBranchTargets(PVM pVM, PPATCHINFO pPatch)
1018{
1019 int32_t displ;
1020
1021 PJUMPREC pRec = 0;
1022 int nrJumpRecs = 0;
1023
1024 /*
1025 * Set all branch targets inside the patch block.
1026 * We remove all jump records as they are no longer needed afterwards.
1027 */
1028 while (true)
1029 {
1030 GCPTRTYPE(uint8_t *) pInstrGC;
1031 GCPTRTYPE(uint8_t *) pBranchTargetGC = 0;
1032
1033 pRec = (PJUMPREC)RTAvlPVRemoveBestFit(&pPatch->JumpTree, 0, true);
1034 if (pRec == 0)
1035 break;
1036
1037 nrJumpRecs++;
1038
1039 /* HC in patch block to GC in patch block. */
1040 pInstrGC = patmPatchHCPtr2PatchGCPtr(pVM, pRec->pJumpHC);
1041
1042 if (pRec->opcode == OP_CALL)
1043 {
1044 /* Special case: call function replacement patch from this patch block.
1045 */
1046 if (PATMQueryFunctionPatch(pVM, pRec->pTargetGC) == 0)
1047 {
1048 int rc;
1049
1050 if (PATMR3HasBeenPatched(pVM, pRec->pTargetGC) == false)
1051 rc = PATMR3InstallPatch(pVM, pRec->pTargetGC, PATMFL_CODE32 | PATMFL_DUPLICATE_FUNCTION);
1052 else
1053 rc = VERR_PATCHING_REFUSED; /* exists as a normal patch; can't use it */
1054
1055 if (VBOX_FAILURE(rc))
1056 {
1057 uint8_t *pPatchHC;
1058 RTGCPTR pPatchGC;
1059 RTGCPTR pOrgInstrGC;
1060
1061 pOrgInstrGC = PATMR3PatchToGCPtr(pVM, pInstrGC, 0);
1062 Assert(pOrgInstrGC);
1063
1064 /* Failure for some reason -> mark exit point with int 3. */
1065 Log(("Failed to install function replacement patch (at %x) for reason %Vrc\n", pOrgInstrGC, rc));
1066
1067 pPatchGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pOrgInstrGC);
1068 Assert(pPatchGC);
1069
1070 pPatchHC = pVM->patm.s.pPatchMemHC + (pPatchGC - pVM->patm.s.pPatchMemGC);
1071
1072 /* Set a breakpoint at the very beginning of the recompiled instruction */
1073 *pPatchHC = 0xCC;
1074
1075 continue;
1076 }
1077 }
1078 pBranchTargetGC = PATMR3QueryPatchGCPtr(pVM, pRec->pTargetGC);
1079 }
1080 else
1081 {
1082 pBranchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pRec->pTargetGC);
1083 }
1084
1085 if (pBranchTargetGC == 0)
1086 {
1087 AssertMsgFailed(("patmr3SetBranchTargets: patmGuestGCPtrToPatchGCPtr failed for %08X\n", pRec->pTargetGC));
1088 return VERR_PATCHING_REFUSED;
1089 }
1090 /* Our jumps *always* have a dword displacement (to make things easier). */
1091 Assert(sizeof(uint32_t) == sizeof(RTGCPTR));
1092 displ = pBranchTargetGC - (pInstrGC + pRec->offDispl + sizeof(RTGCPTR));
1093 *(RTGCPTR *)(pRec->pJumpHC + pRec->offDispl) = displ;
1094 Log(("Set branch target %d to %08X : %08x - (%08x + %d + %d)\n", nrJumpRecs, displ, pBranchTargetGC, pInstrGC, pRec->offDispl, sizeof(RTGCPTR)));
1095 }
1096 Assert(nrJumpRecs == pPatch->nrJumpRecs);
1097 Assert(pPatch->JumpTree == 0);
1098 return VINF_SUCCESS;
1099}
1100
1101/* Add an illegal instruction record
1102 *
1103 * @param pVM The VM to operate on.
1104 * @param pPatch Patch structure ptr
1105 * @param pInstrGC Guest context pointer to privileged instruction
1106 *
1107 */
1108static void patmAddIllegalInstrRecord(PVM pVM, PPATCHINFO pPatch, RTGCPTR pInstrGC)
1109{
1110 PAVLPVNODECORE pRec;
1111
1112 pRec = (PAVLPVNODECORE)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
1113 Assert(pRec);
1114 pRec->Key = (AVLPVKEY)pInstrGC;
1115
1116 bool ret = RTAvlPVInsert(&pPatch->pTempInfo->IllegalInstrTree, pRec);
1117 Assert(ret); NOREF(ret);
1118 pPatch->pTempInfo->nrIllegalInstr++;
1119}
1120
1121static bool patmIsIllegalInstr(PPATCHINFO pPatch, RTGCPTR pInstrGC)
1122{
1123 PAVLPVNODECORE pRec;
1124
1125 pRec = RTAvlPVGet(&pPatch->pTempInfo->IllegalInstrTree, (AVLPVKEY)pInstrGC);
1126 if (pRec)
1127 return true;
1128 return false;
1129}
1130
1131/**
1132 * Add a patch to guest lookup record
1133 *
1134 * @param pVM The VM to operate on.
1135 * @param pPatch Patch structure ptr
1136 * @param pPatchInstrHC Guest context pointer to patch block
1137 * @param pInstrGC Guest context pointer to privileged instruction
1138 * @param enmType Lookup type
1139 * @param fDirty Dirty flag
1140 *
1141 */
1142 /** @note Be extremely careful with this function. Make absolutely sure the guest address is correct! (to avoid executing instructions twice!) */
1143void patmr3AddP2GLookupRecord(PVM pVM, PPATCHINFO pPatch, uint8_t *pPatchInstrHC, RTGCPTR pInstrGC, PATM_LOOKUP_TYPE enmType, bool fDirty)
1144{
1145 bool ret;
1146 PRECPATCHTOGUEST pPatchToGuestRec;
1147 PRECGUESTTOPATCH pGuestToPatchRec;
1148 uint32_t PatchOffset = pPatchInstrHC - pVM->patm.s.pPatchMemHC; /* Offset in memory reserved for PATM. */
1149
1150 if (enmType == PATM_LOOKUP_PATCH2GUEST)
1151 {
1152 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1153 if (pPatchToGuestRec && pPatchToGuestRec->Core.Key == PatchOffset)
1154 return; /* already there */
1155
1156 Assert(!pPatchToGuestRec);
1157 }
1158#ifdef VBOX_STRICT
1159 else
1160 {
1161 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1162 Assert(!pPatchToGuestRec);
1163 }
1164#endif
1165
1166 pPatchToGuestRec = (PRECPATCHTOGUEST)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(RECPATCHTOGUEST) + sizeof(RECGUESTTOPATCH));
1167 Assert(pPatchToGuestRec);
1168 pPatchToGuestRec->Core.Key = PatchOffset;
1169 pPatchToGuestRec->pOrgInstrGC = pInstrGC;
1170 pPatchToGuestRec->enmType = enmType;
1171 pPatchToGuestRec->fDirty = fDirty;
1172
1173 ret = RTAvlU32Insert(&pPatch->Patch2GuestAddrTree, &pPatchToGuestRec->Core);
1174 Assert(ret);
1175
1176 /* GC to patch address */
1177 if (enmType == PATM_LOOKUP_BOTHDIR)
1178 {
1179 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGet(&pPatch->Guest2PatchAddrTree, pInstrGC);
1180 if (!pGuestToPatchRec)
1181 {
1182 pGuestToPatchRec = (PRECGUESTTOPATCH)(pPatchToGuestRec+1);
1183 pGuestToPatchRec->Core.Key = pInstrGC;
1184 pGuestToPatchRec->PatchOffset = PatchOffset;
1185
1186 ret = RTAvlGCPtrInsert(&pPatch->Guest2PatchAddrTree, &pGuestToPatchRec->Core);
1187 Assert(ret);
1188 }
1189 }
1190
1191 pPatch->nrPatch2GuestRecs++;
1192}
1193
1194
1195/**
1196 * Removes a patch to guest lookup record
1197 *
1198 * @param pVM The VM to operate on.
1199 * @param pPatch Patch structure ptr
1200 * @param pPatchInstrGC Guest context pointer to patch block
1201 */
1202void patmr3RemoveP2GLookupRecord(PVM pVM, PPATCHINFO pPatch, RTGCPTR pPatchInstrGC)
1203{
1204 PAVLU32NODECORE pNode;
1205 PAVLGCPTRNODECORE pNode2;
1206 PRECPATCHTOGUEST pPatchToGuestRec;
1207 uint32_t PatchOffset = pPatchInstrGC - pVM->patm.s.pPatchMemGC; /* Offset in memory reserved for PATM. */
1208
1209 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1210 Assert(pPatchToGuestRec);
1211 if (pPatchToGuestRec)
1212 {
1213 if (pPatchToGuestRec->enmType == PATM_LOOKUP_BOTHDIR)
1214 {
1215 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)(pPatchToGuestRec+1);
1216
1217 Assert(pGuestToPatchRec->Core.Key);
1218 pNode2 = RTAvlGCPtrRemove(&pPatch->Guest2PatchAddrTree, pGuestToPatchRec->Core.Key);
1219 Assert(pNode2);
1220 }
1221 pNode = RTAvlU32Remove(&pPatch->Patch2GuestAddrTree, pPatchToGuestRec->Core.Key);
1222 Assert(pNode);
1223
1224 MMR3HeapFree(pPatchToGuestRec);
1225 pPatch->nrPatch2GuestRecs--;
1226 }
1227}
1228
1229
1230/**
1231 * RTAvlPVDestroy callback.
1232 */
1233static DECLCALLBACK(int) patmEmptyTreePVCallback(PAVLPVNODECORE pNode, void *)
1234{
1235 MMR3HeapFree(pNode);
1236 return 0;
1237}
1238
1239/**
1240 * Empty the specified tree (PV tree, MMR3 heap)
1241 *
1242 * @param pVM The VM to operate on.
1243 * @param ppTree Tree to empty
1244 */
1245void patmEmptyTree(PVM pVM, PAVLPVNODECORE *ppTree)
1246{
1247 RTAvlPVDestroy(ppTree, patmEmptyTreePVCallback, NULL);
1248}
1249
1250
1251/**
1252 * RTAvlU32Destroy callback.
1253 */
1254static DECLCALLBACK(int) patmEmptyTreeU32Callback(PAVLU32NODECORE pNode, void *)
1255{
1256 MMR3HeapFree(pNode);
1257 return 0;
1258}
1259
1260/**
1261 * Empty the specified tree (U32 tree, MMR3 heap)
1262 *
1263 * @param pVM The VM to operate on.
1264 * @param ppTree Tree to empty
1265 */
1266void patmEmptyTreeU32(PVM pVM, PPAVLU32NODECORE ppTree)
1267{
1268 RTAvlU32Destroy(ppTree, patmEmptyTreeU32Callback, NULL);
1269}
1270
1271
1272/**
1273 * Analyses the instructions following the cli for compliance with our heuristics for cli & pushf
1274 *
1275 * @returns VBox status code.
1276 * @param pVM The VM to operate on.
1277 * @param pCpu CPU disassembly state
1278 * @param pInstrGC Guest context pointer to privileged instruction
1279 * @param pCurInstrGC Guest context pointer to the current instruction
1280 * @param pUserData User pointer (callback specific)
1281 *
1282 */
1283static int patmAnalyseBlockCallback(PVM pVM, DISCPUSTATE *pCpu, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
1284{
1285 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
1286 bool fIllegalInstr = false;
1287
1288 //Preliminary heuristics:
1289 //- no call instructions without a fixed displacement between cli and sti/popf
1290 //- no jumps in the instructions following cli (4+ bytes; enough for the replacement jump (5 bytes))
1291 //- no nested pushf/cli
1292 //- sti/popf should be the (eventual) target of all branches
1293 //- no near or far returns; no int xx, no into
1294 //
1295 // Note: Later on we can impose less stricter guidelines if the need arises
1296
1297 /* Bail out if the patch gets too big. */
1298 if (pPatch->cbPatchBlockSize >= MAX_PATCH_SIZE)
1299 {
1300 Log(("Code block too big (%x) for patch at %VGv!!\n", pPatch->cbPatchBlockSize, pCurInstrGC));
1301 fIllegalInstr = true;
1302 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1303 }
1304 else
1305 {
1306 /* No unconditinal jumps or calls without fixed displacements. */
1307 if ( (pCpu->pCurInstr->optype & OPTYPE_CONTROLFLOW)
1308 && (pCpu->pCurInstr->opcode == OP_JMP || pCpu->pCurInstr->opcode == OP_CALL)
1309 )
1310 {
1311 Assert(pCpu->param1.size <= 4 || pCpu->param1.size == 8);
1312 if ( pCpu->param1.size == 8 /* far call/jmp */
1313 || (pCpu->pCurInstr->opcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
1314 || (OP_PARM_VTYPE(pCpu->pCurInstr->param1) != OP_PARM_J && !(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS))
1315 )
1316 {
1317 fIllegalInstr = true;
1318 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1319 }
1320 }
1321
1322 /* An unconditional (short) jump right after a cli is a potential problem; we will overwrite whichever function comes afterwards */
1323 if (pPatch->opcode == OP_CLI && pCpu->pCurInstr->opcode == OP_JMP)
1324 {
1325 if (pCurInstrGC > pPatch->pPrivInstrGC && pCurInstrGC + pCpu->opsize < pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32) /* hardcoded patch jump size; cbPatchJump is still zero */
1326 {
1327 Log(("Dangerous unconditional jump ends in our generated patch jump!! (%x vs %x)\n", pCurInstrGC, pPatch->pPrivInstrGC));
1328 /* We turn this one into a int 3 callable patch. */
1329 pPatch->flags |= PATMFL_INT3_REPLACEMENT_BLOCK;
1330 }
1331 }
1332 else
1333 /* no nested pushfs just yet; nested cli is allowed for cli patches though. */
1334 if (pPatch->opcode == OP_PUSHF)
1335 {
1336 if (pCurInstrGC != pInstrGC && pCpu->pCurInstr->opcode == OP_PUSHF)
1337 {
1338 fIllegalInstr = true;
1339 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1340 }
1341 }
1342
1343 // no far returns
1344 if (pCpu->pCurInstr->opcode == OP_RETF)
1345 {
1346 pPatch->pTempInfo->nrRetInstr++;
1347 fIllegalInstr = true;
1348 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1349 }
1350 else
1351 // no int xx or into either
1352 if (pCpu->pCurInstr->opcode == OP_INT3 || pCpu->pCurInstr->opcode == OP_INT || pCpu->pCurInstr->opcode == OP_INTO)
1353 {
1354 fIllegalInstr = true;
1355 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1356 }
1357 }
1358
1359 pPatch->cbPatchBlockSize += pCpu->opsize;
1360
1361 /* Illegal instruction -> end of analysis phase for this code block */
1362 if (fIllegalInstr || patmIsIllegalInstr(pPatch, pCurInstrGC))
1363 return VINF_SUCCESS;
1364
1365 /* Check for exit points. */
1366 switch (pCpu->pCurInstr->opcode)
1367 {
1368 case OP_SYSEXIT:
1369 return VINF_SUCCESS; /* duplicate it; will fault or emulated in GC. */
1370
1371 case OP_SYSENTER:
1372 case OP_ILLUD2:
1373 //This appears to be some kind of kernel panic in Linux 2.4; no point to analyse more
1374 Log(("Illegal opcode (0xf 0xb) -> return here\n"));
1375 return VINF_SUCCESS;
1376
1377 case OP_STI:
1378 case OP_POPF:
1379 Assert(!(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION)));
1380 /* If out exit point lies within the generated patch jump, then we have to refuse!! */
1381 if (pCurInstrGC > pPatch->pPrivInstrGC && pCurInstrGC < pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32) /* hardcoded patch jump size; cbPatchJump is still zero */
1382 {
1383 Log(("Exit point within patch jump itself!! (%x vs %x)\n", pCurInstrGC, pPatch->pPrivInstrGC));
1384 return VERR_PATCHING_REFUSED;
1385 }
1386 if (pPatch->opcode == OP_PUSHF)
1387 {
1388 if (pCpu->pCurInstr->opcode == OP_POPF)
1389 {
1390 if (pPatch->cbPatchBlockSize >= SIZEOF_NEARJUMP32)
1391 return VINF_SUCCESS;
1392
1393 /* Or else we need to duplicate more instructions, because we can't jump back yet! */
1394 Log(("WARNING: End of block reached, but we need to duplicate some extra instruction to avoid a conflict with the patch jump\n"));
1395 pPatch->flags |= PATMFL_CHECK_SIZE;
1396 }
1397 break; //sti doesn't mark the end of a pushf block; only popf does
1398 }
1399 //else no break
1400 case OP_RETN: /* exit point for function replacement */
1401 return VINF_SUCCESS;
1402
1403 case OP_IRET:
1404 return VINF_SUCCESS; /* exitpoint */
1405
1406 case OP_CPUID:
1407 case OP_CALL:
1408 case OP_JMP:
1409 break;
1410
1411 default:
1412 if (pCpu->pCurInstr->optype & (OPTYPE_PRIVILEGED_NOTRAP))
1413 {
1414 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1415 return VINF_SUCCESS; /* exit point */
1416 }
1417 break;
1418 }
1419
1420 // If single instruction patch, we've copied enough instructions *and* the current instruction is not a relative jump
1421 if ((pPatch->flags & PATMFL_CHECK_SIZE) && pPatch->cbPatchBlockSize > SIZEOF_NEARJUMP32 && !(pCpu->pCurInstr->optype & OPTYPE_RELATIVE_CONTROLFLOW))
1422 {
1423 // The end marker for this kind of patch is any instruction at a location outside our patch jump
1424 Log(("End of block at %VGv size %d\n", pCurInstrGC, pCpu->opsize));
1425 return VINF_SUCCESS;
1426 }
1427
1428 return VWRN_CONTINUE_ANALYSIS;
1429}
1430
1431/**
1432 * Analyses the instructions inside a function for compliance
1433 *
1434 * @returns VBox status code.
1435 * @param pVM The VM to operate on.
1436 * @param pCpu CPU disassembly state
1437 * @param pInstrGC Guest context pointer to privileged instruction
1438 * @param pCurInstrGC Guest context pointer to the current instruction
1439 * @param pUserData User pointer (callback specific)
1440 *
1441 */
1442static int patmAnalyseFunctionCallback(PVM pVM, DISCPUSTATE *pCpu, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
1443{
1444 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
1445 bool fIllegalInstr = false;
1446
1447 //Preliminary heuristics:
1448 //- no call instructions
1449 //- ret ends a block
1450
1451 Assert(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION));
1452
1453 // bail out if the patch gets too big
1454 if (pPatch->cbPatchBlockSize >= MAX_PATCH_SIZE)
1455 {
1456 Log(("Code block too big (%x) for function patch at %VGv!!\n", pPatch->cbPatchBlockSize, pCurInstrGC));
1457 fIllegalInstr = true;
1458 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1459 }
1460 else
1461 {
1462 // no unconditinal jumps or calls without fixed displacements
1463 if ( (pCpu->pCurInstr->optype & OPTYPE_CONTROLFLOW)
1464 && (pCpu->pCurInstr->opcode == OP_JMP || pCpu->pCurInstr->opcode == OP_CALL)
1465 )
1466 {
1467 Assert(pCpu->param1.size <= 4 || pCpu->param1.size == 8);
1468 if ( pCpu->param1.size == 8 /* far call/jmp */
1469 || (pCpu->pCurInstr->opcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
1470 || (OP_PARM_VTYPE(pCpu->pCurInstr->param1) != OP_PARM_J && !(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS))
1471 )
1472 {
1473 fIllegalInstr = true;
1474 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1475 }
1476 }
1477 else /* no far returns */
1478 if (pCpu->pCurInstr->opcode == OP_RETF)
1479 {
1480 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1481 fIllegalInstr = true;
1482 }
1483 else /* no int xx or into either */
1484 if (pCpu->pCurInstr->opcode == OP_INT3 || pCpu->pCurInstr->opcode == OP_INT || pCpu->pCurInstr->opcode == OP_INTO)
1485 {
1486 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1487 fIllegalInstr = true;
1488 }
1489
1490 #if 0
1491 ///@todo we can handle certain in/out and privileged instructions in the guest context
1492 if (pCpu->pCurInstr->optype & OPTYPE_PRIVILEGED && pCpu->pCurInstr->opcode != OP_STI)
1493 {
1494 Log(("Illegal instructions for function patch!!\n"));
1495 return VERR_PATCHING_REFUSED;
1496 }
1497 #endif
1498 }
1499
1500 pPatch->cbPatchBlockSize += pCpu->opsize;
1501
1502 /* Illegal instruction -> end of analysis phase for this code block */
1503 if (fIllegalInstr || patmIsIllegalInstr(pPatch, pCurInstrGC))
1504 {
1505 return VINF_SUCCESS;
1506 }
1507
1508 // Check for exit points
1509 switch (pCpu->pCurInstr->opcode)
1510 {
1511 case OP_ILLUD2:
1512 //This appears to be some kind of kernel panic in Linux 2.4; no point to analyse more
1513 Log(("Illegal opcode (0xf 0xb) -> return here\n"));
1514 return VINF_SUCCESS;
1515
1516 case OP_IRET:
1517 case OP_SYSEXIT: /* will fault or emulated in GC */
1518 case OP_RETN:
1519 return VINF_SUCCESS;
1520
1521 case OP_POPF:
1522 case OP_STI:
1523 return VWRN_CONTINUE_ANALYSIS;
1524 default:
1525 if (pCpu->pCurInstr->optype & (OPTYPE_PRIVILEGED_NOTRAP))
1526 {
1527 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1528 return VINF_SUCCESS; /* exit point */
1529 }
1530 return VWRN_CONTINUE_ANALYSIS;
1531 }
1532
1533 return VWRN_CONTINUE_ANALYSIS;
1534}
1535
1536/**
1537 * Recompiles the instructions in a code block
1538 *
1539 * @returns VBox status code.
1540 * @param pVM The VM to operate on.
1541 * @param pCpu CPU disassembly state
1542 * @param pInstrGC Guest context pointer to privileged instruction
1543 * @param pCurInstrGC Guest context pointer to the current instruction
1544 * @param pUserData User pointer (callback specific)
1545 *
1546 */
1547static int patmRecompileCallback(PVM pVM, DISCPUSTATE *pCpu, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
1548{
1549 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
1550 int rc = VINF_SUCCESS;
1551 bool fInhibitIRQInstr = false; /* did the instruction cause PATMFL_INHIBITIRQS to be set? */
1552
1553 LogFlow(("patmRecompileCallback %VGv %VGv\n", pInstrGC, pCurInstrGC));
1554
1555 if ( patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pCurInstrGC) != 0
1556 && !(pPatch->flags & PATMFL_RECOMPILE_NEXT)) /* do not do this when the next instruction *must* be executed! */
1557 {
1558 /*
1559 * Been there, done that; so insert a jump (we don't want to duplicate code)
1560 * no need to record this instruction as it's glue code that never crashes (it had better not!)
1561 */
1562 Log(("patmRecompileCallback: jump to code we've recompiled before %VGv!\n", pCurInstrGC));
1563 return patmPatchGenRelJump(pVM, pPatch, pCurInstrGC, OP_JMP, !!(pCpu->prefix & PREFIX_OPSIZE));
1564 }
1565
1566 if (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1567 {
1568 rc = patmAnalyseFunctionCallback(pVM, pCpu, pInstrGC, pCurInstrGC, pUserData);
1569 }
1570 else
1571 rc = patmAnalyseBlockCallback(pVM, pCpu, pInstrGC, pCurInstrGC, pUserData);
1572
1573 if (VBOX_FAILURE(rc))
1574 return rc;
1575
1576 /** @note Never do a direct return unless a failure is encountered! */
1577
1578 /* Clear recompilation of next instruction flag; we are doing that right here. */
1579 if (pPatch->flags & PATMFL_RECOMPILE_NEXT)
1580 pPatch->flags &= ~PATMFL_RECOMPILE_NEXT;
1581
1582 /* Add lookup record for patch to guest address translation */
1583 patmr3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
1584
1585 /* Update lowest and highest instruction address for this patch */
1586 if (pCurInstrGC < pPatch->pInstrGCLowest)
1587 pPatch->pInstrGCLowest = pCurInstrGC;
1588 else
1589 if (pCurInstrGC > pPatch->pInstrGCHighest)
1590 pPatch->pInstrGCHighest = pCurInstrGC + pCpu->opsize;
1591
1592 /* Illegal instruction -> end of recompile phase for this code block. */
1593 if (patmIsIllegalInstr(pPatch, pCurInstrGC))
1594 {
1595 Log(("Illegal instruction at %VGv -> mark with int 3\n", pCurInstrGC));
1596 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1597 goto end;
1598 }
1599
1600 /* For our first attempt, we'll handle only simple relative jumps (immediate offset coded in instruction).
1601 * Indirect calls are handled below.
1602 */
1603 if ( (pCpu->pCurInstr->optype & OPTYPE_CONTROLFLOW)
1604 && (pCpu->pCurInstr->opcode != OP_CALL || (pPatch->flags & PATMFL_SUPPORT_CALLS))
1605 && (OP_PARM_VTYPE(pCpu->pCurInstr->param1) == OP_PARM_J))
1606 {
1607 GCPTRTYPE(uint8_t *) pTargetGC = PATMResolveBranch(pCpu, pCurInstrGC);
1608 if (pTargetGC == 0)
1609 {
1610 Log(("We don't support far jumps here!! (%08X)\n", pCpu->param1.flags));
1611 return VERR_PATCHING_REFUSED;
1612 }
1613
1614 if (pCpu->pCurInstr->opcode == OP_CALL)
1615 {
1616 Assert(!PATMIsPatchGCAddr(pVM, pTargetGC));
1617 rc = patmPatchGenCall(pVM, pPatch, pCpu, pCurInstrGC, pTargetGC, false);
1618 if (VBOX_FAILURE(rc))
1619 goto end;
1620 }
1621 else
1622 rc = patmPatchGenRelJump(pVM, pPatch, pTargetGC, pCpu->pCurInstr->opcode, !!(pCpu->prefix & PREFIX_OPSIZE));
1623
1624 if (VBOX_SUCCESS(rc))
1625 rc = VWRN_CONTINUE_RECOMPILE;
1626
1627 goto end;
1628 }
1629
1630 switch (pCpu->pCurInstr->opcode)
1631 {
1632 case OP_CLI:
1633 {
1634 /* If a cli is found while duplicating instructions for another patch, then it's of vital importance to continue
1635 * until we've found the proper exit point(s).
1636 */
1637 if ( pCurInstrGC != pInstrGC
1638 && !(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1639 )
1640 {
1641 Log(("cli instruction found in other instruction patch block; force it to continue & find an exit point\n"));
1642 pPatch->flags &= ~(PATMFL_CHECK_SIZE | PATMFL_SINGLE_INSTRUCTION);
1643 }
1644 /* Set by irq inhibition; no longer valid now. */
1645 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST;
1646
1647 rc = patmPatchGenCli(pVM, pPatch);
1648 if (VBOX_SUCCESS(rc))
1649 rc = VWRN_CONTINUE_RECOMPILE;
1650 break;
1651 }
1652
1653 case OP_MOV:
1654 if (pCpu->pCurInstr->optype & OPTYPE_POTENTIALLY_DANGEROUS)
1655 {
1656 /* mov ss, src? */
1657 if ( (pCpu->param1.flags & USE_REG_SEG)
1658 && (pCpu->param1.base.reg_seg == USE_REG_SS))
1659 {
1660 Log(("Force recompilation of next instruction for OP_MOV at %VGv\n", pCurInstrGC));
1661 pPatch->flags |= PATMFL_RECOMPILE_NEXT;
1662 /** @todo this could cause a fault (ring 0 selector being loaded in ring 1) */
1663 }
1664#if 0 /* necessary for Haiku */
1665 else
1666 if ( (pCpu->param2.flags & USE_REG_SEG)
1667 && (pCpu->param2.base.reg_seg == USE_REG_SS)
1668 && (pCpu->param1.flags & (USE_REG_GEN32|USE_REG_GEN16))) /** @todo memory operand must in theory be handled too */
1669 {
1670 /* mov GPR, ss */
1671 rc = patmPatchGenMovFromSS(pVM, pPatch, pCpu, pCurInstrGC);
1672 if (VBOX_SUCCESS(rc))
1673 rc = VWRN_CONTINUE_RECOMPILE;
1674 break;
1675 }
1676#endif
1677 }
1678 goto duplicate_instr;
1679
1680 case OP_POP:
1681 if (pCpu->pCurInstr->param1 == OP_PARM_REG_SS)
1682 {
1683 Assert(pCpu->pCurInstr->optype & OPTYPE_INHIBIT_IRQS);
1684
1685 Log(("Force recompilation of next instruction for OP_MOV at %VGv\n", pCurInstrGC));
1686 pPatch->flags |= PATMFL_RECOMPILE_NEXT;
1687 }
1688 goto duplicate_instr;
1689
1690 case OP_STI:
1691 {
1692 RTGCPTR pNextInstrGC = 0; /* by default no inhibit irq */
1693
1694 /** In a sequence of instructions that inhibit irqs, only the first one actually inhibits irqs. */
1695 if (!(pPatch->flags & PATMFL_INHIBIT_IRQS))
1696 {
1697 pPatch->flags |= PATMFL_INHIBIT_IRQS | PATMFL_GENERATE_JUMPTOGUEST;
1698 fInhibitIRQInstr = true;
1699 pNextInstrGC = pCurInstrGC + pCpu->opsize;
1700 Log(("Inhibit irqs for instruction OP_STI at %VGv\n", pCurInstrGC));
1701 }
1702 rc = patmPatchGenSti(pVM, pPatch, pCurInstrGC, pNextInstrGC);
1703
1704 if (VBOX_SUCCESS(rc))
1705 {
1706 DISCPUSTATE cpu = *pCpu;
1707 unsigned opsize;
1708 int disret;
1709 GCPTRTYPE(uint8_t *) pNextInstrGC, pReturnInstrGC;
1710 HCPTRTYPE(uint8_t *) pNextInstrHC;
1711
1712 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1713
1714 pNextInstrGC = pCurInstrGC + pCpu->opsize;
1715 pNextInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pNextInstrGC);
1716 if (pNextInstrHC == NULL)
1717 {
1718 AssertFailed();
1719 return VERR_PATCHING_REFUSED;
1720 }
1721
1722 // Disassemble the next instruction
1723 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pNextInstrGC, pNextInstrHC, &opsize, NULL);
1724 if (disret == false)
1725 {
1726 AssertMsgFailed(("STI: Disassembly failed (probably page not present) -> return to caller\n"));
1727 return VERR_PATCHING_REFUSED;
1728 }
1729 pReturnInstrGC = pNextInstrGC + opsize;
1730
1731 if ( (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1732 || pReturnInstrGC <= pInstrGC
1733 || pReturnInstrGC - pInstrGC >= SIZEOF_NEARJUMP32
1734 )
1735 {
1736 /* Not an exit point for function duplication patches */
1737 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
1738 && VBOX_SUCCESS(rc))
1739 {
1740 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST; /* Don't generate a jump back */
1741 rc = VWRN_CONTINUE_RECOMPILE;
1742 }
1743 else
1744 rc = VINF_SUCCESS; //exit point
1745 }
1746 else {
1747 Log(("PATM: sti occurred too soon; refusing patch!\n"));
1748 rc = VERR_PATCHING_REFUSED; //not allowed!!
1749 }
1750 }
1751 break;
1752 }
1753
1754 case OP_POPF:
1755 {
1756 bool fGenerateJmpBack = (pCurInstrGC + pCpu->opsize - pInstrGC >= SIZEOF_NEARJUMP32);
1757
1758 /* Not an exit point for IDT handler or function replacement patches */
1759 if (pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_DUPLICATE_FUNCTION))
1760 fGenerateJmpBack = false;
1761
1762 rc = patmPatchGenPopf(pVM, pPatch, pCurInstrGC + pCpu->opsize, !!(pCpu->prefix & PREFIX_OPSIZE), fGenerateJmpBack);
1763 if (VBOX_SUCCESS(rc))
1764 {
1765 if (fGenerateJmpBack == false)
1766 {
1767 /* Not an exit point for IDT handler or function replacement patches */
1768 rc = VWRN_CONTINUE_RECOMPILE;
1769 }
1770 else
1771 {
1772 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1773 rc = VINF_SUCCESS; /* exit point! */
1774 }
1775 }
1776 break;
1777 }
1778
1779 case OP_PUSHF:
1780 rc = patmPatchGenPushf(pVM, pPatch, !!(pCpu->prefix & PREFIX_OPSIZE));
1781 if (VBOX_SUCCESS(rc))
1782 rc = VWRN_CONTINUE_RECOMPILE;
1783 break;
1784
1785 case OP_PUSH:
1786 if (pCpu->pCurInstr->param1 == OP_PARM_REG_CS)
1787 {
1788 rc = patmPatchGenPushCS(pVM, pPatch);
1789 if (VBOX_SUCCESS(rc))
1790 rc = VWRN_CONTINUE_RECOMPILE;
1791 break;
1792 }
1793 goto duplicate_instr;
1794
1795 case OP_IRET:
1796 Log(("IRET at %VGv\n", pCurInstrGC));
1797 rc = patmPatchGenIret(pVM, pPatch, pCurInstrGC, !!(pCpu->prefix & PREFIX_OPSIZE));
1798 if (VBOX_SUCCESS(rc))
1799 {
1800 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1801 rc = VINF_SUCCESS; /* exit point by definition */
1802 }
1803 break;
1804
1805 case OP_ILLUD2:
1806 /* This appears to be some kind of kernel panic in Linux 2.4; no point to continue */
1807 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1808 if (VBOX_SUCCESS(rc))
1809 rc = VINF_SUCCESS; /* exit point by definition */
1810 Log(("Illegal opcode (0xf 0xb)\n"));
1811 break;
1812
1813 case OP_CPUID:
1814 rc = patmPatchGenCpuid(pVM, pPatch, pCurInstrGC);
1815 if (VBOX_SUCCESS(rc))
1816 rc = VWRN_CONTINUE_RECOMPILE;
1817 break;
1818
1819 case OP_STR:
1820 case OP_SLDT:
1821 rc = patmPatchGenSldtStr(pVM, pPatch, pCpu, pCurInstrGC);
1822 if (VBOX_SUCCESS(rc))
1823 rc = VWRN_CONTINUE_RECOMPILE;
1824 break;
1825
1826 case OP_SGDT:
1827 case OP_SIDT:
1828 rc = patmPatchGenSxDT(pVM, pPatch, pCpu, pCurInstrGC);
1829 if (VBOX_SUCCESS(rc))
1830 rc = VWRN_CONTINUE_RECOMPILE;
1831 break;
1832
1833 case OP_RETN:
1834 /* retn is an exit point for function patches */
1835 rc = patmPatchGenRet(pVM, pPatch, pCpu, pCurInstrGC);
1836 if (VBOX_SUCCESS(rc))
1837 rc = VINF_SUCCESS; /* exit point by definition */
1838 break;
1839
1840 case OP_SYSEXIT:
1841 /* Duplicate it, so it can be emulated in GC (or fault). */
1842 rc = patmPatchGenDuplicate(pVM, pPatch, pCpu, pCurInstrGC);
1843 if (VBOX_SUCCESS(rc))
1844 rc = VINF_SUCCESS; /* exit point by definition */
1845 break;
1846
1847 case OP_CALL:
1848 Assert(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS);
1849 /* In interrupt gate handlers it's possible to encounter jumps or calls when IF has been enabled again.
1850 * In that case we'll jump to the original instruction and continue from there. Otherwise an int 3 is executed.
1851 */
1852 Assert(pCpu->param1.size == 4 || pCpu->param1.size == 8);
1853 if (pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS && pCpu->param1.size == 4 /* no far calls! */)
1854 {
1855 rc = patmPatchGenCall(pVM, pPatch, pCpu, pCurInstrGC, (RTGCPTR)0xDEADBEEF, true);
1856 if (VBOX_SUCCESS(rc))
1857 {
1858 rc = VWRN_CONTINUE_RECOMPILE;
1859 }
1860 break;
1861 }
1862 goto gen_illegal_instr;
1863
1864 case OP_JMP:
1865 Assert(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS);
1866 /* In interrupt gate handlers it's possible to encounter jumps or calls when IF has been enabled again.
1867 * In that case we'll jump to the original instruction and continue from there. Otherwise an int 3 is executed.
1868 */
1869 Assert(pCpu->param1.size == 4 || pCpu->param1.size == 8);
1870 if (pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS && pCpu->param1.size == 4 /* no far jumps! */)
1871 {
1872 rc = patmPatchGenJump(pVM, pPatch, pCpu, pCurInstrGC);
1873 if (VBOX_SUCCESS(rc))
1874 rc = VINF_SUCCESS; /* end of branch */
1875 break;
1876 }
1877 goto gen_illegal_instr;
1878
1879 case OP_INT3:
1880 case OP_INT:
1881 case OP_INTO:
1882 goto gen_illegal_instr;
1883
1884 case OP_MOV_DR:
1885 /** @note: currently we let DRx writes cause a trap d; our trap handler will decide to interpret it or not. */
1886 if (pCpu->pCurInstr->param2 == OP_PARM_Dd)
1887 {
1888 rc = patmPatchGenMovDebug(pVM, pPatch, pCpu);
1889 if (VBOX_SUCCESS(rc))
1890 rc = VWRN_CONTINUE_RECOMPILE;
1891 break;
1892 }
1893 goto duplicate_instr;
1894
1895 case OP_MOV_CR:
1896 /** @note: currently we let CRx writes cause a trap d; our trap handler will decide to interpret it or not. */
1897 if (pCpu->pCurInstr->param2 == OP_PARM_Cd)
1898 {
1899 rc = patmPatchGenMovControl(pVM, pPatch, pCpu);
1900 if (VBOX_SUCCESS(rc))
1901 rc = VWRN_CONTINUE_RECOMPILE;
1902 break;
1903 }
1904 goto duplicate_instr;
1905
1906 default:
1907 if (pCpu->pCurInstr->optype & (OPTYPE_CONTROLFLOW | OPTYPE_PRIVILEGED_NOTRAP))
1908 {
1909gen_illegal_instr:
1910 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1911 if (VBOX_SUCCESS(rc))
1912 rc = VINF_SUCCESS; /* exit point by definition */
1913 }
1914 else
1915 {
1916duplicate_instr:
1917 Log(("patmPatchGenDuplicate\n"));
1918 rc = patmPatchGenDuplicate(pVM, pPatch, pCpu, pCurInstrGC);
1919 if (VBOX_SUCCESS(rc))
1920 rc = VWRN_CONTINUE_RECOMPILE;
1921 }
1922 break;
1923 }
1924
1925end:
1926
1927 if ( !fInhibitIRQInstr
1928 && (pPatch->flags & PATMFL_INHIBIT_IRQS))
1929 {
1930 int rc2;
1931 RTGCPTR pNextInstrGC = pCurInstrGC + pCpu->opsize;
1932
1933 pPatch->flags &= ~PATMFL_INHIBIT_IRQS;
1934 Log(("Clear inhibit IRQ flag at %VGv\n", pCurInstrGC));
1935 if (pPatch->flags & PATMFL_GENERATE_JUMPTOGUEST)
1936 {
1937 Log(("patmRecompileCallback: generate jump back to guest (%VGv) after fused instruction\n", pNextInstrGC));
1938
1939 rc2 = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC, true /* clear inhibit irq flag */);
1940 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST;
1941 rc = VINF_SUCCESS; /* end of the line */
1942 }
1943 else
1944 {
1945 rc2 = patmPatchGenClearInhibitIRQ(pVM, pPatch, pNextInstrGC);
1946 }
1947 if (VBOX_FAILURE(rc2))
1948 rc = rc2;
1949 }
1950
1951 if (VBOX_SUCCESS(rc))
1952 {
1953 // If single instruction patch, we've copied enough instructions *and* the current instruction is not a relative jump
1954 if ( (pPatch->flags & PATMFL_CHECK_SIZE)
1955 && pCurInstrGC + pCpu->opsize - pInstrGC >= SIZEOF_NEARJUMP32
1956 && !(pCpu->pCurInstr->optype & OPTYPE_RELATIVE_CONTROLFLOW)
1957 && !(pPatch->flags & PATMFL_RECOMPILE_NEXT) /* do not do this when the next instruction *must* be executed! */
1958 )
1959 {
1960 RTGCPTR pNextInstrGC = pCurInstrGC + pCpu->opsize;
1961
1962 // The end marker for this kind of patch is any instruction at a location outside our patch jump
1963 Log(("patmRecompileCallback: end found for single instruction patch at %VGv opsize %d\n", pNextInstrGC, pCpu->opsize));
1964
1965 rc = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC);
1966 AssertRC(rc);
1967 }
1968 }
1969 return rc;
1970}
1971
1972
1973#ifdef LOG_ENABLED
1974
1975/* Add a disasm jump record (temporary for prevent duplicate analysis)
1976 *
1977 * @param pVM The VM to operate on.
1978 * @param pPatch Patch structure ptr
1979 * @param pInstrGC Guest context pointer to privileged instruction
1980 *
1981 */
1982static void patmPatchAddDisasmJump(PVM pVM, PPATCHINFO pPatch, RTGCPTR pInstrGC)
1983{
1984 PAVLPVNODECORE pRec;
1985
1986 pRec = (PAVLPVNODECORE)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
1987 Assert(pRec);
1988 pRec->Key = (AVLPVKEY)pInstrGC;
1989
1990 int ret = RTAvlPVInsert(&pPatch->pTempInfo->DisasmJumpTree, pRec);
1991 Assert(ret);
1992}
1993
1994/**
1995 * Checks if jump target has been analysed before.
1996 *
1997 * @returns VBox status code.
1998 * @param pPatch Patch struct
1999 * @param pInstrGC Jump target
2000 *
2001 */
2002static bool patmIsKnownDisasmJump(PPATCHINFO pPatch, RTGCPTR pInstrGC)
2003{
2004 PAVLPVNODECORE pRec;
2005
2006 pRec = RTAvlPVGet(&pPatch->pTempInfo->DisasmJumpTree, (AVLPVKEY)pInstrGC);
2007 if (pRec)
2008 return true;
2009 return false;
2010}
2011
2012/**
2013 * For proper disassembly of the final patch block
2014 *
2015 * @returns VBox status code.
2016 * @param pVM The VM to operate on.
2017 * @param pCpu CPU disassembly state
2018 * @param pInstrGC Guest context pointer to privileged instruction
2019 * @param pCurInstrGC Guest context pointer to the current instruction
2020 * @param pUserData User pointer (callback specific)
2021 *
2022 */
2023int patmr3DisasmCallback(PVM pVM, DISCPUSTATE *pCpu, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, void *pUserData)
2024{
2025 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2026
2027 if (pCpu->pCurInstr->opcode == OP_INT3)
2028 {
2029 /* Could be an int3 inserted in a call patch. Check to be sure */
2030 DISCPUSTATE cpu;
2031 uint8_t *pOrgJumpHC;
2032 RTGCPTR pOrgJumpGC;
2033 uint32_t dummy;
2034
2035 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2036 pOrgJumpGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pCurInstrGC);
2037 pOrgJumpHC = PATMGCVirtToHCVirt(pVM, pPatch, pOrgJumpGC);
2038
2039 bool disret = PATMR3DISInstr(pVM, pPatch, &cpu, pOrgJumpGC, pOrgJumpHC, &dummy, NULL);
2040 if (!disret || cpu.pCurInstr->opcode != OP_CALL || cpu.param1.size != 4 /* only near calls */)
2041 return VINF_SUCCESS;
2042
2043 return VWRN_CONTINUE_ANALYSIS;
2044 }
2045
2046 if ( pCpu->pCurInstr->opcode == OP_ILLUD2
2047 && PATMIsPatchGCAddr(pVM, pCurInstrGC))
2048 {
2049 /* the indirect call patch contains an 0xF/0xB illegal instr to call for assistance; check for this and continue */
2050 return VWRN_CONTINUE_ANALYSIS;
2051 }
2052
2053 if ( (pCpu->pCurInstr->opcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
2054 || pCpu->pCurInstr->opcode == OP_INT
2055 || pCpu->pCurInstr->opcode == OP_IRET
2056 || pCpu->pCurInstr->opcode == OP_RETN
2057 || pCpu->pCurInstr->opcode == OP_RETF
2058 )
2059 {
2060 return VINF_SUCCESS;
2061 }
2062
2063 if (pCpu->pCurInstr->opcode == OP_ILLUD2)
2064 return VINF_SUCCESS;
2065
2066 return VWRN_CONTINUE_ANALYSIS;
2067}
2068
2069
2070/**
2071 * Disassembles the code stream until the callback function detects a failure or decides everything is acceptable
2072 *
2073 * @returns VBox status code.
2074 * @param pVM The VM to operate on.
2075 * @param pInstrGC Guest context pointer to the initial privileged instruction
2076 * @param pCurInstrGC Guest context pointer to the current instruction
2077 * @param pfnPATMR3Disasm Callback for testing the disassembled instruction
2078 * @param pUserData User pointer (callback specific)
2079 *
2080 */
2081int patmr3DisasmCode(PVM pVM, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Disasm, void *pUserData)
2082{
2083 DISCPUSTATE cpu;
2084 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2085 int rc = VWRN_CONTINUE_ANALYSIS;
2086 uint32_t opsize, delta;
2087 HCPTRTYPE(uint8_t *) pCurInstrHC = 0;
2088 bool disret;
2089 char szOutput[256];
2090
2091 Assert(pCurInstrHC != PATCHCODE_PTR_HC(pPatch) || pPatch->pTempInfo->DisasmJumpTree == 0);
2092
2093 /* We need this to determine branch targets (and for disassembling). */
2094 delta = pVM->patm.s.pPatchMemGC - (uintptr_t)pVM->patm.s.pPatchMemHC;
2095
2096 while(rc == VWRN_CONTINUE_ANALYSIS)
2097 {
2098 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2099
2100 pCurInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pCurInstrGC);
2101 if (pCurInstrHC == NULL)
2102 {
2103 rc = VERR_PATCHING_REFUSED;
2104 goto end;
2105 }
2106
2107 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pCurInstrGC, pCurInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
2108 if (PATMIsPatchGCAddr(pVM, pCurInstrGC))
2109 {
2110 RTGCPTR pOrgInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pCurInstrGC);
2111
2112 if (pOrgInstrGC != pPatch->pTempInfo->pLastDisasmInstrGC)
2113 Log(("DIS %VGv<-%s", pOrgInstrGC, szOutput));
2114 else
2115 Log(("DIS %s", szOutput));
2116
2117 pPatch->pTempInfo->pLastDisasmInstrGC = pOrgInstrGC;
2118 if (patmIsIllegalInstr(pPatch, pOrgInstrGC))
2119 {
2120 rc = VINF_SUCCESS;
2121 goto end;
2122 }
2123 }
2124 else
2125 Log(("DIS: %s", szOutput));
2126
2127 if (disret == false)
2128 {
2129 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
2130 rc = VINF_SUCCESS;
2131 goto end;
2132 }
2133
2134 rc = pfnPATMR3Disasm(pVM, &cpu, pInstrGC, pCurInstrGC, pUserData);
2135 if (rc != VWRN_CONTINUE_ANALYSIS) {
2136 break; //done!
2137 }
2138
2139 /* For our first attempt, we'll handle only simple relative jumps and calls (immediate offset coded in instruction) */
2140 if ( (cpu.pCurInstr->optype & OPTYPE_CONTROLFLOW)
2141 && (OP_PARM_VTYPE(cpu.pCurInstr->param1) == OP_PARM_J)
2142 && cpu.pCurInstr->opcode != OP_CALL /* complete functions are replaced; don't bother here. */
2143 )
2144 {
2145 RTGCPTR pTargetGC = PATMResolveBranch(&cpu, pCurInstrGC);
2146 RTGCPTR pOrgTargetGC;
2147
2148 if (pTargetGC == 0)
2149 {
2150 Log(("We don't support far jumps here!! (%08X)\n", cpu.param1.flags));
2151 rc = VERR_PATCHING_REFUSED;
2152 break;
2153 }
2154
2155 if (!PATMIsPatchGCAddr(pVM, pTargetGC))
2156 {
2157 //jump back to guest code
2158 rc = VINF_SUCCESS;
2159 goto end;
2160 }
2161 pOrgTargetGC = PATMR3PatchToGCPtr(pVM, pTargetGC, 0);
2162
2163 if (patmIsCommonIDTHandlerPatch(pVM, pOrgTargetGC))
2164 {
2165 rc = VINF_SUCCESS;
2166 goto end;
2167 }
2168
2169 if (patmIsKnownDisasmJump(pPatch, pTargetGC) == false)
2170 {
2171 /* New jump, let's check it. */
2172 patmPatchAddDisasmJump(pVM, pPatch, pTargetGC);
2173
2174 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls++;
2175 rc = patmr3DisasmCode(pVM, pInstrGC, pTargetGC, pfnPATMR3Disasm, pUserData);
2176 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls--;
2177
2178 if (rc != VINF_SUCCESS) {
2179 break; //done!
2180 }
2181 }
2182 if (cpu.pCurInstr->opcode == OP_JMP)
2183 {
2184 /* Unconditional jump; return to caller. */
2185 rc = VINF_SUCCESS;
2186 goto end;
2187 }
2188
2189 rc = VWRN_CONTINUE_ANALYSIS;
2190 }
2191 pCurInstrGC += opsize;
2192 }
2193end:
2194 return rc;
2195}
2196
2197/**
2198 * Disassembles the code stream until the callback function detects a failure or decides everything is acceptable
2199 *
2200 * @returns VBox status code.
2201 * @param pVM The VM to operate on.
2202 * @param pInstrGC Guest context pointer to the initial privileged instruction
2203 * @param pCurInstrGC Guest context pointer to the current instruction
2204 * @param pfnPATMR3Disasm Callback for testing the disassembled instruction
2205 * @param pUserData User pointer (callback specific)
2206 *
2207 */
2208int patmr3DisasmCodeStream(PVM pVM, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Disasm, void *pUserData)
2209{
2210 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2211
2212 int rc = patmr3DisasmCode(pVM, pInstrGC, pCurInstrGC, pfnPATMR3Disasm, pUserData);
2213 /* Free all disasm jump records. */
2214 patmEmptyTree(pVM, &pPatch->pTempInfo->DisasmJumpTree);
2215 return rc;
2216}
2217
2218#endif /* LOG_ENABLED */
2219
2220/**
2221 * Detects it the specified address falls within a 5 byte jump generated for an active patch.
2222 * If so, this patch is permanently disabled.
2223 *
2224 * @param pVM The VM to operate on.
2225 * @param pInstrGC Guest context pointer to instruction
2226 * @param pConflictGC Guest context pointer to check
2227 *
2228 * @note also checks for patch hints to make sure they can never be enabled if a conflict is present.
2229 *
2230 */
2231PATMR3DECL(int) PATMR3DetectConflict(PVM pVM, RTGCPTR pInstrGC, RTGCPTR pConflictGC)
2232{
2233 PPATCHINFO pTargetPatch = PATMFindActivePatchByEntrypoint(pVM, pConflictGC, true /* include patch hints */);
2234 if (pTargetPatch)
2235 {
2236 return patmDisableUnusablePatch(pVM, pInstrGC, pConflictGC, pTargetPatch);
2237 }
2238 return VERR_PATCH_NO_CONFLICT;
2239}
2240
2241/**
2242 * Recompile the code stream until the callback function detects a failure or decides everything is acceptable
2243 *
2244 * @returns VBox status code.
2245 * @param pVM The VM to operate on.
2246 * @param pInstrGC Guest context pointer to privileged instruction
2247 * @param pCurInstrGC Guest context pointer to the current instruction
2248 * @param pfnPATMR3Recompile Callback for testing the disassembled instruction
2249 * @param pUserData User pointer (callback specific)
2250 *
2251 */
2252static int patmRecompileCodeStream(PVM pVM, GCPTRTYPE(uint8_t *) pInstrGC, GCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Recompile, void *pUserData)
2253{
2254 DISCPUSTATE cpu;
2255 PPATCHINFO pPatch = (PPATCHINFO)pUserData;
2256 int rc = VWRN_CONTINUE_ANALYSIS;
2257 uint32_t opsize;
2258 HCPTRTYPE(uint8_t *) pCurInstrHC = 0;
2259 bool disret;
2260#ifdef LOG_ENABLED
2261 char szOutput[256];
2262#endif
2263
2264 while (rc == VWRN_CONTINUE_RECOMPILE)
2265 {
2266 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2267
2268 ////Log(("patmRecompileCodeStream %VGv %VGv\n", pInstrGC, pCurInstrGC));
2269
2270 pCurInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pCurInstrGC);
2271 if (pCurInstrHC == NULL)
2272 {
2273 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2274 goto end;
2275 }
2276#ifdef LOG_ENABLED
2277 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pCurInstrGC, pCurInstrHC, &opsize, szOutput);
2278 Log(("Recompile: %s", szOutput));
2279#else
2280 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pCurInstrGC, pCurInstrHC, &opsize, NULL);
2281#endif
2282 if (disret == false)
2283 {
2284 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
2285
2286 /* Add lookup record for patch to guest address translation */
2287 patmr3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
2288 patmPatchGenIllegalInstr(pVM, pPatch);
2289 rc = VINF_SUCCESS; /* Note: don't fail here; we might refuse an important patch!! */
2290 goto end;
2291 }
2292
2293 rc = pfnPATMR3Recompile(pVM, &cpu, pInstrGC, pCurInstrGC, pUserData);
2294 if (rc != VWRN_CONTINUE_RECOMPILE)
2295 {
2296 /* If irqs are inhibited because of the current instruction, then we must make sure the next one is executed! */
2297 if ( rc == VINF_SUCCESS
2298 && (pPatch->flags & PATMFL_INHIBIT_IRQS))
2299 {
2300 DISCPUSTATE cpunext;
2301 uint32_t opsizenext;
2302 uint8_t *pNextInstrHC;
2303 RTGCPTR pNextInstrGC = pCurInstrGC + opsize;
2304
2305 Log(("patmRecompileCodeStream: irqs inhibited by instruction %VGv\n", pNextInstrGC));
2306
2307 /* Certain instructions (e.g. sti) force the next instruction to be executed before any interrupts can occur.
2308 * Recompile the next instruction as well
2309 */
2310 pNextInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pNextInstrGC);
2311 if (pNextInstrHC == NULL)
2312 {
2313 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2314 goto end;
2315 }
2316 cpunext.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2317 disret = PATMR3DISInstr(pVM, pPatch, &cpunext, pNextInstrGC, pNextInstrHC, &opsizenext, NULL);
2318 if (disret == false)
2319 {
2320 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2321 goto end;
2322 }
2323 switch(cpunext.pCurInstr->opcode)
2324 {
2325 case OP_IRET: /* inhibit cleared in generated code */
2326 case OP_SYSEXIT: /* faults; inhibit should be cleared in HC handling */
2327 case OP_HLT:
2328 break; /* recompile these */
2329
2330 default:
2331 if (cpunext.pCurInstr->optype & OPTYPE_CONTROLFLOW)
2332 {
2333 Log(("Unexpected control flow instruction after inhibit irq instruction\n"));
2334
2335 rc = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC, true /* clear inhibit irq flag */);
2336 AssertRC(rc);
2337 pPatch->flags &= ~PATMFL_INHIBIT_IRQS;
2338 goto end; /** @todo should be ok to ignore instruction fusing in this case */
2339 }
2340 break;
2341 }
2342
2343 /** @note after a cli we must continue to a proper exit point */
2344 if (cpunext.pCurInstr->opcode != OP_CLI)
2345 {
2346 rc = pfnPATMR3Recompile(pVM, &cpunext, pInstrGC, pNextInstrGC, pUserData);
2347 if (VBOX_SUCCESS(rc))
2348 {
2349 rc = VINF_SUCCESS;
2350 goto end;
2351 }
2352 break;
2353 }
2354 else
2355 rc = VWRN_CONTINUE_RECOMPILE;
2356 }
2357 else
2358 break; /* done! */
2359 }
2360
2361 /** @todo continue with the instructions following the jump and then recompile the jump target code */
2362
2363
2364 /* For our first attempt, we'll handle only simple relative jumps and calls (immediate offset coded in instruction). */
2365 if ( (cpu.pCurInstr->optype & OPTYPE_CONTROLFLOW)
2366 && (OP_PARM_VTYPE(cpu.pCurInstr->param1) == OP_PARM_J)
2367 && cpu.pCurInstr->opcode != OP_CALL /* complete functions are replaced; don't bother here. */
2368 )
2369 {
2370 GCPTRTYPE(uint8_t *) addr = PATMResolveBranch(&cpu, pCurInstrGC);
2371 if (addr == 0)
2372 {
2373 Log(("We don't support far jumps here!! (%08X)\n", cpu.param1.flags));
2374 rc = VERR_PATCHING_REFUSED;
2375 break;
2376 }
2377
2378 Log(("Jump encountered target %VGv\n", addr));
2379
2380 /* We don't check if the branch target lies in a valid page as we've already done that in the analysis phase. */
2381 if (!(cpu.pCurInstr->optype & OPTYPE_UNCOND_CONTROLFLOW))
2382 {
2383 Log(("patmRecompileCodeStream continue passed conditional jump\n"));
2384 /* First we need to finish this linear code stream until the next exit point. */
2385 rc = patmRecompileCodeStream(pVM, pInstrGC, pCurInstrGC+opsize, pfnPATMR3Recompile, pUserData);
2386 if (VBOX_FAILURE(rc))
2387 {
2388 Log(("patmRecompileCodeStream fatal error %d\n", rc));
2389 break; //fatal error
2390 }
2391 }
2392
2393 if (patmGuestGCPtrToPatchGCPtr(pVM, pPatch, addr) == 0)
2394 {
2395 /* New code; let's recompile it. */
2396 Log(("patmRecompileCodeStream continue with jump\n"));
2397
2398 /*
2399 * If we are jumping to an existing patch (or within 5 bytes of the entrypoint), then we must temporarily disable
2400 * this patch so we can continue our analysis
2401 *
2402 * We rely on CSAM to detect and resolve conflicts
2403 */
2404 PPATCHINFO pTargetPatch = PATMFindActivePatchByEntrypoint(pVM, addr);
2405 if(pTargetPatch)
2406 {
2407 Log(("Found active patch at target %VGv (%VGv) -> temporarily disabling it!!\n", addr, pTargetPatch->pPrivInstrGC));
2408 PATMR3DisablePatch(pVM, pTargetPatch->pPrivInstrGC);
2409 }
2410
2411 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls++;
2412 rc = patmRecompileCodeStream(pVM, pInstrGC, addr, pfnPATMR3Recompile, pUserData);
2413 if (cpu.pCurInstr->opcode == OP_CALL) pPatch->pTempInfo->nrCalls--;
2414
2415 if(pTargetPatch)
2416 {
2417 PATMR3EnablePatch(pVM, pTargetPatch->pPrivInstrGC);
2418 }
2419
2420 if (VBOX_FAILURE(rc))
2421 {
2422 Log(("patmRecompileCodeStream fatal error %d\n", rc));
2423 break; //done!
2424 }
2425 }
2426 /* Always return to caller here; we're done! */
2427 rc = VINF_SUCCESS;
2428 goto end;
2429 }
2430 else
2431 if (cpu.pCurInstr->optype & OPTYPE_UNCOND_CONTROLFLOW)
2432 {
2433 rc = VINF_SUCCESS;
2434 goto end;
2435 }
2436 pCurInstrGC += opsize;
2437 }
2438end:
2439 Assert(!(pPatch->flags & PATMFL_RECOMPILE_NEXT));
2440 return rc;
2441}
2442
2443
2444/**
2445 * Generate the jump from guest to patch code
2446 *
2447 * @returns VBox status code.
2448 * @param pVM The VM to operate on.
2449 * @param pPatch Patch record
2450 */
2451static int patmGenJumpToPatch(PVM pVM, PPATCHINFO pPatch, bool fAddFixup = true)
2452{
2453 uint8_t temp[8];
2454 uint8_t *pPB;
2455 int rc;
2456
2457 Assert(pPatch->cbPatchJump <= sizeof(temp));
2458 Assert(!(pPatch->flags & PATMFL_PATCHED_GUEST_CODE));
2459
2460 pPB = pPatch->pPrivInstrHC;
2461
2462#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
2463 if (pPatch->flags & PATMFL_JUMP_CONFLICT)
2464 {
2465 Assert(pPatch->pPatchJumpDestGC);
2466
2467 if (pPatch->cbPatchJump == SIZEOF_NEARJUMP32)
2468 {
2469 // jmp [PatchCode]
2470 if (fAddFixup)
2471 {
2472 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + pPatch->cbPatchJump, pPatch->pPatchJumpDestGC) != VINF_SUCCESS)
2473 {
2474 Log(("Relocation failed for the jump in the guest code!!\n"));
2475 return VERR_PATCHING_REFUSED;
2476 }
2477 }
2478
2479 temp[0] = pPatch->aPrivInstr[0]; //jump opcode copied from original instruction
2480 *(uint32_t *)&temp[1] = (uint32_t)pPatch->pPatchJumpDestGC - ((uint32_t)pPatch->pPrivInstrGC + pPatch->cbPatchJump); //return address
2481 }
2482 else
2483 if (pPatch->cbPatchJump == SIZEOF_NEAR_COND_JUMP32)
2484 {
2485 // jmp [PatchCode]
2486 if (fAddFixup)
2487 {
2488 if (patmPatchAddReloc32(pVM, pPatch, &pPB[2], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + pPatch->cbPatchJump, pPatch->pPatchJumpDestGC) != VINF_SUCCESS)
2489 {
2490 Log(("Relocation failed for the jump in the guest code!!\n"));
2491 return VERR_PATCHING_REFUSED;
2492 }
2493 }
2494
2495 temp[0] = pPatch->aPrivInstr[0]; //jump opcode copied from original instruction
2496 temp[1] = pPatch->aPrivInstr[1]; //jump opcode copied from original instruction
2497 *(uint32_t *)&temp[2] = (uint32_t)pPatch->pPatchJumpDestGC - ((uint32_t)pPatch->pPrivInstrGC + pPatch->cbPatchJump); //return address
2498 }
2499 else
2500 {
2501 Assert(0);
2502 return VERR_PATCHING_REFUSED;
2503 }
2504 }
2505 else
2506#endif
2507 {
2508 Assert(pPatch->cbPatchJump == SIZEOF_NEARJUMP32);
2509
2510 // jmp [PatchCode]
2511 if (fAddFixup)
2512 {
2513 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32, PATCHCODE_PTR_GC(pPatch)) != VINF_SUCCESS)
2514 {
2515 Log(("Relocation failed for the jump in the guest code!!\n"));
2516 return VERR_PATCHING_REFUSED;
2517 }
2518 }
2519 temp[0] = 0xE9; //jmp
2520 *(uint32_t *)&temp[1] = (RTGCUINTPTR)PATCHCODE_PTR_GC(pPatch) - ((RTGCUINTPTR)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32); //return address
2521 }
2522 rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, temp, pPatch->cbPatchJump);
2523 AssertRC(rc);
2524
2525 if (rc == VINF_SUCCESS)
2526 pPatch->flags |= PATMFL_PATCHED_GUEST_CODE;
2527
2528 return rc;
2529}
2530
2531/**
2532 * Remove the jump from guest to patch code
2533 *
2534 * @returns VBox status code.
2535 * @param pVM The VM to operate on.
2536 * @param pPatch Patch record
2537 */
2538static int patmRemoveJumpToPatch(PVM pVM, PPATCHINFO pPatch)
2539{
2540#ifdef DEBUG
2541 DISCPUSTATE cpu;
2542 char szOutput[256];
2543 uint32_t opsize, i = 0;
2544 bool disret;
2545
2546 while(i < pPatch->cbPrivInstr)
2547 {
2548 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2549 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC + i, &pPatch->pPrivInstrHC[i], &opsize, szOutput);
2550 if (disret == false)
2551 break;
2552
2553 Log(("Org patch jump: %s", szOutput));
2554 Assert(opsize);
2555 i += opsize;
2556 }
2557#endif
2558
2559 /* Restore original code (privileged instruction + following instructions that were overwritten because of the 5/6 byte jmp). */
2560 int rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, pPatch->aPrivInstr, pPatch->cbPatchJump);
2561#ifdef DEBUG
2562 if (rc == VINF_SUCCESS)
2563 {
2564 DISCPUSTATE cpu;
2565 char szOutput[256];
2566 uint32_t opsize, i = 0;
2567 bool disret;
2568
2569 while(i < pPatch->cbPrivInstr)
2570 {
2571 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2572 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC + i, &pPatch->pPrivInstrHC[i], &opsize, szOutput);
2573 if (disret == false)
2574 break;
2575
2576 Log(("Org instr: %s", szOutput));
2577 Assert(opsize);
2578 i += opsize;
2579 }
2580 }
2581#endif
2582 pPatch->flags &= ~PATMFL_PATCHED_GUEST_CODE;
2583 return rc;
2584}
2585
2586/**
2587 * Generate the call from guest to patch code
2588 *
2589 * @returns VBox status code.
2590 * @param pVM The VM to operate on.
2591 * @param pPatch Patch record
2592 */
2593static int patmGenCallToPatch(PVM pVM, PPATCHINFO pPatch, RTGCPTR pTargetGC, bool fAddFixup = true)
2594{
2595 uint8_t temp[8];
2596 uint8_t *pPB;
2597 int rc;
2598
2599 Assert(pPatch->cbPatchJump <= sizeof(temp));
2600
2601 pPB = pPatch->pPrivInstrHC;
2602
2603 Assert(pPatch->cbPatchJump == SIZEOF_NEARJUMP32);
2604
2605 // jmp [PatchCode]
2606 if (fAddFixup)
2607 {
2608 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32, pTargetGC) != VINF_SUCCESS)
2609 {
2610 Log(("Relocation failed for the jump in the guest code!!\n"));
2611 return VERR_PATCHING_REFUSED;
2612 }
2613 }
2614
2615 Assert(pPatch->aPrivInstr[0] == 0xE8 || pPatch->aPrivInstr[0] == 0xE9); /* call or jmp */
2616 temp[0] = pPatch->aPrivInstr[0];
2617 *(uint32_t *)&temp[1] = (uint32_t)pTargetGC - ((uint32_t)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32); //return address
2618
2619 rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, temp, pPatch->cbPatchJump);
2620 AssertRC(rc);
2621
2622 return rc;
2623}
2624
2625
2626/**
2627 * Patch cli/sti pushf/popf instruction block at specified location
2628 *
2629 * @returns VBox status code.
2630 * @param pVM The VM to operate on.
2631 * @param pInstrGC Guest context point to privileged instruction
2632 * @param pInstrHC Host context point to privileged instruction
2633 * @param uOpcode Instruction opcode
2634 * @param uOpSize Size of starting instruction
2635 * @param pPatchRec Patch record
2636 *
2637 * @note returns failure if patching is not allowed or possible
2638 *
2639 */
2640PATMR3DECL(int) PATMR3PatchBlock(PVM pVM, RTGCPTR pInstrGC, HCPTRTYPE(uint8_t *) pInstrHC,
2641 uint32_t uOpcode, uint32_t uOpSize, PPATMPATCHREC pPatchRec)
2642{
2643 PPATCHINFO pPatch = &pPatchRec->patch;
2644 int rc = VERR_PATCHING_REFUSED;
2645 DISCPUSTATE cpu;
2646 uint32_t orgOffsetPatchMem = ~0;
2647 RTGCPTR pInstrStart;
2648#ifdef LOG_ENABLED
2649 uint32_t opsize;
2650 char szOutput[256];
2651 bool disret;
2652#endif
2653
2654 /* Save original offset (in case of failures later on) */
2655 /** @todo use the hypervisor heap (that has quite a few consequences for save/restore though) */
2656 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
2657
2658 Assert(!(pPatch->flags & (PATMFL_GUEST_SPECIFIC|PATMFL_USER_MODE|PATMFL_TRAPHANDLER)));
2659 switch (uOpcode)
2660 {
2661 case OP_MOV:
2662 break;
2663
2664 case OP_CLI:
2665 case OP_PUSHF:
2666 /* We can 'call' a cli or pushf patch. It will either return to the original guest code when IF is set again, or fault. */
2667 /** @note special precautions are taken when disabling and enabling such patches. */
2668 pPatch->flags |= PATMFL_CALLABLE_AS_FUNCTION;
2669 break;
2670
2671 default:
2672 if (!(pPatch->flags & PATMFL_IDTHANDLER))
2673 {
2674 AssertMsg(0, ("PATMR3PatchBlock: Invalid opcode %x\n", uOpcode));
2675 return VERR_INVALID_PARAMETER;
2676 }
2677 }
2678
2679 if (!(pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER|PATMFL_INT3_REPLACEMENT_BLOCK)))
2680 pPatch->flags |= PATMFL_MUST_INSTALL_PATCHJMP;
2681
2682 /* If we're going to insert a patch jump, then the jump itself is not allowed to cross a page boundary. */
2683 if ( (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
2684 && PAGE_ADDRESS(pInstrGC) != PAGE_ADDRESS(pInstrGC + SIZEOF_NEARJUMP32)
2685 )
2686 {
2687 STAM_COUNTER_INC(&pVM->patm.s.StatPageBoundaryCrossed);
2688#ifdef DEBUG_sandervl
2689//// AssertMsgFailed(("Patch jump would cross page boundary -> refuse!!\n"));
2690#endif
2691 rc = VERR_PATCHING_REFUSED;
2692 goto failure;
2693 }
2694
2695 pPatch->nrPatch2GuestRecs = 0;
2696 pInstrStart = pInstrGC;
2697
2698#ifdef PATM_ENABLE_CALL
2699 pPatch->flags |= PATMFL_SUPPORT_CALLS | PATMFL_SUPPORT_INDIRECT_CALLS;
2700#endif
2701
2702 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
2703 pPatch->uCurPatchOffset = 0;
2704
2705 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2706
2707 if ((pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER)) == PATMFL_IDTHANDLER)
2708 {
2709 Assert(pPatch->flags & PATMFL_INTHANDLER);
2710
2711 /* Install fake cli patch (to clear the virtual IF and check int xx parameters) */
2712 rc = patmPatchGenIntEntry(pVM, pPatch, pInstrGC);
2713 if (VBOX_FAILURE(rc))
2714 goto failure;
2715 }
2716
2717 /***************************************************************************************************************************/
2718 /** @note We can't insert *any* code before a sysenter handler; some linux guests have an invalid stack at this point!!!!! */
2719 /***************************************************************************************************************************/
2720#ifdef VBOX_WITH_STATISTICS
2721 if (!(pPatch->flags & PATMFL_SYSENTER))
2722 {
2723 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
2724 if (VBOX_FAILURE(rc))
2725 goto failure;
2726 }
2727#endif
2728
2729 rc = patmRecompileCodeStream(pVM, pInstrGC, pInstrGC, patmRecompileCallback, pPatch);
2730 if (rc != VINF_SUCCESS)
2731 {
2732 Log(("PATMR3PatchCli: patmRecompileCodeStream failed with %d\n", rc));
2733 goto failure;
2734 }
2735
2736 /* Calculated during analysis. */
2737 if (pPatch->cbPatchBlockSize < SIZEOF_NEARJUMP32)
2738 {
2739 /* Most likely cause: we encountered an illegal instruction very early on. */
2740 /** @todo could turn it into an int3 callable patch. */
2741 Log(("PATMR3PatchBlock: patch block too small -> refuse\n"));
2742 rc = VERR_PATCHING_REFUSED;
2743 goto failure;
2744 }
2745
2746 /* size of patch block */
2747 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
2748
2749
2750 /* Update free pointer in patch memory. */
2751 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
2752 /* Round to next 8 byte boundary. */
2753 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
2754
2755 /*
2756 * Insert into patch to guest lookup tree
2757 */
2758 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
2759 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
2760 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
2761 AssertMsg(rc, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
2762 if (!rc)
2763 {
2764 rc = VERR_PATCHING_REFUSED;
2765 goto failure;
2766 }
2767
2768 /* Note that patmr3SetBranchTargets can install additional patches!! */
2769 rc = patmr3SetBranchTargets(pVM, pPatch);
2770 if (rc != VINF_SUCCESS)
2771 {
2772 Log(("PATMR3PatchCli: patmr3SetBranchTargets failed with %d\n", rc));
2773 goto failure;
2774 }
2775
2776#ifdef LOG_ENABLED
2777 Log(("Patch code ----------------------------------------------------------\n"));
2778 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
2779 Log(("Patch code ends -----------------------------------------------------\n"));
2780#endif
2781
2782 /* make a copy of the guest code bytes that will be overwritten */
2783 pPatch->cbPatchJump = SIZEOF_NEARJUMP32;
2784
2785 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
2786 AssertRC(rc);
2787
2788 if (pPatch->flags & PATMFL_INT3_REPLACEMENT_BLOCK)
2789 {
2790 /*uint8_t ASMInt3 = 0xCC; - unused */
2791
2792 Log(("PATMR3PatchBlock %VGv -> int 3 callable patch.\n", pPatch->pPrivInstrGC));
2793 /* Replace first opcode byte with 'int 3'. */
2794 rc = patmActivateInt3Patch(pVM, pPatch);
2795 if (VBOX_FAILURE(rc))
2796 goto failure;
2797
2798 /* normal patch can be turned into an int3 patch -> clear patch jump installation flag. */
2799 pPatch->flags &= ~PATMFL_MUST_INSTALL_PATCHJMP;
2800
2801 pPatch->flags &= ~PATMFL_INSTR_HINT;
2802 STAM_COUNTER_INC(&pVM->patm.s.StatInt3Callable);
2803 }
2804 else
2805 if (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
2806 {
2807 Assert(!(pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER|PATMFL_INT3_REPLACEMENT_BLOCK)));
2808 /* now insert a jump in the guest code */
2809 rc = patmGenJumpToPatch(pVM, pPatch, true);
2810 AssertRC(rc);
2811 if (VBOX_FAILURE(rc))
2812 goto failure;
2813
2814 }
2815
2816#ifdef LOG_ENABLED
2817 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2818 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput, PATMREAD_RAWCODE);
2819 Log(("%s patch: %s", patmGetInstructionString(pPatch->opcode, pPatch->flags), szOutput));
2820#endif
2821
2822 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
2823 pPatch->pTempInfo->nrIllegalInstr = 0;
2824
2825 Log(("Successfully installed %s patch at %VGv\n", patmGetInstructionString(pPatch->opcode, pPatch->flags), pInstrGC));
2826
2827 pPatch->uState = PATCH_ENABLED;
2828 return VINF_SUCCESS;
2829
2830failure:
2831 if (pPatchRec->CoreOffset.Key)
2832 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
2833
2834 patmEmptyTree(pVM, &pPatch->FixupTree);
2835 pPatch->nrFixups = 0;
2836
2837 patmEmptyTree(pVM, &pPatch->JumpTree);
2838 pPatch->nrJumpRecs = 0;
2839
2840 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
2841 pPatch->pTempInfo->nrIllegalInstr = 0;
2842
2843 /* Turn this cli patch into a dummy. */
2844 pPatch->uState = PATCH_REFUSED;
2845 pPatch->pPatchBlockOffset = 0;
2846
2847 // Give back the patch memory we no longer need
2848 Assert(orgOffsetPatchMem != (uint32_t)~0);
2849 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
2850
2851 return rc;
2852}
2853
2854/**
2855 * Patch IDT handler
2856 *
2857 * @returns VBox status code.
2858 * @param pVM The VM to operate on.
2859 * @param pInstrGC Guest context point to privileged instruction
2860 * @param pInstrHC Host context point to privileged instruction
2861 * @param uOpSize Size of starting instruction
2862 * @param pPatchRec Patch record
2863 *
2864 * @note returns failure if patching is not allowed or possible
2865 *
2866 */
2867static int patmIdtHandler(PVM pVM, RTGCPTR pInstrGC, HCPTRTYPE(uint8_t *) pInstrHC,
2868 uint32_t uOpSize, PPATMPATCHREC pPatchRec)
2869{
2870 PPATCHINFO pPatch = &pPatchRec->patch;
2871 bool disret;
2872 DISCPUSTATE cpuPush, cpuJmp;
2873 uint32_t opsize;
2874 RTGCPTR pCurInstrGC = pInstrGC;
2875 uint8_t *pCurInstrHC = pInstrHC;
2876 uint32_t orgOffsetPatchMem = ~0;
2877
2878 /*
2879 * In Linux it's often the case that many interrupt handlers push a predefined value onto the stack
2880 * and then jump to a common entrypoint. In order not to waste a lot of memory, we will check for this
2881 * condition here and only patch the common entypoint once.
2882 */
2883 cpuPush.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2884 disret = PATMR3DISInstr(pVM, pPatch, &cpuPush, pCurInstrGC, pCurInstrHC, &opsize, NULL);
2885 Assert(disret);
2886 if (disret && cpuPush.pCurInstr->opcode == OP_PUSH)
2887 {
2888 RTGCPTR pJmpInstrGC;
2889 int rc;
2890
2891 pCurInstrGC += opsize;
2892 pCurInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pCurInstrGC);
2893
2894 cpuJmp.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
2895 disret = PATMR3DISInstr(pVM, pPatch, &cpuJmp, pCurInstrGC, pCurInstrHC, &opsize, NULL);
2896 if ( disret
2897 && cpuJmp.pCurInstr->opcode == OP_JMP
2898 && (pJmpInstrGC = PATMResolveBranch(&cpuJmp, pCurInstrGC))
2899 )
2900 {
2901 PPATMPATCHREC pJmpPatch = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pJmpInstrGC);
2902 if (pJmpPatch == 0)
2903 {
2904 /* Patch it first! */
2905 rc = PATMR3InstallPatch(pVM, pJmpInstrGC, pPatch->flags | PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT);
2906 if (rc != VINF_SUCCESS)
2907 goto failure;
2908 pJmpPatch = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pJmpInstrGC);
2909 Assert(pJmpPatch);
2910 }
2911 if (pJmpPatch->patch.uState != PATCH_ENABLED)
2912 goto failure;
2913
2914 /* save original offset (in case of failures later on) */
2915 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
2916
2917 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
2918 pPatch->uCurPatchOffset = 0;
2919 pPatch->nrPatch2GuestRecs = 0;
2920
2921#ifdef VBOX_WITH_STATISTICS
2922 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
2923 if (VBOX_FAILURE(rc))
2924 goto failure;
2925#endif
2926
2927 /* Install fake cli patch (to clear the virtual IF) */
2928 rc = patmPatchGenIntEntry(pVM, pPatch, pInstrGC);
2929 if (VBOX_FAILURE(rc))
2930 goto failure;
2931
2932 /* Add lookup record for patch to guest address translation (for the push) */
2933 patmr3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pInstrGC, PATM_LOOKUP_BOTHDIR);
2934
2935 /* Duplicate push. */
2936 rc = patmPatchGenDuplicate(pVM, pPatch, &cpuPush, pInstrGC);
2937 if (VBOX_FAILURE(rc))
2938 goto failure;
2939
2940 /* Generate jump to common entrypoint. */
2941 rc = patmPatchGenPatchJump(pVM, pPatch, pCurInstrGC, PATCHCODE_PTR_GC(&pJmpPatch->patch));
2942 if (VBOX_FAILURE(rc))
2943 goto failure;
2944
2945 /* size of patch block */
2946 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
2947
2948 /* Update free pointer in patch memory. */
2949 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
2950 /* Round to next 8 byte boundary */
2951 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
2952
2953 /* There's no jump from guest to patch code. */
2954 pPatch->cbPatchJump = 0;
2955
2956
2957#ifdef LOG_ENABLED
2958 Log(("Patch code ----------------------------------------------------------\n"));
2959 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
2960 Log(("Patch code ends -----------------------------------------------------\n"));
2961#endif
2962 Log(("Successfully installed IDT handler patch at %VGv\n", pInstrGC));
2963
2964 /*
2965 * Insert into patch to guest lookup tree
2966 */
2967 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
2968 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
2969 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
2970 AssertMsg(rc, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
2971
2972 pPatch->uState = PATCH_ENABLED;
2973
2974 return VINF_SUCCESS;
2975 }
2976 }
2977failure:
2978 /* Give back the patch memory we no longer need */
2979 if (orgOffsetPatchMem != (uint32_t)~0)
2980 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
2981
2982 return PATMR3PatchBlock(pVM, pInstrGC, pInstrHC, OP_CLI, uOpSize, pPatchRec);
2983}
2984
2985/**
2986 * Install a trampoline to call a guest trap handler directly
2987 *
2988 * @returns VBox status code.
2989 * @param pVM The VM to operate on.
2990 * @param pInstrGC Guest context point to privileged instruction
2991 * @param pPatchRec Patch record
2992 *
2993 */
2994static int patmInstallTrapTrampoline(PVM pVM, RTGCPTR pInstrGC, PPATMPATCHREC pPatchRec)
2995{
2996 PPATCHINFO pPatch = &pPatchRec->patch;
2997 int rc = VERR_PATCHING_REFUSED;
2998 uint32_t orgOffsetPatchMem = ~0;
2999#ifdef LOG_ENABLED
3000 bool disret;
3001 DISCPUSTATE cpu;
3002 uint32_t opsize;
3003 char szOutput[256];
3004#endif
3005
3006 // save original offset (in case of failures later on)
3007 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3008
3009 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3010 pPatch->uCurPatchOffset = 0;
3011 pPatch->nrPatch2GuestRecs = 0;
3012
3013#ifdef VBOX_WITH_STATISTICS
3014 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3015 if (VBOX_FAILURE(rc))
3016 goto failure;
3017#endif
3018
3019 rc = patmPatchGenTrapEntry(pVM, pPatch, pInstrGC);
3020 if (VBOX_FAILURE(rc))
3021 goto failure;
3022
3023 /* size of patch block */
3024 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3025
3026 /* Update free pointer in patch memory. */
3027 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3028 /* Round to next 8 byte boundary */
3029 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3030
3031 /* There's no jump from guest to patch code. */
3032 pPatch->cbPatchJump = 0;
3033
3034#ifdef LOG_ENABLED
3035 Log(("Patch code ----------------------------------------------------------\n"));
3036 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
3037 Log(("Patch code ends -----------------------------------------------------\n"));
3038#endif
3039
3040#ifdef LOG_ENABLED
3041 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3042 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3043 Log(("TRAP handler patch: %s", szOutput));
3044#endif
3045 Log(("Successfully installed Trap Trampoline patch at %VGv\n", pInstrGC));
3046
3047 /*
3048 * Insert into patch to guest lookup tree
3049 */
3050 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3051 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3052 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3053 AssertMsg(rc, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
3054
3055 pPatch->uState = PATCH_ENABLED;
3056 return VINF_SUCCESS;
3057
3058failure:
3059 AssertMsgFailed(("Failed to install trap handler trampoline!!\n"));
3060
3061 /* Turn this cli patch into a dummy. */
3062 pPatch->uState = PATCH_REFUSED;
3063 pPatch->pPatchBlockOffset = 0;
3064
3065 /* Give back the patch memory we no longer need */
3066 Assert(orgOffsetPatchMem != (uint32_t)~0);
3067 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3068
3069 return rc;
3070}
3071
3072
3073#ifdef DEBUG
3074/**
3075 * Check if the instruction is patched as a common idt handler
3076 *
3077 * @returns true or false
3078 * @param pVM The VM to operate on.
3079 * @param pInstrGC Guest context point to the instruction
3080 *
3081 */
3082static bool patmIsCommonIDTHandlerPatch(PVM pVM, RTGCPTR pInstrGC)
3083{
3084 PPATMPATCHREC pRec;
3085
3086 pRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
3087 if (pRec && pRec->patch.flags & PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT)
3088 return true;
3089 return false;
3090}
3091#endif //DEBUG
3092
3093
3094/**
3095 * Duplicates a complete function
3096 *
3097 * @returns VBox status code.
3098 * @param pVM The VM to operate on.
3099 * @param pInstrGC Guest context point to privileged instruction
3100 * @param pPatchRec Patch record
3101 *
3102 */
3103static int patmDuplicateFunction(PVM pVM, RTGCPTR pInstrGC, PPATMPATCHREC pPatchRec)
3104{
3105 PPATCHINFO pPatch = &pPatchRec->patch;
3106 int rc = VERR_PATCHING_REFUSED;
3107 DISCPUSTATE cpu;
3108 uint32_t orgOffsetPatchMem = ~0;
3109
3110 Log(("patmDuplicateFunction %VGv\n", pInstrGC));
3111 /* Save original offset (in case of failures later on). */
3112 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3113
3114 /* We will not go on indefinitely with call instruction handling. */
3115 if (pVM->patm.s.ulCallDepth > PATM_MAX_CALL_DEPTH)
3116 {
3117 Log(("patmDuplicateFunction: maximum callback depth reached!!\n"));
3118 return VERR_PATCHING_REFUSED;
3119 }
3120
3121 pVM->patm.s.ulCallDepth++;
3122
3123#ifdef PATM_ENABLE_CALL
3124 pPatch->flags |= PATMFL_SUPPORT_CALLS | PATMFL_SUPPORT_INDIRECT_CALLS;
3125#endif
3126
3127 Assert(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION));
3128
3129 pPatch->nrPatch2GuestRecs = 0;
3130 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3131 pPatch->uCurPatchOffset = 0;
3132
3133 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3134
3135 /** @note Set the PATM interrupt flag here; it was cleared before the patched call. (!!!) */
3136 rc = patmPatchGenSetPIF(pVM, pPatch, pInstrGC);
3137 if (VBOX_FAILURE(rc))
3138 goto failure;
3139
3140#ifdef VBOX_WITH_STATISTICS
3141 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3142 if (VBOX_FAILURE(rc))
3143 goto failure;
3144#endif
3145 rc = patmRecompileCodeStream(pVM, pInstrGC, pInstrGC, patmRecompileCallback, pPatch);
3146 if (rc != VINF_SUCCESS)
3147 {
3148 Log(("PATMR3PatchCli: patmRecompileCodeStream failed with %d\n", rc));
3149 goto failure;
3150 }
3151
3152 //size of patch block
3153 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3154
3155 //update free pointer in patch memory
3156 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3157 /* Round to next 8 byte boundary. */
3158 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3159
3160 pPatch->uState = PATCH_ENABLED;
3161
3162 /*
3163 * Insert into patch to guest lookup tree
3164 */
3165 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3166 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3167 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3168 AssertMsg(rc, ("RTAvloGCPtrInsert failed for %x\n", pPatchRec->CoreOffset.Key));
3169 if (!rc)
3170 {
3171 rc = VERR_PATCHING_REFUSED;
3172 goto failure;
3173 }
3174
3175 /* Note that patmr3SetBranchTargets can install additional patches!! */
3176 rc = patmr3SetBranchTargets(pVM, pPatch);
3177 if (rc != VINF_SUCCESS)
3178 {
3179 Log(("PATMR3PatchCli: patmr3SetBranchTargets failed with %d\n", rc));
3180 goto failure;
3181 }
3182
3183#ifdef LOG_ENABLED
3184 Log(("Patch code ----------------------------------------------------------\n"));
3185 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmr3DisasmCallback, pPatch);
3186 Log(("Patch code ends -----------------------------------------------------\n"));
3187#endif
3188
3189 Log(("Successfully installed function duplication patch at %VGv\n", pInstrGC));
3190
3191 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3192 pPatch->pTempInfo->nrIllegalInstr = 0;
3193
3194 pVM->patm.s.ulCallDepth--;
3195 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledFunctionPatches);
3196 return VINF_SUCCESS;
3197
3198failure:
3199 if (pPatchRec->CoreOffset.Key)
3200 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
3201
3202 patmEmptyTree(pVM, &pPatch->FixupTree);
3203 pPatch->nrFixups = 0;
3204
3205 patmEmptyTree(pVM, &pPatch->JumpTree);
3206 pPatch->nrJumpRecs = 0;
3207
3208 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3209 pPatch->pTempInfo->nrIllegalInstr = 0;
3210
3211 /* Turn this cli patch into a dummy. */
3212 pPatch->uState = PATCH_REFUSED;
3213 pPatch->pPatchBlockOffset = 0;
3214
3215 // Give back the patch memory we no longer need
3216 Assert(orgOffsetPatchMem != (uint32_t)~0);
3217 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3218
3219 pVM->patm.s.ulCallDepth--;
3220 Log(("patmDupicateFunction %VGv failed!!\n", pInstrGC));
3221 return rc;
3222}
3223
3224/**
3225 * Creates trampoline code to jump inside an existing patch
3226 *
3227 * @returns VBox status code.
3228 * @param pVM The VM to operate on.
3229 * @param pInstrGC Guest context point to privileged instruction
3230 * @param pPatchRec Patch record
3231 *
3232 */
3233static int patmCreateTrampoline(PVM pVM, RTGCPTR pInstrGC, PPATMPATCHREC pPatchRec)
3234{
3235 PPATCHINFO pPatch = &pPatchRec->patch;
3236 RTGCPTR pPage, pPatchTargetGC = 0;
3237 uint32_t orgOffsetPatchMem = ~0;
3238 int rc = VERR_PATCHING_REFUSED;
3239
3240 Log(("patmCreateTrampoline %VGv\n", pInstrGC));
3241 /* Save original offset (in case of failures later on). */
3242 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3243
3244 /* First we check if the duplicate function target lies in some existing function patch already. Will save some space. */
3245 /** @todo we already checked this before */
3246 pPage = pInstrGC & PAGE_BASE_GC_MASK;
3247
3248 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTGCPTR)pPage);
3249 if (pPatchPage)
3250 {
3251 uint32_t i;
3252
3253 for (i=0;i<pPatchPage->cCount;i++)
3254 {
3255 if (pPatchPage->aPatch[i])
3256 {
3257 PPATCHINFO pPatch = pPatchPage->aPatch[i];
3258
3259 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
3260 && pPatch->uState == PATCH_ENABLED)
3261 {
3262 pPatchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pInstrGC);
3263 if (pPatchTargetGC)
3264 {
3265 uint32_t offsetPatch = pPatchTargetGC - pVM->patm.s.pPatchMemGC;
3266 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->Patch2GuestAddrTree, offsetPatch, false);
3267 Assert(pPatchToGuestRec);
3268
3269 pPatchToGuestRec->fJumpTarget = true;
3270 Assert(pPatchTargetGC != pPatch->pPrivInstrGC);
3271 Log(("patmCreateTrampoline: generating jump to code inside patch at %VGv\n", pPatch->pPrivInstrGC));
3272 pPatch->flags |= PATMFL_EXTERNAL_JUMP_INSIDE;
3273 break;
3274 }
3275 }
3276 }
3277 }
3278 }
3279 AssertReturn(pPatchPage && pPatchTargetGC, VERR_PATCHING_REFUSED);
3280
3281 pPatch->nrPatch2GuestRecs = 0;
3282 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3283 pPatch->uCurPatchOffset = 0;
3284
3285 /** @note Set the PATM interrupt flag here; it was cleared before the patched call. (!!!) */
3286 rc = patmPatchGenSetPIF(pVM, pPatch, pInstrGC);
3287 if (VBOX_FAILURE(rc))
3288 goto failure;
3289
3290#ifdef VBOX_WITH_STATISTICS
3291 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3292 if (VBOX_FAILURE(rc))
3293 goto failure;
3294#endif
3295
3296 rc = patmPatchGenPatchJump(pVM, pPatch, pInstrGC, pPatchTargetGC);
3297 if (VBOX_FAILURE(rc))
3298 goto failure;
3299
3300 /*
3301 * Insert into patch to guest lookup tree
3302 */
3303 LogFlow(("Insert %VGv patch offset %VGv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3304 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3305 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3306 AssertMsg(rc, ("RTAvloGCPtrInsert failed for %x\n", pPatchRec->CoreOffset.Key));
3307 if (!rc)
3308 {
3309 rc = VERR_PATCHING_REFUSED;
3310 goto failure;
3311 }
3312
3313 /* size of patch block */
3314 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3315
3316 /* Update free pointer in patch memory. */
3317 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3318 /* Round to next 8 byte boundary */
3319 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3320
3321 /* There's no jump from guest to patch code. */
3322 pPatch->cbPatchJump = 0;
3323
3324 /* Enable the patch. */
3325 pPatch->uState = PATCH_ENABLED;
3326 /* We allow this patch to be called as a function. */
3327 pPatch->flags |= PATMFL_CALLABLE_AS_FUNCTION;
3328 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledTrampoline);
3329 return VINF_SUCCESS;
3330
3331failure:
3332 if (pPatchRec->CoreOffset.Key)
3333 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
3334
3335 patmEmptyTree(pVM, &pPatch->FixupTree);
3336 pPatch->nrFixups = 0;
3337
3338 patmEmptyTree(pVM, &pPatch->JumpTree);
3339 pPatch->nrJumpRecs = 0;
3340
3341 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3342 pPatch->pTempInfo->nrIllegalInstr = 0;
3343
3344 /* Turn this cli patch into a dummy. */
3345 pPatch->uState = PATCH_REFUSED;
3346 pPatch->pPatchBlockOffset = 0;
3347
3348 // Give back the patch memory we no longer need
3349 Assert(orgOffsetPatchMem != (uint32_t)~0);
3350 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3351
3352 return rc;
3353}
3354
3355
3356/**
3357 * Patch branch target function for call/jump at specified location.
3358 * (in responds to a VINF_PATM_DUPLICATE_FUNCTION GC exit reason)
3359 *
3360 * @returns VBox status code.
3361 * @param pVM The VM to operate on.
3362 * @param pCtx Guest context
3363 *
3364 */
3365PATMR3DECL(int) PATMR3DuplicateFunctionRequest(PVM pVM, PCPUMCTX pCtx)
3366{
3367 RTGCPTR pBranchTarget, pPage;
3368 int rc;
3369 RTGCPTR pPatchTargetGC = 0;
3370
3371 pBranchTarget = pCtx->edx;
3372 pBranchTarget = SELMToFlat(pVM, pCtx->eflags, pCtx->cs, &pCtx->csHid, pBranchTarget);
3373
3374 /* First we check if the duplicate function target lies in some existing function patch already. Will save some space. */
3375 pPage = pBranchTarget & PAGE_BASE_GC_MASK;
3376
3377 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTGCPTR)pPage);
3378 if (pPatchPage)
3379 {
3380 uint32_t i;
3381
3382 for (i=0;i<pPatchPage->cCount;i++)
3383 {
3384 if (pPatchPage->aPatch[i])
3385 {
3386 PPATCHINFO pPatch = pPatchPage->aPatch[i];
3387
3388 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
3389 && pPatch->uState == PATCH_ENABLED)
3390 {
3391 pPatchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pBranchTarget);
3392 if (pPatchTargetGC)
3393 {
3394 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateUseExisting);
3395 break;
3396 }
3397 }
3398 }
3399 }
3400 }
3401
3402 if (pPatchTargetGC)
3403 {
3404 /* Create a trampoline that also sets PATM_INTERRUPTFLAG. */
3405 rc = PATMR3InstallPatch(pVM, pBranchTarget, PATMFL_CODE32 | PATMFL_TRAMPOLINE);
3406 }
3407 else
3408 {
3409 rc = PATMR3InstallPatch(pVM, pBranchTarget, PATMFL_CODE32 | PATMFL_DUPLICATE_FUNCTION);
3410 }
3411
3412 if (rc == VINF_SUCCESS)
3413 {
3414 pPatchTargetGC = PATMR3QueryPatchGCPtr(pVM, pBranchTarget);
3415 Assert(pPatchTargetGC);
3416 }
3417
3418 if (pPatchTargetGC)
3419 {
3420 pCtx->eax = pPatchTargetGC;
3421 pCtx->eax = pCtx->eax - (RTGCUINTPTR)pVM->patm.s.pPatchMemGC; /* make it relative */
3422 }
3423 else
3424 {
3425 /* We add a dummy entry into the lookup cache so we won't get bombarded with the same requests over and over again. */
3426 pCtx->eax = 0;
3427 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateREQFailed);
3428 }
3429 Assert(PATMIsPatchGCAddr(pVM, pCtx->edi));
3430 rc = PATMAddBranchToLookupCache(pVM, pCtx->edi, pBranchTarget, pCtx->eax);
3431 AssertRC(rc);
3432
3433 pCtx->eip += PATM_ILLEGAL_INSTR_SIZE;
3434 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateREQSuccess);
3435 return VINF_SUCCESS;
3436}
3437
3438/**
3439 * Replaces a function call by a call to an existing function duplicate (or jmp -> jmp)
3440 *
3441 * @returns VBox status code.
3442 * @param pVM The VM to operate on.
3443 * @param pCpu Disassembly CPU structure ptr
3444 * @param pInstrGC Guest context point to privileged instruction
3445 * @param pPatch Patch record
3446 *
3447 */
3448static int patmReplaceFunctionCall(PVM pVM, DISCPUSTATE *pCpu, RTGCPTR pInstrGC, PPATCHINFO pPatch)
3449{
3450 int rc = VERR_PATCHING_REFUSED;
3451 DISCPUSTATE cpu;
3452 RTGCPTR pTargetGC;
3453 PPATMPATCHREC pPatchFunction;
3454 uint32_t opsize;
3455 bool disret;
3456#ifdef LOG_ENABLED
3457 char szOutput[256];
3458#endif
3459
3460 Assert(pPatch->flags & PATMFL_REPLACE_FUNCTION_CALL);
3461 Assert((pCpu->pCurInstr->opcode == OP_CALL || pCpu->pCurInstr->opcode == OP_JMP) && pCpu->opsize == SIZEOF_NEARJUMP32);
3462
3463 if ((pCpu->pCurInstr->opcode != OP_CALL && pCpu->pCurInstr->opcode != OP_JMP) || pCpu->opsize != SIZEOF_NEARJUMP32)
3464 {
3465 rc = VERR_PATCHING_REFUSED;
3466 goto failure;
3467 }
3468
3469 pTargetGC = PATMResolveBranch(pCpu, pInstrGC);
3470 if (pTargetGC == 0)
3471 {
3472 Log(("We don't support far jumps here!! (%08X)\n", pCpu->param1.flags));
3473 rc = VERR_PATCHING_REFUSED;
3474 goto failure;
3475 }
3476
3477 pPatchFunction = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pTargetGC);
3478 if (pPatchFunction == NULL)
3479 {
3480 for(;;)
3481 {
3482 /* It could be an indirect call (call -> jmp dest).
3483 * Note that it's dangerous to assume the jump will never change...
3484 */
3485 uint8_t *pTmpInstrHC;
3486
3487 pTmpInstrHC = PATMGCVirtToHCVirt(pVM, pPatch, pTargetGC);
3488 Assert(pTmpInstrHC);
3489 if (pTmpInstrHC == 0)
3490 break;
3491
3492 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3493 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pTargetGC, pTmpInstrHC, &opsize, NULL);
3494 if (disret == false || cpu.pCurInstr->opcode != OP_JMP)
3495 break;
3496
3497 pTargetGC = PATMResolveBranch(&cpu, pTargetGC);
3498 if (pTargetGC == 0)
3499 {
3500 break;
3501 }
3502
3503 pPatchFunction = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pTargetGC);
3504 break;
3505 }
3506 if (pPatchFunction == 0)
3507 {
3508 AssertMsgFailed(("Unable to find duplicate function %VGv\n", pTargetGC));
3509 rc = VERR_PATCHING_REFUSED;
3510 goto failure;
3511 }
3512 }
3513
3514 // make a copy of the guest code bytes that will be overwritten
3515 pPatch->cbPatchJump = SIZEOF_NEARJUMP32;
3516
3517 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
3518 AssertRC(rc);
3519
3520 /* Now replace the original call in the guest code */
3521 rc = patmGenCallToPatch(pVM, pPatch, PATCHCODE_PTR_GC(&pPatchFunction->patch), true);
3522 AssertRC(rc);
3523 if (VBOX_FAILURE(rc))
3524 goto failure;
3525
3526 /* Lowest and highest address for write monitoring. */
3527 pPatch->pInstrGCLowest = pInstrGC;
3528 pPatch->pInstrGCHighest = pInstrGC + pCpu->opsize;
3529
3530#ifdef LOG_ENABLED
3531 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3532 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3533 Log(("Call patch: %s", szOutput));
3534#endif
3535
3536 Log(("Successfully installed function replacement patch at %VGv\n", pInstrGC));
3537
3538 pPatch->uState = PATCH_ENABLED;
3539 return VINF_SUCCESS;
3540
3541failure:
3542 /* Turn this patch into a dummy. */
3543 pPatch->uState = PATCH_REFUSED;
3544
3545 return rc;
3546}
3547
3548/**
3549 * Replace the address in an MMIO instruction with the cached version.
3550 *
3551 * @returns VBox status code.
3552 * @param pVM The VM to operate on.
3553 * @param pInstrGC Guest context point to privileged instruction
3554 * @param pCpu Disassembly CPU structure ptr
3555 * @param pPatch Patch record
3556 *
3557 * @note returns failure if patching is not allowed or possible
3558 *
3559 */
3560static int patmPatchMMIOInstr(PVM pVM, RTGCPTR pInstrGC, DISCPUSTATE *pCpu, PPATCHINFO pPatch)
3561{
3562 uint8_t *pPB;
3563 int rc = VERR_PATCHING_REFUSED;
3564#ifdef LOG_ENABLED
3565 DISCPUSTATE cpu;
3566 uint32_t opsize;
3567 bool disret;
3568 char szOutput[256];
3569#endif
3570
3571 Assert(pVM->patm.s.mmio.pCachedData);
3572 if (!pVM->patm.s.mmio.pCachedData)
3573 goto failure;
3574
3575 if (pCpu->param2.flags != USE_DISPLACEMENT32)
3576 goto failure;
3577
3578 pPB = pPatch->pPrivInstrHC;
3579
3580 /* Add relocation record for cached data access. */
3581 if (patmPatchAddReloc32(pVM, pPatch, &pPB[pCpu->opsize - sizeof(RTGCPTR)], FIXUP_ABSOLUTE, pPatch->pPrivInstrGC, pVM->patm.s.mmio.pCachedData) != VINF_SUCCESS)
3582 {
3583 Log(("Relocation failed for cached mmio address!!\n"));
3584 return VERR_PATCHING_REFUSED;
3585 }
3586#ifdef LOG_ENABLED
3587 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3588 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3589 Log(("MMIO patch old instruction: %s", szOutput));
3590#endif
3591
3592 /* Save original instruction. */
3593 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPrivInstr);
3594 AssertRC(rc);
3595
3596 pPatch->cbPatchJump = pPatch->cbPrivInstr; /* bit of a misnomer in this case; size of replacement instruction. */
3597
3598 /* Replace address with that of the cached item. */
3599 rc = PGMPhysWriteGCPtrDirty(pVM, pInstrGC + pCpu->opsize - sizeof(RTGCPTR), &pVM->patm.s.mmio.pCachedData, sizeof(RTGCPTR));
3600 AssertRC(rc);
3601 if (VBOX_FAILURE(rc))
3602 {
3603 goto failure;
3604 }
3605
3606#ifdef LOG_ENABLED
3607 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3608 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3609 Log(("MMIO patch: %s", szOutput));
3610#endif
3611 pVM->patm.s.mmio.pCachedData = 0;
3612 pVM->patm.s.mmio.GCPhys = 0;
3613 pPatch->uState = PATCH_ENABLED;
3614 return VINF_SUCCESS;
3615
3616failure:
3617 /* Turn this patch into a dummy. */
3618 pPatch->uState = PATCH_REFUSED;
3619
3620 return rc;
3621}
3622
3623
3624/**
3625 * Replace the address in an MMIO instruction with the cached version. (instruction is part of an existing patch)
3626 *
3627 * @returns VBox status code.
3628 * @param pVM The VM to operate on.
3629 * @param pInstrGC Guest context point to privileged instruction
3630 * @param pPatch Patch record
3631 *
3632 * @note returns failure if patching is not allowed or possible
3633 *
3634 */
3635static int patmPatchPATMMMIOInstr(PVM pVM, RTGCPTR pInstrGC, PPATCHINFO pPatch)
3636{
3637 DISCPUSTATE cpu;
3638 uint32_t opsize;
3639 bool disret;
3640 uint8_t *pInstrHC;
3641#ifdef LOG_ENABLED
3642 char szOutput[256];
3643#endif
3644
3645 AssertReturn(pVM->patm.s.mmio.pCachedData, VERR_INVALID_PARAMETER);
3646
3647 /* Convert GC to HC address. */
3648 pInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pInstrGC);
3649 AssertReturn(pInstrHC, VERR_PATCHING_REFUSED);
3650
3651 /* Disassemble mmio instruction. */
3652 cpu.mode = pPatch->uOpMode;
3653 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, NULL);
3654 if (disret == false)
3655 {
3656 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
3657 return VERR_PATCHING_REFUSED;
3658 }
3659
3660 AssertMsg(opsize <= MAX_INSTR_SIZE, ("privileged instruction too big %d!!\n", opsize));
3661 if (opsize > MAX_INSTR_SIZE)
3662 return VERR_PATCHING_REFUSED;
3663 if (cpu.param2.flags != USE_DISPLACEMENT32)
3664 return VERR_PATCHING_REFUSED;
3665
3666 /* Add relocation record for cached data access. */
3667 if (patmPatchAddReloc32(pVM, pPatch, &pInstrHC[cpu.opsize - sizeof(RTGCPTR)], FIXUP_ABSOLUTE) != VINF_SUCCESS)
3668 {
3669 Log(("Relocation failed for cached mmio address!!\n"));
3670 return VERR_PATCHING_REFUSED;
3671 }
3672 /* Replace address with that of the cached item. */
3673 *(RTGCPTR *)&pInstrHC[cpu.opsize - sizeof(RTGCPTR)] = pVM->patm.s.mmio.pCachedData;
3674
3675 /* Lowest and highest address for write monitoring. */
3676 pPatch->pInstrGCLowest = pInstrGC;
3677 pPatch->pInstrGCHighest = pInstrGC + cpu.opsize;
3678
3679#ifdef LOG_ENABLED
3680 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3681 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, szOutput);
3682 Log(("MMIO patch: %s", szOutput));
3683#endif
3684
3685 pVM->patm.s.mmio.pCachedData = 0;
3686 pVM->patm.s.mmio.GCPhys = 0;
3687 return VINF_SUCCESS;
3688}
3689
3690/**
3691 * Activates an int3 patch
3692 *
3693 * @returns VBox status code.
3694 * @param pVM The VM to operate on.
3695 * @param pPatch Patch record
3696 */
3697static int patmActivateInt3Patch(PVM pVM, PPATCHINFO pPatch)
3698{
3699 uint8_t ASMInt3 = 0xCC;
3700 int rc;
3701
3702 Assert(pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK));
3703 Assert(pPatch->uState != PATCH_ENABLED);
3704
3705 /* Replace first opcode byte with 'int 3'. */
3706 rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, &ASMInt3, sizeof(ASMInt3));
3707 AssertRC(rc);
3708
3709 pPatch->cbPatchJump = sizeof(ASMInt3);
3710
3711 return rc;
3712}
3713
3714/**
3715 * Deactivates an int3 patch
3716 *
3717 * @returns VBox status code.
3718 * @param pVM The VM to operate on.
3719 * @param pPatch Patch record
3720 */
3721static int patmDeactivateInt3Patch(PVM pVM, PPATCHINFO pPatch)
3722{
3723 uint8_t ASMInt3 = 0xCC;
3724 int rc;
3725
3726 Assert(pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK));
3727 Assert(pPatch->uState == PATCH_ENABLED || pPatch->uState == PATCH_DIRTY);
3728
3729 /* Restore first opcode byte. */
3730 rc = PGMPhysWriteGCPtrDirty(pVM, pPatch->pPrivInstrGC, pPatch->aPrivInstr, sizeof(ASMInt3));
3731 AssertRC(rc);
3732 return rc;
3733}
3734
3735/**
3736 * Replace an instruction with a breakpoint (0xCC), that is handled dynamically in the guest context.
3737 *
3738 * @returns VBox status code.
3739 * @param pVM The VM to operate on.
3740 * @param pInstrGC Guest context point to privileged instruction
3741 * @param pInstrHC Host context point to privileged instruction
3742 * @param pCpu Disassembly CPU structure ptr
3743 * @param pPatch Patch record
3744 *
3745 * @note returns failure if patching is not allowed or possible
3746 *
3747 */
3748PATMR3DECL(int) PATMR3PatchInstrInt3(PVM pVM, RTGCPTR pInstrGC, HCPTRTYPE(uint8_t *) pInstrHC, DISCPUSTATE *pCpu, PPATCHINFO pPatch)
3749{
3750 uint8_t ASMInt3 = 0xCC;
3751 int rc;
3752
3753 /** @note Do not use patch memory here! It might called during patch installation too. */
3754
3755#ifdef LOG_ENABLED
3756 DISCPUSTATE cpu;
3757 char szOutput[256];
3758 uint32_t opsize;
3759
3760 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3761 PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, szOutput);
3762 Log(("PATMR3PatchInstrInt3: %s", szOutput));
3763#endif
3764
3765 /* Save the original instruction. */
3766 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPrivInstr);
3767 AssertRC(rc);
3768 pPatch->cbPatchJump = sizeof(ASMInt3); /* bit of a misnomer in this case; size of replacement instruction. */
3769
3770 pPatch->flags |= PATMFL_INT3_REPLACEMENT;
3771
3772 /* Replace first opcode byte with 'int 3'. */
3773 rc = patmActivateInt3Patch(pVM, pPatch);
3774 if (VBOX_FAILURE(rc))
3775 goto failure;
3776
3777 /* Lowest and highest address for write monitoring. */
3778 pPatch->pInstrGCLowest = pInstrGC;
3779 pPatch->pInstrGCHighest = pInstrGC + pCpu->opsize;
3780
3781 pPatch->uState = PATCH_ENABLED;
3782 return VINF_SUCCESS;
3783
3784failure:
3785 /* Turn this patch into a dummy. */
3786 return VERR_PATCHING_REFUSED;
3787}
3788
3789#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
3790/**
3791 * Patch a jump instruction at specified location
3792 *
3793 * @returns VBox status code.
3794 * @param pVM The VM to operate on.
3795 * @param pInstrGC Guest context point to privileged instruction
3796 * @param pInstrHC Host context point to privileged instruction
3797 * @param pCpu Disassembly CPU structure ptr
3798 * @param pPatchRec Patch record
3799 *
3800 * @note returns failure if patching is not allowed or possible
3801 *
3802 */
3803int patmPatchJump(PVM pVM, RTGCPTR pInstrGC, HCPTRTYPE(uint8_t *) pInstrHC, DISCPUSTATE *pCpu, PPATMPATCHREC pPatchRec)
3804{
3805 PPATCHINFO pPatch = &pPatchRec->patch;
3806 int rc = VERR_PATCHING_REFUSED;
3807#ifdef LOG_ENABLED
3808 bool disret;
3809 DISCPUSTATE cpu;
3810 uint32_t opsize;
3811 char szOutput[256];
3812#endif
3813
3814 pPatch->pPatchBlockOffset = 0; /* doesn't use patch memory */
3815 pPatch->uCurPatchOffset = 0;
3816 pPatch->cbPatchBlockSize = 0;
3817 pPatch->flags |= PATMFL_SINGLE_INSTRUCTION;
3818
3819 /*
3820 * Instruction replacements such as these should never be interrupted. I've added code to EM.cpp to
3821 * make sure this never happens. (unless a trap is triggered (intentionally or not))
3822 */
3823 switch (pCpu->pCurInstr->opcode)
3824 {
3825 case OP_JO:
3826 case OP_JNO:
3827 case OP_JC:
3828 case OP_JNC:
3829 case OP_JE:
3830 case OP_JNE:
3831 case OP_JBE:
3832 case OP_JNBE:
3833 case OP_JS:
3834 case OP_JNS:
3835 case OP_JP:
3836 case OP_JNP:
3837 case OP_JL:
3838 case OP_JNL:
3839 case OP_JLE:
3840 case OP_JNLE:
3841 case OP_JMP:
3842 Assert(pPatch->flags & PATMFL_JUMP_CONFLICT);
3843 Assert(pCpu->param1.flags & USE_IMMEDIATE32_REL);
3844 if (!(pCpu->param1.flags & USE_IMMEDIATE32_REL))
3845 goto failure;
3846
3847 Assert(pCpu->opsize == SIZEOF_NEARJUMP32 || pCpu->opsize == SIZEOF_NEAR_COND_JUMP32);
3848 if (pCpu->opsize != SIZEOF_NEARJUMP32 && pCpu->opsize != SIZEOF_NEAR_COND_JUMP32)
3849 goto failure;
3850
3851 if (PAGE_ADDRESS(pInstrGC) != PAGE_ADDRESS(pInstrGC + pCpu->opsize))
3852 {
3853 STAM_COUNTER_INC(&pVM->patm.s.StatPageBoundaryCrossed);
3854 AssertMsgFailed(("Patch jump would cross page boundary -> refuse!!\n"));
3855 rc = VERR_PATCHING_REFUSED;
3856 goto failure;
3857 }
3858
3859 break;
3860
3861 default:
3862 goto failure;
3863 }
3864
3865 // make a copy of the guest code bytes that will be overwritten
3866 Assert(pCpu->opsize <= sizeof(pPatch->aPrivInstr));
3867 Assert(pCpu->opsize >= SIZEOF_NEARJUMP32);
3868 pPatch->cbPatchJump = pCpu->opsize;
3869
3870 rc = PGMPhysReadGCPtr(pVM, pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
3871 AssertRC(rc);
3872
3873 /* Now insert a jump in the guest code. */
3874 /*
3875 * A conflict jump patch needs to be treated differently; we'll just replace the relative jump address with one that
3876 * references the target instruction in the conflict patch.
3877 */
3878 RTGCPTR pJmpDest = PATMR3GuestGCPtrToPatchGCPtr(pVM, pInstrGC + pCpu->opsize + (int32_t)pCpu->param1.parval);
3879
3880 AssertMsg(pJmpDest, ("PATMR3GuestGCPtrToPatchGCPtr failed for %VGv\n", pInstrGC + pCpu->opsize + (int32_t)pCpu->param1.parval));
3881 pPatch->pPatchJumpDestGC = pJmpDest;
3882
3883 rc = patmGenJumpToPatch(pVM, pPatch, true);
3884 AssertRC(rc);
3885 if (VBOX_FAILURE(rc))
3886 goto failure;
3887
3888 pPatch->flags |= PATMFL_MUST_INSTALL_PATCHJMP;
3889
3890#ifdef LOG_ENABLED
3891 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
3892 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC, pPatch->pPrivInstrHC, &opsize, szOutput);
3893 Log(("%s patch: %s", patmGetInstructionString(pPatch->opcode, pPatch->flags), szOutput));
3894#endif
3895
3896 Log(("Successfully installed %s patch at %VGv\n", patmGetInstructionString(pPatch->opcode, pPatch->flags), pInstrGC));
3897
3898 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledJump);
3899
3900 /* Lowest and highest address for write monitoring. */
3901 pPatch->pInstrGCLowest = pInstrGC;
3902 pPatch->pInstrGCHighest = pInstrGC + pPatch->cbPatchJump;
3903
3904 pPatch->uState = PATCH_ENABLED;
3905 return VINF_SUCCESS;
3906
3907failure:
3908 /* Turn this cli patch into a dummy. */
3909 pPatch->uState = PATCH_REFUSED;
3910
3911 return rc;
3912}
3913#endif /* PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES */
3914
3915
3916/**
3917 * Gives hint to PATM about supervisor guest instructions
3918 *
3919 * @returns VBox status code.
3920 * @param pVM The VM to operate on.
3921 * @param pInstr Guest context point to privileged instruction
3922 * @param flags Patch flags
3923 */
3924PATMR3DECL(int) PATMR3AddHint(PVM pVM, RTGCPTR pInstrGC, uint32_t flags)
3925{
3926 Assert(pInstrGC);
3927 Assert(flags == PATMFL_CODE32);
3928
3929 Log(("PATMR3AddHint %VGv\n", pInstrGC));
3930 return PATMR3InstallPatch(pVM, pInstrGC, PATMFL_CODE32 | PATMFL_INSTR_HINT);
3931}
3932
3933/**
3934 * Patch privileged instruction at specified location
3935 *
3936 * @returns VBox status code.
3937 * @param pVM The VM to operate on.
3938 * @param pInstr Guest context point to privileged instruction (0:32 flat address)
3939 * @param flags Patch flags
3940 *
3941 * @note returns failure if patching is not allowed or possible
3942 */
3943PATMR3DECL(int) PATMR3InstallPatch(PVM pVM, RTGCPTR pInstrGC, uint64_t flags)
3944{
3945 DISCPUSTATE cpu;
3946 HCPTRTYPE(uint8_t *) pInstrHC;
3947 uint32_t opsize;
3948 PPATMPATCHREC pPatchRec;
3949 PCPUMCTX pCtx = 0;
3950 bool disret;
3951 int rc;
3952
3953 if (!pVM || pInstrGC == 0 || (flags & ~(PATMFL_CODE32|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_SYSENTER|PATMFL_TRAPHANDLER|PATMFL_DUPLICATE_FUNCTION|PATMFL_REPLACE_FUNCTION_CALL|PATMFL_GUEST_SPECIFIC|PATMFL_INT3_REPLACEMENT|PATMFL_TRAPHANDLER_WITH_ERRORCODE|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_MMIO_ACCESS|PATMFL_TRAMPOLINE|PATMFL_INSTR_HINT|PATMFL_JUMP_CONFLICT)))
3954 {
3955 AssertFailed();
3956 return VERR_INVALID_PARAMETER;
3957 }
3958
3959 if (PATMIsEnabled(pVM) == false)
3960 return VERR_PATCHING_REFUSED;
3961
3962 /* Test for patch conflict only with patches that actually change guest code. */
3963 if (!(flags & (PATMFL_GUEST_SPECIFIC|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_TRAMPOLINE)))
3964 {
3965 PPATCHINFO pConflictPatch = PATMFindActivePatchByEntrypoint(pVM, pInstrGC);
3966 AssertReleaseMsg(pConflictPatch == 0, ("Unable to patch overwritten instruction at %VGv (%VGv)\n", pInstrGC, pConflictPatch->pPrivInstrGC));
3967 if (pConflictPatch != 0)
3968 return VERR_PATCHING_REFUSED;
3969 }
3970
3971 if (!(flags & PATMFL_CODE32))
3972 {
3973 /** @todo Only 32 bits code right now */
3974 AssertMsgFailed(("PATMR3InstallPatch: We don't support 16 bits code at this moment!!\n"));
3975 return VERR_NOT_IMPLEMENTED;
3976 }
3977
3978 /* We ran out of patch memory; don't bother anymore. */
3979 if (pVM->patm.s.fOutOfMemory == true)
3980 return VERR_PATCHING_REFUSED;
3981
3982 /* Make sure the code selector is wide open; otherwise refuse. */
3983 CPUMQueryGuestCtxPtr(pVM, &pCtx);
3984 if (CPUMGetGuestCPL(pVM, CPUMCTX2CORE(pCtx)) == 0)
3985 {
3986 RTGCPTR pInstrGCFlat = SELMToFlat(pVM, pCtx->eflags, pCtx->cs, &pCtx->csHid, pInstrGC);
3987 if (pInstrGCFlat != pInstrGC)
3988 {
3989 Log(("PATMR3InstallPatch: code selector not wide open: %04x:%VGv != %VGv eflags=%08x\n", pCtx->cs, pInstrGCFlat, pInstrGC, pCtx->eflags.u32));
3990 return VERR_PATCHING_REFUSED;
3991 }
3992 }
3993
3994 /** @note the OpenBSD specific check will break if we allow additional patches to be installed (int 3)) */
3995 if (!(flags & PATMFL_GUEST_SPECIFIC))
3996 {
3997 /* New code. Make sure CSAM has a go at it first. */
3998 CSAMR3CheckCode(pVM, pInstrGC);
3999 }
4000
4001 /** @note obsolete */
4002 if ( PATMIsPatchGCAddr(pVM, pInstrGC)
4003 && (flags & PATMFL_MMIO_ACCESS))
4004 {
4005 RTGCUINTPTR offset;
4006 void *pvPatchCoreOffset;
4007
4008 /* Find the patch record. */
4009 offset = pInstrGC - pVM->patm.s.pPatchMemGC;
4010 pvPatchCoreOffset = RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, offset, false);
4011 if (pvPatchCoreOffset == NULL)
4012 {
4013 AssertMsgFailed(("PATMR3InstallPatch: patch not found at address %VGv!!\n", pInstrGC));
4014 return VERR_PATCH_NOT_FOUND; //fatal error
4015 }
4016 pPatchRec = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
4017
4018 return patmPatchPATMMMIOInstr(pVM, pInstrGC, &pPatchRec->patch);
4019 }
4020
4021 AssertReturn(!PATMIsPatchGCAddr(pVM, pInstrGC), VERR_PATCHING_REFUSED);
4022
4023 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4024 if (pPatchRec)
4025 {
4026 Assert(!(flags & PATMFL_TRAMPOLINE));
4027
4028 /* Hints about existing patches are ignored. */
4029 if (flags & PATMFL_INSTR_HINT)
4030 return VERR_PATCHING_REFUSED;
4031
4032 if (pPatchRec->patch.uState == PATCH_DISABLE_PENDING)
4033 {
4034 Log(("PATMR3InstallPatch: disable operation is pending for patch at %VGv\n", pPatchRec->patch.pPrivInstrGC));
4035 PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
4036 Assert(pPatchRec->patch.uState == PATCH_DISABLED);
4037 }
4038
4039 if (pPatchRec->patch.uState == PATCH_DISABLED)
4040 {
4041 /* A patch, for which we previously received a hint, will be enabled and turned into a normal patch. */
4042 if (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
4043 {
4044 Log(("Enabling HINTED patch %VGv\n", pInstrGC));
4045 pPatchRec->patch.flags &= ~PATMFL_INSTR_HINT;
4046 }
4047 else
4048 Log(("Enabling patch %VGv again\n", pInstrGC));
4049
4050 /** @todo we shouldn't disable and enable patches too often (it's relatively cheap, but pointless if it always happens) */
4051 rc = PATMR3EnablePatch(pVM, pInstrGC);
4052 if (VBOX_SUCCESS(rc))
4053 return VWRN_PATCH_ENABLED;
4054
4055 return rc;
4056 }
4057 if ( pPatchRec->patch.uState == PATCH_ENABLED
4058 || pPatchRec->patch.uState == PATCH_DIRTY)
4059 {
4060 /*
4061 * The patch might have been overwritten.
4062 */
4063 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
4064 if (pPatchRec->patch.uState != PATCH_REFUSED && pPatchRec->patch.uState != PATCH_UNUSABLE)
4065 {
4066 /* Patch must have been overwritten; remove it and pretend nothing happened. */
4067 Log(("Patch an existing patched instruction?!? (%VGv)\n", pInstrGC));
4068 if (pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_MMIO_ACCESS|PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
4069 {
4070 if (flags & PATMFL_IDTHANDLER)
4071 pPatchRec->patch.flags |= (flags & (PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER|PATMFL_INTHANDLER)); /* update the type */
4072
4073 return VERR_PATM_ALREADY_PATCHED; /* already done once */
4074 }
4075 }
4076 PATMR3RemovePatch(pVM, pInstrGC);
4077 }
4078 else
4079 {
4080 AssertMsg(pPatchRec->patch.uState == PATCH_REFUSED || pPatchRec->patch.uState == PATCH_UNUSABLE, ("Patch an existing patched instruction?!? (%VGv, state=%d)\n", pInstrGC, pPatchRec->patch.uState));
4081 /* already tried it once! */
4082 return VERR_PATCHING_REFUSED;
4083 }
4084 }
4085
4086 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHREC), 0, MM_TAG_PATM_PATCH, (void **)&pPatchRec);
4087 if (VBOX_FAILURE(rc))
4088 {
4089 Log(("Out of memory!!!!\n"));
4090 return VERR_NO_MEMORY;
4091 }
4092 pPatchRec->Core.Key = pInstrGC;
4093 pPatchRec->patch.uState = PATCH_REFUSED; //default
4094 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pPatchRec->Core);
4095 Assert(rc);
4096
4097 RTGCPHYS GCPhys;
4098 rc = PGMGstGetPage(pVM, pInstrGC, NULL, &GCPhys);
4099 if (rc != VINF_SUCCESS)
4100 {
4101 Log(("PGMGstGetPage failed with %Vrc\n", rc));
4102 return rc;
4103 }
4104 /* Disallow patching instructions inside ROM code; complete function duplication is allowed though. */
4105 if ( !(flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_TRAMPOLINE))
4106 && !PGMPhysIsGCPhysNormal(pVM, GCPhys))
4107 {
4108 Log(("Code at %RGv (phys %RGp) is in a ROM, MMIO or invalid page - refused\n", pInstrGC, GCPhys));
4109 return VERR_PATCHING_REFUSED;
4110 }
4111 GCPhys = GCPhys + (pInstrGC & PAGE_OFFSET_MASK);
4112 rc = PGMPhysGCPhys2HCPtr(pVM, GCPhys, MAX_INSTR_SIZE, (void **)&pInstrHC);
4113 AssertRCReturn(rc, rc);
4114
4115 pPatchRec->patch.pPrivInstrHC = pInstrHC;
4116 pPatchRec->patch.pPrivInstrGC = pInstrGC;
4117 pPatchRec->patch.flags = flags;
4118 pPatchRec->patch.uOpMode = (flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
4119
4120 pPatchRec->patch.pInstrGCLowest = pInstrGC;
4121 pPatchRec->patch.pInstrGCHighest = pInstrGC;
4122
4123 if (!(pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION | PATMFL_IDTHANDLER | PATMFL_SYSENTER | PATMFL_TRAMPOLINE)))
4124 {
4125 /*
4126 * Close proximity to an unusable patch is a possible hint that this patch would turn out to be dangerous too!
4127 */
4128 PPATMPATCHREC pPatchNear = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, (pInstrGC + SIZEOF_NEARJUMP32 - 1), false);
4129 if (pPatchNear)
4130 {
4131 if (pPatchNear->patch.uState == PATCH_UNUSABLE && pInstrGC < pPatchNear->patch.pPrivInstrGC && pInstrGC + SIZEOF_NEARJUMP32 > pPatchNear->patch.pPrivInstrGC)
4132 {
4133 Log(("Dangerous patch; would overwrite the ususable patch at %VGv\n", pPatchNear->patch.pPrivInstrGC));
4134
4135 pPatchRec->patch.uState = PATCH_UNUSABLE;
4136 /*
4137 * Leave the new patch active as it's marked unusable; to prevent us from checking it over and over again
4138 */
4139 return VERR_PATCHING_REFUSED;
4140 }
4141 }
4142 }
4143
4144 pPatchRec->patch.pTempInfo = (PPATCHINFOTEMP)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(PATCHINFOTEMP));
4145 if (pPatchRec->patch.pTempInfo == 0)
4146 {
4147 Log(("Out of memory!!!!\n"));
4148 return VERR_NO_MEMORY;
4149 }
4150
4151 cpu.mode = pPatchRec->patch.uOpMode;
4152 disret = PATMR3DISInstr(pVM, &pPatchRec->patch, &cpu, pInstrGC, pInstrHC, &opsize, NULL);
4153 if (disret == false)
4154 {
4155 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
4156 return VERR_PATCHING_REFUSED;
4157 }
4158
4159 AssertMsg(opsize <= MAX_INSTR_SIZE, ("privileged instruction too big %d!!\n", opsize));
4160 if (opsize > MAX_INSTR_SIZE)
4161 {
4162 return VERR_PATCHING_REFUSED;
4163 }
4164
4165 pPatchRec->patch.cbPrivInstr = opsize;
4166 pPatchRec->patch.opcode = cpu.pCurInstr->opcode;
4167
4168 /* Restricted hinting for now. */
4169 Assert(!(flags & PATMFL_INSTR_HINT) || cpu.pCurInstr->opcode == OP_CLI);
4170
4171 /* Allocate statistics slot */
4172 if (pVM->patm.s.uCurrentPatchIdx < PATM_STAT_MAX_COUNTERS)
4173 {
4174 pPatchRec->patch.uPatchIdx = pVM->patm.s.uCurrentPatchIdx++;
4175 }
4176 else
4177 {
4178 Log(("WARNING: Patch index wrap around!!\n"));
4179 pPatchRec->patch.uPatchIdx = PATM_STAT_INDEX_DUMMY;
4180 }
4181
4182 if (pPatchRec->patch.flags & PATMFL_TRAPHANDLER)
4183 {
4184 rc = patmInstallTrapTrampoline(pVM, pInstrGC, pPatchRec);
4185 }
4186 else
4187 if (pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION ))
4188 {
4189 rc = patmDuplicateFunction(pVM, pInstrGC, pPatchRec);
4190 }
4191 else
4192 if (pPatchRec->patch.flags & PATMFL_TRAMPOLINE)
4193 {
4194 rc = patmCreateTrampoline(pVM, pInstrGC, pPatchRec);
4195 }
4196 else
4197 if (pPatchRec->patch.flags & PATMFL_REPLACE_FUNCTION_CALL)
4198 {
4199 rc = patmReplaceFunctionCall(pVM, &cpu, pInstrGC, &pPatchRec->patch);
4200 }
4201 else
4202 if (pPatchRec->patch.flags & PATMFL_INT3_REPLACEMENT)
4203 {
4204 rc = PATMR3PatchInstrInt3(pVM, pInstrGC, pInstrHC, &cpu, &pPatchRec->patch);
4205 }
4206 else
4207 if (pPatchRec->patch.flags & PATMFL_MMIO_ACCESS)
4208 {
4209 rc = patmPatchMMIOInstr(pVM, pInstrGC, &cpu, &pPatchRec->patch);
4210 }
4211 else
4212 if (pPatchRec->patch.flags & (PATMFL_IDTHANDLER|PATMFL_SYSENTER))
4213 {
4214 if (pPatchRec->patch.flags & PATMFL_SYSENTER)
4215 pPatchRec->patch.flags |= PATMFL_IDTHANDLER; /* we treat a sysenter handler as an IDT handler */
4216
4217 rc = patmIdtHandler(pVM, pInstrGC, pInstrHC, opsize, pPatchRec);
4218#ifdef VBOX_WITH_STATISTICS
4219 if ( rc == VINF_SUCCESS
4220 && (pPatchRec->patch.flags & PATMFL_SYSENTER))
4221 {
4222 pVM->patm.s.uSysEnterPatchIdx = pPatchRec->patch.uPatchIdx;
4223 }
4224#endif
4225 }
4226 else
4227 if (pPatchRec->patch.flags & PATMFL_GUEST_SPECIFIC)
4228 {
4229 switch (cpu.pCurInstr->opcode)
4230 {
4231 case OP_SYSENTER:
4232 case OP_PUSH:
4233 rc = PATMInstallGuestSpecificPatch(pVM, &cpu, pInstrGC, pInstrHC, pPatchRec);
4234 if (rc == VINF_SUCCESS)
4235 {
4236 if (rc == VINF_SUCCESS)
4237 Log(("PATMR3InstallPatch GUEST: %s %VGv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4238 return rc;
4239 }
4240 break;
4241
4242 default:
4243 rc = VERR_NOT_IMPLEMENTED;
4244 break;
4245 }
4246 }
4247 else
4248 {
4249 switch (cpu.pCurInstr->opcode)
4250 {
4251 case OP_SYSENTER:
4252 rc = PATMInstallGuestSpecificPatch(pVM, &cpu, pInstrGC, pInstrHC, pPatchRec);
4253 if (rc == VINF_SUCCESS)
4254 {
4255 Log(("PATMR3InstallPatch GUEST: %s %VGv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4256 return VINF_SUCCESS;
4257 }
4258 break;
4259
4260#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
4261 case OP_JO:
4262 case OP_JNO:
4263 case OP_JC:
4264 case OP_JNC:
4265 case OP_JE:
4266 case OP_JNE:
4267 case OP_JBE:
4268 case OP_JNBE:
4269 case OP_JS:
4270 case OP_JNS:
4271 case OP_JP:
4272 case OP_JNP:
4273 case OP_JL:
4274 case OP_JNL:
4275 case OP_JLE:
4276 case OP_JNLE:
4277 case OP_JECXZ:
4278 case OP_LOOP:
4279 case OP_LOOPNE:
4280 case OP_LOOPE:
4281 case OP_JMP:
4282 if (pPatchRec->patch.flags & PATMFL_JUMP_CONFLICT)
4283 {
4284 rc = patmPatchJump(pVM, pInstrGC, pInstrHC, &cpu, pPatchRec);
4285 break;
4286 }
4287 return VERR_NOT_IMPLEMENTED;
4288#endif
4289
4290 case OP_PUSHF:
4291 case OP_CLI:
4292 Log(("PATMR3InstallPatch %s %VGv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4293 rc = PATMR3PatchBlock(pVM, pInstrGC, pInstrHC, cpu.pCurInstr->opcode, opsize, pPatchRec);
4294 break;
4295
4296 case OP_STR:
4297 case OP_SGDT:
4298 case OP_SLDT:
4299 case OP_SIDT:
4300 case OP_CPUID:
4301 case OP_LSL:
4302 case OP_LAR:
4303 case OP_SMSW:
4304 case OP_VERW:
4305 case OP_VERR:
4306 case OP_IRET:
4307 rc = PATMR3PatchInstrInt3(pVM, pInstrGC, pInstrHC, &cpu, &pPatchRec->patch);
4308 break;
4309
4310 default:
4311 return VERR_NOT_IMPLEMENTED;
4312 }
4313 }
4314
4315 if (rc != VINF_SUCCESS)
4316 {
4317 if (pPatchRec && pPatchRec->patch.nrPatch2GuestRecs)
4318 {
4319 patmEmptyTreeU32(pVM, &pPatchRec->patch.Patch2GuestAddrTree);
4320 pPatchRec->patch.nrPatch2GuestRecs = 0;
4321 }
4322 pVM->patm.s.uCurrentPatchIdx--;
4323 }
4324 else
4325 {
4326 rc = patmInsertPatchPages(pVM, &pPatchRec->patch);
4327 AssertRCReturn(rc, rc);
4328
4329 /* Keep track upper and lower boundaries of patched instructions */
4330 if (pPatchRec->patch.pInstrGCLowest < pVM->patm.s.pPatchedInstrGCLowest)
4331 pVM->patm.s.pPatchedInstrGCLowest = pPatchRec->patch.pInstrGCLowest;
4332 if (pPatchRec->patch.pInstrGCHighest > pVM->patm.s.pPatchedInstrGCHighest)
4333 pVM->patm.s.pPatchedInstrGCHighest = pPatchRec->patch.pInstrGCHighest;
4334
4335 Log(("Patch lowest %VGv highest %VGv\n", pPatchRec->patch.pInstrGCLowest, pPatchRec->patch.pInstrGCHighest));
4336 Log(("Global lowest %VGv highest %VGv\n", pVM->patm.s.pPatchedInstrGCLowest, pVM->patm.s.pPatchedInstrGCHighest));
4337
4338 STAM_COUNTER_ADD(&pVM->patm.s.StatInstalled, 1);
4339 STAM_COUNTER_ADD(&pVM->patm.s.StatPATMMemoryUsed, pPatchRec->patch.cbPatchBlockSize);
4340
4341 rc = VINF_SUCCESS;
4342
4343 /* Patch hints are not enabled by default. Only when the are actually encountered. */
4344 if (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
4345 {
4346 rc = PATMR3DisablePatch(pVM, pInstrGC);
4347 AssertRCReturn(rc, rc);
4348 }
4349
4350#ifdef VBOX_WITH_STATISTICS
4351 /* Register statistics counter */
4352 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
4353 {
4354 STAMR3RegisterCallback(pVM, &pPatchRec->patch, STAMVISIBILITY_NOT_GUI, STAMUNIT_GOOD_BAD, patmResetStat, patmPrintStat, "Patch statistics",
4355 "/PATM/Stats/Patch/0x%VGv", pPatchRec->patch.pPrivInstrGC);
4356#ifndef DEBUG_sandervl
4357 /* Full breakdown for the GUI. */
4358 STAMR3RegisterF(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx], STAMTYPE_RATIO_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_GOOD_BAD, PATMPatchType(pVM, &pPatchRec->patch),
4359 "/PATM/Stats/PatchBD/0x%VGv", pPatchRec->patch.pPrivInstrGC);
4360 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPatchBlockSize,STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cbPatchBlockSize", pPatchRec->patch.pPrivInstrGC);
4361 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPatchJump, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cbPatchJump", pPatchRec->patch.pPrivInstrGC);
4362 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPrivInstr, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cbPrivInstr", pPatchRec->patch.pPrivInstrGC);
4363 STAMR3RegisterF(pVM, &pPatchRec->patch.cCodeWrites, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cCodeWrites", pPatchRec->patch.pPrivInstrGC);
4364 STAMR3RegisterF(pVM, &pPatchRec->patch.cInvalidWrites, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cInvalidWrites", pPatchRec->patch.pPrivInstrGC);
4365 STAMR3RegisterF(pVM, &pPatchRec->patch.cTraps, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/cTraps", pPatchRec->patch.pPrivInstrGC);
4366 STAMR3RegisterF(pVM, &pPatchRec->patch.flags, STAMTYPE_X32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%VGv/flags", pPatchRec->patch.pPrivInstrGC);
4367 STAMR3RegisterF(pVM, &pPatchRec->patch.nrJumpRecs, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/nrJumpRecs", pPatchRec->patch.pPrivInstrGC);
4368 STAMR3RegisterF(pVM, &pPatchRec->patch.nrFixups, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/nrFixups", pPatchRec->patch.pPrivInstrGC);
4369 STAMR3RegisterF(pVM, &pPatchRec->patch.opcode, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Stats/PatchBD/0x%VGv/opcode", pPatchRec->patch.pPrivInstrGC);
4370 STAMR3RegisterF(pVM, &pPatchRec->patch.uOldState, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%VGv/uOldState", pPatchRec->patch.pPrivInstrGC);
4371 STAMR3RegisterF(pVM, &pPatchRec->patch.uOpMode, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%VGv/uOpMode", pPatchRec->patch.pPrivInstrGC);
4372 /// @todo change the state to be a callback so we can get a state mnemonic instead.
4373 STAMR3RegisterF(pVM, &pPatchRec->patch.uState, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/Stats/PatchBD/0x%VGv/uState", pPatchRec->patch.pPrivInstrGC);
4374#endif
4375 }
4376#endif
4377 }
4378 return rc;
4379}
4380
4381/**
4382 * Query instruction size
4383 *
4384 * @returns VBox status code.
4385 * @param pVM The VM to operate on.
4386 * @param pPatch Patch record
4387 * @param pInstrGC Instruction address
4388 */
4389static uint32_t patmGetInstrSize(PVM pVM, PPATCHINFO pPatch, RTGCPTR pInstrGC)
4390{
4391 uint8_t *pInstrHC;
4392
4393 int rc = PGMPhysGCPtr2HCPtr(pVM, pInstrGC, (RTHCPTR *)&pInstrHC);
4394 if (rc == VINF_SUCCESS)
4395 {
4396 DISCPUSTATE cpu;
4397 bool disret;
4398 uint32_t opsize;
4399
4400 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
4401 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pInstrGC, pInstrHC, &opsize, NULL, PATMREAD_ORGCODE | PATMREAD_NOCHECK);
4402 if (disret)
4403 return opsize;
4404 }
4405 return 0;
4406}
4407
4408/**
4409 * Add patch to page record
4410 *
4411 * @returns VBox status code.
4412 * @param pVM The VM to operate on.
4413 * @param pPage Page address
4414 * @param pPatch Patch record
4415 */
4416int patmAddPatchToPage(PVM pVM, RTGCUINTPTR pPage, PPATCHINFO pPatch)
4417{
4418 PPATMPATCHPAGE pPatchPage;
4419 int rc;
4420
4421 Log(("patmAddPatchToPage: insert patch %VHv to page %VGv\n", pPatch, pPage));
4422
4423 pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4424 if (pPatchPage)
4425 {
4426 Assert(pPatchPage->cCount <= pPatchPage->cMaxPatches);
4427 if (pPatchPage->cCount == pPatchPage->cMaxPatches)
4428 {
4429 uint32_t cMaxPatchesOld = pPatchPage->cMaxPatches;
4430 PPATCHINFO *paPatchOld = pPatchPage->aPatch;
4431
4432 pPatchPage->cMaxPatches += PATMPATCHPAGE_PREALLOC_INCREMENT;
4433 rc = MMHyperAlloc(pVM, sizeof(PPATCHINFO)*pPatchPage->cMaxPatches, 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage->aPatch);
4434 if (VBOX_FAILURE(rc))
4435 {
4436 Log(("Out of memory!!!!\n"));
4437 return VERR_NO_MEMORY;
4438 }
4439 memcpy(pPatchPage->aPatch, paPatchOld, cMaxPatchesOld*sizeof(PPATCHINFO));
4440 MMHyperFree(pVM, paPatchOld);
4441 }
4442 pPatchPage->aPatch[pPatchPage->cCount] = pPatch;
4443 pPatchPage->cCount++;
4444 }
4445 else
4446 {
4447 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHPAGE), 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage);
4448 if (VBOX_FAILURE(rc))
4449 {
4450 Log(("Out of memory!!!!\n"));
4451 return VERR_NO_MEMORY;
4452 }
4453 pPatchPage->Core.Key = pPage;
4454 pPatchPage->cCount = 1;
4455 pPatchPage->cMaxPatches = PATMPATCHPAGE_PREALLOC_INCREMENT;
4456
4457 rc = MMHyperAlloc(pVM, sizeof(PPATCHINFO)*PATMPATCHPAGE_PREALLOC_INCREMENT, 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage->aPatch);
4458 if (VBOX_FAILURE(rc))
4459 {
4460 Log(("Out of memory!!!!\n"));
4461 MMHyperFree(pVM, pPatchPage);
4462 return VERR_NO_MEMORY;
4463 }
4464 pPatchPage->aPatch[0] = pPatch;
4465
4466 rc = RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, &pPatchPage->Core);
4467 Assert(rc);
4468 pVM->patm.s.cPageRecords++;
4469
4470 STAM_COUNTER_INC(&pVM->patm.s.StatPatchPageInserted);
4471 }
4472 CSAMR3MonitorPage(pVM, pPage, CSAM_TAG_PATM);
4473
4474 /* Get the closest guest instruction (from below) */
4475 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4476 Assert(pGuestToPatchRec);
4477 if (pGuestToPatchRec)
4478 {
4479 if ( pPatchPage->pLowestAddrGC == 0
4480 || pPatchPage->pLowestAddrGC > (RTGCPTR)pGuestToPatchRec->Core.Key)
4481 {
4482 RTGCUINTPTR offset;
4483
4484 pPatchPage->pLowestAddrGC = (RTGCPTR)pGuestToPatchRec->Core.Key;
4485
4486 offset = pPatchPage->pLowestAddrGC & PAGE_OFFSET_MASK;
4487 /* If we're too close to the page boundary, then make sure an instruction from the previous page doesn't cross the boundary itself. */
4488 if (offset && offset < MAX_INSTR_SIZE)
4489 {
4490 /* Get the closest guest instruction (from above) */
4491 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage-1, false);
4492
4493 if (pGuestToPatchRec)
4494 {
4495 uint32_t size = patmGetInstrSize(pVM, pPatch, (RTGCPTR)pGuestToPatchRec->Core.Key);
4496 if ((RTGCUINTPTR)pGuestToPatchRec->Core.Key + size > pPage)
4497 pPatchPage->pLowestAddrGC = pPage;
4498 }
4499 }
4500 }
4501 }
4502
4503 /* Get the closest guest instruction (from above) */
4504 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage+PAGE_SIZE-1, false);
4505 Assert(pGuestToPatchRec);
4506 if (pGuestToPatchRec)
4507 {
4508 if ( pPatchPage->pHighestAddrGC == 0
4509 || pPatchPage->pHighestAddrGC < (RTGCPTR)pGuestToPatchRec->Core.Key)
4510 {
4511 pPatchPage->pHighestAddrGC = (RTGCPTR)pGuestToPatchRec->Core.Key;
4512 /* Increase by instruction size. */
4513 uint32_t size = patmGetInstrSize(pVM, pPatch, pPatchPage->pHighestAddrGC);
4514//// Assert(size);
4515 pPatchPage->pHighestAddrGC += size;
4516 }
4517 }
4518
4519 return VINF_SUCCESS;
4520}
4521
4522/**
4523 * Remove patch from page record
4524 *
4525 * @returns VBox status code.
4526 * @param pVM The VM to operate on.
4527 * @param pPage Page address
4528 * @param pPatch Patch record
4529 */
4530int patmRemovePatchFromPage(PVM pVM, RTGCUINTPTR pPage, PPATCHINFO pPatch)
4531{
4532 PPATMPATCHPAGE pPatchPage;
4533 int rc;
4534
4535 pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4536 Assert(pPatchPage);
4537
4538 if (!pPatchPage)
4539 return VERR_INVALID_PARAMETER;
4540
4541 Assert(pPatchPage->cCount <= pPatchPage->cMaxPatches);
4542
4543 Log(("patmRemovePatchPage: remove patch %VHv from page %VGv\n", pPatch, pPage));
4544 if (pPatchPage->cCount > 1)
4545 {
4546 uint32_t i;
4547
4548 /* Used by multiple patches */
4549 for (i=0;i<pPatchPage->cCount;i++)
4550 {
4551 if (pPatchPage->aPatch[i] == pPatch)
4552 {
4553 pPatchPage->aPatch[i] = 0;
4554 break;
4555 }
4556 }
4557 /* close the gap between the remaining pointers. */
4558 if (i < pPatchPage->cCount - 1)
4559 {
4560 memcpy(&pPatchPage->aPatch[i], &pPatchPage->aPatch[i+1], sizeof(PPATCHINFO)*(pPatchPage->cCount - (i+1)));
4561 }
4562 AssertMsg(i < pPatchPage->cCount, ("Unable to find patch %VHv in page %VGv\n", pPatch, pPage));
4563
4564 pPatchPage->cCount--;
4565 }
4566 else
4567 {
4568 PPATMPATCHPAGE pPatchNode;
4569
4570 Log(("patmRemovePatchFromPage %VGv\n", pPage));
4571
4572 STAM_COUNTER_INC(&pVM->patm.s.StatPatchPageRemoved);
4573 pPatchNode = (PPATMPATCHPAGE)RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4574 Assert(pPatchNode && pPatchNode == pPatchPage);
4575
4576 Assert(pPatchPage->aPatch);
4577 rc = MMHyperFree(pVM, pPatchPage->aPatch);
4578 AssertRC(rc);
4579 rc = MMHyperFree(pVM, pPatchPage);
4580 AssertRC(rc);
4581 pVM->patm.s.cPageRecords--;
4582 }
4583 return VINF_SUCCESS;
4584}
4585
4586/**
4587 * Insert page records for all guest pages that contain instructions that were recompiled for this patch
4588 *
4589 * @returns VBox status code.
4590 * @param pVM The VM to operate on.
4591 * @param pPatch Patch record
4592 */
4593int patmInsertPatchPages(PVM pVM, PPATCHINFO pPatch)
4594{
4595 int rc;
4596 RTGCUINTPTR pPatchPageStart, pPatchPageEnd, pPage;
4597
4598 /* Insert the pages that contain patched instructions into a lookup tree for detecting self-modifying code. */
4599 pPatchPageStart = (RTGCUINTPTR)pPatch->pInstrGCLowest & PAGE_BASE_GC_MASK;
4600 pPatchPageEnd = (RTGCUINTPTR)pPatch->pInstrGCHighest & PAGE_BASE_GC_MASK;
4601
4602 /** @todo optimize better (large gaps between current and next used page) */
4603 for(pPage = pPatchPageStart; pPage <= pPatchPageEnd; pPage += PAGE_SIZE)
4604 {
4605 /* Get the closest guest instruction (from above) */
4606 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4607 if ( pGuestToPatchRec
4608 && PAGE_ADDRESS(pGuestToPatchRec->Core.Key) == PAGE_ADDRESS(pPage)
4609 )
4610 {
4611 /* Code in page really patched -> add record */
4612 rc = patmAddPatchToPage(pVM, pPage, pPatch);
4613 AssertRC(rc);
4614 }
4615 }
4616 pPatch->flags |= PATMFL_CODE_MONITORED;
4617 return VINF_SUCCESS;
4618}
4619
4620/**
4621 * Remove page records for all guest pages that contain instructions that were recompiled for this patch
4622 *
4623 * @returns VBox status code.
4624 * @param pVM The VM to operate on.
4625 * @param pPatch Patch record
4626 */
4627int patmRemovePatchPages(PVM pVM, PPATCHINFO pPatch)
4628{
4629 int rc;
4630 RTGCUINTPTR pPatchPageStart, pPatchPageEnd, pPage;
4631
4632 /* Insert the pages that contain patched instructions into a lookup tree for detecting self-modifying code. */
4633 pPatchPageStart = (RTGCUINTPTR)pPatch->pInstrGCLowest & PAGE_BASE_GC_MASK;
4634 pPatchPageEnd = (RTGCUINTPTR)pPatch->pInstrGCHighest & PAGE_BASE_GC_MASK;
4635
4636 for(pPage = pPatchPageStart; pPage <= pPatchPageEnd; pPage += PAGE_SIZE)
4637 {
4638 /* Get the closest guest instruction (from above) */
4639 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4640 if ( pGuestToPatchRec
4641 && PAGE_ADDRESS(pGuestToPatchRec->Core.Key) == PAGE_ADDRESS(pPage) /** @todo bird: PAGE_ADDRESS is for the current context really. check out these. */
4642 )
4643 {
4644 /* Code in page really patched -> remove record */
4645 rc = patmRemovePatchFromPage(pVM, pPage, pPatch);
4646 AssertRC(rc);
4647 }
4648 }
4649 pPatch->flags &= ~PATMFL_CODE_MONITORED;
4650 return VINF_SUCCESS;
4651}
4652
4653/**
4654 * Notifies PATM about a (potential) write to code that has been patched.
4655 *
4656 * @returns VBox status code.
4657 * @param pVM The VM to operate on.
4658 * @param GCPtr GC pointer to write address
4659 * @param cbWrite Nr of bytes to write
4660 *
4661 */
4662PATMR3DECL(int) PATMR3PatchWrite(PVM pVM, RTGCPTR GCPtr, uint32_t cbWrite)
4663{
4664 RTGCUINTPTR pWritePageStart, pWritePageEnd, pPage;
4665
4666 Log(("PATMR3PatchWrite %VGv %x\n", GCPtr, cbWrite));
4667
4668 Assert(VM_IS_EMT(pVM));
4669
4670 /* Quick boundary check */
4671 if ( GCPtr < pVM->patm.s.pPatchedInstrGCLowest
4672 || GCPtr > pVM->patm.s.pPatchedInstrGCHighest
4673 )
4674 return VINF_SUCCESS;
4675
4676 STAM_PROFILE_ADV_START(&pVM->patm.s.StatPatchWrite, a);
4677
4678 pWritePageStart = (RTGCUINTPTR)GCPtr & PAGE_BASE_GC_MASK;
4679 pWritePageEnd = ((RTGCUINTPTR)GCPtr + cbWrite - 1) & PAGE_BASE_GC_MASK;
4680
4681 for (pPage = pWritePageStart; pPage <= pWritePageEnd; pPage += PAGE_SIZE)
4682 {
4683loop_start:
4684 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTGCPTR)pPage);
4685 if (pPatchPage)
4686 {
4687 uint32_t i;
4688 bool fValidPatchWrite = false;
4689
4690 for (i=0;i<pPatchPage->cCount;i++)
4691 {
4692 if (pPatchPage->aPatch[i])
4693 {
4694 PPATCHINFO pPatch = pPatchPage->aPatch[i];
4695 RTGCPTR pPatchInstrGC;
4696 //unused: bool fForceBreak = false;
4697
4698 Assert(pPatchPage->aPatch[i]->flags & PATMFL_CODE_MONITORED);
4699 /** @todo inefficient and includes redundant checks for multiple pages. */
4700 for (uint32_t j=0; j<cbWrite; j++)
4701 {
4702 RTGCPTR pGuestPtrGC = (RTGCPTR)((RTGCUINTPTR)GCPtr + j);
4703
4704 if ( pPatch->cbPatchJump
4705 && pGuestPtrGC >= pPatch->pPrivInstrGC
4706 && pGuestPtrGC < pPatch->pPrivInstrGC + pPatch->cbPatchJump)
4707 {
4708 /* The guest is about to overwrite the 5 byte jump to patch code. Remove the patch. */
4709 Log(("PATMR3PatchWrite: overwriting jump to patch code -> remove patch.\n"));
4710 int rc = PATMR3RemovePatch(pVM, pPatch->pPrivInstrGC);
4711 AssertRC(rc);
4712
4713 /** @note jump back to the start as the pPatchPage has been deleted or changed */
4714 goto loop_start;
4715 }
4716
4717 pPatchInstrGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pGuestPtrGC);
4718 if (pPatchInstrGC)
4719 {
4720 uint32_t PatchOffset = pPatchInstrGC - pVM->patm.s.pPatchMemGC; /* Offset in memory reserved for PATM. */
4721
4722 fValidPatchWrite = true;
4723
4724 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
4725 Assert(pPatchToGuestRec);
4726 if (pPatchToGuestRec && !pPatchToGuestRec->fDirty)
4727 {
4728 Log(("PATMR3PatchWrite: Found patched instruction %VGv -> %VGv\n", pGuestPtrGC, pPatchInstrGC));
4729
4730 if (++pPatch->cCodeWrites > PATM_MAX_CODE_WRITES)
4731 {
4732 LogRel(("PATM: Disable block at %VGv - write %VGv-%VGv\n", pPatch->pPrivInstrGC, pGuestPtrGC, pGuestPtrGC+cbWrite));
4733
4734 PATMR3MarkDirtyPatch(pVM, pPatch);
4735
4736 /** @note jump back to the start as the pPatchPage has been deleted or changed */
4737 goto loop_start;
4738 }
4739 else
4740 {
4741 /* Replace the patch instruction with a breakpoint; when it's hit, then we'll attempt to recompile the instruction again. */
4742 uint8_t *pInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pPatchInstrGC);
4743
4744 pPatchToGuestRec->u8DirtyOpcode = *pInstrHC;
4745 pPatchToGuestRec->fDirty = true;
4746
4747 *pInstrHC = 0xCC;
4748
4749 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirty);
4750 }
4751 }
4752 /* else already marked dirty */
4753 }
4754 }
4755 }
4756 } /* for each patch */
4757
4758 if (fValidPatchWrite == false)
4759 {
4760 /* Write to a part of the page that either:
4761 * - doesn't contain any code (shared code/data); rather unlikely
4762 * - old code page that's no longer in active use.
4763 */
4764invalid_write_loop_start:
4765 pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTGCPTR)pPage);
4766
4767 if (pPatchPage)
4768 {
4769 for (i=0;i<pPatchPage->cCount;i++)
4770 {
4771 PPATCHINFO pPatch = pPatchPage->aPatch[i];
4772
4773 if (pPatch->cInvalidWrites > PATM_MAX_INVALID_WRITES)
4774 {
4775 /** @note possibly dangerous assumption that all future writes will be harmless. */
4776 if (pPatch->flags & PATMFL_IDTHANDLER)
4777 {
4778 LogRel(("PATM: Stop monitoring IDT handler pages at %VGv - invalid write %VGv-%VGv \n", pPatch->pPrivInstrGC, GCPtr, GCPtr+cbWrite));
4779
4780 Assert(pPatch->flags & PATMFL_CODE_MONITORED);
4781 int rc = patmRemovePatchPages(pVM, pPatch);
4782 AssertRC(rc);
4783 }
4784 else
4785 {
4786 LogRel(("PATM: Disable block at %VGv - invalid write %VGv-%VGv \n", pPatch->pPrivInstrGC, GCPtr, GCPtr+cbWrite));
4787 PATMR3MarkDirtyPatch(pVM, pPatch);
4788 }
4789 /** @note jump back to the start as the pPatchPage has been deleted or changed */
4790 goto invalid_write_loop_start;
4791 }
4792 } /* for */
4793 }
4794 }
4795 }
4796 }
4797 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatPatchWrite, a);
4798 return VINF_SUCCESS;
4799
4800}
4801
4802/**
4803 * Disable all patches in a flushed page
4804 *
4805 * @returns VBox status code
4806 * @param pVM The VM to operate on.
4807 * @param addr GC address of the page to flush
4808 */
4809/** @note Currently only called by CSAMR3FlushPage; optimization to avoid having to double check if the physical address has changed
4810 */
4811PATMR3DECL(int) PATMR3FlushPage(PVM pVM, RTGCPTR addr)
4812{
4813 addr &= PAGE_BASE_GC_MASK;
4814
4815 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, addr);
4816 if (pPatchPage)
4817 {
4818 int i;
4819
4820 /* From top to bottom as the array is modified by PATMR3MarkDirtyPatch. */
4821 for (i=(int)pPatchPage->cCount-1;i>=0;i--)
4822 {
4823 if (pPatchPage->aPatch[i])
4824 {
4825 PPATCHINFO pPatch = pPatchPage->aPatch[i];
4826
4827 Log(("PATMR3FlushPage %VGv remove patch at %VGv\n", addr, pPatch->pPrivInstrGC));
4828 PATMR3MarkDirtyPatch(pVM, pPatch);
4829 }
4830 }
4831 STAM_COUNTER_INC(&pVM->patm.s.StatFlushed);
4832 }
4833 return VINF_SUCCESS;
4834}
4835
4836/**
4837 * Checks if the instructions at the specified address has been patched already.
4838 *
4839 * @returns boolean, patched or not
4840 * @param pVM The VM to operate on.
4841 * @param pInstrGC Guest context pointer to instruction
4842 */
4843PATMR3DECL(bool) PATMR3HasBeenPatched(PVM pVM, RTGCPTR pInstrGC)
4844{
4845 PPATMPATCHREC pPatchRec;
4846 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4847 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED)
4848 return true;
4849 return false;
4850}
4851
4852/**
4853 * Query the opcode of the original code that was overwritten by the 5 bytes patch jump
4854 *
4855 * @returns VBox status code.
4856 * @param pVM The VM to operate on.
4857 * @param pInstrGC GC address of instr
4858 * @param pByte opcode byte pointer (OUT)
4859 *
4860 */
4861PATMR3DECL(int) PATMR3QueryOpcode(PVM pVM, RTGCPTR pInstrGC, uint8_t *pByte)
4862{
4863 PPATMPATCHREC pPatchRec;
4864
4865 /** @todo this will not work for aliased pages! (never has, but so far not a problem for us) */
4866
4867 /* Shortcut. */
4868 if ( !PATMIsEnabled(pVM)
4869 || pInstrGC < pVM->patm.s.pPatchedInstrGCLowest
4870 || pInstrGC > pVM->patm.s.pPatchedInstrGCHighest)
4871 {
4872 return VERR_PATCH_NOT_FOUND;
4873 }
4874
4875 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
4876 // if the patch is enabled and the pointer lies within 5 bytes of this priv instr ptr, then we've got a hit!
4877 if ( pPatchRec
4878 && pPatchRec->patch.uState == PATCH_ENABLED
4879 && pInstrGC >= pPatchRec->patch.pPrivInstrGC
4880 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
4881 {
4882 RTGCPTR offset = pInstrGC - pPatchRec->patch.pPrivInstrGC;
4883 *pByte = pPatchRec->patch.aPrivInstr[offset];
4884
4885 if (pPatchRec->patch.cbPatchJump == 1)
4886 {
4887 Log(("PATMR3QueryOpcode: returning opcode %2X for instruction at %VGv\n", *pByte, pInstrGC));
4888 }
4889 STAM_COUNTER_ADD(&pVM->patm.s.StatNrOpcodeRead, 1);
4890 return VINF_SUCCESS;
4891 }
4892 return VERR_PATCH_NOT_FOUND;
4893}
4894
4895/**
4896 * Disable patch for privileged instruction at specified location
4897 *
4898 * @returns VBox status code.
4899 * @param pVM The VM to operate on.
4900 * @param pInstr Guest context point to privileged instruction
4901 *
4902 * @note returns failure if patching is not allowed or possible
4903 *
4904 */
4905PATMR3DECL(int) PATMR3DisablePatch(PVM pVM, RTGCPTR pInstrGC)
4906{
4907 PPATMPATCHREC pPatchRec;
4908 PPATCHINFO pPatch;
4909
4910 Log(("PATMR3DisablePatch: %VGv\n", pInstrGC));
4911 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4912 if (pPatchRec)
4913 {
4914 int rc = VINF_SUCCESS;
4915
4916 pPatch = &pPatchRec->patch;
4917
4918 /* Already disabled? */
4919 if (pPatch->uState == PATCH_DISABLED)
4920 return VINF_SUCCESS;
4921
4922 /* Clear the IDT entries for the patch we're disabling. */
4923 /** @note very important as we clear IF in the patch itself */
4924 /** @todo this needs to be changed */
4925 if (pPatch->flags & PATMFL_IDTHANDLER)
4926 {
4927 uint32_t iGate;
4928
4929 iGate = TRPMR3QueryGateByHandler(pVM, PATCHCODE_PTR_GC(pPatch));
4930 if (iGate != (uint32_t)~0)
4931 {
4932 TRPMR3SetGuestTrapHandler(pVM, iGate, TRPM_INVALID_HANDLER);
4933 LogRel(("PATM: Disabling IDT %x patch handler %VGv\n", iGate, pInstrGC));
4934 }
4935 }
4936
4937 /* Mark the entry with a breakpoint in case somebody else calls it later on (cli patch used as a function, function, trampoline or idt patches) */
4938 if ( pPatch->pPatchBlockOffset
4939 && pPatch->uState == PATCH_ENABLED)
4940 {
4941 Log(("Invalidate patch at %VGv (HC=%VGv)\n", PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_HC(pPatch)));
4942 pPatch->bDirtyOpcode = *PATCHCODE_PTR_HC(pPatch);
4943 *PATCHCODE_PTR_HC(pPatch) = 0xCC;
4944 }
4945
4946 /* IDT or function patches haven't changed any guest code. */
4947 if (pPatch->flags & PATMFL_PATCHED_GUEST_CODE)
4948 {
4949 Assert(pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP);
4950 Assert(!(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAMPOLINE|PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK)));
4951
4952 if (pPatch->uState != PATCH_REFUSED)
4953 {
4954 AssertMsg(pPatch->pPrivInstrHC, ("Invalid HC pointer?!? (%VGv)\n", pInstrGC));
4955 Assert(pPatch->cbPatchJump);
4956
4957 /** pPrivInstrHC is probably not valid anymore */
4958 rc = PGMPhysGCPtr2HCPtr(pVM, pPatchRec->patch.pPrivInstrGC, (PRTHCPTR)&pPatchRec->patch.pPrivInstrHC);
4959 if (rc == VINF_SUCCESS)
4960 {
4961 uint8_t temp[16];
4962
4963 Assert(pPatch->cbPatchJump < sizeof(temp));
4964
4965 /* Let's first check if the guest code is still the same. */
4966 rc = PGMPhysReadGCPtr(pVM, temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
4967 Assert(rc == VINF_SUCCESS || rc == VERR_PAGE_TABLE_NOT_PRESENT || rc == VERR_PAGE_NOT_PRESENT);
4968 if (rc == VINF_SUCCESS)
4969 {
4970 RTGCINTPTR displ = (RTGCUINTPTR)PATCHCODE_PTR_GC(pPatch) - ((RTGCUINTPTR)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32);
4971
4972 if ( temp[0] != 0xE9 /* jmp opcode */
4973 || *(RTGCINTPTR *)(&temp[1]) != displ
4974 )
4975 {
4976 Log(("PATMR3DisablePatch: Can't disable a patch who's guest code has changed!!\n"));
4977 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
4978 /* Remove it completely */
4979 pPatch->uState = PATCH_DISABLED; /* don't call PATMR3DisablePatch again */
4980 rc = PATMR3RemovePatch(pVM, pInstrGC);
4981 AssertRC(rc);
4982 return VWRN_PATCH_REMOVED;
4983 }
4984 }
4985 patmRemoveJumpToPatch(pVM, pPatch);
4986
4987 }
4988 else
4989 {
4990 Log(("PATMR3DisablePatch: unable to disable patch -> mark PATCH_DISABLE_PENDING\n"));
4991 pPatch->uState = PATCH_DISABLE_PENDING;
4992 }
4993 }
4994 else
4995 {
4996 AssertMsgFailed(("Patch was refused!\n"));
4997 return VERR_PATCH_ALREADY_DISABLED;
4998 }
4999 }
5000 else
5001 if (pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
5002 {
5003 uint8_t temp[16];
5004
5005 Assert(pPatch->cbPatchJump < sizeof(temp));
5006
5007 /* Let's first check if the guest code is still the same. */
5008 rc = PGMPhysReadGCPtr(pVM, temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5009 Assert(rc == VINF_SUCCESS || rc == VERR_PAGE_TABLE_NOT_PRESENT || rc == VERR_PAGE_NOT_PRESENT);
5010 if (rc == VINF_SUCCESS)
5011 {
5012 if (temp[0] != 0xCC)
5013 {
5014 Log(("PATMR3DisablePatch: Can't disable a patch who's guest code has changed!!\n"));
5015 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5016 /* Remove it completely */
5017 pPatch->uState = PATCH_DISABLED; /* don't call PATMR3DisablePatch again */
5018 rc = PATMR3RemovePatch(pVM, pInstrGC);
5019 AssertRC(rc);
5020 return VWRN_PATCH_REMOVED;
5021 }
5022 patmDeactivateInt3Patch(pVM, pPatch);
5023 }
5024 }
5025
5026 if (rc == VINF_SUCCESS)
5027 {
5028 /* Save old state and mark this one as disabled (so it can be enabled later on). */
5029 if (pPatch->uState == PATCH_DISABLE_PENDING)
5030 {
5031 /* Just to be safe, let's make sure this one can never be reused; the patch might be marked dirty already (int3 at start) */
5032 pPatch->uState = PATCH_UNUSABLE;
5033 }
5034 else
5035 if (pPatch->uState != PATCH_DIRTY)
5036 {
5037 pPatch->uOldState = pPatch->uState;
5038 pPatch->uState = PATCH_DISABLED;
5039 }
5040 STAM_COUNTER_ADD(&pVM->patm.s.StatDisabled, 1);
5041 }
5042
5043 Log(("PATMR3DisablePatch: disabled patch at %VGv\n", pInstrGC));
5044 return VINF_SUCCESS;
5045 }
5046 Log(("Patch not found!\n"));
5047 return VERR_PATCH_NOT_FOUND;
5048}
5049
5050/**
5051 * Permanently disable patch for privileged instruction at specified location
5052 *
5053 * @returns VBox status code.
5054 * @param pVM The VM to operate on.
5055 * @param pInstr Guest context instruction pointer
5056 * @param pConflictAddr Guest context pointer which conflicts with specified patch
5057 * @param pConflictPatch Conflicting patch
5058 *
5059 */
5060static int patmDisableUnusablePatch(PVM pVM, RTGCPTR pInstrGC, RTGCPTR pConflictAddr, PPATCHINFO pConflictPatch)
5061{
5062#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
5063 PATCHINFO patch = {0};
5064 DISCPUSTATE cpu;
5065 HCPTRTYPE(uint8_t *) pInstrHC;
5066 uint32_t opsize;
5067 bool disret;
5068 int rc;
5069
5070 pInstrHC = PATMGCVirtToHCVirt(pVM, &patch, pInstrGC);
5071 cpu.mode = (pConflictPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
5072 disret = PATMR3DISInstr(pVM, &patch, &cpu, pInstrGC, pInstrHC, &opsize, NULL);
5073 /*
5074 * If it's a 5 byte relative jump, then we can work around the problem by replacing the 32 bits relative offset
5075 * with one that jumps right into the conflict patch.
5076 * Otherwise we must disable the conflicting patch to avoid serious problems.
5077 */
5078 if ( disret == true
5079 && (pConflictPatch->flags & PATMFL_CODE32)
5080 && (cpu.pCurInstr->opcode == OP_JMP || (cpu.pCurInstr->optype & OPTYPE_COND_CONTROLFLOW))
5081 && (cpu.param1.flags & USE_IMMEDIATE32_REL))
5082 {
5083 /* Hint patches must be enabled first. */
5084 if (pConflictPatch->flags & PATMFL_INSTR_HINT)
5085 {
5086 Log(("Enabling HINTED patch %VGv\n", pConflictPatch->pPrivInstrGC));
5087 pConflictPatch->flags &= ~PATMFL_INSTR_HINT;
5088 rc = PATMR3EnablePatch(pVM, pConflictPatch->pPrivInstrGC);
5089 Assert(rc == VINF_SUCCESS || rc == VERR_PATCH_NOT_FOUND);
5090 /* Enabling might fail if the patched code has changed in the meantime. */
5091 if (rc != VINF_SUCCESS)
5092 return rc;
5093 }
5094
5095 rc = PATMR3InstallPatch(pVM, pInstrGC, PATMFL_CODE32 | PATMFL_JUMP_CONFLICT);
5096 if (VBOX_SUCCESS(rc))
5097 {
5098 Log(("PATM -> CONFLICT: Installed JMP patch for patch conflict at %VGv\n", pInstrGC));
5099 STAM_COUNTER_INC(&pVM->patm.s.StatFixedConflicts);
5100 return VINF_SUCCESS;
5101 }
5102 }
5103#endif
5104
5105 if (pConflictPatch->opcode == OP_CLI)
5106 {
5107 /* Turn it into an int3 patch; our GC trap handler will call the generated code manually. */
5108 Log(("PATM -> CONFLICT: Found active patch at instruction %VGv with target %VGv -> turn into int 3 patch!!\n", pInstrGC, pConflictPatch->pPrivInstrGC));
5109 int rc = PATMR3DisablePatch(pVM, pConflictPatch->pPrivInstrGC);
5110 if (rc == VWRN_PATCH_REMOVED)
5111 return VINF_SUCCESS;
5112 if (VBOX_SUCCESS(rc))
5113 {
5114 pConflictPatch->flags &= ~(PATMFL_MUST_INSTALL_PATCHJMP|PATMFL_INSTR_HINT);
5115 pConflictPatch->flags |= PATMFL_INT3_REPLACEMENT_BLOCK;
5116 rc = PATMR3EnablePatch(pVM, pConflictPatch->pPrivInstrGC);
5117 if (rc == VERR_PATCH_NOT_FOUND)
5118 return VINF_SUCCESS; /* removed already */
5119
5120 AssertRC(rc);
5121 if (VBOX_SUCCESS(rc))
5122 {
5123 STAM_COUNTER_INC(&pVM->patm.s.StatInt3Callable);
5124 return VINF_SUCCESS;
5125 }
5126 }
5127 /* else turned into unusable patch (see below) */
5128 }
5129 else
5130 {
5131 Log(("PATM -> CONFLICT: Found active patch at instruction %VGv with target %VGv -> DISABLING it!!\n", pInstrGC, pConflictPatch->pPrivInstrGC));
5132 int rc = PATMR3DisablePatch(pVM, pConflictPatch->pPrivInstrGC);
5133 if (rc == VWRN_PATCH_REMOVED)
5134 return VINF_SUCCESS;
5135 }
5136
5137 /* No need to monitor the code anymore. */
5138 if (pConflictPatch->flags & PATMFL_CODE_MONITORED)
5139 {
5140 int rc = patmRemovePatchPages(pVM, pConflictPatch);
5141 AssertRC(rc);
5142 }
5143 pConflictPatch->uState = PATCH_UNUSABLE;
5144 STAM_COUNTER_INC(&pVM->patm.s.StatUnusable);
5145 return VERR_PATCH_DISABLED;
5146}
5147
5148/**
5149 * Enable patch for privileged instruction at specified location
5150 *
5151 * @returns VBox status code.
5152 * @param pVM The VM to operate on.
5153 * @param pInstr Guest context point to privileged instruction
5154 *
5155 * @note returns failure if patching is not allowed or possible
5156 *
5157 */
5158PATMR3DECL(int) PATMR3EnablePatch(PVM pVM, RTGCPTR pInstrGC)
5159{
5160 PPATMPATCHREC pPatchRec;
5161 PPATCHINFO pPatch;
5162
5163 Log(("PATMR3EnablePatch %VGv\n", pInstrGC));
5164 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5165 if (pPatchRec)
5166 {
5167 int rc = VINF_SUCCESS;
5168
5169 pPatch = &pPatchRec->patch;
5170
5171 if (pPatch->uState == PATCH_DISABLED)
5172 {
5173 if (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
5174 {
5175 Assert(!(pPatch->flags & PATMFL_PATCHED_GUEST_CODE));
5176 /** @todo -> pPrivInstrHC is probably not valid anymore */
5177 rc = PGMPhysGCPtr2HCPtr(pVM, pPatchRec->patch.pPrivInstrGC, (PRTHCPTR)&pPatchRec->patch.pPrivInstrHC);
5178 if (rc == VINF_SUCCESS)
5179 {
5180#ifdef DEBUG
5181 DISCPUSTATE cpu;
5182 char szOutput[256];
5183 uint32_t opsize, i = 0;
5184#endif
5185 uint8_t temp[16];
5186
5187 Assert(pPatch->cbPatchJump < sizeof(temp));
5188
5189 // let's first check if the guest code is still the same
5190 int rc = PGMPhysReadGCPtr(pVM, temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5191 AssertRC(rc);
5192
5193 if (memcmp(temp, pPatch->aPrivInstr, pPatch->cbPatchJump))
5194 {
5195 Log(("PATMR3EnablePatch: Can't enable a patch who's guest code has changed!!\n"));
5196 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5197 /* Remove it completely */
5198 PATMR3RemovePatch(pVM, pInstrGC);
5199 return VERR_PATCH_NOT_FOUND;
5200 }
5201
5202 rc = patmGenJumpToPatch(pVM, pPatch, false);
5203 AssertRC(rc);
5204 if (VBOX_FAILURE(rc))
5205 return rc;
5206
5207#ifdef DEBUG
5208 bool disret;
5209 i = 0;
5210 while(i < pPatch->cbPatchJump)
5211 {
5212 cpu.mode = (pPatch->flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
5213 disret = PATMR3DISInstr(pVM, pPatch, &cpu, pPatch->pPrivInstrGC + i, &pPatch->pPrivInstrHC[i], &opsize, szOutput);
5214 Log(("Renewed patch instr: %s", szOutput));
5215 i += opsize;
5216 }
5217#endif
5218 }
5219 }
5220 else
5221 if (pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
5222 {
5223 uint8_t temp[16];
5224
5225 Assert(pPatch->cbPatchJump < sizeof(temp));
5226
5227 /* Let's first check if the guest code is still the same. */
5228 int rc = PGMPhysReadGCPtr(pVM, temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5229 AssertRC(rc);
5230
5231 if (memcmp(temp, pPatch->aPrivInstr, pPatch->cbPatchJump))
5232 {
5233 Log(("PATMR3EnablePatch: Can't enable a patch who's guest code has changed!!\n"));
5234 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5235 PATMR3RemovePatch(pVM, pInstrGC);
5236 return VERR_PATCH_NOT_FOUND;
5237 }
5238
5239 rc = patmActivateInt3Patch(pVM, pPatch);
5240 if (VBOX_FAILURE(rc))
5241 return rc;
5242 }
5243
5244 pPatch->uState = pPatch->uOldState; //restore state
5245
5246 /* Restore the entry breakpoint with the original opcode (see PATMR3DisablePatch). */
5247 if (pPatch->pPatchBlockOffset)
5248 {
5249 *PATCHCODE_PTR_HC(pPatch) = pPatch->bDirtyOpcode;
5250 }
5251
5252 STAM_COUNTER_ADD(&pVM->patm.s.StatEnabled, 1);
5253 }
5254 else
5255 Log(("PATMR3EnablePatch: Unable to enable patch %VGv with state %d\n", pInstrGC, pPatch->uState));
5256
5257 return rc;
5258 }
5259 return VERR_PATCH_NOT_FOUND;
5260}
5261
5262/**
5263 * Remove patch for privileged instruction at specified location
5264 *
5265 * @returns VBox status code.
5266 * @param pVM The VM to operate on.
5267 * @param pPatchRec Patch record
5268 * @param fForceRemove Remove *all* patches
5269 */
5270int PATMRemovePatch(PVM pVM, PPATMPATCHREC pPatchRec, bool fForceRemove)
5271{
5272 PPATCHINFO pPatch;
5273
5274 pPatch = &pPatchRec->patch;
5275
5276 /* Strictly forbidden to remove such patches. There can be dependencies!! */
5277 AssertReturn(fForceRemove || !(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION)), VERR_ACCESS_DENIED);
5278
5279 /** @note NEVER EVER REUSE PATCH MEMORY */
5280 /** @note PATMR3DisablePatch put a breakpoint (0xCC) at the entry of this patch */
5281
5282 if (pPatchRec->patch.pPatchBlockOffset)
5283 {
5284 PAVLOGCPTRNODECORE pNode;
5285
5286 pNode = RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->patch.pPatchBlockOffset);
5287 Assert(pNode);
5288 }
5289
5290 if (pPatchRec->patch.flags & PATMFL_CODE_MONITORED)
5291 {
5292 int rc = patmRemovePatchPages(pVM, &pPatchRec->patch);
5293 AssertRC(rc);
5294 }
5295
5296#ifdef VBOX_WITH_STATISTICS
5297 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
5298 {
5299 STAMR3Deregister(pVM, &pPatchRec->patch);
5300#ifndef DEBUG_sandervl
5301 STAMR3Deregister(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx]);
5302 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchBlockSize);
5303 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchJump);
5304 STAMR3Deregister(pVM, &pPatchRec->patch.cbPrivInstr);
5305 STAMR3Deregister(pVM, &pPatchRec->patch.cCodeWrites);
5306 STAMR3Deregister(pVM, &pPatchRec->patch.cInvalidWrites);
5307 STAMR3Deregister(pVM, &pPatchRec->patch.cTraps);
5308 STAMR3Deregister(pVM, &pPatchRec->patch.flags);
5309 STAMR3Deregister(pVM, &pPatchRec->patch.nrJumpRecs);
5310 STAMR3Deregister(pVM, &pPatchRec->patch.nrFixups);
5311 STAMR3Deregister(pVM, &pPatchRec->patch.opcode);
5312 STAMR3Deregister(pVM, &pPatchRec->patch.uState);
5313 STAMR3Deregister(pVM, &pPatchRec->patch.uOldState);
5314 STAMR3Deregister(pVM, &pPatchRec->patch.uOpMode);
5315#endif
5316 }
5317#endif
5318
5319 /** @note no need to free Guest2PatchAddrTree as those records share memory with Patch2GuestAddrTree records. */
5320 patmEmptyTreeU32(pVM, &pPatch->Patch2GuestAddrTree);
5321 pPatch->nrPatch2GuestRecs = 0;
5322 Assert(pPatch->Patch2GuestAddrTree == 0);
5323
5324 patmEmptyTree(pVM, &pPatch->FixupTree);
5325 pPatch->nrFixups = 0;
5326 Assert(pPatch->FixupTree == 0);
5327
5328 if (pPatchRec->patch.pTempInfo)
5329 MMR3HeapFree(pPatchRec->patch.pTempInfo);
5330
5331 /** @note might fail, because it has already been removed (e.g. during reset). */
5332 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pPatchRec->Core.Key);
5333
5334 /* Free the patch record */
5335 MMHyperFree(pVM, pPatchRec);
5336 return VINF_SUCCESS;
5337}
5338
5339/**
5340 * Attempt to refresh the patch by recompiling its entire code block
5341 *
5342 * @returns VBox status code.
5343 * @param pVM The VM to operate on.
5344 * @param pPatchRec Patch record
5345 */
5346int patmR3RefreshPatch(PVM pVM, PPATMPATCHREC pPatchRec)
5347{
5348 PPATCHINFO pPatch;
5349 int rc;
5350 RTGCPTR pInstrGC = pPatchRec->patch.pPrivInstrGC;
5351
5352 Log(("patmR3RefreshPatch: attempt to refresh patch at %VGv\n", pInstrGC));
5353
5354 pPatch = &pPatchRec->patch;
5355 AssertReturn(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER), VERR_PATCHING_REFUSED);
5356 AssertReturn(!(pPatch->flags & PATMFL_EXTERNAL_JUMP_INSIDE), VERR_PATCHING_REFUSED);
5357
5358 /** Note: quite ugly to enable/disable/remove/insert old and new patches, but there's no easy way around it. */
5359
5360 rc = PATMR3DisablePatch(pVM, pInstrGC);
5361 AssertRC(rc);
5362
5363 /** Kick it out of the lookup tree to make sure PATMR3InstallPatch doesn't fail (hack alert) */
5364 RTAvloGCPtrRemove(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pPatchRec->Core.Key);
5365#ifdef VBOX_WITH_STATISTICS
5366 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
5367 {
5368 STAMR3Deregister(pVM, &pPatchRec->patch);
5369#ifndef DEBUG_sandervl
5370 STAMR3Deregister(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx]);
5371 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchBlockSize);
5372 STAMR3Deregister(pVM, &pPatchRec->patch.cbPatchJump);
5373 STAMR3Deregister(pVM, &pPatchRec->patch.cbPrivInstr);
5374 STAMR3Deregister(pVM, &pPatchRec->patch.cCodeWrites);
5375 STAMR3Deregister(pVM, &pPatchRec->patch.cInvalidWrites);
5376 STAMR3Deregister(pVM, &pPatchRec->patch.cTraps);
5377 STAMR3Deregister(pVM, &pPatchRec->patch.flags);
5378 STAMR3Deregister(pVM, &pPatchRec->patch.nrJumpRecs);
5379 STAMR3Deregister(pVM, &pPatchRec->patch.nrFixups);
5380 STAMR3Deregister(pVM, &pPatchRec->patch.opcode);
5381 STAMR3Deregister(pVM, &pPatchRec->patch.uState);
5382 STAMR3Deregister(pVM, &pPatchRec->patch.uOldState);
5383 STAMR3Deregister(pVM, &pPatchRec->patch.uOpMode);
5384#endif
5385 }
5386#endif
5387
5388 /** Note: We don't attempt to reuse patch memory here as it's quite common that the new code block requires more memory. */
5389
5390 /* Attempt to install a new patch. */
5391 rc = PATMR3InstallPatch(pVM, pInstrGC, pPatch->flags & (PATMFL_CODE32|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_TRAPHANDLER|PATMFL_DUPLICATE_FUNCTION|PATMFL_TRAPHANDLER_WITH_ERRORCODE|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT));
5392 if (VBOX_SUCCESS(rc))
5393 {
5394 RTGCPTR pPatchTargetGC;
5395 PPATMPATCHREC pNewPatchRec;
5396
5397 /* Determine target address in new patch */
5398 pPatchTargetGC = PATMR3QueryPatchGCPtr(pVM, pInstrGC);
5399 Assert(pPatchTargetGC);
5400 if (!pPatchTargetGC)
5401 {
5402 rc = VERR_PATCHING_REFUSED;
5403 goto failure;
5404 }
5405
5406 /* Reset offset into patch memory to put the next code blocks right at the beginning. */
5407 pPatch->uCurPatchOffset = 0;
5408
5409 /* insert jump to new patch in old patch block */
5410 rc = patmPatchGenPatchJump(pVM, pPatch, pInstrGC, pPatchTargetGC, false /* no lookup record */);
5411 if (VBOX_FAILURE(rc))
5412 goto failure;
5413
5414 pNewPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5415 Assert(pNewPatchRec); /* can't fail */
5416
5417 /* Remove old patch (only do that when everything is finished) */
5418 int rc2 = PATMRemovePatch(pVM, pPatchRec, true /* force removal */);
5419 AssertRC(rc2);
5420
5421 /* Put the new patch back into the tree, because removing the old one kicked this one out. (hack alert) */
5422 RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pNewPatchRec->Core);
5423
5424 LogRel(("PATM: patmR3RefreshPatch: succeeded to refresh patch at %VGv \n", pInstrGC));
5425 STAM_COUNTER_INC(&pVM->patm.s.StatPatchRefreshSuccess);
5426 }
5427
5428failure:
5429 if (VBOX_FAILURE(rc))
5430 {
5431 LogRel(("PATM: patmR3RefreshPatch: failed to refresh patch at %VGv. Reactiving old one. \n", pInstrGC));
5432
5433 /* Remove the new inactive patch */
5434 rc = PATMR3RemovePatch(pVM, pInstrGC);
5435 AssertRC(rc);
5436
5437 /* Put the old patch back into the tree (or else it won't be saved) (hack alert) */
5438 RTAvloGCPtrInsert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pPatchRec->Core);
5439
5440 /* Enable again in case the dirty instruction is near the end and there are safe code paths. */
5441 int rc2 = PATMR3EnablePatch(pVM, pInstrGC);
5442 AssertRC(rc2);
5443
5444 STAM_COUNTER_INC(&pVM->patm.s.StatPatchRefreshFailed);
5445 }
5446 return rc;
5447}
5448
5449/**
5450 * Find patch for privileged instruction at specified location
5451 *
5452 * @returns Patch structure pointer if found; else NULL
5453 * @param pVM The VM to operate on.
5454 * @param pInstr Guest context point to instruction that might lie within 5 bytes of an existing patch jump
5455 * @param fIncludeHints Include hinted patches or not
5456 *
5457 */
5458PPATCHINFO PATMFindActivePatchByEntrypoint(PVM pVM, RTGCPTR pInstrGC, bool fIncludeHints)
5459{
5460 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
5461 /* if the patch is enabled, the pointer is not indentical to the privileged patch ptr and it lies within 5 bytes of this priv instr ptr, then we've got a hit! */
5462 if (pPatchRec)
5463 {
5464 if ( pPatchRec->patch.uState == PATCH_ENABLED
5465 && (pPatchRec->patch.flags & PATMFL_PATCHED_GUEST_CODE)
5466 && pInstrGC > pPatchRec->patch.pPrivInstrGC
5467 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5468 {
5469 Log(("Found active patch at %VGv (org %VGv)\n", pInstrGC, pPatchRec->patch.pPrivInstrGC));
5470 return &pPatchRec->patch;
5471 }
5472 else
5473 if ( fIncludeHints
5474 && pPatchRec->patch.uState == PATCH_DISABLED
5475 && (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
5476 && pInstrGC > pPatchRec->patch.pPrivInstrGC
5477 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5478 {
5479 Log(("Found HINT patch at %VGv (org %VGv)\n", pInstrGC, pPatchRec->patch.pPrivInstrGC));
5480 return &pPatchRec->patch;
5481 }
5482 }
5483 return NULL;
5484}
5485
5486/**
5487 * Checks whether the GC address is inside a generated patch jump
5488 *
5489 * @returns true -> yes, false -> no
5490 * @param pVM The VM to operate on.
5491 * @param pAddr Guest context address
5492 * @param pPatchAddr Guest context patch address (if true)
5493 */
5494PATMR3DECL(bool) PATMR3IsInsidePatchJump(PVM pVM, RTGCPTR pAddr, PRTGCPTR pPatchAddr)
5495{
5496 RTGCPTR addr;
5497 PPATCHINFO pPatch;
5498
5499 if (PATMIsEnabled(pVM) == false)
5500 return false;
5501
5502 if (pPatchAddr == NULL)
5503 pPatchAddr = &addr;
5504
5505 *pPatchAddr = 0;
5506
5507 pPatch = PATMFindActivePatchByEntrypoint(pVM, pAddr);
5508 if (pPatch)
5509 {
5510 *pPatchAddr = pPatch->pPrivInstrGC;
5511 }
5512 return *pPatchAddr == 0 ? false : true;
5513}
5514
5515/**
5516 * Remove patch for privileged instruction at specified location
5517 *
5518 * @returns VBox status code.
5519 * @param pVM The VM to operate on.
5520 * @param pInstr Guest context point to privileged instruction
5521 *
5522 * @note returns failure if patching is not allowed or possible
5523 *
5524 */
5525PATMR3DECL(int) PATMR3RemovePatch(PVM pVM, RTGCPTR pInstrGC)
5526{
5527 PPATMPATCHREC pPatchRec;
5528
5529 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5530 if (pPatchRec)
5531 {
5532 int rc = PATMR3DisablePatch(pVM, pInstrGC);
5533 if (rc == VWRN_PATCH_REMOVED)
5534 return VINF_SUCCESS;
5535 return PATMRemovePatch(pVM, pPatchRec, false);
5536 }
5537 AssertFailed();
5538 return VERR_PATCH_NOT_FOUND;
5539}
5540
5541/**
5542 * Mark patch as dirty
5543 *
5544 * @returns VBox status code.
5545 * @param pVM The VM to operate on.
5546 * @param pPatch Patch record
5547 *
5548 * @note returns failure if patching is not allowed or possible
5549 *
5550 */
5551PATMR3DECL(int) PATMR3MarkDirtyPatch(PVM pVM, PPATCHINFO pPatch)
5552{
5553 if (pPatch->pPatchBlockOffset)
5554 {
5555 Log(("Invalidate patch at %VGv (HC=%VGv)\n", PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_HC(pPatch)));
5556 pPatch->bDirtyOpcode = *PATCHCODE_PTR_HC(pPatch);
5557 *PATCHCODE_PTR_HC(pPatch) = 0xCC;
5558 }
5559
5560 STAM_COUNTER_INC(&pVM->patm.s.StatDirty);
5561 /* Put back the replaced instruction. */
5562 int rc = PATMR3DisablePatch(pVM, pPatch->pPrivInstrGC);
5563 if (rc == VWRN_PATCH_REMOVED)
5564 return VINF_SUCCESS;
5565
5566 /** @note we don't restore patch pages for patches that are not enabled! */
5567 /** @note be careful when changing this behaviour!! */
5568
5569 /* The patch pages are no longer marked for self-modifying code detection */
5570 if (pPatch->flags & PATMFL_CODE_MONITORED)
5571 {
5572 int rc = patmRemovePatchPages(pVM, pPatch);
5573 AssertRCReturn(rc, rc);
5574 }
5575 pPatch->uState = PATCH_DIRTY;
5576
5577 /* Paranoia; make sure this patch is not somewhere in the callchain, so prevent ret instructions from succeeding. */
5578 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
5579
5580 return VINF_SUCCESS;
5581}
5582
5583/**
5584 * Query the corresponding GC instruction pointer from a pointer inside the patch block itself
5585 *
5586 * @returns VBox status code.
5587 * @param pVM The VM to operate on.
5588 * @param pPatch Patch block structure pointer
5589 * @param pPatchGC GC address in patch block
5590 */
5591RTGCPTR patmPatchGCPtr2GuestGCPtr(PVM pVM, PPATCHINFO pPatch, GCPTRTYPE(uint8_t *) pPatchGC)
5592{
5593 Assert(pPatch->Patch2GuestAddrTree);
5594 /* Get the closest record from below. */
5595 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->Patch2GuestAddrTree, pPatchGC - pVM->patm.s.pPatchMemGC, false);
5596 if (pPatchToGuestRec)
5597 return pPatchToGuestRec->pOrgInstrGC;
5598
5599 return 0;
5600}
5601
5602/* Converts Guest code GC ptr to Patch code GC ptr (if found)
5603 *
5604 * @returns corresponding GC pointer in patch block
5605 * @param pVM The VM to operate on.
5606 * @param pPatch Current patch block pointer
5607 * @param pInstrGC Guest context pointer to privileged instruction
5608 *
5609 */
5610RTGCPTR patmGuestGCPtrToPatchGCPtr(PVM pVM, PPATCHINFO pPatch, GCPTRTYPE(uint8_t*) pInstrGC)
5611{
5612 if (pPatch->Guest2PatchAddrTree)
5613 {
5614 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlGCPtrGet(&pPatch->Guest2PatchAddrTree, pInstrGC);
5615 if (pGuestToPatchRec)
5616 return pVM->patm.s.pPatchMemGC + pGuestToPatchRec->PatchOffset;
5617 }
5618
5619 return 0;
5620}
5621
5622/* Converts Guest code GC ptr to Patch code GC ptr (if found)
5623 *
5624 * @returns corresponding GC pointer in patch block
5625 * @param pVM The VM to operate on.
5626 * @param pInstrGC Guest context pointer to privileged instruction
5627 *
5628 */
5629PATMR3DECL(RTGCPTR) PATMR3GuestGCPtrToPatchGCPtr(PVM pVM, GCPTRTYPE(uint8_t*) pInstrGC)
5630{
5631 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
5632 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED && pInstrGC >= pPatchRec->patch.pPrivInstrGC)
5633 {
5634 return patmGuestGCPtrToPatchGCPtr(pVM, &pPatchRec->patch, pInstrGC);
5635 }
5636 return 0;
5637}
5638
5639/**
5640 * Query the corresponding GC instruction pointer from a pointer inside the patch block itself
5641 *
5642 * @returns original GC instruction pointer or 0 if not found
5643 * @param pVM The VM to operate on.
5644 * @param pPatchGC GC address in patch block
5645 * @param pEnmState State of the translated address (out)
5646 *
5647 */
5648PATMR3DECL(RTGCPTR) PATMR3PatchToGCPtr(PVM pVM, RTGCPTR pPatchGC, PATMTRANSSTATE *pEnmState)
5649{
5650 PPATMPATCHREC pPatchRec;
5651 void *pvPatchCoreOffset;
5652 RTGCPTR pPrivInstrGC;
5653
5654 Assert(PATMIsPatchGCAddr(pVM, pPatchGC));
5655 pvPatchCoreOffset = RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchGC - pVM->patm.s.pPatchMemGC, false);
5656 if (pvPatchCoreOffset == 0)
5657 {
5658 Log(("PATMR3PatchToGCPtr failed for %VGv offset %x\n", pPatchGC, pPatchGC - pVM->patm.s.pPatchMemGC));
5659 return 0;
5660 }
5661 pPatchRec = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
5662 pPrivInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, &pPatchRec->patch, pPatchGC);
5663 if (pEnmState)
5664 {
5665 AssertMsg(pPrivInstrGC && ( pPatchRec->patch.uState == PATCH_ENABLED
5666 || pPatchRec->patch.uState == PATCH_DIRTY
5667 || pPatchRec->patch.uState == PATCH_DISABLE_PENDING
5668 || pPatchRec->patch.uState == PATCH_UNUSABLE),
5669 ("pPrivInstrGC=%VGv uState=%d\n", pPrivInstrGC, pPatchRec->patch.uState));
5670
5671 if ( !pPrivInstrGC
5672 || pPatchRec->patch.uState == PATCH_UNUSABLE
5673 || pPatchRec->patch.uState == PATCH_REFUSED)
5674 {
5675 pPrivInstrGC = 0;
5676 *pEnmState = PATMTRANS_FAILED;
5677 }
5678 else
5679 if (pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts == pPrivInstrGC)
5680 {
5681 *pEnmState = PATMTRANS_INHIBITIRQ;
5682 }
5683 else
5684 if ( pPatchRec->patch.uState == PATCH_ENABLED
5685 && !(pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAMPOLINE))
5686 && pPrivInstrGC > pPatchRec->patch.pPrivInstrGC
5687 && pPrivInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5688 {
5689 *pEnmState = PATMTRANS_OVERWRITTEN;
5690 }
5691 else
5692 if (PATMFindActivePatchByEntrypoint(pVM, pPrivInstrGC))
5693 {
5694 *pEnmState = PATMTRANS_OVERWRITTEN;
5695 }
5696 else
5697 if (pPrivInstrGC == pPatchRec->patch.pPrivInstrGC)
5698 {
5699 *pEnmState = PATMTRANS_PATCHSTART;
5700 }
5701 else
5702 *pEnmState = PATMTRANS_SAFE;
5703 }
5704 return pPrivInstrGC;
5705}
5706
5707/**
5708 * Returns the GC pointer of the patch for the specified GC address
5709 *
5710 * @returns VBox status code.
5711 * @param pVM The VM to operate on.
5712 * @param pAddrGC Guest context address
5713 */
5714PATMR3DECL(RTGCPTR) PATMR3QueryPatchGCPtr(PVM pVM, RTGCPTR pAddrGC)
5715{
5716 PPATMPATCHREC pPatchRec;
5717
5718 // Find the patch record
5719 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGet(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pAddrGC);
5720 /** @todo we should only use patches that are enabled! always did this, but it's incorrect! */
5721 if (pPatchRec && (pPatchRec->patch.uState == PATCH_ENABLED || pPatchRec->patch.uState == PATCH_DIRTY))
5722 return PATCHCODE_PTR_GC(&pPatchRec->patch);
5723
5724 return 0;
5725}
5726
5727/**
5728 * Attempt to recover dirty instructions
5729 *
5730 * @returns VBox status code.
5731 * @param pVM The VM to operate on.
5732 * @param pCtx CPU context
5733 * @param pPatch Patch record
5734 * @param pPatchToGuestRec Patch to guest address record
5735 * @param pEip GC pointer of trapping instruction
5736 */
5737static int patmR3HandleDirtyInstr(PVM pVM, PCPUMCTX pCtx, PPATMPATCHREC pPatch, PRECPATCHTOGUEST pPatchToGuestRec, RTGCPTR pEip)
5738{
5739 DISCPUSTATE CpuOld, CpuNew;
5740 uint8_t *pPatchInstrHC, *pCurPatchInstrHC;
5741 int rc;
5742 RTGCPTR pCurInstrGC, pCurPatchInstrGC;
5743 uint32_t cbDirty;
5744 PRECPATCHTOGUEST pRec;
5745
5746 Log(("patmR3HandleDirtyInstr: dirty instruction at %VGv (%VGv)\n", pEip, pPatchToGuestRec->pOrgInstrGC));
5747
5748 pRec = pPatchToGuestRec;
5749 pCurInstrGC = pPatchToGuestRec->pOrgInstrGC;
5750 pCurPatchInstrGC = pEip;
5751 cbDirty = 0;
5752 pPatchInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pCurPatchInstrGC);
5753
5754 /* Find all adjacent dirty instructions */
5755 while (true)
5756 {
5757 if (pRec->fJumpTarget)
5758 {
5759 LogRel(("PATM: patmR3HandleDirtyInstr: dirty instruction at %VGv (%VGv) ignored, because instruction in function was reused as target of jump\n", pEip, pPatchToGuestRec->pOrgInstrGC));
5760 pRec->fDirty = false;
5761 return VERR_PATCHING_REFUSED;
5762 }
5763
5764 /* Restore original instruction opcode byte so we can check if the write was indeed safe. */
5765 pCurPatchInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pCurPatchInstrGC);
5766 *pCurPatchInstrHC = pRec->u8DirtyOpcode;
5767
5768 /* Only harmless instructions are acceptable. */
5769 rc = CPUMR3DisasmInstrCPU(pVM, pCtx, pCurPatchInstrGC, &CpuOld, 0);
5770 if ( VBOX_FAILURE(rc)
5771 || !(CpuOld.pCurInstr->optype & OPTYPE_HARMLESS))
5772 break;
5773
5774#ifdef DEBUG
5775 char szBuf[256];
5776 szBuf[0] = '\0';
5777 DBGFR3DisasInstr(pVM, pCtx->cs, pCurPatchInstrGC, szBuf, sizeof(szBuf));
5778 Log(("DIRTY: %s\n", szBuf));
5779#endif
5780 /** Remove old lookup record. */
5781 patmr3RemoveP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrGC);
5782
5783 pCurPatchInstrGC += CpuOld.opsize;
5784 cbDirty += CpuOld.opsize;
5785
5786 /* Mark as clean; if we fail we'll let it always fault. */
5787 pRec->fDirty = false;
5788
5789 /* Let's see if there's another dirty instruction right after. */
5790 pRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->patch.Patch2GuestAddrTree, pCurPatchInstrGC - pVM->patm.s.pPatchMemGC, true);
5791 if (!pRec || !pRec->fDirty)
5792 break; /* no more dirty instructions */
5793 }
5794
5795 if ( VBOX_SUCCESS(rc)
5796 && (CpuOld.pCurInstr->optype & OPTYPE_HARMLESS)
5797 )
5798 {
5799 uint32_t cbLeft;
5800
5801 pCurPatchInstrHC = pPatchInstrHC;
5802 pCurPatchInstrGC = pEip;
5803 cbLeft = cbDirty;
5804
5805 while (cbLeft && VBOX_SUCCESS(rc))
5806 {
5807 bool fValidInstr;
5808
5809 rc = CPUMR3DisasmInstrCPU(pVM, pCtx, pCurInstrGC, &CpuNew, 0);
5810
5811 fValidInstr = !!(CpuNew.pCurInstr->optype & OPTYPE_HARMLESS);
5812 if ( !fValidInstr
5813 && (CpuNew.pCurInstr->optype & OPTYPE_RELATIVE_CONTROLFLOW)
5814 )
5815 {
5816 RTGCPTR pTargetGC = PATMResolveBranch(&CpuNew, pCurInstrGC);
5817
5818 if ( pTargetGC >= pPatchToGuestRec->pOrgInstrGC
5819 && pTargetGC <= pPatchToGuestRec->pOrgInstrGC + cbDirty
5820 )
5821 {
5822 /* A relative jump to an instruction inside or to the end of the dirty block is acceptable. */
5823 fValidInstr = true;
5824 }
5825 }
5826
5827 /* If the instruction is completely harmless (which implies a 1:1 patch copy). */
5828 if ( rc == VINF_SUCCESS
5829 && CpuNew.opsize <= cbLeft /* must still fit */
5830 && fValidInstr
5831 )
5832 {
5833#ifdef DEBUG
5834 char szBuf[256];
5835 szBuf[0] = '\0';
5836 DBGFR3DisasInstr(pVM, pCtx->cs, pCurInstrGC, szBuf, sizeof(szBuf));
5837 Log(("NEW: %s\n", szBuf));
5838#endif
5839
5840 /* Copy the new instruction. */
5841 rc = PGMPhysReadGCPtr(pVM, pCurPatchInstrHC, pCurInstrGC, CpuNew.opsize);
5842 AssertRC(rc);
5843
5844 /* Add a new lookup record for the duplicated instruction. */
5845 patmr3AddP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrHC, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
5846 }
5847 else
5848 {
5849#ifdef DEBUG
5850 char szBuf[256];
5851 szBuf[0] = '\0';
5852 DBGFR3DisasInstr(pVM, pCtx->cs, pCurInstrGC, szBuf, sizeof(szBuf));
5853 Log(("NEW: %s (FAILED)\n", szBuf));
5854#endif
5855 /* Restore the old lookup record for the duplicated instruction. */
5856 patmr3AddP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrHC, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
5857
5858 /** @todo in theory we need to restore the lookup records for the remaining dirty instructions too! */
5859 rc = VERR_PATCHING_REFUSED;
5860 break;
5861 }
5862 pCurInstrGC += CpuNew.opsize;
5863 pCurPatchInstrHC += CpuNew.opsize;
5864 pCurPatchInstrGC += CpuNew.opsize;
5865 cbLeft -= CpuNew.opsize;
5866 }
5867 }
5868 else
5869 rc = VERR_PATCHING_REFUSED;
5870
5871 if (VBOX_SUCCESS(rc))
5872 {
5873 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirtyGood);
5874 }
5875 else
5876 {
5877 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirtyBad);
5878 /* Mark the whole instruction stream with breakpoints. */
5879 memset(pPatchInstrHC, 0xCC, cbDirty);
5880
5881 if ( pVM->patm.s.fOutOfMemory == false
5882 && (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER)))
5883 {
5884 rc = patmR3RefreshPatch(pVM, pPatch);
5885 if (VBOX_FAILURE(rc))
5886 {
5887 LogRel(("PATM: Failed to refresh dirty patch at %VGv. Disabling it.\n", pPatch->patch.pPrivInstrGC));
5888 }
5889 /* Even if we succeed, we must go back to the original instruction as the patched one could be invalid. */
5890 rc = VERR_PATCHING_REFUSED;
5891 }
5892 }
5893 return rc;
5894}
5895
5896/**
5897 * Handle trap inside patch code
5898 *
5899 * @returns VBox status code.
5900 * @param pVM The VM to operate on.
5901 * @param pCtx CPU context
5902 * @param pEip GC pointer of trapping instruction
5903 * @param ppNewEip GC pointer to new instruction
5904 */
5905PATMR3DECL(int) PATMR3HandleTrap(PVM pVM, PCPUMCTX pCtx, RTGCPTR pEip, RTGCPTR *ppNewEip)
5906{
5907 PPATMPATCHREC pPatch = 0;
5908 void *pvPatchCoreOffset;
5909 RTGCUINTPTR offset;
5910 RTGCPTR pNewEip;
5911 int rc ;
5912 PRECPATCHTOGUEST pPatchToGuestRec = 0;
5913
5914 pNewEip = 0;
5915 *ppNewEip = 0;
5916
5917 STAM_PROFILE_ADV_START(&pVM->patm.s.StatHandleTrap, a);
5918
5919 /* Find the patch record. */
5920 /** @note there might not be a patch to guest translation record (global function) */
5921 offset = pEip - pVM->patm.s.pPatchMemGC;
5922 pvPatchCoreOffset = RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, offset, false);
5923 if (pvPatchCoreOffset)
5924 {
5925 pPatch = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
5926
5927 if (pPatch->patch.uState == PATCH_DIRTY)
5928 {
5929 Log(("PATMR3HandleTrap: trap in dirty patch at %VGv\n", pEip));
5930 if (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CALLABLE_AS_FUNCTION))
5931 {
5932 /* Function duplication patches set fPIF to 1 on entry */
5933 pVM->patm.s.pGCStateHC->fPIF = 1;
5934 }
5935 }
5936 else
5937 if (pPatch->patch.uState == PATCH_DISABLED)
5938 {
5939 Log(("PATMR3HandleTrap: trap in disabled patch at %VGv\n", pEip));
5940 if (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CALLABLE_AS_FUNCTION))
5941 {
5942 /* Function duplication patches set fPIF to 1 on entry */
5943 pVM->patm.s.pGCStateHC->fPIF = 1;
5944 }
5945 }
5946 else
5947 if (pPatch->patch.uState == PATCH_DISABLE_PENDING)
5948 {
5949 RTGCPTR pPrivInstrGC = pPatch->patch.pPrivInstrGC;
5950
5951 Log(("PATMR3HandleTrap: disable operation is pending for patch at %VGv\n", pPatch->patch.pPrivInstrGC));
5952 rc = PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
5953 AssertReleaseMsg(rc != VWRN_PATCH_REMOVED, ("PATMR3DisablePatch removed patch at %VGv\n", pPrivInstrGC));
5954 AssertMsg(pPatch->patch.uState == PATCH_DISABLED || pPatch->patch.uState == PATCH_UNUSABLE, ("Unexpected failure to disable patch state=%d rc=%Vrc\n", pPatch->patch.uState, rc));
5955 }
5956
5957 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->patch.Patch2GuestAddrTree, offset, false);
5958 AssertReleaseMsg(pPatchToGuestRec, ("PATMR3HandleTrap: Unable to find corresponding guest address for %VGv (offset %x)\n", pEip, offset));
5959
5960 pNewEip = pPatchToGuestRec->pOrgInstrGC;
5961 pPatch->patch.cTraps++;
5962 PATM_STAT_FAULT_INC(&pPatch->patch);
5963 }
5964 else
5965 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 0, ("PATMR3HandleTrap: Unable to find translation record for %VGv (PIF=0)\n", pEip));
5966
5967 /* Check if we were interrupted in PATM generated instruction code. */
5968 if (pVM->patm.s.pGCStateHC->fPIF == 0)
5969 {
5970 DISCPUSTATE Cpu;
5971 rc = CPUMR3DisasmInstrCPU(pVM, pCtx, pEip, &Cpu, "PIF Trap: ");
5972 AssertRC(rc);
5973
5974 if ( rc == VINF_SUCCESS
5975 && ( Cpu.pCurInstr->opcode == OP_PUSHF
5976 || Cpu.pCurInstr->opcode == OP_PUSH
5977 || Cpu.pCurInstr->opcode == OP_CALL)
5978 )
5979 {
5980 STAM_COUNTER_INC(&pVM->patm.s.StatPushTrap);
5981 /* Typical pushf (most patches)/push (call patch) trap because of a monitored page. */
5982 rc = PGMShwModifyPage(pVM, pCtx->esp, 1, X86_PTE_RW, ~(uint64_t)X86_PTE_RW);
5983 AssertMsgRC(rc, ("PGMShwModifyPage -> rc=%Vrc\n", rc));
5984 if (rc == VINF_SUCCESS)
5985 {
5986 uint64_t fFlags;
5987
5988 /* The guest page *must* be present. */
5989 rc = PGMGstGetPage(pVM, pCtx->esp, &fFlags, NULL);
5990 if (rc == VINF_SUCCESS && (fFlags & X86_PTE_P))
5991 {
5992 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
5993 return VINF_PATCH_CONTINUE;
5994 }
5995 }
5996 }
5997
5998 char szBuf[256];
5999 szBuf[0] = '\0';
6000 DBGFR3DisasInstr(pVM, pCtx->cs, pEip, szBuf, sizeof(szBuf));
6001
6002 /* Very bad. We crashed in emitted code. Probably stack? */
6003 if (pPatch)
6004 {
6005 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 1,
6006 ("Crash in patch code %VGv (%VGv) esp=%RX32\nPatch state=%x flags=%x fDirty=%d\n%s\n", pEip, pNewEip, CPUMGetGuestESP(pVM), pPatch->patch.uState, pPatch->patch.flags, pPatchToGuestRec->fDirty, szBuf));
6007 }
6008 else
6009 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 1,
6010 ("Crash in patch code %VGv (%VGv) esp=%RX32\n%s\n", pEip, pNewEip, CPUMGetGuestESP(pVM), szBuf));
6011 EMR3FatalError(pVM, VERR_INTERNAL_ERROR);
6012 }
6013
6014 /* From here on, we must have a valid patch to guest translation. */
6015 if (pvPatchCoreOffset == 0)
6016 {
6017 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6018 AssertMsgFailed(("PATMR3HandleTrap: patch not found at address %VGv!!\n", pEip));
6019 return VERR_PATCH_NOT_FOUND; //fatal error
6020 }
6021
6022 /* Take care of dirty/changed instructions. */
6023 if (pPatchToGuestRec->fDirty)
6024 {
6025 Assert(pPatchToGuestRec->Core.Key == offset);
6026 Assert(pVM->patm.s.pGCStateHC->fPIF == 1);
6027
6028 rc = patmR3HandleDirtyInstr(pVM, pCtx, pPatch, pPatchToGuestRec, pEip);
6029 if (VBOX_SUCCESS(rc))
6030 {
6031 /* Retry the current instruction. */
6032 pNewEip = pEip;
6033 rc = VINF_PATCH_CONTINUE; /* Continue at current patch instruction. */
6034 }
6035 else
6036 {
6037 /* Reset the PATM stack. */
6038 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6039
6040 rc = VINF_SUCCESS; /* Continue at original instruction. */
6041 }
6042
6043 *ppNewEip = pNewEip;
6044 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6045 return rc;
6046 }
6047
6048#ifdef VBOX_STRICT
6049 if (pPatch->patch.flags & PATMFL_DUPLICATE_FUNCTION)
6050 {
6051 DISCPUSTATE cpu;
6052 bool disret;
6053 uint32_t opsize;
6054
6055 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
6056 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pNewEip, PATMGCVirtToHCVirt(pVM, &pPatch->patch, pNewEip), &opsize, NULL, PATMREAD_RAWCODE);
6057 if (disret && cpu.pCurInstr->opcode == OP_RETN)
6058 {
6059 RTGCPTR retaddr;
6060 PCPUMCTX pCtx;
6061 int rc;
6062
6063 rc = CPUMQueryGuestCtxPtr(pVM, &pCtx);
6064 AssertRC(rc);
6065
6066 rc = PGMPhysReadGCPtr(pVM, &retaddr, pCtx->esp, sizeof(retaddr));
6067 AssertRC(rc);
6068
6069 Log(("Return failed at %VGv (%VGv)\n", pEip, pNewEip));
6070 Log(("Expected return address %VGv found address %VGv Psp=%x\n", pVM->patm.s.pGCStackHC[(pVM->patm.s.pGCStateHC->Psp+PATM_STACK_SIZE)/sizeof(RTGCPTR)], retaddr, pVM->patm.s.pGCStateHC->Psp));
6071 }
6072 }
6073#endif
6074
6075 /* Return original address, correct by subtracting the CS base address. */
6076 *ppNewEip = pNewEip - SELMToFlat(pVM, pCtx->eflags, pCtx->cs, &pCtx->csHid, 0);
6077
6078 /* Reset the PATM stack. */
6079 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6080
6081 if (pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts == pNewEip)
6082 {
6083 /* Must be a faulting instruction after sti; currently only sysexit, hlt or iret */
6084 Log(("PATMR3HandleTrap %VGv -> inhibit irqs set!\n", pEip));
6085#ifdef VBOX_STRICT
6086 DISCPUSTATE cpu;
6087 bool disret;
6088 uint32_t opsize;
6089
6090 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
6091 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pNewEip, PATMGCVirtToHCVirt(pVM, &pPatch->patch, pNewEip), &opsize, NULL, PATMREAD_ORGCODE);
6092
6093 if (disret && (cpu.pCurInstr->opcode == OP_SYSEXIT || cpu.pCurInstr->opcode == OP_HLT || cpu.pCurInstr->opcode == OP_INT3))
6094 {
6095 cpu.mode = (pPatch->patch.flags & PATMFL_CODE32) ? CPUMODE_32BIT : CPUMODE_16BIT;
6096 disret = PATMR3DISInstr(pVM, &pPatch->patch, &cpu, pNewEip, PATMGCVirtToHCVirt(pVM, &pPatch->patch, pNewEip), &opsize, NULL, PATMREAD_RAWCODE);
6097
6098 Assert(cpu.pCurInstr->opcode == OP_SYSEXIT || cpu.pCurInstr->opcode == OP_HLT || cpu.pCurInstr->opcode == OP_IRET);
6099 }
6100#endif
6101 EMSetInhibitInterruptsPC(pVM, pNewEip);
6102 pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts = 0;
6103 }
6104
6105 Log2(("pPatchBlockGC %VGv - pEip %VGv corresponding GC address %VGv\n", PATCHCODE_PTR_GC(&pPatch->patch), pEip, pNewEip));
6106
6107 if (pNewEip >= pPatch->patch.pPrivInstrGC && pNewEip < pPatch->patch.pPrivInstrGC + pPatch->patch.cbPatchJump)
6108 {
6109 /* We can't jump back to code that we've overwritten with a 5 byte jump! */
6110 Log(("Disabling patch at location %VGv due to trap too close to the privileged instruction \n", pPatch->patch.pPrivInstrGC));
6111 PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6112 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6113 return VERR_PATCH_DISABLED;
6114 }
6115
6116#ifdef PATM_REMOVE_PATCH_ON_TOO_MANY_TRAPS
6117 /** @todo compare to nr of successful runs. add some aging algorithm and determine the best time to disable the patch */
6118 if (pPatch->patch.cTraps > MAX_PATCH_TRAPS)
6119 {
6120 Log(("Disabling patch at location %VGv due to too many traps inside patch code\n", pPatch->patch.pPrivInstrGC));
6121 //we are only wasting time, back out the patch
6122 PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6123 pTrapRec->pNextPatchInstr = 0;
6124 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6125 return VERR_PATCH_DISABLED;
6126 }
6127#endif
6128
6129 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6130 return VINF_SUCCESS;
6131}
6132
6133
6134/**
6135 * Handle page-fault in monitored page
6136 *
6137 * @returns VBox status code.
6138 * @param pVM The VM to operate on.
6139 */
6140PATMR3DECL(int) PATMR3HandleMonitoredPage(PVM pVM)
6141{
6142 RTGCPTR addr = pVM->patm.s.pvFaultMonitor;
6143
6144 addr &= PAGE_BASE_GC_MASK;
6145
6146 int rc = PGMHandlerVirtualDeregister(pVM, addr);
6147 AssertRC(rc); NOREF(rc);
6148
6149 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, addr, false);
6150 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED && PAGE_ADDRESS(pPatchRec->patch.pPrivInstrGC) == PAGE_ADDRESS(addr))
6151 {
6152 STAM_COUNTER_INC(&pVM->patm.s.StatMonitored);
6153 Log(("Renewing patch at %VGv\n", pPatchRec->patch.pPrivInstrGC));
6154 rc = PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6155 if (rc == VWRN_PATCH_REMOVED)
6156 return VINF_SUCCESS;
6157
6158 PATMR3EnablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6159
6160 if (addr == pPatchRec->patch.pPrivInstrGC)
6161 addr++;
6162 }
6163
6164 for(;;)
6165 {
6166 pPatchRec = (PPATMPATCHREC)RTAvloGCPtrGetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, addr, true);
6167
6168 if (!pPatchRec || PAGE_ADDRESS(pPatchRec->patch.pPrivInstrGC) != PAGE_ADDRESS(addr))
6169 break;
6170
6171 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED)
6172 {
6173 STAM_COUNTER_INC(&pVM->patm.s.StatMonitored);
6174 Log(("Renewing patch at %VGv\n", pPatchRec->patch.pPrivInstrGC));
6175 PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6176 PATMR3EnablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6177 }
6178 addr = pPatchRec->patch.pPrivInstrGC + 1;
6179 }
6180
6181 pVM->patm.s.pvFaultMonitor = 0;
6182 return VINF_SUCCESS;
6183}
6184
6185
6186#ifdef VBOX_WITH_STATISTICS
6187
6188static const char *PATMPatchType(PVM pVM, PPATCHINFO pPatch)
6189{
6190 if (pPatch->flags & PATMFL_SYSENTER)
6191 {
6192 return "SYSENT";
6193 }
6194 else
6195 if (pPatch->flags & (PATMFL_TRAPHANDLER|PATMFL_INTHANDLER))
6196 {
6197 static char szTrap[16];
6198 uint32_t iGate;
6199
6200 iGate = TRPMR3QueryGateByHandler(pVM, PATCHCODE_PTR_GC(pPatch));
6201 if (iGate < 256)
6202 RTStrPrintf(szTrap, sizeof(szTrap), (pPatch->flags & PATMFL_INTHANDLER) ? "INT-%2X" : "TRAP-%2X", iGate);
6203 else
6204 RTStrPrintf(szTrap, sizeof(szTrap), (pPatch->flags & PATMFL_INTHANDLER) ? "INT-??" : "TRAP-??");
6205 return szTrap;
6206 }
6207 else
6208 if (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
6209 return "DUPFUNC";
6210 else
6211 if (pPatch->flags & PATMFL_REPLACE_FUNCTION_CALL)
6212 return "FUNCCALL";
6213 else
6214 if (pPatch->flags & PATMFL_TRAMPOLINE)
6215 return "TRAMP";
6216 else
6217 return patmGetInstructionString(pPatch->opcode, pPatch->flags);
6218}
6219
6220static const char *PATMPatchState(PVM pVM, PPATCHINFO pPatch)
6221{
6222 switch(pPatch->uState)
6223 {
6224 case PATCH_ENABLED:
6225 return "ENA";
6226 case PATCH_DISABLED:
6227 return "DIS";
6228 case PATCH_DIRTY:
6229 return "DIR";
6230 case PATCH_UNUSABLE:
6231 return "UNU";
6232 case PATCH_REFUSED:
6233 return "REF";
6234 case PATCH_DISABLE_PENDING:
6235 return "DIP";
6236 default:
6237 AssertFailed();
6238 return " ";
6239 }
6240}
6241
6242/**
6243 * Resets the sample.
6244 * @param pVM The VM handle.
6245 * @param pvSample The sample registered using STAMR3RegisterCallback.
6246 */
6247static void patmResetStat(PVM pVM, void *pvSample)
6248{
6249 PPATCHINFO pPatch = (PPATCHINFO)pvSample;
6250 Assert(pPatch);
6251
6252 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32A = 0;
6253 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32B = 0;
6254}
6255
6256/**
6257 * Prints the sample into the buffer.
6258 *
6259 * @param pVM The VM handle.
6260 * @param pvSample The sample registered using STAMR3RegisterCallback.
6261 * @param pszBuf The buffer to print into.
6262 * @param cchBuf The size of the buffer.
6263 */
6264static void patmPrintStat(PVM pVM, void *pvSample, char *pszBuf, size_t cchBuf)
6265{
6266 PPATCHINFO pPatch = (PPATCHINFO)pvSample;
6267 Assert(pPatch);
6268
6269 Assert(pPatch->uState != PATCH_REFUSED);
6270 Assert(!(pPatch->flags & (PATMFL_REPLACE_FUNCTION_CALL|PATMFL_MMIO_ACCESS)));
6271
6272 RTStrPrintf(pszBuf, cchBuf, "size %04x ->%3s %8s - %08d - %08d",
6273 pPatch->cbPatchBlockSize, PATMPatchState(pVM, pPatch), PATMPatchType(pVM, pPatch),
6274 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32A, pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32B);
6275}
6276
6277/**
6278 * Returns the GC address of the corresponding patch statistics counter
6279 *
6280 * @returns Stat address
6281 * @param pVM The VM to operate on.
6282 * @param pPatch Patch structure
6283 */
6284RTGCPTR patmPatchQueryStatAddress(PVM pVM, PPATCHINFO pPatch)
6285{
6286 Assert(pPatch->uPatchIdx != PATM_STAT_INDEX_NONE);
6287 return pVM->patm.s.pStatsGC + sizeof(STAMRATIOU32) * pPatch->uPatchIdx + RT_OFFSETOF(STAMRATIOU32, u32A);
6288}
6289
6290#endif /* VBOX_WITH_STATISTICS */
6291
6292#ifdef VBOX_WITH_DEBUGGER
6293/**
6294 * The '.patmoff' command.
6295 *
6296 * @returns VBox status.
6297 * @param pCmd Pointer to the command descriptor (as registered).
6298 * @param pCmdHlp Pointer to command helper functions.
6299 * @param pVM Pointer to the current VM (if any).
6300 * @param paArgs Pointer to (readonly) array of arguments.
6301 * @param cArgs Number of arguments in the array.
6302 */
6303static DECLCALLBACK(int) patmr3CmdOff(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult)
6304{
6305 /*
6306 * Validate input.
6307 */
6308 if (!pVM)
6309 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "error: The command requires VM to be selected.\n");
6310
6311 RTAvloGCPtrDoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, DisableAllPatches, pVM);
6312 PATMR3AllowPatching(pVM, false);
6313 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "Patching disabled\n");
6314}
6315
6316/**
6317 * The '.patmon' command.
6318 *
6319 * @returns VBox status.
6320 * @param pCmd Pointer to the command descriptor (as registered).
6321 * @param pCmdHlp Pointer to command helper functions.
6322 * @param pVM Pointer to the current VM (if any).
6323 * @param paArgs Pointer to (readonly) array of arguments.
6324 * @param cArgs Number of arguments in the array.
6325 */
6326static DECLCALLBACK(int) patmr3CmdOn(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PVM pVM, PCDBGCVAR paArgs, unsigned cArgs, PDBGCVAR pResult)
6327{
6328 /*
6329 * Validate input.
6330 */
6331 if (!pVM)
6332 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "error: The command requires VM to be selected.\n");
6333
6334 PATMR3AllowPatching(pVM, true);
6335 RTAvloGCPtrDoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, EnableAllPatches, pVM);
6336 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "Patching enabled\n");
6337}
6338#endif
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette