VirtualBox

source: vbox/trunk/src/VBox/VMM/VMMR3/PATM.cpp@ 60601

Last change on this file since 60601 was 58396, checked in by vboxsync, 9 years ago

VMM: Stubbed the csam, patm, rem and hm documentation @pages.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id Revision
File size: 263.4 KB
Line 
1/* $Id: PATM.cpp 58396 2015-10-23 21:16:36Z vboxsync $ */
2/** @file
3 * PATM - Dynamic Guest OS Patching Manager
4 *
5 * @note Never ever reuse patch memory!!
6 */
7
8/*
9 * Copyright (C) 2006-2015 Oracle Corporation
10 *
11 * This file is part of VirtualBox Open Source Edition (OSE), as
12 * available from http://www.virtualbox.org. This file is free software;
13 * you can redistribute it and/or modify it under the terms of the GNU
14 * General Public License (GPL) as published by the Free Software
15 * Foundation, in version 2 as it comes in the "COPYING" file of the
16 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
17 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
18 */
19
20/** @page pg_patm PATM - Patch Manager
21 *
22 * The patch manager (PATM) patches privileged guest code to allow it to execute
23 * directly in raw-mode.
24 *
25 * The PATM works closely together with the @ref pg_csam "CSAM" detect code
26 * needing patching and detected changes to the patch. It also interfaces with
27 * other components, like @ref pg_trpm "TRPM" and @ref pg_rem "REM", for these
28 * purposes.
29 *
30 * @sa @ref grp_patm
31 */
32
33/*********************************************************************************************************************************
34* Header Files *
35*********************************************************************************************************************************/
36#define LOG_GROUP LOG_GROUP_PATM
37#include <VBox/vmm/patm.h>
38#include <VBox/vmm/stam.h>
39#include <VBox/vmm/pdmapi.h>
40#include <VBox/vmm/pgm.h>
41#include <VBox/vmm/cpum.h>
42#include <VBox/vmm/cpumdis.h>
43#include <VBox/vmm/iom.h>
44#include <VBox/vmm/mm.h>
45#include <VBox/vmm/em.h>
46#include <VBox/vmm/hm.h>
47#include <VBox/vmm/ssm.h>
48#include <VBox/vmm/trpm.h>
49#include <VBox/vmm/cfgm.h>
50#include <VBox/param.h>
51#include <VBox/vmm/selm.h>
52#include <VBox/vmm/csam.h>
53#include <iprt/avl.h>
54#include "PATMInternal.h"
55#include "PATMPatch.h"
56#include <VBox/vmm/vm.h>
57#include <VBox/vmm/uvm.h>
58#include <VBox/dbg.h>
59#include <VBox/err.h>
60#include <VBox/log.h>
61#include <iprt/assert.h>
62#include <iprt/asm.h>
63#include <VBox/dis.h>
64#include <VBox/disopcode.h>
65#include "internal/pgm.h"
66
67#include <iprt/string.h>
68#include "PATMA.h"
69
70//#define PATM_REMOVE_PATCH_ON_TOO_MANY_TRAPS
71//#define PATM_DISABLE_ALL
72
73/**
74 * Refresh trampoline patch state.
75 */
76typedef struct PATMREFRESHPATCH
77{
78 /** Pointer to the VM structure. */
79 PVM pVM;
80 /** The trampoline patch record. */
81 PPATCHINFO pPatchTrampoline;
82 /** The new patch we want to jump to. */
83 PPATCHINFO pPatchRec;
84} PATMREFRESHPATCH, *PPATMREFRESHPATCH;
85
86
87#define PATMREAD_RAWCODE 1 /* read code as-is */
88#define PATMREAD_ORGCODE 2 /* read original guest opcode bytes; not the patched bytes */
89#define PATMREAD_NOCHECK 4 /* don't check for patch conflicts */
90
91/*
92 * Private structure used during disassembly
93 */
94typedef struct
95{
96 PVM pVM;
97 PPATCHINFO pPatchInfo;
98 R3PTRTYPE(uint8_t *) pbInstrHC;
99 RTRCPTR pInstrGC;
100 uint32_t fReadFlags;
101} PATMDISASM, *PPATMDISASM;
102
103
104/*********************************************************************************************************************************
105* Internal Functions *
106*********************************************************************************************************************************/
107static int patmDisableUnusablePatch(PVM pVM, RTRCPTR pInstrGC, RTRCPTR pConflictAddr, PPATCHINFO pPatch);
108static int patmActivateInt3Patch(PVM pVM, PPATCHINFO pPatch);
109static int patmDeactivateInt3Patch(PVM pVM, PPATCHINFO pPatch);
110
111#ifdef LOG_ENABLED // keep gcc quiet
112static bool patmIsCommonIDTHandlerPatch(PVM pVM, RTRCPTR pInstrGC);
113#endif
114#ifdef VBOX_WITH_STATISTICS
115static const char *PATMPatchType(PVM pVM, PPATCHINFO pPatch);
116static void patmResetStat(PVM pVM, void *pvSample);
117static void patmPrintStat(PVM pVM, void *pvSample, char *pszBuf, size_t cchBuf);
118#endif
119
120#define patmPatchHCPtr2PatchGCPtr(pVM, pHC) (pVM->patm.s.pPatchMemGC + (pHC - pVM->patm.s.pPatchMemHC))
121#define patmPatchGCPtr2PatchHCPtr(pVM, pGC) (pVM->patm.s.pPatchMemHC + (pGC - pVM->patm.s.pPatchMemGC))
122
123static int patmReinit(PVM pVM);
124static DECLCALLBACK(int) patmR3RelocatePatches(PAVLOU32NODECORE pNode, void *pParam);
125static RTRCPTR patmR3GuestGCPtrToPatchGCPtrSimple(PVM pVM, RCPTRTYPE(uint8_t*) pInstrGC);
126static int patmR3MarkDirtyPatch(PVM pVM, PPATCHINFO pPatch);
127
128#ifdef VBOX_WITH_DEBUGGER
129static DECLCALLBACK(int) DisableAllPatches(PAVLOU32NODECORE pNode, void *pVM);
130static FNDBGCCMD patmr3CmdOn;
131static FNDBGCCMD patmr3CmdOff;
132
133/** Command descriptors. */
134static const DBGCCMD g_aCmds[] =
135{
136 /* pszCmd, cArgsMin, cArgsMax, paArgDesc, cArgDescs, fFlags, pfnHandler pszSyntax, ....pszDescription */
137 { "patmon", 0, 0, NULL, 0, 0, patmr3CmdOn, "", "Enable patching." },
138 { "patmoff", 0, 0, NULL, 0, 0, patmr3CmdOff, "", "Disable patching." },
139};
140#endif
141
142/* Don't want to break saved states, so put it here as a global variable. */
143static unsigned int cIDTHandlersDisabled = 0;
144
145/**
146 * Initializes the PATM.
147 *
148 * @returns VBox status code.
149 * @param pVM The cross context VM structure.
150 */
151VMMR3_INT_DECL(int) PATMR3Init(PVM pVM)
152{
153 int rc;
154
155 /*
156 * We only need a saved state dummy loader if HM is enabled.
157 */
158 if (HMIsEnabled(pVM))
159 {
160 pVM->fPATMEnabled = false;
161 return SSMR3RegisterStub(pVM, "PATM", 0);
162 }
163
164 /*
165 * Raw-mode.
166 */
167 Log(("PATMR3Init: Patch record size %d\n", sizeof(PATCHINFO)));
168
169 /* These values can't change as they are hardcoded in patch code (old saved states!) */
170 AssertCompile(VMCPU_FF_TIMER == RT_BIT_32(2));
171 AssertCompile(VM_FF_REQUEST == VMCPU_FF_REQUEST);
172 AssertCompile(VMCPU_FF_INTERRUPT_APIC == RT_BIT_32(0));
173 AssertCompile(VMCPU_FF_INTERRUPT_PIC == RT_BIT_32(1));
174
175 AssertReleaseMsg(g_fPatmInterruptFlag == (VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC | VMCPU_FF_TIMER | VMCPU_FF_REQUEST),
176 ("Interrupt flags out of sync!! g_fPatmInterruptFlag=%#x expected %#x. broken assembler?\n", g_fPatmInterruptFlag, VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC | VMCPU_FF_TIMER | VMCPU_FF_REQUEST));
177
178 /* Allocate patch memory and GC patch state memory. */
179 pVM->patm.s.cbPatchMem = PATCH_MEMORY_SIZE;
180 /* Add another page in case the generated code is much larger than expected. */
181 /** @todo bad safety precaution */
182 rc = MMR3HyperAllocOnceNoRel(pVM, PATCH_MEMORY_SIZE + PAGE_SIZE + PATM_STACK_TOTAL_SIZE + PAGE_SIZE + PATM_STAT_MEMSIZE, PAGE_SIZE, MM_TAG_PATM, (void **)&pVM->patm.s.pPatchMemHC);
183 if (RT_FAILURE(rc))
184 {
185 Log(("MMHyperAlloc failed with %Rrc\n", rc));
186 return rc;
187 }
188 pVM->patm.s.pPatchMemGC = MMHyperR3ToRC(pVM, pVM->patm.s.pPatchMemHC);
189
190 /* PATM stack page for call instruction execution. (2 parts: one for our private stack and one to store the original return address */
191 pVM->patm.s.pGCStackHC = (RTRCPTR *)(pVM->patm.s.pPatchMemHC + PATCH_MEMORY_SIZE + PAGE_SIZE);
192 pVM->patm.s.pGCStackGC = MMHyperR3ToRC(pVM, pVM->patm.s.pGCStackHC);
193
194 patmR3DbgInit(pVM);
195
196 /*
197 * Hypervisor memory for GC status data (read/write)
198 *
199 * Note1: This is non-critical data; if trashed by the guest, then it will only cause problems for itself
200 * Note2: This doesn't really belong here, but we need access to it for relocation purposes
201 *
202 */
203 Assert(sizeof(PATMGCSTATE) < PAGE_SIZE); /* Note: hardcoded dependencies on this exist. */
204 pVM->patm.s.pGCStateHC = (PPATMGCSTATE)((uint8_t *)pVM->patm.s.pGCStackHC + PATM_STACK_TOTAL_SIZE);
205 pVM->patm.s.pGCStateGC = MMHyperR3ToRC(pVM, pVM->patm.s.pGCStateHC);
206
207 /* Hypervisor memory for patch statistics */
208 pVM->patm.s.pStatsHC = (PSTAMRATIOU32)((uint8_t *)pVM->patm.s.pGCStateHC + PAGE_SIZE);
209 pVM->patm.s.pStatsGC = MMHyperR3ToRC(pVM, pVM->patm.s.pStatsHC);
210
211 /* Memory for patch lookup trees. */
212 rc = MMHyperAlloc(pVM, sizeof(*pVM->patm.s.PatchLookupTreeHC), 0, MM_TAG_PATM, (void **)&pVM->patm.s.PatchLookupTreeHC);
213 AssertRCReturn(rc, rc);
214 pVM->patm.s.PatchLookupTreeGC = MMHyperR3ToRC(pVM, pVM->patm.s.PatchLookupTreeHC);
215
216#ifdef RT_ARCH_AMD64 /* see patmReinit(). */
217 /* Check CFGM option. */
218 rc = CFGMR3QueryBool(CFGMR3GetRoot(pVM), "PATMEnabled", &pVM->fPATMEnabled);
219 if (RT_FAILURE(rc))
220# ifdef PATM_DISABLE_ALL
221 pVM->fPATMEnabled = false;
222# else
223 pVM->fPATMEnabled = true;
224# endif
225#endif
226
227 rc = patmReinit(pVM);
228 AssertRC(rc);
229 if (RT_FAILURE(rc))
230 return rc;
231
232 /*
233 * Register the virtual page access handler type.
234 */
235 rc = PGMR3HandlerVirtualTypeRegister(pVM, PGMVIRTHANDLERKIND_ALL, false /*fRelocUserRC*/,
236 NULL /*pfnInvalidateR3*/,
237 patmVirtPageHandler,
238 "patmVirtPageHandler", "patmRCVirtPagePfHandler",
239 "PATMMonitorPatchJump", &pVM->patm.s.hMonitorPageType);
240 AssertRCReturn(rc, rc);
241
242 /*
243 * Register save and load state notifiers.
244 */
245 rc = SSMR3RegisterInternal(pVM, "PATM", 0, PATM_SAVED_STATE_VERSION, sizeof(pVM->patm.s) + PATCH_MEMORY_SIZE + PAGE_SIZE + PATM_STACK_TOTAL_SIZE + PAGE_SIZE,
246 NULL, NULL, NULL,
247 NULL, patmR3Save, NULL,
248 NULL, patmR3Load, NULL);
249 AssertRCReturn(rc, rc);
250
251#ifdef VBOX_WITH_DEBUGGER
252 /*
253 * Debugger commands.
254 */
255 static bool s_fRegisteredCmds = false;
256 if (!s_fRegisteredCmds)
257 {
258 int rc2 = DBGCRegisterCommands(&g_aCmds[0], RT_ELEMENTS(g_aCmds));
259 if (RT_SUCCESS(rc2))
260 s_fRegisteredCmds = true;
261 }
262#endif
263
264#ifdef VBOX_WITH_STATISTICS
265 STAM_REG(pVM, &pVM->patm.s.StatNrOpcodeRead, STAMTYPE_COUNTER, "/PATM/OpcodeBytesRead", STAMUNIT_OCCURENCES, "The number of opcode bytes read by the recompiler.");
266 STAM_REG(pVM, &pVM->patm.s.StatPATMMemoryUsed,STAMTYPE_COUNTER, "/PATM/MemoryUsed", STAMUNIT_OCCURENCES, "The amount of hypervisor heap used for patches.");
267 STAM_REG(pVM, &pVM->patm.s.StatDisabled, STAMTYPE_COUNTER, "/PATM/Patch/Disabled", STAMUNIT_OCCURENCES, "Number of times patches were disabled.");
268 STAM_REG(pVM, &pVM->patm.s.StatEnabled, STAMTYPE_COUNTER, "/PATM/Patch/Enabled", STAMUNIT_OCCURENCES, "Number of times patches were enabled.");
269 STAM_REG(pVM, &pVM->patm.s.StatDirty, STAMTYPE_COUNTER, "/PATM/Patch/Dirty", STAMUNIT_OCCURENCES, "Number of times patches were marked dirty.");
270 STAM_REG(pVM, &pVM->patm.s.StatUnusable, STAMTYPE_COUNTER, "/PATM/Patch/Unusable", STAMUNIT_OCCURENCES, "Number of unusable patches (conflicts).");
271 STAM_REG(pVM, &pVM->patm.s.StatInstalled, STAMTYPE_COUNTER, "/PATM/Patch/Installed", STAMUNIT_OCCURENCES, "Number of installed patches.");
272 STAM_REG(pVM, &pVM->patm.s.StatInt3Callable, STAMTYPE_COUNTER, "/PATM/Patch/Int3Callable", STAMUNIT_OCCURENCES, "Number of cli patches turned into int3 patches.");
273
274 STAM_REG(pVM, &pVM->patm.s.StatInt3BlockRun, STAMTYPE_COUNTER, "/PATM/Patch/Run/Int3", STAMUNIT_OCCURENCES, "Number of times an int3 block patch was executed.");
275 STAMR3RegisterF(pVM, &pVM->patm.s.pGCStateHC->uPatchCalls, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/Patch/Run/Normal");
276
277 STAM_REG(pVM, &pVM->patm.s.StatInstalledFunctionPatches, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Function", STAMUNIT_OCCURENCES, "Number of installed function duplication patches.");
278 STAM_REG(pVM, &pVM->patm.s.StatInstalledTrampoline, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Trampoline", STAMUNIT_OCCURENCES, "Number of installed trampoline patches.");
279 STAM_REG(pVM, &pVM->patm.s.StatInstalledJump, STAMTYPE_COUNTER, "/PATM/Patch/Installed/Jump", STAMUNIT_OCCURENCES, "Number of installed jump patches.");
280
281 STAM_REG(pVM, &pVM->patm.s.StatOverwritten, STAMTYPE_COUNTER, "/PATM/Patch/Overwritten", STAMUNIT_OCCURENCES, "Number of overwritten patches.");
282 STAM_REG(pVM, &pVM->patm.s.StatFixedConflicts,STAMTYPE_COUNTER, "/PATM/Patch/ConflictFixed", STAMUNIT_OCCURENCES, "Number of fixed conflicts.");
283 STAM_REG(pVM, &pVM->patm.s.StatFlushed, STAMTYPE_COUNTER, "/PATM/Patch/Flushed", STAMUNIT_OCCURENCES, "Number of flushes of pages with patch jumps.");
284 STAM_REG(pVM, &pVM->patm.s.StatMonitored, STAMTYPE_COUNTER, "/PATM/Patch/Monitored", STAMUNIT_OCCURENCES, "Number of patches in monitored patch pages.");
285 STAM_REG(pVM, &pVM->patm.s.StatPageBoundaryCrossed, STAMTYPE_COUNTER, "/PATM/Patch/BoundaryCross", STAMUNIT_OCCURENCES, "Number of refused patches due to patch jump crossing page boundary.");
286
287 STAM_REG(pVM, &pVM->patm.s.StatHandleTrap, STAMTYPE_PROFILE, "/PATM/HandleTrap", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMR3HandleTrap");
288 STAM_REG(pVM, &pVM->patm.s.StatPushTrap, STAMTYPE_COUNTER, "/PATM/HandleTrap/PushWP", STAMUNIT_OCCURENCES, "Number of traps due to monitored stack pages.");
289
290 STAM_REG(pVM, &pVM->patm.s.StatSwitchBack, STAMTYPE_COUNTER, "/PATM/SwitchBack", STAMUNIT_OCCURENCES, "Switch back to original guest code when IF=1 & executing PATM instructions");
291 STAM_REG(pVM, &pVM->patm.s.StatSwitchBackFail,STAMTYPE_COUNTER, "/PATM/SwitchBackFail", STAMUNIT_OCCURENCES, "Failed switch back to original guest code when IF=1 & executing PATM instructions");
292
293 STAM_REG(pVM, &pVM->patm.s.StatDuplicateREQFailed, STAMTYPE_COUNTER, "/PATM/Function/DupREQ/Failed", STAMUNIT_OCCURENCES, "Nr of failed PATMR3DuplicateFunctionRequest calls");
294 STAM_REG(pVM, &pVM->patm.s.StatDuplicateREQSuccess, STAMTYPE_COUNTER, "/PATM/Function/DupREQ/Success", STAMUNIT_OCCURENCES, "Nr of successful PATMR3DuplicateFunctionRequest calls");
295 STAM_REG(pVM, &pVM->patm.s.StatDuplicateUseExisting,STAMTYPE_COUNTER, "/PATM/Function/DupREQ/UseExist", STAMUNIT_OCCURENCES, "Nr of successful PATMR3DuplicateFunctionRequest calls when using an existing patch");
296
297 STAM_REG(pVM, &pVM->patm.s.StatFunctionLookupInsert, STAMTYPE_COUNTER, "/PATM/Function/Lookup/Insert", STAMUNIT_OCCURENCES, "Nr of successful function address insertions");
298 STAM_REG(pVM, &pVM->patm.s.StatFunctionLookupReplace, STAMTYPE_COUNTER, "/PATM/Function/Lookup/Replace", STAMUNIT_OCCURENCES, "Nr of successful function address replacements");
299 STAM_REG(pVM, &pVM->patm.s.StatU32FunctionMaxSlotsUsed, STAMTYPE_U32_RESET,"/PATM/Function/Lookup/MaxSlots", STAMUNIT_OCCURENCES, "Maximum nr of lookup slots used in all call patches");
300
301 STAM_REG(pVM, &pVM->patm.s.StatFunctionFound, STAMTYPE_COUNTER, "/PATM/Function/Found", STAMUNIT_OCCURENCES, "Nr of successful function patch lookups in GC");
302 STAM_REG(pVM, &pVM->patm.s.StatFunctionNotFound, STAMTYPE_COUNTER, "/PATM/Function/NotFound", STAMUNIT_OCCURENCES, "Nr of failed function patch lookups in GC");
303
304 STAM_REG(pVM, &pVM->patm.s.StatPatchWrite, STAMTYPE_PROFILE, "/PATM/Write/Handle", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMR3PatchWrite");
305 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteDetect, STAMTYPE_PROFILE, "/PATM/Write/Detect", STAMUNIT_TICKS_PER_CALL, "Profiling of PATMIsWriteToPatchPage");
306 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteInterpreted, STAMTYPE_COUNTER, "/PATM/Write/Interpreted/Success", STAMUNIT_OCCURENCES, "Nr of interpreted patch writes.");
307 STAM_REG(pVM, &pVM->patm.s.StatPatchWriteInterpretedFailed, STAMTYPE_COUNTER, "/PATM/Write/Interpreted/Failed", STAMUNIT_OCCURENCES, "Nr of failed interpreted patch writes.");
308
309 STAM_REG(pVM, &pVM->patm.s.StatPatchRefreshSuccess, STAMTYPE_COUNTER, "/PATM/Refresh/Success", STAMUNIT_OCCURENCES, "Successful patch refreshes");
310 STAM_REG(pVM, &pVM->patm.s.StatPatchRefreshFailed, STAMTYPE_COUNTER, "/PATM/Refresh/Failure", STAMUNIT_OCCURENCES, "Failed patch refreshes");
311
312 STAM_REG(pVM, &pVM->patm.s.StatPatchPageInserted, STAMTYPE_COUNTER, "/PATM/Page/Inserted", STAMUNIT_OCCURENCES, "Nr of inserted guest pages that were patched");
313 STAM_REG(pVM, &pVM->patm.s.StatPatchPageRemoved, STAMTYPE_COUNTER, "/PATM/Page/Removed", STAMUNIT_OCCURENCES, "Nr of removed guest pages that were patched");
314
315 STAM_REG(pVM, &pVM->patm.s.StatInstrDirty, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Detected", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty.");
316 STAM_REG(pVM, &pVM->patm.s.StatInstrDirtyGood, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Corrected", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty and corrected later on.");
317 STAM_REG(pVM, &pVM->patm.s.StatInstrDirtyBad, STAMTYPE_COUNTER, "/PATM/Instr/Dirty/Failed", STAMUNIT_OCCURENCES, "Number of times instructions were marked dirty and we were not able to correct them.");
318
319 STAM_REG(pVM, &pVM->patm.s.StatSysEnter, STAMTYPE_COUNTER, "/PATM/Emul/SysEnter", STAMUNIT_OCCURENCES, "Number of times sysenter was emulated.");
320 STAM_REG(pVM, &pVM->patm.s.StatSysExit, STAMTYPE_COUNTER, "/PATM/Emul/SysExit" , STAMUNIT_OCCURENCES, "Number of times sysexit was emulated.");
321 STAM_REG(pVM, &pVM->patm.s.StatEmulIret, STAMTYPE_COUNTER, "/PATM/Emul/Iret/Success", STAMUNIT_OCCURENCES, "Number of times iret was emulated.");
322 STAM_REG(pVM, &pVM->patm.s.StatEmulIretFailed, STAMTYPE_COUNTER, "/PATM/Emul/Iret/Failed", STAMUNIT_OCCURENCES, "Number of times iret was emulated.");
323
324 STAM_REG(pVM, &pVM->patm.s.StatGenRet, STAMTYPE_COUNTER, "/PATM/Gen/Ret" , STAMUNIT_OCCURENCES, "Number of generated ret instructions.");
325 STAM_REG(pVM, &pVM->patm.s.StatGenRetReused, STAMTYPE_COUNTER, "/PATM/Gen/RetReused" , STAMUNIT_OCCURENCES, "Number of reused ret instructions.");
326 STAM_REG(pVM, &pVM->patm.s.StatGenCall, STAMTYPE_COUNTER, "/PATM/Gen/Call", STAMUNIT_OCCURENCES, "Number of generated call instructions.");
327 STAM_REG(pVM, &pVM->patm.s.StatGenJump, STAMTYPE_COUNTER, "/PATM/Gen/Jmp" , STAMUNIT_OCCURENCES, "Number of generated indirect jump instructions.");
328 STAM_REG(pVM, &pVM->patm.s.StatGenPopf, STAMTYPE_COUNTER, "/PATM/Gen/Popf" , STAMUNIT_OCCURENCES, "Number of generated popf instructions.");
329
330 STAM_REG(pVM, &pVM->patm.s.StatCheckPendingIRQ, STAMTYPE_COUNTER, "/PATM/GC/CheckIRQ" , STAMUNIT_OCCURENCES, "Number of traps that ask to check for pending irqs.");
331#endif /* VBOX_WITH_STATISTICS */
332
333 Log(("g_patmCallRecord.cbFunction %u\n", g_patmCallRecord.cbFunction));
334 Log(("g_patmCallIndirectRecord.cbFunction %u\n", g_patmCallIndirectRecord.cbFunction));
335 Log(("g_patmRetRecord.cbFunction %u\n", g_patmRetRecord.cbFunction));
336 Log(("g_patmJumpIndirectRecord.cbFunction %u\n", g_patmJumpIndirectRecord.cbFunction));
337 Log(("g_patmPopf32Record.cbFunction %u\n", g_patmPopf32Record.cbFunction));
338 Log(("g_patmIretRecord.cbFunction %u\n", g_patmIretRecord.cbFunction));
339 Log(("g_patmStiRecord.cbFunction %u\n", g_patmStiRecord.cbFunction));
340 Log(("g_patmCheckIFRecord.cbFunction %u\n", g_patmCheckIFRecord.cbFunction));
341
342 return rc;
343}
344
345/**
346 * Finalizes HMA page attributes.
347 *
348 * @returns VBox status code.
349 * @param pVM The cross context VM structure.
350 */
351VMMR3_INT_DECL(int) PATMR3InitFinalize(PVM pVM)
352{
353 if (HMIsEnabled(pVM))
354 return VINF_SUCCESS;
355
356 /*
357 * The GC state, stack and statistics must be read/write for the guest
358 * (supervisor only of course).
359 *
360 * Remember, we run guest code at ring-1 and ring-2 levels, which are
361 * considered supervisor levels by the paging structures. We run the VMM
362 * in ring-0 with CR0.WP=0 and mapping all VMM structures as read-only
363 * pages. The following structures are exceptions and must be mapped with
364 * write access so the ring-1 and ring-2 code can modify them.
365 */
366 int rc = PGMMapSetPage(pVM, pVM->patm.s.pGCStateGC, PAGE_SIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
367 AssertLogRelMsgReturn(RT_SUCCESS(rc), ("Failed to make the GCState accessible to ring-1 and ring-2 code: %Rrc\n", rc), rc);
368
369 rc = PGMMapSetPage(pVM, pVM->patm.s.pGCStackGC, PATM_STACK_TOTAL_SIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
370 AssertLogRelMsgReturn(RT_SUCCESS(rc), ("Failed to make the GCStack accessible to ring-1 and ring-2 code: %Rrc\n", rc), rc);
371
372 rc = PGMMapSetPage(pVM, pVM->patm.s.pStatsGC, PATM_STAT_MEMSIZE, X86_PTE_P | X86_PTE_A | X86_PTE_D | X86_PTE_RW);
373 AssertLogRelMsgReturn(RT_SUCCESS(rc), ("Failed to make the stats struct accessible to ring-1 and ring-2 code: %Rrc\n", rc), rc);
374
375 /*
376 * Find the patch helper segment so we can identify code running there as patch code.
377 */
378 rc = PDMR3LdrGetSymbolRC(pVM, NULL, "g_PatchHlpBegin", &pVM->patm.s.pbPatchHelpersRC);
379 AssertLogRelMsgReturn(RT_SUCCESS(rc), ("Failed to resolve g_PatchHlpBegin: %Rrc\n", rc), rc);
380 pVM->patm.s.pbPatchHelpersR3 = (uint8_t *)MMHyperRCToR3(pVM, pVM->patm.s.pbPatchHelpersRC);
381 AssertLogRelReturn(pVM->patm.s.pbPatchHelpersR3 != NULL, VERR_INTERNAL_ERROR_3);
382
383 RTRCPTR RCPtrEnd;
384 rc = PDMR3LdrGetSymbolRC(pVM, NULL, "g_PatchHlpEnd", &RCPtrEnd);
385 AssertLogRelMsgReturn(RT_SUCCESS(rc), ("Failed to resolve g_PatchHlpEnd: %Rrc\n", rc), rc);
386
387 pVM->patm.s.cbPatchHelpers = RCPtrEnd - pVM->patm.s.pbPatchHelpersRC;
388 AssertLogRelMsgReturn(pVM->patm.s.cbPatchHelpers < _128K,
389 ("%RRv-%RRv => %#x\n", pVM->patm.s.pbPatchHelpersRC, RCPtrEnd, pVM->patm.s.cbPatchHelpers),
390 VERR_INTERNAL_ERROR_4);
391
392
393 return VINF_SUCCESS;
394}
395
396/**
397 * (Re)initializes PATM
398 *
399 * @param pVM The cross context VM structure.
400 */
401static int patmReinit(PVM pVM)
402{
403 int rc;
404
405 /*
406 * Assert alignment and sizes.
407 */
408 AssertRelease(!(RT_OFFSETOF(VM, patm.s) & 31));
409 AssertRelease(sizeof(pVM->patm.s) <= sizeof(pVM->patm.padding));
410
411 /*
412 * Setup any fixed pointers and offsets.
413 */
414 pVM->patm.s.offVM = RT_OFFSETOF(VM, patm);
415
416#ifndef RT_ARCH_AMD64 /* would be nice if this was changed everywhere. was driving me crazy on AMD64. */
417#ifndef PATM_DISABLE_ALL
418 pVM->fPATMEnabled = true;
419#endif
420#endif
421
422 Assert(pVM->patm.s.pGCStateHC);
423 memset(pVM->patm.s.pGCStateHC, 0, PAGE_SIZE);
424 AssertReleaseMsg(pVM->patm.s.pGCStateGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pGCStateGC));
425
426 Log(("Patch memory allocated at %p - %RRv\n", pVM->patm.s.pPatchMemHC, pVM->patm.s.pPatchMemGC));
427 pVM->patm.s.pGCStateHC->uVMFlags = X86_EFL_IF;
428
429 Assert(pVM->patm.s.pGCStackHC);
430 memset(pVM->patm.s.pGCStackHC, 0, PAGE_SIZE);
431 AssertReleaseMsg(pVM->patm.s.pGCStackGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pGCStackGC));
432 pVM->patm.s.pGCStateHC->Psp = PATM_STACK_SIZE;
433 pVM->patm.s.pGCStateHC->fPIF = 1; /* PATM Interrupt Flag */
434
435 Assert(pVM->patm.s.pStatsHC);
436 memset(pVM->patm.s.pStatsHC, 0, PATM_STAT_MEMSIZE);
437 AssertReleaseMsg(pVM->patm.s.pStatsGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pStatsGC));
438
439 Assert(pVM->patm.s.pPatchMemHC);
440 Assert(pVM->patm.s.pPatchMemGC == MMHyperR3ToRC(pVM, pVM->patm.s.pPatchMemHC));
441 memset(pVM->patm.s.pPatchMemHC, 0, PATCH_MEMORY_SIZE);
442 AssertReleaseMsg(pVM->patm.s.pPatchMemGC, ("Impossible! MMHyperHC2GC(%p) failed!\n", pVM->patm.s.pPatchMemHC));
443
444 /* Needed for future patching of sldt/sgdt/sidt/str etc. */
445 pVM->patm.s.pCPUMCtxGC = VM_RC_ADDR(pVM, CPUMQueryGuestCtxPtr(VMMGetCpu(pVM)));
446
447 Assert(pVM->patm.s.PatchLookupTreeHC);
448 Assert(pVM->patm.s.PatchLookupTreeGC == MMHyperR3ToRC(pVM, pVM->patm.s.PatchLookupTreeHC));
449
450 /*
451 * (Re)Initialize PATM structure
452 */
453 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTree);
454 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr);
455 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage);
456 pVM->patm.s.offPatchMem = 16; /* don't start with zero here */
457 pVM->patm.s.uCurrentPatchIdx = 1; /* Index zero is a dummy */
458 pVM->patm.s.pvFaultMonitor = 0;
459 pVM->patm.s.deltaReloc = 0;
460
461 /* Lowest and highest patched instruction */
462 pVM->patm.s.pPatchedInstrGCLowest = ~0;
463 pVM->patm.s.pPatchedInstrGCHighest = 0;
464
465 pVM->patm.s.PatchLookupTreeHC->PatchTree = 0;
466 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr = 0;
467 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage = 0;
468
469 pVM->patm.s.pfnSysEnterPatchGC = 0;
470 pVM->patm.s.pfnSysEnterGC = 0;
471
472 pVM->patm.s.fOutOfMemory = false;
473
474 pVM->patm.s.pfnHelperCallGC = 0;
475 patmR3DbgReset(pVM);
476
477 /* Generate all global functions to be used by future patches. */
478 /* We generate a fake patch in order to use the existing code for relocation. */
479 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHREC), 0, MM_TAG_PATM_PATCH, (void **)&pVM->patm.s.pGlobalPatchRec);
480 if (RT_FAILURE(rc))
481 {
482 Log(("Out of memory!!!!\n"));
483 return VERR_NO_MEMORY;
484 }
485 pVM->patm.s.pGlobalPatchRec->patch.flags = PATMFL_GLOBAL_FUNCTIONS;
486 pVM->patm.s.pGlobalPatchRec->patch.uState = PATCH_ENABLED;
487 pVM->patm.s.pGlobalPatchRec->patch.pPatchBlockOffset = pVM->patm.s.offPatchMem;
488
489 rc = patmPatchGenGlobalFunctions(pVM, &pVM->patm.s.pGlobalPatchRec->patch);
490 AssertRC(rc);
491
492 /* Update free pointer in patch memory. */
493 pVM->patm.s.offPatchMem += pVM->patm.s.pGlobalPatchRec->patch.uCurPatchOffset;
494 /* Round to next 8 byte boundary. */
495 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
496
497
498 return rc;
499}
500
501
502/**
503 * Applies relocations to data and code managed by this
504 * component. This function will be called at init and
505 * whenever the VMM need to relocate it self inside the GC.
506 *
507 * The PATM will update the addresses used by the switcher.
508 *
509 * @param pVM The cross context VM structure.
510 * @param offDelta The relocation delta.
511 */
512VMMR3_INT_DECL(void) PATMR3Relocate(PVM pVM, RTRCINTPTR offDelta)
513{
514 if (HMIsEnabled(pVM))
515 return;
516
517 RTRCPTR GCPtrNew = MMHyperR3ToRC(pVM, pVM->patm.s.pGCStateHC);
518 Assert((RTRCINTPTR)(GCPtrNew - pVM->patm.s.pGCStateGC) == offDelta);
519
520 Log(("PATMR3Relocate from %RRv to %RRv - delta %08X\n", pVM->patm.s.pGCStateGC, GCPtrNew, offDelta));
521 if (offDelta)
522 {
523 PCPUMCTX pCtx;
524
525 /* Update CPUMCTX guest context pointer. */
526 pVM->patm.s.pCPUMCtxGC += offDelta;
527
528 pVM->patm.s.deltaReloc = offDelta;
529 RTAvloU32DoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, patmR3RelocatePatches, (void *)pVM);
530
531 pVM->patm.s.pGCStateGC = GCPtrNew;
532 pVM->patm.s.pPatchMemGC = MMHyperR3ToRC(pVM, pVM->patm.s.pPatchMemHC);
533 pVM->patm.s.pGCStackGC = MMHyperR3ToRC(pVM, pVM->patm.s.pGCStackHC);
534 pVM->patm.s.pStatsGC = MMHyperR3ToRC(pVM, pVM->patm.s.pStatsHC);
535 pVM->patm.s.PatchLookupTreeGC = MMHyperR3ToRC(pVM, pVM->patm.s.PatchLookupTreeHC);
536
537 if (pVM->patm.s.pfnSysEnterPatchGC)
538 pVM->patm.s.pfnSysEnterPatchGC += offDelta;
539
540 /* If we are running patch code right now, then also adjust EIP. */
541 pCtx = CPUMQueryGuestCtxPtr(VMMGetCpu(pVM));
542 if (PATMIsPatchGCAddr(pVM, pCtx->eip))
543 pCtx->eip += offDelta;
544
545 /* Deal with the global patch functions. */
546 pVM->patm.s.pfnHelperCallGC += offDelta;
547 pVM->patm.s.pfnHelperRetGC += offDelta;
548 pVM->patm.s.pfnHelperIretGC += offDelta;
549 pVM->patm.s.pfnHelperJumpGC += offDelta;
550
551 pVM->patm.s.pbPatchHelpersRC += offDelta;
552
553 patmR3RelocatePatches(&pVM->patm.s.pGlobalPatchRec->Core, (void *)pVM);
554 }
555}
556
557
558/**
559 * Terminates the PATM.
560 *
561 * Termination means cleaning up and freeing all resources,
562 * the VM it self is at this point powered off or suspended.
563 *
564 * @returns VBox status code.
565 * @param pVM The cross context VM structure.
566 */
567VMMR3_INT_DECL(int) PATMR3Term(PVM pVM)
568{
569 if (HMIsEnabled(pVM))
570 return VINF_SUCCESS;
571
572 patmR3DbgTerm(pVM);
573
574 /* Memory was all allocated from the two MM heaps and requires no freeing. */
575 return VINF_SUCCESS;
576}
577
578
579/**
580 * PATM reset callback.
581 *
582 * @returns VBox status code.
583 * @param pVM The cross context VM structure.
584 */
585VMMR3_INT_DECL(int) PATMR3Reset(PVM pVM)
586{
587 Log(("PATMR3Reset\n"));
588 if (HMIsEnabled(pVM))
589 return VINF_SUCCESS;
590
591 /* Free all patches. */
592 for (;;)
593 {
594 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloU32RemoveBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, 0, true);
595 if (pPatchRec)
596 patmR3RemovePatch(pVM, pPatchRec, true);
597 else
598 break;
599 }
600 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage);
601 Assert(!pVM->patm.s.PatchLookupTreeHC->PatchTree);
602 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr = 0;
603 pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage = 0;
604
605 int rc = patmReinit(pVM);
606 if (RT_SUCCESS(rc))
607 rc = PATMR3InitFinalize(pVM); /* paranoia */
608
609 return rc;
610}
611
612/**
613 * @callback_method_impl{FNDISREADBYTES}
614 */
615static DECLCALLBACK(int) patmReadBytes(PDISCPUSTATE pDis, uint8_t offInstr, uint8_t cbMinRead, uint8_t cbMaxRead)
616{
617 PATMDISASM *pDisInfo = (PATMDISASM *)pDis->pvUser;
618
619/** @todo change this to read more! */
620 /*
621 * Trap/interrupt handler typically call common code on entry. Which might already have patches inserted.
622 * As we currently don't support calling patch code from patch code, we'll let it read the original opcode bytes instead.
623 */
624 /** @todo could change in the future! */
625 if (pDisInfo->fReadFlags & PATMREAD_ORGCODE)
626 {
627 size_t cbRead = cbMaxRead;
628 RTUINTPTR uSrcAddr = pDis->uInstrAddr + offInstr;
629 int rc = PATMR3ReadOrgInstr(pDisInfo->pVM, pDis->uInstrAddr + offInstr, &pDis->abInstr[offInstr], cbRead, &cbRead);
630 if (RT_SUCCESS(rc))
631 {
632 if (cbRead >= cbMinRead)
633 {
634 pDis->cbCachedInstr = offInstr + (uint8_t)cbRead;
635 return VINF_SUCCESS;
636 }
637
638 cbMinRead -= (uint8_t)cbRead;
639 cbMaxRead -= (uint8_t)cbRead;
640 offInstr += (uint8_t)cbRead;
641 uSrcAddr += cbRead;
642 }
643
644#ifdef VBOX_STRICT
645 if ( !(pDisInfo->pPatchInfo->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER))
646 && !(pDisInfo->fReadFlags & PATMREAD_NOCHECK))
647 {
648 Assert(PATMR3IsInsidePatchJump(pDisInfo->pVM, pDis->uInstrAddr + offInstr, NULL) == false);
649 Assert(PATMR3IsInsidePatchJump(pDisInfo->pVM, pDis->uInstrAddr + offInstr + cbMinRead-1, NULL) == false);
650 }
651#endif
652 }
653
654 int rc = VINF_SUCCESS;
655 RTGCPTR32 uSrcAddr = (RTGCPTR32)pDis->uInstrAddr + offInstr;
656 if ( !pDisInfo->pbInstrHC
657 || ( PAGE_ADDRESS(pDisInfo->pInstrGC) != PAGE_ADDRESS(uSrcAddr + cbMinRead - 1)
658 && !PATMIsPatchGCAddr(pDisInfo->pVM, uSrcAddr)))
659 {
660 Assert(!PATMIsPatchGCAddr(pDisInfo->pVM, uSrcAddr));
661 rc = PGMPhysSimpleReadGCPtr(&pDisInfo->pVM->aCpus[0], &pDis->abInstr[offInstr], uSrcAddr, cbMinRead);
662 offInstr += cbMinRead;
663 }
664 else
665 {
666 /*
667 * pbInstrHC is the base address; adjust according to the GC pointer.
668 *
669 * Try read the max number of bytes here. Since the disassembler only
670 * ever uses these bytes for the current instruction, it doesn't matter
671 * much if we accidentally read the start of the next instruction even
672 * if it happens to be a patch jump or int3.
673 */
674 uint8_t const *pbInstrHC = pDisInfo->pbInstrHC; AssertPtr(pbInstrHC);
675 pbInstrHC += uSrcAddr - pDisInfo->pInstrGC;
676
677 size_t cbMaxRead1 = PAGE_SIZE - (uSrcAddr & PAGE_OFFSET_MASK);
678 size_t cbMaxRead2 = PAGE_SIZE - ((uintptr_t)pbInstrHC & PAGE_OFFSET_MASK);
679 size_t cbToRead = RT_MIN(cbMaxRead1, RT_MAX(cbMaxRead2, cbMinRead));
680 if (cbToRead > cbMaxRead)
681 cbToRead = cbMaxRead;
682
683 memcpy(&pDis->abInstr[offInstr], pbInstrHC, cbToRead);
684 offInstr += (uint8_t)cbToRead;
685 }
686
687 pDis->cbCachedInstr = offInstr;
688 return rc;
689}
690
691
692DECLINLINE(bool) patmR3DisInstrToStr(PVM pVM, PPATCHINFO pPatch, RTGCPTR32 InstrGCPtr32, uint8_t *pbInstrHC, uint32_t fReadFlags,
693 PDISCPUSTATE pCpu, uint32_t *pcbInstr, char *pszOutput, size_t cbOutput)
694{
695 PATMDISASM disinfo;
696 disinfo.pVM = pVM;
697 disinfo.pPatchInfo = pPatch;
698 disinfo.pbInstrHC = pbInstrHC;
699 disinfo.pInstrGC = InstrGCPtr32;
700 disinfo.fReadFlags = fReadFlags;
701 return RT_SUCCESS(DISInstrToStrWithReader(InstrGCPtr32,
702 (pPatch->flags & PATMFL_CODE32) ? DISCPUMODE_32BIT : DISCPUMODE_16BIT,
703 patmReadBytes, &disinfo,
704 pCpu, pcbInstr, pszOutput, cbOutput));
705}
706
707
708DECLINLINE(bool) patmR3DisInstr(PVM pVM, PPATCHINFO pPatch, RTGCPTR32 InstrGCPtr32, uint8_t *pbInstrHC, uint32_t fReadFlags,
709 PDISCPUSTATE pCpu, uint32_t *pcbInstr)
710{
711 PATMDISASM disinfo;
712 disinfo.pVM = pVM;
713 disinfo.pPatchInfo = pPatch;
714 disinfo.pbInstrHC = pbInstrHC;
715 disinfo.pInstrGC = InstrGCPtr32;
716 disinfo.fReadFlags = fReadFlags;
717 return RT_SUCCESS(DISInstrWithReader(InstrGCPtr32,
718 (pPatch->flags & PATMFL_CODE32) ? DISCPUMODE_32BIT : DISCPUMODE_16BIT,
719 patmReadBytes, &disinfo,
720 pCpu, pcbInstr));
721}
722
723
724DECLINLINE(bool) patmR3DisInstrNoStrOpMode(PVM pVM, PPATCHINFO pPatch, RTGCPTR32 InstrGCPtr32, uint8_t *pbInstrHC,
725 uint32_t fReadFlags,
726 PDISCPUSTATE pCpu, uint32_t *pcbInstr)
727{
728 PATMDISASM disinfo;
729 disinfo.pVM = pVM;
730 disinfo.pPatchInfo = pPatch;
731 disinfo.pbInstrHC = pbInstrHC;
732 disinfo.pInstrGC = InstrGCPtr32;
733 disinfo.fReadFlags = fReadFlags;
734 return RT_SUCCESS(DISInstrWithReader(InstrGCPtr32, pPatch->uOpMode, patmReadBytes, &disinfo,
735 pCpu, pcbInstr));
736}
737
738#ifdef LOG_ENABLED
739# define PATM_LOG_ORG_PATCH_INSTR(a_pVM, a_pPatch, a_szComment) \
740 PATM_LOG_PATCH_INSTR(a_pVM, a_pPatch, PATMREAD_ORGCODE, a_szComment, " patch:")
741# define PATM_LOG_RAW_PATCH_INSTR(a_pVM, a_pPatch, a_szComment) \
742 PATM_LOG_PATCH_INSTR(a_pVM, a_pPatch, PATMREAD_RAWCODE, a_szComment, " patch:")
743
744# define PATM_LOG_PATCH_INSTR(a_pVM, a_pPatch, a_fFlags, a_szComment1, a_szComment2) \
745 do { \
746 if (LogIsEnabled()) \
747 patmLogRawPatchInstr(a_pVM, a_pPatch, a_fFlags, a_szComment1, a_szComment2); \
748 } while (0)
749
750static void patmLogRawPatchInstr(PVM pVM, PPATCHINFO pPatch, uint32_t fFlags,
751 const char *pszComment1, const char *pszComment2)
752{
753 DISCPUSTATE DisState;
754 char szOutput[128];
755 szOutput[0] = '\0';
756 patmR3DisInstrToStr(pVM, pPatch, pPatch->pPrivInstrGC, NULL, fFlags,
757 &DisState, NULL, szOutput, sizeof(szOutput));
758 Log(("%s%s %s", pszComment1, pszComment2, szOutput));
759}
760
761#else
762# define PATM_LOG_ORG_PATCH_INSTR(a_pVM, a_pPatch, a_szComment) do { } while (0)
763# define PATM_LOG_RAW_PATCH_INSTR(a_pVM, a_pPatch, a_szComment) do { } while (0)
764# define PATM_LOG_PATCH_INSTR(a_pVM, a_pPatch, a_fFlags, a_szComment1, a_szComment2) do { } while (0)
765#endif
766
767
768/**
769 * Callback function for RTAvloU32DoWithAll
770 *
771 * Updates all fixups in the patches
772 *
773 * @returns VBox status code.
774 * @param pNode Current node
775 * @param pParam Pointer to the VM.
776 */
777static DECLCALLBACK(int) patmR3RelocatePatches(PAVLOU32NODECORE pNode, void *pParam)
778{
779 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
780 PVM pVM = (PVM)pParam;
781 RTRCINTPTR delta;
782 int rc;
783
784 /* Nothing to do if the patch is not active. */
785 if (pPatch->patch.uState == PATCH_REFUSED)
786 return 0;
787
788 if (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE)
789 PATM_LOG_PATCH_INSTR(pVM, &pPatch->patch, PATMREAD_RAWCODE, "Org patch jump:", "");
790
791 Log(("Nr of fixups %d\n", pPatch->patch.nrFixups));
792 delta = (RTRCINTPTR)pVM->patm.s.deltaReloc;
793
794 /*
795 * Apply fixups.
796 */
797 AVLPVKEY key = NULL;
798 for (;;)
799 {
800 /* Get the record that's closest from above (after or equal to key). */
801 PRELOCREC pRec = (PRELOCREC)RTAvlPVGetBestFit(&pPatch->patch.FixupTree, key, true);
802 if (!pRec)
803 break;
804
805 key = (uint8_t *)pRec->Core.Key + 1; /* search for the next record during the next round. */
806
807 switch (pRec->uType)
808 {
809 case FIXUP_ABSOLUTE_IN_PATCH_ASM_TMPL:
810 Assert(pRec->pDest == pRec->pSource); Assert(PATM_IS_ASMFIX(pRec->pSource));
811 Log(("Absolute patch template fixup type %#x at %RHv -> %RHv at %RRv\n", pRec->pSource, *(RTRCUINTPTR *)pRec->pRelocPos, *(RTRCINTPTR*)pRec->pRelocPos + delta, pRec->pRelocPos));
812 *(RTRCUINTPTR *)pRec->pRelocPos += delta;
813 break;
814
815 case FIXUP_ABSOLUTE:
816 Log(("Absolute fixup at %RRv %RHv -> %RHv at %RRv\n", pRec->pSource, *(RTRCUINTPTR *)pRec->pRelocPos, *(RTRCINTPTR*)pRec->pRelocPos + delta, pRec->pRelocPos));
817 if ( !pRec->pSource
818 || PATMIsPatchGCAddr(pVM, pRec->pSource))
819 {
820 *(RTRCUINTPTR *)pRec->pRelocPos += delta;
821 }
822 else
823 {
824 uint8_t curInstr[15];
825 uint8_t oldInstr[15];
826 Assert(pRec->pSource && pPatch->patch.cbPrivInstr <= 15);
827
828 Assert(!(pPatch->patch.flags & PATMFL_GLOBAL_FUNCTIONS));
829
830 memcpy(oldInstr, pPatch->patch.aPrivInstr, pPatch->patch.cbPrivInstr);
831 *(RTRCPTR *)&oldInstr[pPatch->patch.cbPrivInstr - sizeof(RTRCPTR)] = pRec->pDest;
832
833 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), curInstr, pPatch->patch.pPrivInstrGC, pPatch->patch.cbPrivInstr);
834 Assert(RT_SUCCESS(rc) || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT);
835
836 pRec->pDest = (RTRCPTR)((RTRCUINTPTR)pRec->pDest + delta);
837
838 if ( rc == VERR_PAGE_NOT_PRESENT
839 || rc == VERR_PAGE_TABLE_NOT_PRESENT)
840 {
841 RTRCPTR pPage = pPatch->patch.pPrivInstrGC & PAGE_BASE_GC_MASK;
842
843 Log(("PATM: Patch page not present -> check later!\n"));
844 rc = PGMR3HandlerVirtualRegister(pVM, VMMGetCpu(pVM), pVM->patm.s.hMonitorPageType,
845 pPage,
846 pPage + (PAGE_SIZE - 1) /* inclusive! */,
847 (void *)(uintptr_t)pPage, pPage, NULL /*pszDesc*/);
848 Assert(RT_SUCCESS(rc) || rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT);
849 }
850 else
851 if (memcmp(curInstr, oldInstr, pPatch->patch.cbPrivInstr))
852 {
853 Log(("PATM: Patch was overwritten -> disabling patch!!\n"));
854 /*
855 * Disable patch; this is not a good solution
856 */
857 /* @todo hopefully it was completely overwritten (if the read was successful)!!!! */
858 pPatch->patch.uState = PATCH_DISABLED;
859 }
860 else
861 if (RT_SUCCESS(rc))
862 {
863 *(RTRCPTR *)&curInstr[pPatch->patch.cbPrivInstr - sizeof(RTRCPTR)] = pRec->pDest;
864 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pRec->pSource, curInstr, pPatch->patch.cbPrivInstr);
865 AssertRC(rc);
866 }
867 }
868 break;
869
870 case FIXUP_REL_JMPTOPATCH:
871 {
872 RTRCPTR pTarget = (RTRCPTR)((RTRCINTPTR)pRec->pDest + delta);
873
874 if ( pPatch->patch.uState == PATCH_ENABLED
875 && (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE))
876 {
877 uint8_t oldJump[SIZEOF_NEAR_COND_JUMP32];
878 uint8_t temp[SIZEOF_NEAR_COND_JUMP32];
879 RTRCPTR pJumpOffGC;
880 RTRCINTPTR displ = (RTRCINTPTR)pTarget - (RTRCINTPTR)pRec->pSource;
881 RTRCINTPTR displOld= (RTRCINTPTR)pRec->pDest - (RTRCINTPTR)pRec->pSource;
882
883#if 0 /** @todo '*(int32_t*)pRec->pRelocPos' crashes on restore of an XP VM here. pRelocPos=0x8000dbe2180a (bird) */
884 Log(("Relative fixup (g2p) %08X -> %08X at %08X (source=%08x, target=%08x)\n", *(int32_t*)pRec->pRelocPos, displ, pRec->pRelocPos, pRec->pSource, pRec->pDest));
885#else
886 Log(("Relative fixup (g2p) ???????? -> %08X at %08X (source=%08x, target=%08x)\n", displ, pRec->pRelocPos, pRec->pSource, pRec->pDest));
887#endif
888
889 Assert(pRec->pSource - pPatch->patch.cbPatchJump == pPatch->patch.pPrivInstrGC);
890#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
891 if (pPatch->patch.cbPatchJump == SIZEOF_NEAR_COND_JUMP32)
892 {
893 Assert(pPatch->patch.flags & PATMFL_JUMP_CONFLICT);
894
895 pJumpOffGC = pPatch->patch.pPrivInstrGC + 2; //two byte opcode
896 oldJump[0] = pPatch->patch.aPrivInstr[0];
897 oldJump[1] = pPatch->patch.aPrivInstr[1];
898 *(RTRCUINTPTR *)&oldJump[2] = displOld;
899 }
900 else
901#endif
902 if (pPatch->patch.cbPatchJump == SIZEOF_NEARJUMP32)
903 {
904 pJumpOffGC = pPatch->patch.pPrivInstrGC + 1; //one byte opcode
905 oldJump[0] = 0xE9;
906 *(RTRCUINTPTR *)&oldJump[1] = displOld;
907 }
908 else
909 {
910 AssertMsgFailed(("Invalid patch jump size %d\n", pPatch->patch.cbPatchJump));
911 continue; //this should never happen!!
912 }
913 Assert(pPatch->patch.cbPatchJump <= sizeof(temp));
914
915 /*
916 * Read old patch jump and compare it to the one we previously installed
917 */
918 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->patch.pPrivInstrGC, pPatch->patch.cbPatchJump);
919 Assert(RT_SUCCESS(rc) || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT);
920
921 if ( rc == VERR_PAGE_NOT_PRESENT
922 || rc == VERR_PAGE_TABLE_NOT_PRESENT)
923 {
924 RTRCPTR pPage = pPatch->patch.pPrivInstrGC & PAGE_BASE_GC_MASK;
925 Log(("PATM: Patch page not present -> check later!\n"));
926 rc = PGMR3HandlerVirtualRegister(pVM, VMMGetCpu(pVM), pVM->patm.s.hMonitorPageType,
927 pPage,
928 pPage + (PAGE_SIZE - 1) /* inclusive! */,
929 (void *)(uintptr_t)pPage, pPage, NULL /*pszDesc*/);
930 Assert(RT_SUCCESS(rc) || rc == VERR_PGM_HANDLER_VIRTUAL_CONFLICT);
931 }
932 else
933 if (memcmp(temp, oldJump, pPatch->patch.cbPatchJump))
934 {
935 Log(("PATM: Patch jump was overwritten -> disabling patch!!\n"));
936 /*
937 * Disable patch; this is not a good solution
938 */
939 /* @todo hopefully it was completely overwritten (if the read was successful)!!!! */
940 pPatch->patch.uState = PATCH_DISABLED;
941 }
942 else
943 if (RT_SUCCESS(rc))
944 {
945 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pJumpOffGC, &displ, sizeof(displ));
946 AssertRC(rc);
947 }
948 else
949 AssertMsgFailed(("Unexpected error %d from MMR3PhysReadGCVirt\n", rc));
950 }
951 else
952 Log(("Skip the guest jump to patch code for this disabled patch %RGv - %08X\n", pPatch->patch.pPrivInstrGC, pRec->pRelocPos));
953
954 pRec->pDest = pTarget;
955 break;
956 }
957
958 case FIXUP_REL_JMPTOGUEST:
959 {
960 RTRCPTR pSource = (RTRCPTR)((RTRCINTPTR)pRec->pSource + delta);
961 RTRCINTPTR displ = (RTRCINTPTR)pRec->pDest - (RTRCINTPTR)pSource;
962
963 Assert(!(pPatch->patch.flags & PATMFL_GLOBAL_FUNCTIONS));
964 Log(("Relative fixup (p2g) %08X -> %08X at %08X (source=%08x, target=%08x)\n", *(int32_t*)pRec->pRelocPos, displ, pRec->pRelocPos, pRec->pSource, pRec->pDest));
965 *(RTRCUINTPTR *)pRec->pRelocPos = displ;
966 pRec->pSource = pSource;
967 break;
968 }
969
970 case FIXUP_REL_HELPER_IN_PATCH_ASM_TMPL:
971 case FIXUP_CONSTANT_IN_PATCH_ASM_TMPL:
972 /* Only applicable when loading state. */
973 Assert(pRec->pDest == pRec->pSource);
974 Assert(PATM_IS_ASMFIX(pRec->pSource));
975 break;
976
977 default:
978 AssertMsg(0, ("Invalid fixup type!!\n"));
979 return VERR_INVALID_PARAMETER;
980 }
981 }
982
983 if (pPatch->patch.flags & PATMFL_PATCHED_GUEST_CODE)
984 PATM_LOG_PATCH_INSTR(pVM, &pPatch->patch, PATMREAD_RAWCODE, "Rel patch jump:", "");
985 return 0;
986}
987
988#ifdef VBOX_WITH_DEBUGGER
989
990/**
991 * Callback function for RTAvloU32DoWithAll
992 *
993 * Enables the patch that's being enumerated
994 *
995 * @returns 0 (continue enumeration).
996 * @param pNode Current node
997 * @param pVM The cross context VM structure.
998 */
999static DECLCALLBACK(int) EnableAllPatches(PAVLOU32NODECORE pNode, void *pVM)
1000{
1001 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
1002
1003 PATMR3EnablePatch((PVM)pVM, (RTRCPTR)pPatch->Core.Key);
1004 return 0;
1005}
1006
1007
1008/**
1009 * Callback function for RTAvloU32DoWithAll
1010 *
1011 * Disables the patch that's being enumerated
1012 *
1013 * @returns 0 (continue enumeration).
1014 * @param pNode Current node
1015 * @param pVM The cross context VM structure.
1016 */
1017static DECLCALLBACK(int) DisableAllPatches(PAVLOU32NODECORE pNode, void *pVM)
1018{
1019 PPATMPATCHREC pPatch = (PPATMPATCHREC)pNode;
1020
1021 PATMR3DisablePatch((PVM)pVM, (RTRCPTR)pPatch->Core.Key);
1022 return 0;
1023}
1024
1025#endif /* VBOX_WITH_DEBUGGER */
1026
1027/**
1028 * Returns the host context pointer of the GC context structure
1029 *
1030 * @returns VBox status code.
1031 * @param pVM The cross context VM structure.
1032 */
1033VMMR3_INT_DECL(PPATMGCSTATE) PATMR3QueryGCStateHC(PVM pVM)
1034{
1035 AssertReturn(!HMIsEnabled(pVM), NULL);
1036 return pVM->patm.s.pGCStateHC;
1037}
1038
1039
1040/**
1041 * Allows or disallow patching of privileged instructions executed by the guest OS
1042 *
1043 * @returns VBox status code.
1044 * @param pUVM The user mode VM handle.
1045 * @param fAllowPatching Allow/disallow patching
1046 */
1047VMMR3DECL(int) PATMR3AllowPatching(PUVM pUVM, bool fAllowPatching)
1048{
1049 UVM_ASSERT_VALID_EXT_RETURN(pUVM, VERR_INVALID_VM_HANDLE);
1050 PVM pVM = pUVM->pVM;
1051 VM_ASSERT_VALID_EXT_RETURN(pVM, VERR_INVALID_VM_HANDLE);
1052
1053 if (!HMIsEnabled(pVM))
1054 pVM->fPATMEnabled = fAllowPatching;
1055 else
1056 Assert(!pVM->fPATMEnabled);
1057 return VINF_SUCCESS;
1058}
1059
1060
1061/**
1062 * Checks if the patch manager is enabled or not.
1063 *
1064 * @returns true if enabled, false if not (or if invalid handle).
1065 * @param pUVM The user mode VM handle.
1066 */
1067VMMR3DECL(bool) PATMR3IsEnabled(PUVM pUVM)
1068{
1069 UVM_ASSERT_VALID_EXT_RETURN(pUVM, false);
1070 PVM pVM = pUVM->pVM;
1071 VM_ASSERT_VALID_EXT_RETURN(pVM, false);
1072 return PATMIsEnabled(pVM);
1073}
1074
1075
1076/**
1077 * Convert a GC patch block pointer to a HC patch pointer
1078 *
1079 * @returns HC pointer or NULL if it's not a GC patch pointer
1080 * @param pVM The cross context VM structure.
1081 * @param pAddrGC GC pointer
1082 */
1083VMMR3_INT_DECL(void *) PATMR3GCPtrToHCPtr(PVM pVM, RTRCPTR pAddrGC)
1084{
1085 AssertReturn(!HMIsEnabled(pVM), NULL);
1086 RTRCUINTPTR offPatch = (RTRCUINTPTR)pAddrGC - (RTRCUINTPTR)pVM->patm.s.pPatchMemGC;
1087 if (offPatch >= pVM->patm.s.cbPatchMem)
1088 {
1089 offPatch = (RTRCUINTPTR)pAddrGC - (RTRCUINTPTR)pVM->patm.s.pbPatchHelpersRC;
1090 if (offPatch >= pVM->patm.s.cbPatchHelpers)
1091 return NULL;
1092 return pVM->patm.s.pbPatchHelpersR3 + offPatch;
1093 }
1094 return pVM->patm.s.pPatchMemHC + offPatch;
1095}
1096
1097
1098/**
1099 * Convert guest context address to host context pointer
1100 *
1101 * @returns VBox status code.
1102 * @param pVM The cross context VM structure.
1103 * @param pCacheRec Address conversion cache record
1104 * @param pGCPtr Guest context pointer
1105 *
1106 * @returns Host context pointer or NULL in case of an error
1107 *
1108 */
1109R3PTRTYPE(uint8_t *) patmR3GCVirtToHCVirt(PVM pVM, PPATMP2GLOOKUPREC pCacheRec, RCPTRTYPE(uint8_t *) pGCPtr)
1110{
1111 int rc;
1112 R3PTRTYPE(uint8_t *) pHCPtr;
1113 uint32_t offset;
1114
1115 offset = (RTRCUINTPTR)pGCPtr - (RTRCUINTPTR)pVM->patm.s.pPatchMemGC;
1116 if (offset < pVM->patm.s.cbPatchMem)
1117 {
1118#ifdef VBOX_STRICT
1119 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
1120 Assert(pPatch); Assert(offset - pPatch->pPatchBlockOffset < pPatch->cbPatchBlockSize);
1121#endif
1122 return pVM->patm.s.pPatchMemHC + offset;
1123 }
1124 /* Note! We're _not_ including the patch helpers here. */
1125
1126 offset = pGCPtr & PAGE_OFFSET_MASK;
1127 if (pCacheRec->pGuestLoc == (pGCPtr & PAGE_BASE_GC_MASK))
1128 return pCacheRec->pPageLocStartHC + offset;
1129
1130 /* Release previous lock if any. */
1131 if (pCacheRec->Lock.pvMap)
1132 {
1133 PGMPhysReleasePageMappingLock(pVM, &pCacheRec->Lock);
1134 pCacheRec->Lock.pvMap = NULL;
1135 }
1136
1137 rc = PGMPhysGCPtr2CCPtrReadOnly(VMMGetCpu(pVM), pGCPtr, (const void **)&pHCPtr, &pCacheRec->Lock);
1138 if (rc != VINF_SUCCESS)
1139 {
1140 AssertMsg(rc == VINF_SUCCESS || rc == VERR_PAGE_NOT_PRESENT || rc == VERR_PAGE_TABLE_NOT_PRESENT, ("MMR3PhysGCVirt2HCVirtEx failed for %08X\n", pGCPtr));
1141 return NULL;
1142 }
1143 pCacheRec->pPageLocStartHC = (R3PTRTYPE(uint8_t*))((RTHCUINTPTR)pHCPtr & PAGE_BASE_HC_MASK);
1144 pCacheRec->pGuestLoc = pGCPtr & PAGE_BASE_GC_MASK;
1145 return pHCPtr;
1146}
1147
1148
1149/**
1150 * Calculates and fills in all branch targets
1151 *
1152 * @returns VBox status code.
1153 * @param pVM The cross context VM structure.
1154 * @param pPatch Current patch block pointer
1155 *
1156 */
1157static int patmr3SetBranchTargets(PVM pVM, PPATCHINFO pPatch)
1158{
1159 int32_t displ;
1160
1161 PJUMPREC pRec = 0;
1162 unsigned nrJumpRecs = 0;
1163
1164 /*
1165 * Set all branch targets inside the patch block.
1166 * We remove all jump records as they are no longer needed afterwards.
1167 */
1168 while (true)
1169 {
1170 RCPTRTYPE(uint8_t *) pInstrGC;
1171 RCPTRTYPE(uint8_t *) pBranchTargetGC = 0;
1172
1173 pRec = (PJUMPREC)RTAvlPVRemoveBestFit(&pPatch->JumpTree, 0, true);
1174 if (pRec == 0)
1175 break;
1176
1177 nrJumpRecs++;
1178
1179 /* HC in patch block to GC in patch block. */
1180 pInstrGC = patmPatchHCPtr2PatchGCPtr(pVM, pRec->pJumpHC);
1181
1182 if (pRec->opcode == OP_CALL)
1183 {
1184 /* Special case: call function replacement patch from this patch block.
1185 */
1186 PPATMPATCHREC pFunctionRec = patmQueryFunctionPatch(pVM, pRec->pTargetGC);
1187 if (!pFunctionRec)
1188 {
1189 int rc;
1190
1191 if (PATMR3HasBeenPatched(pVM, pRec->pTargetGC) == false)
1192 rc = PATMR3InstallPatch(pVM, pRec->pTargetGC, PATMFL_CODE32 | PATMFL_DUPLICATE_FUNCTION);
1193 else
1194 rc = VERR_PATCHING_REFUSED; /* exists as a normal patch; can't use it */
1195
1196 if (RT_FAILURE(rc))
1197 {
1198 uint8_t *pPatchHC;
1199 RTRCPTR pPatchGC;
1200 RTRCPTR pOrgInstrGC;
1201
1202 pOrgInstrGC = PATMR3PatchToGCPtr(pVM, pInstrGC, 0);
1203 Assert(pOrgInstrGC);
1204
1205 /* Failure for some reason -> mark exit point with int 3. */
1206 Log(("Failed to install function replacement patch (at %x) for reason %Rrc\n", pOrgInstrGC, rc));
1207
1208 pPatchGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pOrgInstrGC);
1209 Assert(pPatchGC);
1210
1211 pPatchHC = pVM->patm.s.pPatchMemHC + (pPatchGC - pVM->patm.s.pPatchMemGC);
1212
1213 /* Set a breakpoint at the very beginning of the recompiled instruction */
1214 *pPatchHC = 0xCC;
1215
1216 continue;
1217 }
1218 }
1219 else
1220 {
1221 Log(("Patch block %RRv called as function\n", pFunctionRec->patch.pPrivInstrGC));
1222 pFunctionRec->patch.flags |= PATMFL_CODE_REFERENCED;
1223 }
1224
1225 pBranchTargetGC = PATMR3QueryPatchGCPtr(pVM, pRec->pTargetGC);
1226 }
1227 else
1228 pBranchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pRec->pTargetGC);
1229
1230 if (pBranchTargetGC == 0)
1231 {
1232 AssertMsgFailed(("patmr3SetBranchTargets: patmGuestGCPtrToPatchGCPtr failed for %08X\n", pRec->pTargetGC));
1233 return VERR_PATCHING_REFUSED;
1234 }
1235 /* Our jumps *always* have a dword displacement (to make things easier). */
1236 Assert(sizeof(uint32_t) == sizeof(RTRCPTR));
1237 displ = pBranchTargetGC - (pInstrGC + pRec->offDispl + sizeof(RTRCPTR));
1238 *(RTRCPTR *)(pRec->pJumpHC + pRec->offDispl) = displ;
1239 Log(("Set branch target %d to %08X : %08x - (%08x + %d + %d)\n", nrJumpRecs, displ, pBranchTargetGC, pInstrGC, pRec->offDispl, sizeof(RTRCPTR)));
1240 }
1241 Assert(nrJumpRecs == pPatch->nrJumpRecs);
1242 Assert(pPatch->JumpTree == 0);
1243 return VINF_SUCCESS;
1244}
1245
1246/**
1247 * Add an illegal instruction record
1248 *
1249 * @param pVM The cross context VM structure.
1250 * @param pPatch Patch structure ptr
1251 * @param pInstrGC Guest context pointer to privileged instruction
1252 *
1253 */
1254static void patmAddIllegalInstrRecord(PVM pVM, PPATCHINFO pPatch, RTRCPTR pInstrGC)
1255{
1256 PAVLPVNODECORE pRec;
1257
1258 pRec = (PAVLPVNODECORE)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
1259 Assert(pRec);
1260 pRec->Key = (AVLPVKEY)(uintptr_t)pInstrGC;
1261
1262 bool ret = RTAvlPVInsert(&pPatch->pTempInfo->IllegalInstrTree, pRec);
1263 Assert(ret); NOREF(ret);
1264 pPatch->pTempInfo->nrIllegalInstr++;
1265}
1266
1267static bool patmIsIllegalInstr(PPATCHINFO pPatch, RTRCPTR pInstrGC)
1268{
1269 PAVLPVNODECORE pRec;
1270
1271 pRec = RTAvlPVGet(&pPatch->pTempInfo->IllegalInstrTree, (AVLPVKEY)(uintptr_t)pInstrGC);
1272 if (pRec)
1273 return true;
1274 else
1275 return false;
1276}
1277
1278/**
1279 * Add a patch to guest lookup record
1280 *
1281 * @param pVM The cross context VM structure.
1282 * @param pPatch Patch structure ptr
1283 * @param pPatchInstrHC Guest context pointer to patch block
1284 * @param pInstrGC Guest context pointer to privileged instruction
1285 * @param enmType Lookup type
1286 * @param fDirty Dirty flag
1287 *
1288 * @note Be extremely careful with this function. Make absolutely sure the guest
1289 * address is correct! (to avoid executing instructions twice!)
1290 */
1291void patmR3AddP2GLookupRecord(PVM pVM, PPATCHINFO pPatch, uint8_t *pPatchInstrHC, RTRCPTR pInstrGC, PATM_LOOKUP_TYPE enmType, bool fDirty)
1292{
1293 bool ret;
1294 PRECPATCHTOGUEST pPatchToGuestRec;
1295 PRECGUESTTOPATCH pGuestToPatchRec;
1296 uint32_t PatchOffset = pPatchInstrHC - pVM->patm.s.pPatchMemHC; /* Offset in memory reserved for PATM. */
1297
1298 LogFlowFunc(("pVM=%#p pPatch=%#p pPatchInstrHC=%#p pInstrGC=%#x enmType=%d fDirty=%RTbool\n",
1299 pVM, pPatch, pPatchInstrHC, pInstrGC, enmType, fDirty));
1300
1301 if (enmType == PATM_LOOKUP_PATCH2GUEST)
1302 {
1303 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1304 if (pPatchToGuestRec && pPatchToGuestRec->Core.Key == PatchOffset)
1305 return; /* already there */
1306
1307 Assert(!pPatchToGuestRec);
1308 }
1309#ifdef VBOX_STRICT
1310 else
1311 {
1312 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1313 Assert(!pPatchToGuestRec);
1314 }
1315#endif
1316
1317 pPatchToGuestRec = (PRECPATCHTOGUEST)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(RECPATCHTOGUEST) + sizeof(RECGUESTTOPATCH));
1318 Assert(pPatchToGuestRec);
1319 pPatchToGuestRec->Core.Key = PatchOffset;
1320 pPatchToGuestRec->pOrgInstrGC = pInstrGC;
1321 pPatchToGuestRec->enmType = enmType;
1322 pPatchToGuestRec->fDirty = fDirty;
1323
1324 ret = RTAvlU32Insert(&pPatch->Patch2GuestAddrTree, &pPatchToGuestRec->Core);
1325 Assert(ret);
1326
1327 /* GC to patch address */
1328 if (enmType == PATM_LOOKUP_BOTHDIR)
1329 {
1330 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32Get(&pPatch->Guest2PatchAddrTree, pInstrGC);
1331 if (!pGuestToPatchRec)
1332 {
1333 pGuestToPatchRec = (PRECGUESTTOPATCH)(pPatchToGuestRec+1);
1334 pGuestToPatchRec->Core.Key = pInstrGC;
1335 pGuestToPatchRec->PatchOffset = PatchOffset;
1336
1337 ret = RTAvlU32Insert(&pPatch->Guest2PatchAddrTree, &pGuestToPatchRec->Core);
1338 Assert(ret);
1339 }
1340 }
1341
1342 pPatch->nrPatch2GuestRecs++;
1343}
1344
1345
1346/**
1347 * Removes a patch to guest lookup record
1348 *
1349 * @param pVM The cross context VM structure.
1350 * @param pPatch Patch structure ptr
1351 * @param pPatchInstrGC Guest context pointer to patch block
1352 */
1353void patmr3RemoveP2GLookupRecord(PVM pVM, PPATCHINFO pPatch, RTRCPTR pPatchInstrGC)
1354{
1355 PAVLU32NODECORE pNode;
1356 PAVLU32NODECORE pNode2;
1357 PRECPATCHTOGUEST pPatchToGuestRec;
1358 uint32_t PatchOffset = pPatchInstrGC - pVM->patm.s.pPatchMemGC; /* Offset in memory reserved for PATM. */
1359
1360 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
1361 Assert(pPatchToGuestRec);
1362 if (pPatchToGuestRec)
1363 {
1364 if (pPatchToGuestRec->enmType == PATM_LOOKUP_BOTHDIR)
1365 {
1366 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)(pPatchToGuestRec+1);
1367
1368 Assert(pGuestToPatchRec->Core.Key);
1369 pNode2 = RTAvlU32Remove(&pPatch->Guest2PatchAddrTree, pGuestToPatchRec->Core.Key);
1370 Assert(pNode2);
1371 }
1372 pNode = RTAvlU32Remove(&pPatch->Patch2GuestAddrTree, pPatchToGuestRec->Core.Key);
1373 Assert(pNode);
1374
1375 MMR3HeapFree(pPatchToGuestRec);
1376 pPatch->nrPatch2GuestRecs--;
1377 }
1378}
1379
1380
1381/**
1382 * RTAvlPVDestroy callback.
1383 */
1384static DECLCALLBACK(int) patmEmptyTreePVCallback(PAVLPVNODECORE pNode, void *)
1385{
1386 MMR3HeapFree(pNode);
1387 return 0;
1388}
1389
1390/**
1391 * Empty the specified tree (PV tree, MMR3 heap)
1392 *
1393 * @param pVM The cross context VM structure.
1394 * @param ppTree Tree to empty
1395 */
1396static void patmEmptyTree(PVM pVM, PAVLPVNODECORE *ppTree)
1397{
1398 NOREF(pVM);
1399 RTAvlPVDestroy(ppTree, patmEmptyTreePVCallback, NULL);
1400}
1401
1402
1403/**
1404 * RTAvlU32Destroy callback.
1405 */
1406static DECLCALLBACK(int) patmEmptyTreeU32Callback(PAVLU32NODECORE pNode, void *)
1407{
1408 MMR3HeapFree(pNode);
1409 return 0;
1410}
1411
1412/**
1413 * Empty the specified tree (U32 tree, MMR3 heap)
1414 *
1415 * @param pVM The cross context VM structure.
1416 * @param ppTree Tree to empty
1417 */
1418static void patmEmptyTreeU32(PVM pVM, PPAVLU32NODECORE ppTree)
1419{
1420 NOREF(pVM);
1421 RTAvlU32Destroy(ppTree, patmEmptyTreeU32Callback, NULL);
1422}
1423
1424
1425/**
1426 * Analyses the instructions following the cli for compliance with our heuristics for cli & pushf
1427 *
1428 * @returns VBox status code.
1429 * @param pVM The cross context VM structure.
1430 * @param pCpu CPU disassembly state
1431 * @param pInstrGC Guest context pointer to privileged instruction
1432 * @param pCurInstrGC Guest context pointer to the current instruction
1433 * @param pCacheRec Cache record ptr
1434 *
1435 */
1436static int patmAnalyseBlockCallback(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PPATMP2GLOOKUPREC pCacheRec)
1437{
1438 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
1439 bool fIllegalInstr = false;
1440
1441 /*
1442 * Preliminary heuristics:
1443 *- no call instructions without a fixed displacement between cli and sti/popf
1444 *- no jumps in the instructions following cli (4+ bytes; enough for the replacement jump (5 bytes))
1445 *- no nested pushf/cli
1446 *- sti/popf should be the (eventual) target of all branches
1447 *- no near or far returns; no int xx, no into
1448 *
1449 * Note: Later on we can impose less stricter guidelines if the need arises
1450 */
1451
1452 /* Bail out if the patch gets too big. */
1453 if (pPatch->cbPatchBlockSize >= MAX_PATCH_SIZE)
1454 {
1455 Log(("Code block too big (%x) for patch at %RRv!!\n", pPatch->cbPatchBlockSize, pCurInstrGC));
1456 fIllegalInstr = true;
1457 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1458 }
1459 else
1460 {
1461 /* No unconditional jumps or calls without fixed displacements. */
1462 if ( (pCpu->pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW)
1463 && (pCpu->pCurInstr->uOpcode == OP_JMP || pCpu->pCurInstr->uOpcode == OP_CALL)
1464 )
1465 {
1466 Assert(pCpu->Param1.cb <= 4 || pCpu->Param1.cb == 6);
1467 if ( pCpu->Param1.cb == 6 /* far call/jmp */
1468 || (pCpu->pCurInstr->uOpcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
1469 || (OP_PARM_VTYPE(pCpu->pCurInstr->fParam1) != OP_PARM_J && !(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS))
1470 )
1471 {
1472 fIllegalInstr = true;
1473 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1474 }
1475 }
1476
1477 /* An unconditional (short) jump right after a cli is a potential problem; we will overwrite whichever function comes afterwards */
1478 if (pPatch->opcode == OP_CLI && pCpu->pCurInstr->uOpcode == OP_JMP)
1479 {
1480 if ( pCurInstrGC > pPatch->pPrivInstrGC
1481 && pCurInstrGC + pCpu->cbInstr < pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32) /* hardcoded patch jump size; cbPatchJump is still zero */
1482 {
1483 Log(("Dangerous unconditional jump ends in our generated patch jump!! (%x vs %x)\n", pCurInstrGC, pPatch->pPrivInstrGC));
1484 /* We turn this one into a int 3 callable patch. */
1485 pPatch->flags |= PATMFL_INT3_REPLACEMENT_BLOCK;
1486 }
1487 }
1488 else
1489 /* no nested pushfs just yet; nested cli is allowed for cli patches though. */
1490 if (pPatch->opcode == OP_PUSHF)
1491 {
1492 if (pCurInstrGC != pInstrGC && pCpu->pCurInstr->uOpcode == OP_PUSHF)
1493 {
1494 fIllegalInstr = true;
1495 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1496 }
1497 }
1498
1499 /* no far returns */
1500 if (pCpu->pCurInstr->uOpcode == OP_RETF)
1501 {
1502 pPatch->pTempInfo->nrRetInstr++;
1503 fIllegalInstr = true;
1504 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1505 }
1506 else if ( pCpu->pCurInstr->uOpcode == OP_INT3
1507 || pCpu->pCurInstr->uOpcode == OP_INT
1508 || pCpu->pCurInstr->uOpcode == OP_INTO)
1509 {
1510 /* No int xx or into either. */
1511 fIllegalInstr = true;
1512 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1513 }
1514 }
1515
1516 pPatch->cbPatchBlockSize += pCpu->cbInstr;
1517
1518 /* Illegal instruction -> end of analysis phase for this code block */
1519 if (fIllegalInstr || patmIsIllegalInstr(pPatch, pCurInstrGC))
1520 return VINF_SUCCESS;
1521
1522 /* Check for exit points. */
1523 switch (pCpu->pCurInstr->uOpcode)
1524 {
1525 case OP_SYSEXIT:
1526 return VINF_SUCCESS; /* duplicate it; will fault or emulated in GC. */
1527
1528 case OP_SYSENTER:
1529 case OP_ILLUD2:
1530 /* This appears to be some kind of kernel panic in Linux 2.4; no point to analyse more. */
1531 Log(("Illegal opcode (0xf 0xb) -> return here\n"));
1532 return VINF_SUCCESS;
1533
1534 case OP_STI:
1535 case OP_POPF:
1536 Assert(!(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION)));
1537 /* If out exit point lies within the generated patch jump, then we have to refuse!! */
1538 if (pCurInstrGC > pPatch->pPrivInstrGC && pCurInstrGC < pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32) /* hardcoded patch jump size; cbPatchJump is still zero */
1539 {
1540 Log(("Exit point within patch jump itself!! (%x vs %x)\n", pCurInstrGC, pPatch->pPrivInstrGC));
1541 return VERR_PATCHING_REFUSED;
1542 }
1543 if (pPatch->opcode == OP_PUSHF)
1544 {
1545 if (pCpu->pCurInstr->uOpcode == OP_POPF)
1546 {
1547 if (pPatch->cbPatchBlockSize >= SIZEOF_NEARJUMP32)
1548 return VINF_SUCCESS;
1549
1550 /* Or else we need to duplicate more instructions, because we can't jump back yet! */
1551 Log(("WARNING: End of block reached, but we need to duplicate some extra instruction to avoid a conflict with the patch jump\n"));
1552 pPatch->flags |= PATMFL_CHECK_SIZE;
1553 }
1554 break; /* sti doesn't mark the end of a pushf block; only popf does. */
1555 }
1556 /* else: fall through. */
1557 case OP_RETN: /* exit point for function replacement */
1558 return VINF_SUCCESS;
1559
1560 case OP_IRET:
1561 return VINF_SUCCESS; /* exitpoint */
1562
1563 case OP_CPUID:
1564 case OP_CALL:
1565 case OP_JMP:
1566 break;
1567
1568#ifdef VBOX_WITH_SAFE_STR /** @todo remove DISOPTYPE_PRIVILEGED_NOTRAP from disasm table */
1569 case OP_STR:
1570 break;
1571#endif
1572
1573 default:
1574 if (pCpu->pCurInstr->fOpType & (DISOPTYPE_PRIVILEGED_NOTRAP))
1575 {
1576 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1577 return VINF_SUCCESS; /* exit point */
1578 }
1579 break;
1580 }
1581
1582 /* If single instruction patch, we've copied enough instructions *and* the current instruction is not a relative jump. */
1583 if ((pPatch->flags & PATMFL_CHECK_SIZE) && pPatch->cbPatchBlockSize > SIZEOF_NEARJUMP32 && !(pCpu->pCurInstr->fOpType & DISOPTYPE_RELATIVE_CONTROLFLOW))
1584 {
1585 /* The end marker for this kind of patch is any instruction at a location outside our patch jump. */
1586 Log(("End of block at %RRv size %d\n", pCurInstrGC, pCpu->cbInstr));
1587 return VINF_SUCCESS;
1588 }
1589
1590 return VWRN_CONTINUE_ANALYSIS;
1591}
1592
1593/**
1594 * Analyses the instructions inside a function for compliance
1595 *
1596 * @returns VBox status code.
1597 * @param pVM The cross context VM structure.
1598 * @param pCpu CPU disassembly state
1599 * @param pInstrGC Guest context pointer to privileged instruction
1600 * @param pCurInstrGC Guest context pointer to the current instruction
1601 * @param pCacheRec Cache record ptr
1602 *
1603 */
1604static int patmAnalyseFunctionCallback(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PPATMP2GLOOKUPREC pCacheRec)
1605{
1606 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
1607 bool fIllegalInstr = false;
1608 NOREF(pInstrGC);
1609
1610 //Preliminary heuristics:
1611 //- no call instructions
1612 //- ret ends a block
1613
1614 Assert(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION));
1615
1616 // bail out if the patch gets too big
1617 if (pPatch->cbPatchBlockSize >= MAX_PATCH_SIZE)
1618 {
1619 Log(("Code block too big (%x) for function patch at %RRv!!\n", pPatch->cbPatchBlockSize, pCurInstrGC));
1620 fIllegalInstr = true;
1621 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1622 }
1623 else
1624 {
1625 // no unconditional jumps or calls without fixed displacements
1626 if ( (pCpu->pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW)
1627 && (pCpu->pCurInstr->uOpcode == OP_JMP || pCpu->pCurInstr->uOpcode == OP_CALL)
1628 )
1629 {
1630 Assert(pCpu->Param1.cb <= 4 || pCpu->Param1.cb == 6);
1631 if ( pCpu->Param1.cb == 6 /* far call/jmp */
1632 || (pCpu->pCurInstr->uOpcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
1633 || (OP_PARM_VTYPE(pCpu->pCurInstr->fParam1) != OP_PARM_J && !(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS))
1634 )
1635 {
1636 fIllegalInstr = true;
1637 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1638 }
1639 }
1640 else /* no far returns */
1641 if (pCpu->pCurInstr->uOpcode == OP_RETF)
1642 {
1643 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1644 fIllegalInstr = true;
1645 }
1646 else /* no int xx or into either */
1647 if (pCpu->pCurInstr->uOpcode == OP_INT3 || pCpu->pCurInstr->uOpcode == OP_INT || pCpu->pCurInstr->uOpcode == OP_INTO)
1648 {
1649 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1650 fIllegalInstr = true;
1651 }
1652
1653 #if 0
1654 ///@todo we can handle certain in/out and privileged instructions in the guest context
1655 if (pCpu->pCurInstr->fOpType & DISOPTYPE_PRIVILEGED && pCpu->pCurInstr->uOpcode != OP_STI)
1656 {
1657 Log(("Illegal instructions for function patch!!\n"));
1658 return VERR_PATCHING_REFUSED;
1659 }
1660 #endif
1661 }
1662
1663 pPatch->cbPatchBlockSize += pCpu->cbInstr;
1664
1665 /* Illegal instruction -> end of analysis phase for this code block */
1666 if (fIllegalInstr || patmIsIllegalInstr(pPatch, pCurInstrGC))
1667 {
1668 return VINF_SUCCESS;
1669 }
1670
1671 // Check for exit points
1672 switch (pCpu->pCurInstr->uOpcode)
1673 {
1674 case OP_ILLUD2:
1675 //This appears to be some kind of kernel panic in Linux 2.4; no point to analyse more
1676 Log(("Illegal opcode (0xf 0xb) -> return here\n"));
1677 return VINF_SUCCESS;
1678
1679 case OP_IRET:
1680 case OP_SYSEXIT: /* will fault or emulated in GC */
1681 case OP_RETN:
1682 return VINF_SUCCESS;
1683
1684#ifdef VBOX_WITH_SAFE_STR /** @todo remove DISOPTYPE_PRIVILEGED_NOTRAP from disasm table */
1685 case OP_STR:
1686 break;
1687#endif
1688
1689 case OP_POPF:
1690 case OP_STI:
1691 return VWRN_CONTINUE_ANALYSIS;
1692 default:
1693 if (pCpu->pCurInstr->fOpType & (DISOPTYPE_PRIVILEGED_NOTRAP))
1694 {
1695 patmAddIllegalInstrRecord(pVM, pPatch, pCurInstrGC);
1696 return VINF_SUCCESS; /* exit point */
1697 }
1698 return VWRN_CONTINUE_ANALYSIS;
1699 }
1700
1701 return VWRN_CONTINUE_ANALYSIS;
1702}
1703
1704/**
1705 * Recompiles the instructions in a code block
1706 *
1707 * @returns VBox status code.
1708 * @param pVM The cross context VM structure.
1709 * @param pCpu CPU disassembly state
1710 * @param pInstrGC Guest context pointer to privileged instruction
1711 * @param pCurInstrGC Guest context pointer to the current instruction
1712 * @param pCacheRec Cache record ptr
1713 *
1714 */
1715static DECLCALLBACK(int) patmRecompileCallback(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PPATMP2GLOOKUPREC pCacheRec)
1716{
1717 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
1718 int rc = VINF_SUCCESS;
1719 bool fInhibitIRQInstr = false; /* did the instruction cause PATMFL_INHIBITIRQS to be set? */
1720
1721 LogFlow(("patmRecompileCallback %RRv %RRv\n", pInstrGC, pCurInstrGC));
1722
1723 if ( patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pCurInstrGC) != 0
1724 && !(pPatch->flags & PATMFL_RECOMPILE_NEXT)) /* do not do this when the next instruction *must* be executed! */
1725 {
1726 /*
1727 * Been there, done that; so insert a jump (we don't want to duplicate code)
1728 * no need to record this instruction as it's glue code that never crashes (it had better not!)
1729 */
1730 Log(("patmRecompileCallback: jump to code we've recompiled before %RRv!\n", pCurInstrGC));
1731 return patmPatchGenRelJump(pVM, pPatch, pCurInstrGC, OP_JMP, !!(pCpu->fPrefix & DISPREFIX_OPSIZE));
1732 }
1733
1734 if (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1735 {
1736 rc = patmAnalyseFunctionCallback(pVM, pCpu, pInstrGC, pCurInstrGC, pCacheRec);
1737 }
1738 else
1739 rc = patmAnalyseBlockCallback(pVM, pCpu, pInstrGC, pCurInstrGC, pCacheRec);
1740
1741 if (RT_FAILURE(rc))
1742 return rc;
1743
1744 /* Note: Never do a direct return unless a failure is encountered! */
1745
1746 /* Clear recompilation of next instruction flag; we are doing that right here. */
1747 if (pPatch->flags & PATMFL_RECOMPILE_NEXT)
1748 pPatch->flags &= ~PATMFL_RECOMPILE_NEXT;
1749
1750 /* Add lookup record for patch to guest address translation */
1751 patmR3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
1752
1753 /* Update lowest and highest instruction address for this patch */
1754 if (pCurInstrGC < pPatch->pInstrGCLowest)
1755 pPatch->pInstrGCLowest = pCurInstrGC;
1756 else
1757 if (pCurInstrGC > pPatch->pInstrGCHighest)
1758 pPatch->pInstrGCHighest = pCurInstrGC + pCpu->cbInstr;
1759
1760 /* Illegal instruction -> end of recompile phase for this code block. */
1761 if (patmIsIllegalInstr(pPatch, pCurInstrGC))
1762 {
1763 Log(("Illegal instruction at %RRv -> mark with int 3\n", pCurInstrGC));
1764 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1765 goto end;
1766 }
1767
1768 /* For our first attempt, we'll handle only simple relative jumps (immediate offset coded in instruction).
1769 * Indirect calls are handled below.
1770 */
1771 if ( (pCpu->pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW)
1772 && (pCpu->pCurInstr->uOpcode != OP_CALL || (pPatch->flags & PATMFL_SUPPORT_CALLS))
1773 && (OP_PARM_VTYPE(pCpu->pCurInstr->fParam1) == OP_PARM_J))
1774 {
1775 RCPTRTYPE(uint8_t *) pTargetGC = PATMResolveBranch(pCpu, pCurInstrGC);
1776 if (pTargetGC == 0)
1777 {
1778 Log(("We don't support far jumps here!! (%08X)\n", pCpu->Param1.fUse));
1779 return VERR_PATCHING_REFUSED;
1780 }
1781
1782 if (pCpu->pCurInstr->uOpcode == OP_CALL)
1783 {
1784 Assert(!PATMIsPatchGCAddr(pVM, pTargetGC));
1785 rc = patmPatchGenCall(pVM, pPatch, pCpu, pCurInstrGC, pTargetGC, false);
1786 if (RT_FAILURE(rc))
1787 goto end;
1788 }
1789 else
1790 rc = patmPatchGenRelJump(pVM, pPatch, pTargetGC, pCpu->pCurInstr->uOpcode, !!(pCpu->fPrefix & DISPREFIX_OPSIZE));
1791
1792 if (RT_SUCCESS(rc))
1793 rc = VWRN_CONTINUE_RECOMPILE;
1794
1795 goto end;
1796 }
1797
1798 switch (pCpu->pCurInstr->uOpcode)
1799 {
1800 case OP_CLI:
1801 {
1802 /* If a cli is found while duplicating instructions for another patch, then it's of vital importance to continue
1803 * until we've found the proper exit point(s).
1804 */
1805 if ( pCurInstrGC != pInstrGC
1806 && !(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1807 )
1808 {
1809 Log(("cli instruction found in other instruction patch block; force it to continue & find an exit point\n"));
1810 pPatch->flags &= ~(PATMFL_CHECK_SIZE | PATMFL_SINGLE_INSTRUCTION);
1811 }
1812 /* Set by irq inhibition; no longer valid now. */
1813 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST;
1814
1815 rc = patmPatchGenCli(pVM, pPatch);
1816 if (RT_SUCCESS(rc))
1817 rc = VWRN_CONTINUE_RECOMPILE;
1818 break;
1819 }
1820
1821 case OP_MOV:
1822 if (pCpu->pCurInstr->fOpType & DISOPTYPE_POTENTIALLY_DANGEROUS)
1823 {
1824 /* mov ss, src? */
1825 if ( (pCpu->Param1.fUse & DISUSE_REG_SEG)
1826 && (pCpu->Param1.Base.idxSegReg == DISSELREG_SS))
1827 {
1828 Log(("Force recompilation of next instruction for OP_MOV at %RRv\n", pCurInstrGC));
1829 pPatch->flags |= PATMFL_RECOMPILE_NEXT;
1830 /** @todo this could cause a fault (ring 0 selector being loaded in ring 1) */
1831 }
1832#if 0 /* necessary for Haiku */
1833 else
1834 if ( (pCpu->Param2.fUse & DISUSE_REG_SEG)
1835 && (pCpu->Param2.Base.idxSegReg == USE_REG_SS)
1836 && (pCpu->Param1.fUse & (DISUSE_REG_GEN32|DISUSE_REG_GEN16))) /** @todo memory operand must in theory be handled too */
1837 {
1838 /* mov GPR, ss */
1839 rc = patmPatchGenMovFromSS(pVM, pPatch, pCpu, pCurInstrGC);
1840 if (RT_SUCCESS(rc))
1841 rc = VWRN_CONTINUE_RECOMPILE;
1842 break;
1843 }
1844#endif
1845 }
1846 goto duplicate_instr;
1847
1848 case OP_POP:
1849 /** @todo broken comparison!! should be if ((pCpu->Param1.fUse & DISUSE_REG_SEG) && (pCpu->Param1.Base.idxSegReg == DISSELREG_SS)) */
1850 if (pCpu->pCurInstr->fParam1 == OP_PARM_REG_SS)
1851 {
1852 Assert(pCpu->pCurInstr->fOpType & DISOPTYPE_INHIBIT_IRQS);
1853
1854 Log(("Force recompilation of next instruction for OP_MOV at %RRv\n", pCurInstrGC));
1855 pPatch->flags |= PATMFL_RECOMPILE_NEXT;
1856 }
1857 goto duplicate_instr;
1858
1859 case OP_STI:
1860 {
1861 RTRCPTR pNextInstrGC = 0; /* by default no inhibit irq */
1862
1863 /* In a sequence of instructions that inhibit irqs, only the first one actually inhibits irqs. */
1864 if (!(pPatch->flags & PATMFL_INHIBIT_IRQS))
1865 {
1866 pPatch->flags |= PATMFL_INHIBIT_IRQS | PATMFL_GENERATE_JUMPTOGUEST;
1867 fInhibitIRQInstr = true;
1868 pNextInstrGC = pCurInstrGC + pCpu->cbInstr;
1869 Log(("Inhibit irqs for instruction OP_STI at %RRv\n", pCurInstrGC));
1870 }
1871 rc = patmPatchGenSti(pVM, pPatch, pCurInstrGC, pNextInstrGC);
1872
1873 if (RT_SUCCESS(rc))
1874 {
1875 DISCPUSTATE cpu = *pCpu;
1876 unsigned cbInstr;
1877 int disret;
1878 RCPTRTYPE(uint8_t *) pReturnInstrGC;
1879
1880 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1881
1882 pNextInstrGC = pCurInstrGC + pCpu->cbInstr;
1883 { /* Force pNextInstrHC out of scope after using it */
1884 uint8_t *pNextInstrHC = patmR3GCVirtToHCVirt(pVM, pCacheRec, pNextInstrGC);
1885 if (pNextInstrHC == NULL)
1886 {
1887 AssertFailed();
1888 return VERR_PATCHING_REFUSED;
1889 }
1890
1891 // Disassemble the next instruction
1892 disret = patmR3DisInstr(pVM, pPatch, pNextInstrGC, pNextInstrHC, PATMREAD_ORGCODE, &cpu, &cbInstr);
1893 }
1894 if (disret == false)
1895 {
1896 AssertMsgFailed(("STI: Disassembly failed (probably page not present) -> return to caller\n"));
1897 return VERR_PATCHING_REFUSED;
1898 }
1899 pReturnInstrGC = pNextInstrGC + cbInstr;
1900
1901 if ( (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
1902 || pReturnInstrGC <= pInstrGC
1903 || pReturnInstrGC - pInstrGC >= SIZEOF_NEARJUMP32
1904 )
1905 {
1906 /* Not an exit point for function duplication patches */
1907 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
1908 && RT_SUCCESS(rc))
1909 {
1910 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST; /* Don't generate a jump back */
1911 rc = VWRN_CONTINUE_RECOMPILE;
1912 }
1913 else
1914 rc = VINF_SUCCESS; //exit point
1915 }
1916 else {
1917 Log(("PATM: sti occurred too soon; refusing patch!\n"));
1918 rc = VERR_PATCHING_REFUSED; //not allowed!!
1919 }
1920 }
1921 break;
1922 }
1923
1924 case OP_POPF:
1925 {
1926 bool fGenerateJmpBack = (pCurInstrGC + pCpu->cbInstr - pInstrGC >= SIZEOF_NEARJUMP32);
1927
1928 /* Not an exit point for IDT handler or function replacement patches */
1929 /* Note: keep IOPL in mind when changing any of this!! (see comments in PATMA.asm, PATMPopf32Replacement) */
1930 if (pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_DUPLICATE_FUNCTION))
1931 fGenerateJmpBack = false;
1932
1933 rc = patmPatchGenPopf(pVM, pPatch, pCurInstrGC + pCpu->cbInstr, !!(pCpu->fPrefix & DISPREFIX_OPSIZE), fGenerateJmpBack);
1934 if (RT_SUCCESS(rc))
1935 {
1936 if (fGenerateJmpBack == false)
1937 {
1938 /* Not an exit point for IDT handler or function replacement patches */
1939 rc = VWRN_CONTINUE_RECOMPILE;
1940 }
1941 else
1942 {
1943 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1944 rc = VINF_SUCCESS; /* exit point! */
1945 }
1946 }
1947 break;
1948 }
1949
1950 case OP_PUSHF:
1951 rc = patmPatchGenPushf(pVM, pPatch, !!(pCpu->fPrefix & DISPREFIX_OPSIZE));
1952 if (RT_SUCCESS(rc))
1953 rc = VWRN_CONTINUE_RECOMPILE;
1954 break;
1955
1956 case OP_PUSH:
1957 /** @todo broken comparison!! should be if ((pCpu->Param1.fUse & DISUSE_REG_SEG) && (pCpu->Param1.Base.idxSegReg == DISSELREG_SS)) */
1958 if (pCpu->pCurInstr->fParam1 == OP_PARM_REG_CS)
1959 {
1960 rc = patmPatchGenPushCS(pVM, pPatch);
1961 if (RT_SUCCESS(rc))
1962 rc = VWRN_CONTINUE_RECOMPILE;
1963 break;
1964 }
1965 goto duplicate_instr;
1966
1967 case OP_IRET:
1968 Log(("IRET at %RRv\n", pCurInstrGC));
1969 rc = patmPatchGenIret(pVM, pPatch, pCurInstrGC, !!(pCpu->fPrefix & DISPREFIX_OPSIZE));
1970 if (RT_SUCCESS(rc))
1971 {
1972 pPatch->flags |= PATMFL_FOUND_PATCHEND;
1973 rc = VINF_SUCCESS; /* exit point by definition */
1974 }
1975 break;
1976
1977 case OP_ILLUD2:
1978 /* This appears to be some kind of kernel panic in Linux 2.4; no point to continue */
1979 rc = patmPatchGenIllegalInstr(pVM, pPatch);
1980 if (RT_SUCCESS(rc))
1981 rc = VINF_SUCCESS; /* exit point by definition */
1982 Log(("Illegal opcode (0xf 0xb)\n"));
1983 break;
1984
1985 case OP_CPUID:
1986 rc = patmPatchGenCpuid(pVM, pPatch, pCurInstrGC);
1987 if (RT_SUCCESS(rc))
1988 rc = VWRN_CONTINUE_RECOMPILE;
1989 break;
1990
1991 case OP_STR:
1992#ifdef VBOX_WITH_SAFE_STR /* @todo remove DISOPTYPE_PRIVILEGED_NOTRAP from disasm table and move OP_STR into #ifndef */
1993 /* Now safe because our shadow TR entry is identical to the guest's. */
1994 goto duplicate_instr;
1995#endif
1996 case OP_SLDT:
1997 rc = patmPatchGenSldtStr(pVM, pPatch, pCpu, pCurInstrGC);
1998 if (RT_SUCCESS(rc))
1999 rc = VWRN_CONTINUE_RECOMPILE;
2000 break;
2001
2002 case OP_SGDT:
2003 case OP_SIDT:
2004 rc = patmPatchGenSxDT(pVM, pPatch, pCpu, pCurInstrGC);
2005 if (RT_SUCCESS(rc))
2006 rc = VWRN_CONTINUE_RECOMPILE;
2007 break;
2008
2009 case OP_RETN:
2010 /* retn is an exit point for function patches */
2011 rc = patmPatchGenRet(pVM, pPatch, pCpu, pCurInstrGC);
2012 if (RT_SUCCESS(rc))
2013 rc = VINF_SUCCESS; /* exit point by definition */
2014 break;
2015
2016 case OP_SYSEXIT:
2017 /* Duplicate it, so it can be emulated in GC (or fault). */
2018 rc = patmPatchGenDuplicate(pVM, pPatch, pCpu, pCurInstrGC);
2019 if (RT_SUCCESS(rc))
2020 rc = VINF_SUCCESS; /* exit point by definition */
2021 break;
2022
2023 case OP_CALL:
2024 Assert(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS);
2025 /* In interrupt gate handlers it's possible to encounter jumps or calls when IF has been enabled again.
2026 * In that case we'll jump to the original instruction and continue from there. Otherwise an int 3 is executed.
2027 */
2028 Assert(pCpu->Param1.cb == 4 || pCpu->Param1.cb == 6);
2029 if (pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS && pCpu->Param1.cb == 4 /* no far calls! */)
2030 {
2031 rc = patmPatchGenCall(pVM, pPatch, pCpu, pCurInstrGC, (RTRCPTR)0xDEADBEEF, true);
2032 if (RT_SUCCESS(rc))
2033 {
2034 rc = VWRN_CONTINUE_RECOMPILE;
2035 }
2036 break;
2037 }
2038 goto gen_illegal_instr;
2039
2040 case OP_JMP:
2041 Assert(pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS);
2042 /* In interrupt gate handlers it's possible to encounter jumps or calls when IF has been enabled again.
2043 * In that case we'll jump to the original instruction and continue from there. Otherwise an int 3 is executed.
2044 */
2045 Assert(pCpu->Param1.cb == 4 || pCpu->Param1.cb == 6);
2046 if (pPatch->flags & PATMFL_SUPPORT_INDIRECT_CALLS && pCpu->Param1.cb == 4 /* no far jumps! */)
2047 {
2048 rc = patmPatchGenJump(pVM, pPatch, pCpu, pCurInstrGC);
2049 if (RT_SUCCESS(rc))
2050 rc = VINF_SUCCESS; /* end of branch */
2051 break;
2052 }
2053 goto gen_illegal_instr;
2054
2055 case OP_INT3:
2056 case OP_INT:
2057 case OP_INTO:
2058 goto gen_illegal_instr;
2059
2060 case OP_MOV_DR:
2061 /* Note: currently we let DRx writes cause a trap d; our trap handler will decide to interpret it or not. */
2062 if (pCpu->pCurInstr->fParam2 == OP_PARM_Dd)
2063 {
2064 rc = patmPatchGenMovDebug(pVM, pPatch, pCpu);
2065 if (RT_SUCCESS(rc))
2066 rc = VWRN_CONTINUE_RECOMPILE;
2067 break;
2068 }
2069 goto duplicate_instr;
2070
2071 case OP_MOV_CR:
2072 /* Note: currently we let CRx writes cause a trap d; our trap handler will decide to interpret it or not. */
2073 if (pCpu->pCurInstr->fParam2 == OP_PARM_Cd)
2074 {
2075 rc = patmPatchGenMovControl(pVM, pPatch, pCpu);
2076 if (RT_SUCCESS(rc))
2077 rc = VWRN_CONTINUE_RECOMPILE;
2078 break;
2079 }
2080 goto duplicate_instr;
2081
2082 default:
2083 if (pCpu->pCurInstr->fOpType & (DISOPTYPE_CONTROLFLOW | DISOPTYPE_PRIVILEGED_NOTRAP))
2084 {
2085gen_illegal_instr:
2086 rc = patmPatchGenIllegalInstr(pVM, pPatch);
2087 if (RT_SUCCESS(rc))
2088 rc = VINF_SUCCESS; /* exit point by definition */
2089 }
2090 else
2091 {
2092duplicate_instr:
2093 Log(("patmPatchGenDuplicate\n"));
2094 rc = patmPatchGenDuplicate(pVM, pPatch, pCpu, pCurInstrGC);
2095 if (RT_SUCCESS(rc))
2096 rc = VWRN_CONTINUE_RECOMPILE;
2097 }
2098 break;
2099 }
2100
2101end:
2102
2103 if ( !fInhibitIRQInstr
2104 && (pPatch->flags & PATMFL_INHIBIT_IRQS))
2105 {
2106 int rc2;
2107 RTRCPTR pNextInstrGC = pCurInstrGC + pCpu->cbInstr;
2108
2109 pPatch->flags &= ~PATMFL_INHIBIT_IRQS;
2110 Log(("Clear inhibit IRQ flag at %RRv\n", pCurInstrGC));
2111 if (pPatch->flags & PATMFL_GENERATE_JUMPTOGUEST)
2112 {
2113 Log(("patmRecompileCallback: generate jump back to guest (%RRv) after fused instruction\n", pNextInstrGC));
2114
2115 rc2 = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC, true /* clear inhibit irq flag */);
2116 pPatch->flags &= ~PATMFL_GENERATE_JUMPTOGUEST;
2117 rc = VINF_SUCCESS; /* end of the line */
2118 }
2119 else
2120 {
2121 rc2 = patmPatchGenClearInhibitIRQ(pVM, pPatch, pNextInstrGC);
2122 }
2123 if (RT_FAILURE(rc2))
2124 rc = rc2;
2125 }
2126
2127 if (RT_SUCCESS(rc))
2128 {
2129 // If single instruction patch, we've copied enough instructions *and* the current instruction is not a relative jump
2130 if ( (pPatch->flags & PATMFL_CHECK_SIZE)
2131 && pCurInstrGC + pCpu->cbInstr - pInstrGC >= SIZEOF_NEARJUMP32
2132 && !(pCpu->pCurInstr->fOpType & DISOPTYPE_RELATIVE_CONTROLFLOW)
2133 && !(pPatch->flags & PATMFL_RECOMPILE_NEXT) /* do not do this when the next instruction *must* be executed! */
2134 )
2135 {
2136 RTRCPTR pNextInstrGC = pCurInstrGC + pCpu->cbInstr;
2137
2138 // The end marker for this kind of patch is any instruction at a location outside our patch jump
2139 Log(("patmRecompileCallback: end found for single instruction patch at %RRv cbInstr %d\n", pNextInstrGC, pCpu->cbInstr));
2140
2141 rc = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC);
2142 AssertRC(rc);
2143 }
2144 }
2145 return rc;
2146}
2147
2148
2149#ifdef LOG_ENABLED
2150
2151/**
2152 * Add a disasm jump record (temporary for prevent duplicate analysis)
2153 *
2154 * @param pVM The cross context VM structure.
2155 * @param pPatch Patch structure ptr
2156 * @param pInstrGC Guest context pointer to privileged instruction
2157 *
2158 */
2159static void patmPatchAddDisasmJump(PVM pVM, PPATCHINFO pPatch, RTRCPTR pInstrGC)
2160{
2161 PAVLPVNODECORE pRec;
2162
2163 pRec = (PAVLPVNODECORE)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pRec));
2164 Assert(pRec);
2165 pRec->Key = (AVLPVKEY)(uintptr_t)pInstrGC;
2166
2167 int ret = RTAvlPVInsert(&pPatch->pTempInfo->DisasmJumpTree, pRec);
2168 Assert(ret);
2169}
2170
2171/**
2172 * Checks if jump target has been analysed before.
2173 *
2174 * @returns VBox status code.
2175 * @param pPatch Patch struct
2176 * @param pInstrGC Jump target
2177 *
2178 */
2179static bool patmIsKnownDisasmJump(PPATCHINFO pPatch, RTRCPTR pInstrGC)
2180{
2181 PAVLPVNODECORE pRec;
2182
2183 pRec = RTAvlPVGet(&pPatch->pTempInfo->DisasmJumpTree, (AVLPVKEY)(uintptr_t)pInstrGC);
2184 if (pRec)
2185 return true;
2186 return false;
2187}
2188
2189/**
2190 * For proper disassembly of the final patch block
2191 *
2192 * @returns VBox status code.
2193 * @param pVM The cross context VM structure.
2194 * @param pCpu CPU disassembly state
2195 * @param pInstrGC Guest context pointer to privileged instruction
2196 * @param pCurInstrGC Guest context pointer to the current instruction
2197 * @param pCacheRec Cache record ptr
2198 *
2199 */
2200DECLCALLBACK(int) patmR3DisasmCallback(PVM pVM, DISCPUSTATE *pCpu, RCPTRTYPE(uint8_t *) pInstrGC,
2201 RCPTRTYPE(uint8_t *) pCurInstrGC, PPATMP2GLOOKUPREC pCacheRec)
2202{
2203 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
2204 NOREF(pInstrGC);
2205
2206 if (pCpu->pCurInstr->uOpcode == OP_INT3)
2207 {
2208 /* Could be an int3 inserted in a call patch. Check to be sure */
2209 DISCPUSTATE cpu;
2210 RTRCPTR pOrgJumpGC;
2211
2212 pOrgJumpGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pCurInstrGC);
2213
2214 { /* Force pOrgJumpHC out of scope after using it */
2215 uint8_t *pOrgJumpHC = patmR3GCVirtToHCVirt(pVM, pCacheRec, pOrgJumpGC);
2216
2217 bool disret = patmR3DisInstr(pVM, pPatch, pOrgJumpGC, pOrgJumpHC, PATMREAD_ORGCODE, &cpu, NULL);
2218 if (!disret || cpu.pCurInstr->uOpcode != OP_CALL || cpu.Param1.cb != 4 /* only near calls */)
2219 return VINF_SUCCESS;
2220 }
2221 return VWRN_CONTINUE_ANALYSIS;
2222 }
2223
2224 if ( pCpu->pCurInstr->uOpcode == OP_ILLUD2
2225 && PATMIsPatchGCAddr(pVM, pCurInstrGC))
2226 {
2227 /* the indirect call patch contains an 0xF/0xB illegal instr to call for assistance; check for this and continue */
2228 return VWRN_CONTINUE_ANALYSIS;
2229 }
2230
2231 if ( (pCpu->pCurInstr->uOpcode == OP_CALL && !(pPatch->flags & PATMFL_SUPPORT_CALLS))
2232 || pCpu->pCurInstr->uOpcode == OP_INT
2233 || pCpu->pCurInstr->uOpcode == OP_IRET
2234 || pCpu->pCurInstr->uOpcode == OP_RETN
2235 || pCpu->pCurInstr->uOpcode == OP_RETF
2236 )
2237 {
2238 return VINF_SUCCESS;
2239 }
2240
2241 if (pCpu->pCurInstr->uOpcode == OP_ILLUD2)
2242 return VINF_SUCCESS;
2243
2244 return VWRN_CONTINUE_ANALYSIS;
2245}
2246
2247
2248/**
2249 * Disassembles the code stream until the callback function detects a failure or decides everything is acceptable
2250 *
2251 * @returns VBox status code.
2252 * @param pVM The cross context VM structure.
2253 * @param pInstrGC Guest context pointer to the initial privileged instruction
2254 * @param pCurInstrGC Guest context pointer to the current instruction
2255 * @param pfnPATMR3Disasm Callback for testing the disassembled instruction
2256 * @param pCacheRec Cache record ptr
2257 *
2258 */
2259int patmr3DisasmCode(PVM pVM, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Disasm, PPATMP2GLOOKUPREC pCacheRec)
2260{
2261 DISCPUSTATE cpu;
2262 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
2263 int rc = VWRN_CONTINUE_ANALYSIS;
2264 uint32_t cbInstr, delta;
2265 R3PTRTYPE(uint8_t *) pCurInstrHC = 0;
2266 bool disret;
2267 char szOutput[256];
2268
2269 Assert(pCurInstrHC != PATCHCODE_PTR_HC(pPatch) || pPatch->pTempInfo->DisasmJumpTree == 0);
2270
2271 /* We need this to determine branch targets (and for disassembling). */
2272 delta = pVM->patm.s.pPatchMemGC - (uintptr_t)pVM->patm.s.pPatchMemHC;
2273
2274 while (rc == VWRN_CONTINUE_ANALYSIS)
2275 {
2276 pCurInstrHC = patmR3GCVirtToHCVirt(pVM, pCacheRec, pCurInstrGC);
2277 if (pCurInstrHC == NULL)
2278 {
2279 rc = VERR_PATCHING_REFUSED;
2280 goto end;
2281 }
2282
2283 disret = patmR3DisInstrToStr(pVM, pPatch, pCurInstrGC, pCurInstrHC, PATMREAD_RAWCODE,
2284 &cpu, &cbInstr, szOutput, sizeof(szOutput));
2285 if (PATMIsPatchGCAddr(pVM, pCurInstrGC))
2286 {
2287 RTRCPTR pOrgInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pCurInstrGC);
2288
2289 if (pOrgInstrGC != pPatch->pTempInfo->pLastDisasmInstrGC)
2290 Log(("DIS %RRv<-%s", pOrgInstrGC, szOutput));
2291 else
2292 Log(("DIS %s", szOutput));
2293
2294 pPatch->pTempInfo->pLastDisasmInstrGC = pOrgInstrGC;
2295 if (patmIsIllegalInstr(pPatch, pOrgInstrGC))
2296 {
2297 rc = VINF_SUCCESS;
2298 goto end;
2299 }
2300 }
2301 else
2302 Log(("DIS: %s", szOutput));
2303
2304 if (disret == false)
2305 {
2306 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
2307 rc = VINF_SUCCESS;
2308 goto end;
2309 }
2310
2311 rc = pfnPATMR3Disasm(pVM, &cpu, pInstrGC, pCurInstrGC, pCacheRec);
2312 if (rc != VWRN_CONTINUE_ANALYSIS) {
2313 break; //done!
2314 }
2315
2316 /* For our first attempt, we'll handle only simple relative jumps and calls (immediate offset coded in instruction) */
2317 if ( (cpu.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW)
2318 && (OP_PARM_VTYPE(cpu.pCurInstr->fParam1) == OP_PARM_J)
2319 && cpu.pCurInstr->uOpcode != OP_CALL /* complete functions are replaced; don't bother here. */
2320 )
2321 {
2322 RTRCPTR pTargetGC = PATMResolveBranch(&cpu, pCurInstrGC);
2323 RTRCPTR pOrgTargetGC;
2324
2325 if (pTargetGC == 0)
2326 {
2327 Log(("We don't support far jumps here!! (%08X)\n", cpu.Param1.fUse));
2328 rc = VERR_PATCHING_REFUSED;
2329 break;
2330 }
2331
2332 if (!PATMIsPatchGCAddr(pVM, pTargetGC))
2333 {
2334 //jump back to guest code
2335 rc = VINF_SUCCESS;
2336 goto end;
2337 }
2338 pOrgTargetGC = PATMR3PatchToGCPtr(pVM, pTargetGC, 0);
2339
2340 if (patmIsCommonIDTHandlerPatch(pVM, pOrgTargetGC))
2341 {
2342 rc = VINF_SUCCESS;
2343 goto end;
2344 }
2345
2346 if (patmIsKnownDisasmJump(pPatch, pTargetGC) == false)
2347 {
2348 /* New jump, let's check it. */
2349 patmPatchAddDisasmJump(pVM, pPatch, pTargetGC);
2350
2351 if (cpu.pCurInstr->uOpcode == OP_CALL) pPatch->pTempInfo->nrCalls++;
2352 rc = patmr3DisasmCode(pVM, pInstrGC, pTargetGC, pfnPATMR3Disasm, pCacheRec);
2353 if (cpu.pCurInstr->uOpcode == OP_CALL) pPatch->pTempInfo->nrCalls--;
2354
2355 if (rc != VINF_SUCCESS) {
2356 break; //done!
2357 }
2358 }
2359 if (cpu.pCurInstr->uOpcode == OP_JMP)
2360 {
2361 /* Unconditional jump; return to caller. */
2362 rc = VINF_SUCCESS;
2363 goto end;
2364 }
2365
2366 rc = VWRN_CONTINUE_ANALYSIS;
2367 }
2368 pCurInstrGC += cbInstr;
2369 }
2370end:
2371 return rc;
2372}
2373
2374/**
2375 * Disassembles the code stream until the callback function detects a failure or decides everything is acceptable
2376 *
2377 * @returns VBox status code.
2378 * @param pVM The cross context VM structure.
2379 * @param pInstrGC Guest context pointer to the initial privileged instruction
2380 * @param pCurInstrGC Guest context pointer to the current instruction
2381 * @param pfnPATMR3Disasm Callback for testing the disassembled instruction
2382 * @param pCacheRec Cache record ptr
2383 *
2384 */
2385int patmr3DisasmCodeStream(PVM pVM, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Disasm, PPATMP2GLOOKUPREC pCacheRec)
2386{
2387 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
2388
2389 int rc = patmr3DisasmCode(pVM, pInstrGC, pCurInstrGC, pfnPATMR3Disasm, pCacheRec);
2390 /* Free all disasm jump records. */
2391 patmEmptyTree(pVM, &pPatch->pTempInfo->DisasmJumpTree);
2392 return rc;
2393}
2394
2395#endif /* LOG_ENABLED */
2396
2397/**
2398 * Detects it the specified address falls within a 5 byte jump generated for an active patch.
2399 * If so, this patch is permanently disabled.
2400 *
2401 * @param pVM The cross context VM structure.
2402 * @param pInstrGC Guest context pointer to instruction
2403 * @param pConflictGC Guest context pointer to check
2404 *
2405 * @note also checks for patch hints to make sure they can never be enabled if a conflict is present.
2406 *
2407 */
2408VMMR3_INT_DECL(int) PATMR3DetectConflict(PVM pVM, RTRCPTR pInstrGC, RTRCPTR pConflictGC)
2409{
2410 AssertReturn(!HMIsEnabled(pVM), VERR_PATCH_NO_CONFLICT);
2411 PPATCHINFO pTargetPatch = patmFindActivePatchByEntrypoint(pVM, pConflictGC, true /* include patch hints */);
2412 if (pTargetPatch)
2413 return patmDisableUnusablePatch(pVM, pInstrGC, pConflictGC, pTargetPatch);
2414 return VERR_PATCH_NO_CONFLICT;
2415}
2416
2417/**
2418 * Recompile the code stream until the callback function detects a failure or decides everything is acceptable
2419 *
2420 * @returns VBox status code.
2421 * @param pVM The cross context VM structure.
2422 * @param pInstrGC Guest context pointer to privileged instruction
2423 * @param pCurInstrGC Guest context pointer to the current instruction
2424 * @param pfnPATMR3Recompile Callback for testing the disassembled instruction
2425 * @param pCacheRec Cache record ptr
2426 *
2427 */
2428static int patmRecompileCodeStream(PVM pVM, RCPTRTYPE(uint8_t *) pInstrGC, RCPTRTYPE(uint8_t *) pCurInstrGC, PFN_PATMR3ANALYSE pfnPATMR3Recompile, PPATMP2GLOOKUPREC pCacheRec)
2429{
2430 DISCPUSTATE cpu;
2431 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
2432 int rc = VWRN_CONTINUE_ANALYSIS;
2433 uint32_t cbInstr;
2434 R3PTRTYPE(uint8_t *) pCurInstrHC = 0;
2435 bool disret;
2436#ifdef LOG_ENABLED
2437 char szOutput[256];
2438#endif
2439
2440 while (rc == VWRN_CONTINUE_RECOMPILE)
2441 {
2442 pCurInstrHC = patmR3GCVirtToHCVirt(pVM, pCacheRec, pCurInstrGC);
2443 if (pCurInstrHC == NULL)
2444 {
2445 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2446 goto end;
2447 }
2448#ifdef LOG_ENABLED
2449 disret = patmR3DisInstrToStr(pVM, pPatch, pCurInstrGC, pCurInstrHC, PATMREAD_ORGCODE,
2450 &cpu, &cbInstr, szOutput, sizeof(szOutput));
2451 Log(("Recompile: %s", szOutput));
2452#else
2453 disret = patmR3DisInstr(pVM, pPatch, pCurInstrGC, pCurInstrHC, PATMREAD_ORGCODE, &cpu, &cbInstr);
2454#endif
2455 if (disret == false)
2456 {
2457 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
2458
2459 /* Add lookup record for patch to guest address translation */
2460 patmR3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
2461 patmPatchGenIllegalInstr(pVM, pPatch);
2462 rc = VINF_SUCCESS; /* Note: don't fail here; we might refuse an important patch!! */
2463 goto end;
2464 }
2465
2466 rc = pfnPATMR3Recompile(pVM, &cpu, pInstrGC, pCurInstrGC, pCacheRec);
2467 if (rc != VWRN_CONTINUE_RECOMPILE)
2468 {
2469 /* If irqs are inhibited because of the current instruction, then we must make sure the next one is executed! */
2470 if ( rc == VINF_SUCCESS
2471 && (pPatch->flags & PATMFL_INHIBIT_IRQS))
2472 {
2473 DISCPUSTATE cpunext;
2474 uint32_t opsizenext;
2475 uint8_t *pNextInstrHC;
2476 RTRCPTR pNextInstrGC = pCurInstrGC + cbInstr;
2477
2478 Log(("patmRecompileCodeStream: irqs inhibited by instruction %RRv\n", pNextInstrGC));
2479
2480 /* Certain instructions (e.g. sti) force the next instruction to be executed before any interrupts can occur.
2481 * Recompile the next instruction as well
2482 */
2483 pNextInstrHC = patmR3GCVirtToHCVirt(pVM, pCacheRec, pNextInstrGC);
2484 if (pNextInstrHC == NULL)
2485 {
2486 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2487 goto end;
2488 }
2489 disret = patmR3DisInstr(pVM, pPatch, pNextInstrGC, pNextInstrHC, PATMREAD_ORGCODE, &cpunext, &opsizenext);
2490 if (disret == false)
2491 {
2492 rc = VERR_PATCHING_REFUSED; /* fatal in this case */
2493 goto end;
2494 }
2495 switch(cpunext.pCurInstr->uOpcode)
2496 {
2497 case OP_IRET: /* inhibit cleared in generated code */
2498 case OP_SYSEXIT: /* faults; inhibit should be cleared in HC handling */
2499 case OP_HLT:
2500 break; /* recompile these */
2501
2502 default:
2503 if (cpunext.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW)
2504 {
2505 Log(("Unexpected control flow instruction after inhibit irq instruction\n"));
2506
2507 rc = patmPatchGenJumpToGuest(pVM, pPatch, pNextInstrGC, true /* clear inhibit irq flag */);
2508 AssertRC(rc);
2509 pPatch->flags &= ~PATMFL_INHIBIT_IRQS;
2510 goto end; /** @todo should be ok to ignore instruction fusing in this case */
2511 }
2512 break;
2513 }
2514
2515 /* Note: after a cli we must continue to a proper exit point */
2516 if (cpunext.pCurInstr->uOpcode != OP_CLI)
2517 {
2518 rc = pfnPATMR3Recompile(pVM, &cpunext, pInstrGC, pNextInstrGC, pCacheRec);
2519 if (RT_SUCCESS(rc))
2520 {
2521 rc = VINF_SUCCESS;
2522 goto end;
2523 }
2524 break;
2525 }
2526 else
2527 rc = VWRN_CONTINUE_RECOMPILE;
2528 }
2529 else
2530 break; /* done! */
2531 }
2532
2533 /** @todo continue with the instructions following the jump and then recompile the jump target code */
2534
2535
2536 /* For our first attempt, we'll handle only simple relative jumps and calls (immediate offset coded in instruction). */
2537 if ( (cpu.pCurInstr->fOpType & DISOPTYPE_CONTROLFLOW)
2538 && (OP_PARM_VTYPE(cpu.pCurInstr->fParam1) == OP_PARM_J)
2539 && cpu.pCurInstr->uOpcode != OP_CALL /* complete functions are replaced; don't bother here. */
2540 )
2541 {
2542 RCPTRTYPE(uint8_t *) addr = PATMResolveBranch(&cpu, pCurInstrGC);
2543 if (addr == 0)
2544 {
2545 Log(("We don't support far jumps here!! (%08X)\n", cpu.Param1.fUse));
2546 rc = VERR_PATCHING_REFUSED;
2547 break;
2548 }
2549
2550 Log(("Jump encountered target %RRv\n", addr));
2551
2552 /* We don't check if the branch target lies in a valid page as we've already done that in the analysis phase. */
2553 if (!(cpu.pCurInstr->fOpType & DISOPTYPE_UNCOND_CONTROLFLOW))
2554 {
2555 Log(("patmRecompileCodeStream continue passed conditional jump\n"));
2556 /* First we need to finish this linear code stream until the next exit point. */
2557 rc = patmRecompileCodeStream(pVM, pInstrGC, pCurInstrGC+cbInstr, pfnPATMR3Recompile, pCacheRec);
2558 if (RT_FAILURE(rc))
2559 {
2560 Log(("patmRecompileCodeStream fatal error %d\n", rc));
2561 break; //fatal error
2562 }
2563 }
2564
2565 if (patmGuestGCPtrToPatchGCPtr(pVM, pPatch, addr) == 0)
2566 {
2567 /* New code; let's recompile it. */
2568 Log(("patmRecompileCodeStream continue with jump\n"));
2569
2570 /*
2571 * If we are jumping to an existing patch (or within 5 bytes of the entrypoint), then we must temporarily disable
2572 * this patch so we can continue our analysis
2573 *
2574 * We rely on CSAM to detect and resolve conflicts
2575 */
2576 PPATCHINFO pTargetPatch = patmFindActivePatchByEntrypoint(pVM, addr);
2577 if(pTargetPatch)
2578 {
2579 Log(("Found active patch at target %RRv (%RRv) -> temporarily disabling it!!\n", addr, pTargetPatch->pPrivInstrGC));
2580 PATMR3DisablePatch(pVM, pTargetPatch->pPrivInstrGC);
2581 }
2582
2583 if (cpu.pCurInstr->uOpcode == OP_CALL) pPatch->pTempInfo->nrCalls++;
2584 rc = patmRecompileCodeStream(pVM, pInstrGC, addr, pfnPATMR3Recompile, pCacheRec);
2585 if (cpu.pCurInstr->uOpcode == OP_CALL) pPatch->pTempInfo->nrCalls--;
2586
2587 if(pTargetPatch)
2588 PATMR3EnablePatch(pVM, pTargetPatch->pPrivInstrGC);
2589
2590 if (RT_FAILURE(rc))
2591 {
2592 Log(("patmRecompileCodeStream fatal error %d\n", rc));
2593 break; //done!
2594 }
2595 }
2596 /* Always return to caller here; we're done! */
2597 rc = VINF_SUCCESS;
2598 goto end;
2599 }
2600 else
2601 if (cpu.pCurInstr->fOpType & DISOPTYPE_UNCOND_CONTROLFLOW)
2602 {
2603 rc = VINF_SUCCESS;
2604 goto end;
2605 }
2606 pCurInstrGC += cbInstr;
2607 }
2608end:
2609 Assert(!(pPatch->flags & PATMFL_RECOMPILE_NEXT));
2610 return rc;
2611}
2612
2613
2614/**
2615 * Generate the jump from guest to patch code
2616 *
2617 * @returns VBox status code.
2618 * @param pVM The cross context VM structure.
2619 * @param pPatch Patch record
2620 * @param pCacheRec Guest translation lookup cache record
2621 * @param fAddFixup Whether to add a fixup record.
2622 */
2623static int patmGenJumpToPatch(PVM pVM, PPATCHINFO pPatch, PPATMP2GLOOKUPREC pCacheRec, bool fAddFixup = true)
2624{
2625 uint8_t temp[8];
2626 uint8_t *pPB;
2627 int rc;
2628
2629 Assert(pPatch->cbPatchJump <= sizeof(temp));
2630 Assert(!(pPatch->flags & PATMFL_PATCHED_GUEST_CODE));
2631
2632 pPB = patmR3GCVirtToHCVirt(pVM, pCacheRec, pPatch->pPrivInstrGC);
2633 Assert(pPB);
2634
2635#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
2636 if (pPatch->flags & PATMFL_JUMP_CONFLICT)
2637 {
2638 Assert(pPatch->pPatchJumpDestGC);
2639
2640 if (pPatch->cbPatchJump == SIZEOF_NEARJUMP32)
2641 {
2642 // jmp [PatchCode]
2643 if (fAddFixup)
2644 {
2645 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + pPatch->cbPatchJump,
2646 pPatch->pPatchJumpDestGC) != VINF_SUCCESS)
2647 {
2648 Log(("Relocation failed for the jump in the guest code!!\n"));
2649 return VERR_PATCHING_REFUSED;
2650 }
2651 }
2652
2653 temp[0] = pPatch->aPrivInstr[0]; //jump opcode copied from original instruction
2654 *(uint32_t *)&temp[1] = (uint32_t)pPatch->pPatchJumpDestGC - ((uint32_t)pPatch->pPrivInstrGC + pPatch->cbPatchJump); //return address
2655 }
2656 else
2657 if (pPatch->cbPatchJump == SIZEOF_NEAR_COND_JUMP32)
2658 {
2659 // jmp [PatchCode]
2660 if (fAddFixup)
2661 {
2662 if (patmPatchAddReloc32(pVM, pPatch, &pPB[2], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + pPatch->cbPatchJump,
2663 pPatch->pPatchJumpDestGC) != VINF_SUCCESS)
2664 {
2665 Log(("Relocation failed for the jump in the guest code!!\n"));
2666 return VERR_PATCHING_REFUSED;
2667 }
2668 }
2669
2670 temp[0] = pPatch->aPrivInstr[0]; //jump opcode copied from original instruction
2671 temp[1] = pPatch->aPrivInstr[1]; //jump opcode copied from original instruction
2672 *(uint32_t *)&temp[2] = (uint32_t)pPatch->pPatchJumpDestGC - ((uint32_t)pPatch->pPrivInstrGC + pPatch->cbPatchJump); //return address
2673 }
2674 else
2675 {
2676 Assert(0);
2677 return VERR_PATCHING_REFUSED;
2678 }
2679 }
2680 else
2681#endif
2682 {
2683 Assert(pPatch->cbPatchJump == SIZEOF_NEARJUMP32);
2684
2685 // jmp [PatchCode]
2686 if (fAddFixup)
2687 {
2688 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH, pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32,
2689 PATCHCODE_PTR_GC(pPatch)) != VINF_SUCCESS)
2690 {
2691 Log(("Relocation failed for the jump in the guest code!!\n"));
2692 return VERR_PATCHING_REFUSED;
2693 }
2694 }
2695 temp[0] = 0xE9; //jmp
2696 *(uint32_t *)&temp[1] = (RTRCUINTPTR)PATCHCODE_PTR_GC(pPatch) - ((RTRCUINTPTR)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32); //return address
2697 }
2698 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, temp, pPatch->cbPatchJump);
2699 AssertRC(rc);
2700
2701 if (rc == VINF_SUCCESS)
2702 pPatch->flags |= PATMFL_PATCHED_GUEST_CODE;
2703
2704 return rc;
2705}
2706
2707/**
2708 * Remove the jump from guest to patch code
2709 *
2710 * @returns VBox status code.
2711 * @param pVM The cross context VM structure.
2712 * @param pPatch Patch record
2713 */
2714static int patmRemoveJumpToPatch(PVM pVM, PPATCHINFO pPatch)
2715{
2716#ifdef DEBUG
2717 DISCPUSTATE cpu;
2718 char szOutput[256];
2719 uint32_t cbInstr, i = 0;
2720 bool disret;
2721
2722 while (i < pPatch->cbPrivInstr)
2723 {
2724 disret = patmR3DisInstrToStr(pVM, pPatch, pPatch->pPrivInstrGC + i, NULL, PATMREAD_ORGCODE,
2725 &cpu, &cbInstr, szOutput, sizeof(szOutput));
2726 if (disret == false)
2727 break;
2728
2729 Log(("Org patch jump: %s", szOutput));
2730 Assert(cbInstr);
2731 i += cbInstr;
2732 }
2733#endif
2734
2735 /* Restore original code (privileged instruction + following instructions that were overwritten because of the 5/6 byte jmp). */
2736 int rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, pPatch->aPrivInstr, pPatch->cbPatchJump);
2737#ifdef DEBUG
2738 if (rc == VINF_SUCCESS)
2739 {
2740 i = 0;
2741 while (i < pPatch->cbPrivInstr)
2742 {
2743 disret = patmR3DisInstrToStr(pVM, pPatch, pPatch->pPrivInstrGC + i, NULL, PATMREAD_ORGCODE,
2744 &cpu, &cbInstr, szOutput, sizeof(szOutput));
2745 if (disret == false)
2746 break;
2747
2748 Log(("Org instr: %s", szOutput));
2749 Assert(cbInstr);
2750 i += cbInstr;
2751 }
2752 }
2753#endif
2754 pPatch->flags &= ~PATMFL_PATCHED_GUEST_CODE;
2755 return rc;
2756}
2757
2758/**
2759 * Generate the call from guest to patch code
2760 *
2761 * @returns VBox status code.
2762 * @param pVM The cross context VM structure.
2763 * @param pPatch Patch record
2764 * @param pTargetGC The target of the fixup (i.e. the patch code we're
2765 * calling into).
2766 * @param pCacheRec Guest translation cache record
2767 * @param fAddFixup Whether to add a fixup record.
2768 */
2769static int patmGenCallToPatch(PVM pVM, PPATCHINFO pPatch, RTRCPTR pTargetGC, PPATMP2GLOOKUPREC pCacheRec, bool fAddFixup = true)
2770{
2771 uint8_t temp[8];
2772 uint8_t *pPB;
2773 int rc;
2774
2775 Assert(pPatch->cbPatchJump <= sizeof(temp));
2776
2777 pPB = patmR3GCVirtToHCVirt(pVM, pCacheRec, pPatch->pPrivInstrGC);
2778 Assert(pPB);
2779
2780 Assert(pPatch->cbPatchJump == SIZEOF_NEARJUMP32);
2781
2782 // jmp [PatchCode]
2783 if (fAddFixup)
2784 {
2785 if (patmPatchAddReloc32(pVM, pPatch, &pPB[1], FIXUP_REL_JMPTOPATCH,
2786 pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32, pTargetGC) != VINF_SUCCESS)
2787 {
2788 Log(("Relocation failed for the jump in the guest code!!\n"));
2789 return VERR_PATCHING_REFUSED;
2790 }
2791 }
2792
2793 Assert(pPatch->aPrivInstr[0] == 0xE8 || pPatch->aPrivInstr[0] == 0xE9); /* call or jmp */
2794 temp[0] = pPatch->aPrivInstr[0];
2795 *(uint32_t *)&temp[1] = (uint32_t)pTargetGC - ((uint32_t)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32); //return address
2796
2797 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, temp, pPatch->cbPatchJump);
2798 AssertRC(rc);
2799
2800 return rc;
2801}
2802
2803
2804/**
2805 * Patch cli/sti pushf/popf instruction block at specified location
2806 *
2807 * @returns VBox status code.
2808 * @param pVM The cross context VM structure.
2809 * @param pInstrGC Guest context point to privileged instruction
2810 * @param pInstrHC Host context point to privileged instruction
2811 * @param uOpcode Instruction opcode
2812 * @param uOpSize Size of starting instruction
2813 * @param pPatchRec Patch record
2814 *
2815 * @note returns failure if patching is not allowed or possible
2816 *
2817 */
2818static int patmR3PatchBlock(PVM pVM, RTRCPTR pInstrGC, R3PTRTYPE(uint8_t *) pInstrHC,
2819 uint32_t uOpcode, uint32_t uOpSize, PPATMPATCHREC pPatchRec)
2820{
2821 PPATCHINFO pPatch = &pPatchRec->patch;
2822 int rc = VERR_PATCHING_REFUSED;
2823 uint32_t orgOffsetPatchMem = ~0;
2824 RTRCPTR pInstrStart;
2825 bool fInserted;
2826 NOREF(pInstrHC); NOREF(uOpSize);
2827
2828 /* Save original offset (in case of failures later on) */
2829 /** @todo use the hypervisor heap (that has quite a few consequences for save/restore though) */
2830 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
2831
2832 Assert(!(pPatch->flags & (PATMFL_GUEST_SPECIFIC|PATMFL_USER_MODE|PATMFL_TRAPHANDLER)));
2833 switch (uOpcode)
2834 {
2835 case OP_MOV:
2836 break;
2837
2838 case OP_CLI:
2839 case OP_PUSHF:
2840 /* We can 'call' a cli or pushf patch. It will either return to the original guest code when IF is set again, or fault. */
2841 /* Note: special precautions are taken when disabling and enabling such patches. */
2842 pPatch->flags |= PATMFL_CALLABLE_AS_FUNCTION;
2843 break;
2844
2845 default:
2846 if (!(pPatch->flags & PATMFL_IDTHANDLER))
2847 {
2848 AssertMsg(0, ("patmR3PatchBlock: Invalid opcode %x\n", uOpcode));
2849 return VERR_INVALID_PARAMETER;
2850 }
2851 }
2852
2853 if (!(pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER|PATMFL_INT3_REPLACEMENT_BLOCK)))
2854 pPatch->flags |= PATMFL_MUST_INSTALL_PATCHJMP;
2855
2856 /* If we're going to insert a patch jump, then the jump itself is not allowed to cross a page boundary. */
2857 if ( (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
2858 && PAGE_ADDRESS(pInstrGC) != PAGE_ADDRESS(pInstrGC + SIZEOF_NEARJUMP32)
2859 )
2860 {
2861 STAM_COUNTER_INC(&pVM->patm.s.StatPageBoundaryCrossed);
2862 Log(("Patch jump would cross page boundary -> refuse!!\n"));
2863 rc = VERR_PATCHING_REFUSED;
2864 goto failure;
2865 }
2866
2867 pPatch->nrPatch2GuestRecs = 0;
2868 pInstrStart = pInstrGC;
2869
2870#ifdef PATM_ENABLE_CALL
2871 pPatch->flags |= PATMFL_SUPPORT_CALLS | PATMFL_SUPPORT_INDIRECT_CALLS;
2872#endif
2873
2874 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
2875 pPatch->uCurPatchOffset = 0;
2876
2877 if ((pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER)) == PATMFL_IDTHANDLER)
2878 {
2879 Assert(pPatch->flags & PATMFL_INTHANDLER);
2880
2881 /* Install fake cli patch (to clear the virtual IF and check int xx parameters) */
2882 rc = patmPatchGenIntEntry(pVM, pPatch, pInstrGC);
2883 if (RT_FAILURE(rc))
2884 goto failure;
2885 }
2886
2887 /***************************************************************************************************************************/
2888 /* Note: We can't insert *any* code before a sysenter handler; some linux guests have an invalid stack at this point!!!!! */
2889 /***************************************************************************************************************************/
2890#ifdef VBOX_WITH_STATISTICS
2891 if (!(pPatch->flags & PATMFL_SYSENTER))
2892 {
2893 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
2894 if (RT_FAILURE(rc))
2895 goto failure;
2896 }
2897#endif
2898
2899 PATMP2GLOOKUPREC cacheRec;
2900 RT_ZERO(cacheRec);
2901 cacheRec.pPatch = pPatch;
2902
2903 rc = patmRecompileCodeStream(pVM, pInstrGC, pInstrGC, patmRecompileCallback, &cacheRec);
2904 /* Free leftover lock if any. */
2905 if (cacheRec.Lock.pvMap)
2906 {
2907 PGMPhysReleasePageMappingLock(pVM, &cacheRec.Lock);
2908 cacheRec.Lock.pvMap = NULL;
2909 }
2910 if (rc != VINF_SUCCESS)
2911 {
2912 Log(("PATMR3PatchCli: patmRecompileCodeStream failed with %d\n", rc));
2913 goto failure;
2914 }
2915
2916 /* Calculated during analysis. */
2917 if (pPatch->cbPatchBlockSize < SIZEOF_NEARJUMP32)
2918 {
2919 /* Most likely cause: we encountered an illegal instruction very early on. */
2920 /** @todo could turn it into an int3 callable patch. */
2921 Log(("patmR3PatchBlock: patch block too small -> refuse\n"));
2922 rc = VERR_PATCHING_REFUSED;
2923 goto failure;
2924 }
2925
2926 /* size of patch block */
2927 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
2928
2929
2930 /* Update free pointer in patch memory. */
2931 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
2932 /* Round to next 8 byte boundary. */
2933 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
2934
2935 /*
2936 * Insert into patch to guest lookup tree
2937 */
2938 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
2939 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
2940 fInserted = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
2941 AssertMsg(fInserted, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
2942 if (!fInserted)
2943 {
2944 rc = VERR_PATCHING_REFUSED;
2945 goto failure;
2946 }
2947
2948 /* Note that patmr3SetBranchTargets can install additional patches!! */
2949 rc = patmr3SetBranchTargets(pVM, pPatch);
2950 if (rc != VINF_SUCCESS)
2951 {
2952 Log(("PATMR3PatchCli: patmr3SetBranchTargets failed with %d\n", rc));
2953 goto failure;
2954 }
2955
2956#ifdef LOG_ENABLED
2957 Log(("Patch code ----------------------------------------------------------\n"));
2958 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmR3DisasmCallback, &cacheRec);
2959 /* Free leftover lock if any. */
2960 if (cacheRec.Lock.pvMap)
2961 {
2962 PGMPhysReleasePageMappingLock(pVM, &cacheRec.Lock);
2963 cacheRec.Lock.pvMap = NULL;
2964 }
2965 Log(("Patch code ends -----------------------------------------------------\n"));
2966#endif
2967
2968 /* make a copy of the guest code bytes that will be overwritten */
2969 pPatch->cbPatchJump = SIZEOF_NEARJUMP32;
2970
2971 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
2972 AssertRC(rc);
2973
2974 if (pPatch->flags & PATMFL_INT3_REPLACEMENT_BLOCK)
2975 {
2976 /*uint8_t bASMInt3 = 0xCC; - unused */
2977
2978 Log(("patmR3PatchBlock %RRv -> int 3 callable patch.\n", pPatch->pPrivInstrGC));
2979 /* Replace first opcode byte with 'int 3'. */
2980 rc = patmActivateInt3Patch(pVM, pPatch);
2981 if (RT_FAILURE(rc))
2982 goto failure;
2983
2984 /* normal patch can be turned into an int3 patch -> clear patch jump installation flag. */
2985 pPatch->flags &= ~PATMFL_MUST_INSTALL_PATCHJMP;
2986
2987 pPatch->flags &= ~PATMFL_INSTR_HINT;
2988 STAM_COUNTER_INC(&pVM->patm.s.StatInt3Callable);
2989 }
2990 else
2991 if (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
2992 {
2993 Assert(!(pPatch->flags & (PATMFL_IDTHANDLER|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_SYSENTER|PATMFL_INT3_REPLACEMENT_BLOCK)));
2994 /* now insert a jump in the guest code */
2995 rc = patmGenJumpToPatch(pVM, pPatch, &cacheRec, true);
2996 AssertRC(rc);
2997 if (RT_FAILURE(rc))
2998 goto failure;
2999
3000 }
3001
3002 patmR3DbgAddPatch(pVM, pPatchRec);
3003
3004 PATM_LOG_RAW_PATCH_INSTR(pVM, pPatch, patmGetInstructionString(pPatch->opcode, pPatch->flags));
3005
3006 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3007 pPatch->pTempInfo->nrIllegalInstr = 0;
3008
3009 Log(("Successfully installed %s patch at %RRv\n", patmGetInstructionString(pPatch->opcode, pPatch->flags), pInstrGC));
3010
3011 pPatch->uState = PATCH_ENABLED;
3012 return VINF_SUCCESS;
3013
3014failure:
3015 if (pPatchRec->CoreOffset.Key)
3016 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
3017
3018 patmEmptyTree(pVM, &pPatch->FixupTree);
3019 pPatch->nrFixups = 0;
3020
3021 patmEmptyTree(pVM, &pPatch->JumpTree);
3022 pPatch->nrJumpRecs = 0;
3023
3024 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3025 pPatch->pTempInfo->nrIllegalInstr = 0;
3026
3027 /* Turn this cli patch into a dummy. */
3028 pPatch->uState = PATCH_REFUSED;
3029 pPatch->pPatchBlockOffset = 0;
3030
3031 // Give back the patch memory we no longer need
3032 Assert(orgOffsetPatchMem != (uint32_t)~0);
3033 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3034
3035 return rc;
3036}
3037
3038/**
3039 * Patch IDT handler
3040 *
3041 * @returns VBox status code.
3042 * @param pVM The cross context VM structure.
3043 * @param pInstrGC Guest context point to privileged instruction
3044 * @param uOpSize Size of starting instruction
3045 * @param pPatchRec Patch record
3046 * @param pCacheRec Cache record ptr
3047 *
3048 * @note returns failure if patching is not allowed or possible
3049 *
3050 */
3051static int patmIdtHandler(PVM pVM, RTRCPTR pInstrGC, uint32_t uOpSize, PPATMPATCHREC pPatchRec, PPATMP2GLOOKUPREC pCacheRec)
3052{
3053 PPATCHINFO pPatch = &pPatchRec->patch;
3054 bool disret;
3055 DISCPUSTATE cpuPush, cpuJmp;
3056 uint32_t cbInstr;
3057 RTRCPTR pCurInstrGC = pInstrGC;
3058 uint8_t *pCurInstrHC, *pInstrHC;
3059 uint32_t orgOffsetPatchMem = ~0;
3060
3061 pInstrHC = pCurInstrHC = patmR3GCVirtToHCVirt(pVM, pCacheRec, pCurInstrGC);
3062 AssertReturn(pCurInstrHC, VERR_PAGE_NOT_PRESENT);
3063
3064 /*
3065 * In Linux it's often the case that many interrupt handlers push a predefined value onto the stack
3066 * and then jump to a common entrypoint. In order not to waste a lot of memory, we will check for this
3067 * condition here and only patch the common entypoint once.
3068 */
3069 disret = patmR3DisInstr(pVM, pPatch, pCurInstrGC, pCurInstrHC, PATMREAD_ORGCODE, &cpuPush, &cbInstr);
3070 Assert(disret);
3071 if (disret && cpuPush.pCurInstr->uOpcode == OP_PUSH)
3072 {
3073 RTRCPTR pJmpInstrGC;
3074 int rc;
3075 pCurInstrGC += cbInstr;
3076
3077 disret = patmR3DisInstr(pVM, pPatch, pCurInstrGC, pCurInstrHC, PATMREAD_ORGCODE, &cpuJmp, &cbInstr);
3078 if ( disret
3079 && cpuJmp.pCurInstr->uOpcode == OP_JMP
3080 && (pJmpInstrGC = PATMResolveBranch(&cpuJmp, pCurInstrGC))
3081 )
3082 {
3083 bool fInserted;
3084 PPATMPATCHREC pJmpPatch = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pJmpInstrGC);
3085 if (pJmpPatch == 0)
3086 {
3087 /* Patch it first! */
3088 rc = PATMR3InstallPatch(pVM, pJmpInstrGC, pPatch->flags | PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT);
3089 if (rc != VINF_SUCCESS)
3090 goto failure;
3091 pJmpPatch = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pJmpInstrGC);
3092 Assert(pJmpPatch);
3093 }
3094 if (pJmpPatch->patch.uState != PATCH_ENABLED)
3095 goto failure;
3096
3097 /* save original offset (in case of failures later on) */
3098 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3099
3100 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3101 pPatch->uCurPatchOffset = 0;
3102 pPatch->nrPatch2GuestRecs = 0;
3103
3104#ifdef VBOX_WITH_STATISTICS
3105 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3106 if (RT_FAILURE(rc))
3107 goto failure;
3108#endif
3109
3110 /* Install fake cli patch (to clear the virtual IF) */
3111 rc = patmPatchGenIntEntry(pVM, pPatch, pInstrGC);
3112 if (RT_FAILURE(rc))
3113 goto failure;
3114
3115 /* Add lookup record for patch to guest address translation (for the push) */
3116 patmR3AddP2GLookupRecord(pVM, pPatch, PATCHCODE_PTR_HC(pPatch) + pPatch->uCurPatchOffset, pInstrGC, PATM_LOOKUP_BOTHDIR);
3117
3118 /* Duplicate push. */
3119 rc = patmPatchGenDuplicate(pVM, pPatch, &cpuPush, pInstrGC);
3120 if (RT_FAILURE(rc))
3121 goto failure;
3122
3123 /* Generate jump to common entrypoint. */
3124 rc = patmPatchGenPatchJump(pVM, pPatch, pCurInstrGC, PATCHCODE_PTR_GC(&pJmpPatch->patch));
3125 if (RT_FAILURE(rc))
3126 goto failure;
3127
3128 /* size of patch block */
3129 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3130
3131 /* Update free pointer in patch memory. */
3132 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3133 /* Round to next 8 byte boundary */
3134 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3135
3136 /* There's no jump from guest to patch code. */
3137 pPatch->cbPatchJump = 0;
3138
3139
3140#ifdef LOG_ENABLED
3141 Log(("Patch code ----------------------------------------------------------\n"));
3142 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmR3DisasmCallback, pCacheRec);
3143 Log(("Patch code ends -----------------------------------------------------\n"));
3144#endif
3145 Log(("Successfully installed IDT handler patch at %RRv\n", pInstrGC));
3146
3147 /*
3148 * Insert into patch to guest lookup tree
3149 */
3150 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3151 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3152 fInserted = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3153 AssertMsg(fInserted, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
3154 patmR3DbgAddPatch(pVM, pPatchRec);
3155
3156 pPatch->uState = PATCH_ENABLED;
3157
3158 return VINF_SUCCESS;
3159 }
3160 }
3161failure:
3162 /* Give back the patch memory we no longer need */
3163 if (orgOffsetPatchMem != (uint32_t)~0)
3164 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3165
3166 return patmR3PatchBlock(pVM, pInstrGC, pInstrHC, OP_CLI, uOpSize, pPatchRec);
3167}
3168
3169/**
3170 * Install a trampoline to call a guest trap handler directly
3171 *
3172 * @returns VBox status code.
3173 * @param pVM The cross context VM structure.
3174 * @param pInstrGC Guest context point to privileged instruction
3175 * @param pPatchRec Patch record
3176 * @param pCacheRec Cache record ptr
3177 *
3178 */
3179static int patmInstallTrapTrampoline(PVM pVM, RTRCPTR pInstrGC, PPATMPATCHREC pPatchRec, PPATMP2GLOOKUPREC pCacheRec)
3180{
3181 PPATCHINFO pPatch = &pPatchRec->patch;
3182 int rc = VERR_PATCHING_REFUSED;
3183 uint32_t orgOffsetPatchMem = ~0;
3184 bool fInserted;
3185
3186 // save original offset (in case of failures later on)
3187 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3188
3189 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3190 pPatch->uCurPatchOffset = 0;
3191 pPatch->nrPatch2GuestRecs = 0;
3192
3193#ifdef VBOX_WITH_STATISTICS
3194 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3195 if (RT_FAILURE(rc))
3196 goto failure;
3197#endif
3198
3199 rc = patmPatchGenTrapEntry(pVM, pPatch, pInstrGC);
3200 if (RT_FAILURE(rc))
3201 goto failure;
3202
3203 /* size of patch block */
3204 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3205
3206 /* Update free pointer in patch memory. */
3207 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3208 /* Round to next 8 byte boundary */
3209 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3210
3211 /* There's no jump from guest to patch code. */
3212 pPatch->cbPatchJump = 0;
3213
3214#ifdef LOG_ENABLED
3215 Log(("Patch code ----------------------------------------------------------\n"));
3216 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmR3DisasmCallback, pCacheRec);
3217 Log(("Patch code ends -----------------------------------------------------\n"));
3218#endif
3219 PATM_LOG_ORG_PATCH_INSTR(pVM, pPatch, "TRAP handler");
3220 Log(("Successfully installed Trap Trampoline patch at %RRv\n", pInstrGC));
3221
3222 /*
3223 * Insert into patch to guest lookup tree
3224 */
3225 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3226 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3227 fInserted = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3228 AssertMsg(fInserted, ("RTAvlULInsert failed for %x\n", pPatchRec->CoreOffset.Key));
3229 patmR3DbgAddPatch(pVM, pPatchRec);
3230
3231 pPatch->uState = PATCH_ENABLED;
3232 return VINF_SUCCESS;
3233
3234failure:
3235 AssertMsgFailed(("Failed to install trap handler trampoline!!\n"));
3236
3237 /* Turn this cli patch into a dummy. */
3238 pPatch->uState = PATCH_REFUSED;
3239 pPatch->pPatchBlockOffset = 0;
3240
3241 /* Give back the patch memory we no longer need */
3242 Assert(orgOffsetPatchMem != (uint32_t)~0);
3243 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3244
3245 return rc;
3246}
3247
3248
3249#ifdef LOG_ENABLED
3250/**
3251 * Check if the instruction is patched as a common idt handler
3252 *
3253 * @returns true or false
3254 * @param pVM The cross context VM structure.
3255 * @param pInstrGC Guest context point to the instruction
3256 *
3257 */
3258static bool patmIsCommonIDTHandlerPatch(PVM pVM, RTRCPTR pInstrGC)
3259{
3260 PPATMPATCHREC pRec;
3261
3262 pRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
3263 if (pRec && pRec->patch.flags & PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT)
3264 return true;
3265 return false;
3266}
3267#endif //DEBUG
3268
3269
3270/**
3271 * Duplicates a complete function
3272 *
3273 * @returns VBox status code.
3274 * @param pVM The cross context VM structure.
3275 * @param pInstrGC Guest context point to privileged instruction
3276 * @param pPatchRec Patch record
3277 * @param pCacheRec Cache record ptr
3278 *
3279 */
3280static int patmDuplicateFunction(PVM pVM, RTRCPTR pInstrGC, PPATMPATCHREC pPatchRec, PPATMP2GLOOKUPREC pCacheRec)
3281{
3282 PPATCHINFO pPatch = &pPatchRec->patch;
3283 int rc = VERR_PATCHING_REFUSED;
3284 uint32_t orgOffsetPatchMem = ~0;
3285 bool fInserted;
3286
3287 Log(("patmDuplicateFunction %RRv\n", pInstrGC));
3288 /* Save original offset (in case of failures later on). */
3289 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3290
3291 /* We will not go on indefinitely with call instruction handling. */
3292 if (pVM->patm.s.ulCallDepth > PATM_MAX_CALL_DEPTH)
3293 {
3294 Log(("patmDuplicateFunction: maximum callback depth reached!!\n"));
3295 return VERR_PATCHING_REFUSED;
3296 }
3297
3298 pVM->patm.s.ulCallDepth++;
3299
3300#ifdef PATM_ENABLE_CALL
3301 pPatch->flags |= PATMFL_SUPPORT_CALLS | PATMFL_SUPPORT_INDIRECT_CALLS;
3302#endif
3303
3304 Assert(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION));
3305
3306 pPatch->nrPatch2GuestRecs = 0;
3307 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3308 pPatch->uCurPatchOffset = 0;
3309
3310 /* Note: Set the PATM interrupt flag here; it was cleared before the patched call. (!!!) */
3311 rc = patmPatchGenSetPIF(pVM, pPatch, pInstrGC);
3312 if (RT_FAILURE(rc))
3313 goto failure;
3314
3315#ifdef VBOX_WITH_STATISTICS
3316 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3317 if (RT_FAILURE(rc))
3318 goto failure;
3319#endif
3320
3321 rc = patmRecompileCodeStream(pVM, pInstrGC, pInstrGC, patmRecompileCallback, pCacheRec);
3322 if (rc != VINF_SUCCESS)
3323 {
3324 Log(("PATMR3PatchCli: patmRecompileCodeStream failed with %d\n", rc));
3325 goto failure;
3326 }
3327
3328 //size of patch block
3329 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3330
3331 //update free pointer in patch memory
3332 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3333 /* Round to next 8 byte boundary. */
3334 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3335
3336 pPatch->uState = PATCH_ENABLED;
3337
3338 /*
3339 * Insert into patch to guest lookup tree
3340 */
3341 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3342 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3343 fInserted = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3344 AssertMsg(fInserted, ("RTAvloU32Insert failed for %x\n", pPatchRec->CoreOffset.Key));
3345 if (!fInserted)
3346 {
3347 rc = VERR_PATCHING_REFUSED;
3348 goto failure;
3349 }
3350
3351 /* Note that patmr3SetBranchTargets can install additional patches!! */
3352 rc = patmr3SetBranchTargets(pVM, pPatch);
3353 if (rc != VINF_SUCCESS)
3354 {
3355 Log(("PATMR3PatchCli: patmr3SetBranchTargets failed with %d\n", rc));
3356 goto failure;
3357 }
3358
3359 patmR3DbgAddPatch(pVM, pPatchRec);
3360
3361#ifdef LOG_ENABLED
3362 Log(("Patch code ----------------------------------------------------------\n"));
3363 patmr3DisasmCodeStream(pVM, PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_GC(pPatch), patmR3DisasmCallback, pCacheRec);
3364 Log(("Patch code ends -----------------------------------------------------\n"));
3365#endif
3366
3367 Log(("Successfully installed function duplication patch at %RRv\n", pInstrGC));
3368
3369 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3370 pPatch->pTempInfo->nrIllegalInstr = 0;
3371
3372 pVM->patm.s.ulCallDepth--;
3373 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledFunctionPatches);
3374 return VINF_SUCCESS;
3375
3376failure:
3377 if (pPatchRec->CoreOffset.Key)
3378 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
3379
3380 patmEmptyTree(pVM, &pPatch->FixupTree);
3381 pPatch->nrFixups = 0;
3382
3383 patmEmptyTree(pVM, &pPatch->JumpTree);
3384 pPatch->nrJumpRecs = 0;
3385
3386 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3387 pPatch->pTempInfo->nrIllegalInstr = 0;
3388
3389 /* Turn this cli patch into a dummy. */
3390 pPatch->uState = PATCH_REFUSED;
3391 pPatch->pPatchBlockOffset = 0;
3392
3393 // Give back the patch memory we no longer need
3394 Assert(orgOffsetPatchMem != (uint32_t)~0);
3395 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3396
3397 pVM->patm.s.ulCallDepth--;
3398 Log(("patmDupicateFunction %RRv failed!!\n", pInstrGC));
3399 return rc;
3400}
3401
3402/**
3403 * Creates trampoline code to jump inside an existing patch
3404 *
3405 * @returns VBox status code.
3406 * @param pVM The cross context VM structure.
3407 * @param pInstrGC Guest context point to privileged instruction
3408 * @param pPatchRec Patch record
3409 *
3410 */
3411static int patmCreateTrampoline(PVM pVM, RTRCPTR pInstrGC, PPATMPATCHREC pPatchRec)
3412{
3413 PPATCHINFO pPatch = &pPatchRec->patch;
3414 RTRCPTR pPage, pPatchTargetGC = 0;
3415 uint32_t orgOffsetPatchMem = ~0;
3416 int rc = VERR_PATCHING_REFUSED;
3417 PPATCHINFO pPatchToJmp = NULL; /**< Patch the trampoline jumps to. */
3418 PTRAMPREC pTrampRec = NULL; /**< Trampoline record used to find the patch. */
3419 bool fInserted = false;
3420
3421 Log(("patmCreateTrampoline %RRv\n", pInstrGC));
3422 /* Save original offset (in case of failures later on). */
3423 orgOffsetPatchMem = pVM->patm.s.offPatchMem;
3424
3425 /* First we check if the duplicate function target lies in some existing function patch already. Will save some space. */
3426 /** @todo we already checked this before */
3427 pPage = pInstrGC & PAGE_BASE_GC_MASK;
3428
3429 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTRCPTR)pPage);
3430 if (pPatchPage)
3431 {
3432 uint32_t i;
3433
3434 for (i=0;i<pPatchPage->cCount;i++)
3435 {
3436 if (pPatchPage->papPatch[i])
3437 {
3438 pPatchToJmp = pPatchPage->papPatch[i];
3439
3440 if ( (pPatchToJmp->flags & PATMFL_DUPLICATE_FUNCTION)
3441 && pPatchToJmp->uState == PATCH_ENABLED)
3442 {
3443 pPatchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatchToJmp, pInstrGC);
3444 if (pPatchTargetGC)
3445 {
3446 uint32_t offsetPatch = pPatchTargetGC - pVM->patm.s.pPatchMemGC;
3447 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatchToJmp->Patch2GuestAddrTree, offsetPatch, false);
3448 Assert(pPatchToGuestRec);
3449
3450 pPatchToGuestRec->fJumpTarget = true;
3451 Assert(pPatchTargetGC != pPatchToJmp->pPrivInstrGC);
3452 Log(("patmCreateTrampoline: generating jump to code inside patch at %RRv (patch target %RRv)\n", pPatchToJmp->pPrivInstrGC, pPatchTargetGC));
3453 break;
3454 }
3455 }
3456 }
3457 }
3458 }
3459 AssertReturn(pPatchPage && pPatchTargetGC && pPatchToJmp, VERR_PATCHING_REFUSED);
3460
3461 /*
3462 * Only record the trampoline patch if this is the first patch to the target
3463 * or we recorded other patches already.
3464 * The goal is to refuse refreshing function duplicates if the guest
3465 * modifies code after a saved state was loaded because it is not possible
3466 * to save the relation between trampoline and target without changing the
3467 * saved satte version.
3468 */
3469 if ( !(pPatchToJmp->flags & PATMFL_EXTERNAL_JUMP_INSIDE)
3470 || pPatchToJmp->pTrampolinePatchesHead)
3471 {
3472 pPatchToJmp->flags |= PATMFL_EXTERNAL_JUMP_INSIDE;
3473 pTrampRec = (PTRAMPREC)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(*pTrampRec));
3474 if (!pTrampRec)
3475 return VERR_NO_MEMORY; /* or better return VERR_PATCHING_REFUSED to let the VM continue? */
3476
3477 pTrampRec->pPatchTrampoline = pPatchRec;
3478 }
3479
3480 pPatch->nrPatch2GuestRecs = 0;
3481 pPatch->pPatchBlockOffset = pVM->patm.s.offPatchMem;
3482 pPatch->uCurPatchOffset = 0;
3483
3484 /* Note: Set the PATM interrupt flag here; it was cleared before the patched call. (!!!) */
3485 rc = patmPatchGenSetPIF(pVM, pPatch, pInstrGC);
3486 if (RT_FAILURE(rc))
3487 goto failure;
3488
3489#ifdef VBOX_WITH_STATISTICS
3490 rc = patmPatchGenStats(pVM, pPatch, pInstrGC);
3491 if (RT_FAILURE(rc))
3492 goto failure;
3493#endif
3494
3495 rc = patmPatchGenPatchJump(pVM, pPatch, pInstrGC, pPatchTargetGC);
3496 if (RT_FAILURE(rc))
3497 goto failure;
3498
3499 /*
3500 * Insert into patch to guest lookup tree
3501 */
3502 LogFlow(("Insert %RRv patch offset %RRv\n", pPatchRec->patch.pPrivInstrGC, pPatch->pPatchBlockOffset));
3503 pPatchRec->CoreOffset.Key = pPatch->pPatchBlockOffset;
3504 fInserted = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, &pPatchRec->CoreOffset);
3505 AssertMsg(fInserted, ("RTAvloU32Insert failed for %x\n", pPatchRec->CoreOffset.Key));
3506 if (!fInserted)
3507 {
3508 rc = VERR_PATCHING_REFUSED;
3509 goto failure;
3510 }
3511 patmR3DbgAddPatch(pVM, pPatchRec);
3512
3513 /* size of patch block */
3514 pPatch->cbPatchBlockSize = pPatch->uCurPatchOffset;
3515
3516 /* Update free pointer in patch memory. */
3517 pVM->patm.s.offPatchMem += pPatch->cbPatchBlockSize;
3518 /* Round to next 8 byte boundary */
3519 pVM->patm.s.offPatchMem = RT_ALIGN_32(pVM->patm.s.offPatchMem, 8);
3520
3521 /* There's no jump from guest to patch code. */
3522 pPatch->cbPatchJump = 0;
3523
3524 /* Enable the patch. */
3525 pPatch->uState = PATCH_ENABLED;
3526 /* We allow this patch to be called as a function. */
3527 pPatch->flags |= PATMFL_CALLABLE_AS_FUNCTION;
3528
3529 if (pTrampRec)
3530 {
3531 pTrampRec->pNext = pPatchToJmp->pTrampolinePatchesHead;
3532 pPatchToJmp->pTrampolinePatchesHead = pTrampRec;
3533 }
3534 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledTrampoline);
3535 return VINF_SUCCESS;
3536
3537failure:
3538 if (pPatchRec->CoreOffset.Key)
3539 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->CoreOffset.Key);
3540
3541 patmEmptyTree(pVM, &pPatch->FixupTree);
3542 pPatch->nrFixups = 0;
3543
3544 patmEmptyTree(pVM, &pPatch->JumpTree);
3545 pPatch->nrJumpRecs = 0;
3546
3547 patmEmptyTree(pVM, &pPatch->pTempInfo->IllegalInstrTree);
3548 pPatch->pTempInfo->nrIllegalInstr = 0;
3549
3550 /* Turn this cli patch into a dummy. */
3551 pPatch->uState = PATCH_REFUSED;
3552 pPatch->pPatchBlockOffset = 0;
3553
3554 // Give back the patch memory we no longer need
3555 Assert(orgOffsetPatchMem != (uint32_t)~0);
3556 pVM->patm.s.offPatchMem = orgOffsetPatchMem;
3557
3558 if (pTrampRec)
3559 MMR3HeapFree(pTrampRec);
3560
3561 return rc;
3562}
3563
3564
3565/**
3566 * Patch branch target function for call/jump at specified location.
3567 * (in responds to a VINF_PATM_DUPLICATE_FUNCTION GC exit reason)
3568 *
3569 * @returns VBox status code.
3570 * @param pVM The cross context VM structure.
3571 * @param pCtx Pointer to the guest CPU context.
3572 *
3573 */
3574VMMR3_INT_DECL(int) PATMR3DuplicateFunctionRequest(PVM pVM, PCPUMCTX pCtx)
3575{
3576 RTRCPTR pBranchTarget, pPage;
3577 int rc;
3578 RTRCPTR pPatchTargetGC = 0;
3579 AssertReturn(!HMIsEnabled(pVM), VERR_PATM_HM_IPE);
3580
3581 pBranchTarget = pCtx->edx;
3582 pBranchTarget = SELMToFlat(pVM, DISSELREG_CS, CPUMCTX2CORE(pCtx), pBranchTarget);
3583
3584 /* First we check if the duplicate function target lies in some existing function patch already. Will save some space. */
3585 pPage = pBranchTarget & PAGE_BASE_GC_MASK;
3586
3587 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTRCPTR)pPage);
3588 if (pPatchPage)
3589 {
3590 uint32_t i;
3591
3592 for (i=0;i<pPatchPage->cCount;i++)
3593 {
3594 if (pPatchPage->papPatch[i])
3595 {
3596 PPATCHINFO pPatch = pPatchPage->papPatch[i];
3597
3598 if ( (pPatch->flags & PATMFL_DUPLICATE_FUNCTION)
3599 && pPatch->uState == PATCH_ENABLED)
3600 {
3601 pPatchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pBranchTarget);
3602 if (pPatchTargetGC)
3603 {
3604 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateUseExisting);
3605 break;
3606 }
3607 }
3608 }
3609 }
3610 }
3611
3612 if (pPatchTargetGC)
3613 {
3614 /* Create a trampoline that also sets PATM_ASMFIX_INTERRUPTFLAG. */
3615 rc = PATMR3InstallPatch(pVM, pBranchTarget, PATMFL_CODE32 | PATMFL_TRAMPOLINE);
3616 }
3617 else
3618 {
3619 rc = PATMR3InstallPatch(pVM, pBranchTarget, PATMFL_CODE32 | PATMFL_DUPLICATE_FUNCTION);
3620 }
3621
3622 if (rc == VINF_SUCCESS)
3623 {
3624 pPatchTargetGC = PATMR3QueryPatchGCPtr(pVM, pBranchTarget);
3625 Assert(pPatchTargetGC);
3626 }
3627
3628 if (pPatchTargetGC)
3629 {
3630 pCtx->eax = pPatchTargetGC;
3631 pCtx->eax = pCtx->eax - (RTRCUINTPTR)pVM->patm.s.pPatchMemGC; /* make it relative */
3632 }
3633 else
3634 {
3635 /* We add a dummy entry into the lookup cache so we won't get bombarded with the same requests over and over again. */
3636 pCtx->eax = 0;
3637 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateREQFailed);
3638 }
3639 Assert(PATMIsPatchGCAddr(pVM, pCtx->edi));
3640 rc = patmAddBranchToLookupCache(pVM, pCtx->edi, pBranchTarget, pCtx->eax);
3641 AssertRC(rc);
3642
3643 pCtx->eip += PATM_ILLEGAL_INSTR_SIZE;
3644 STAM_COUNTER_INC(&pVM->patm.s.StatDuplicateREQSuccess);
3645 return VINF_SUCCESS;
3646}
3647
3648/**
3649 * Replaces a function call by a call to an existing function duplicate (or jmp -> jmp)
3650 *
3651 * @returns VBox status code.
3652 * @param pVM The cross context VM structure.
3653 * @param pCpu Disassembly CPU structure ptr
3654 * @param pInstrGC Guest context point to privileged instruction
3655 * @param pCacheRec Cache record ptr
3656 *
3657 */
3658static int patmReplaceFunctionCall(PVM pVM, DISCPUSTATE *pCpu, RTRCPTR pInstrGC, PPATMP2GLOOKUPREC pCacheRec)
3659{
3660 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
3661 int rc = VERR_PATCHING_REFUSED;
3662 DISCPUSTATE cpu;
3663 RTRCPTR pTargetGC;
3664 PPATMPATCHREC pPatchFunction;
3665 uint32_t cbInstr;
3666 bool disret;
3667
3668 Assert(pPatch->flags & PATMFL_REPLACE_FUNCTION_CALL);
3669 Assert((pCpu->pCurInstr->uOpcode == OP_CALL || pCpu->pCurInstr->uOpcode == OP_JMP) && pCpu->cbInstr == SIZEOF_NEARJUMP32);
3670
3671 if ((pCpu->pCurInstr->uOpcode != OP_CALL && pCpu->pCurInstr->uOpcode != OP_JMP) || pCpu->cbInstr != SIZEOF_NEARJUMP32)
3672 {
3673 rc = VERR_PATCHING_REFUSED;
3674 goto failure;
3675 }
3676
3677 pTargetGC = PATMResolveBranch(pCpu, pInstrGC);
3678 if (pTargetGC == 0)
3679 {
3680 Log(("We don't support far jumps here!! (%08X)\n", pCpu->Param1.fUse));
3681 rc = VERR_PATCHING_REFUSED;
3682 goto failure;
3683 }
3684
3685 pPatchFunction = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pTargetGC);
3686 if (pPatchFunction == NULL)
3687 {
3688 for(;;)
3689 {
3690 /* It could be an indirect call (call -> jmp dest).
3691 * Note that it's dangerous to assume the jump will never change...
3692 */
3693 uint8_t *pTmpInstrHC;
3694
3695 pTmpInstrHC = patmR3GCVirtToHCVirt(pVM, pCacheRec, pTargetGC);
3696 Assert(pTmpInstrHC);
3697 if (pTmpInstrHC == 0)
3698 break;
3699
3700 disret = patmR3DisInstr(pVM, pPatch, pTargetGC, pTmpInstrHC, PATMREAD_ORGCODE, &cpu, &cbInstr);
3701 if (disret == false || cpu.pCurInstr->uOpcode != OP_JMP)
3702 break;
3703
3704 pTargetGC = PATMResolveBranch(&cpu, pTargetGC);
3705 if (pTargetGC == 0)
3706 {
3707 break;
3708 }
3709
3710 pPatchFunction = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pTargetGC);
3711 break;
3712 }
3713 if (pPatchFunction == 0)
3714 {
3715 AssertMsgFailed(("Unable to find duplicate function %RRv\n", pTargetGC));
3716 rc = VERR_PATCHING_REFUSED;
3717 goto failure;
3718 }
3719 }
3720
3721 // make a copy of the guest code bytes that will be overwritten
3722 pPatch->cbPatchJump = SIZEOF_NEARJUMP32;
3723
3724 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
3725 AssertRC(rc);
3726
3727 /* Now replace the original call in the guest code */
3728 rc = patmGenCallToPatch(pVM, pPatch, PATCHCODE_PTR_GC(&pPatchFunction->patch), pCacheRec, true);
3729 AssertRC(rc);
3730 if (RT_FAILURE(rc))
3731 goto failure;
3732
3733 /* Lowest and highest address for write monitoring. */
3734 pPatch->pInstrGCLowest = pInstrGC;
3735 pPatch->pInstrGCHighest = pInstrGC + pCpu->cbInstr;
3736 PATM_LOG_ORG_PATCH_INSTR(pVM, pPatch, "Call");
3737
3738 Log(("Successfully installed function replacement patch at %RRv\n", pInstrGC));
3739
3740 pPatch->uState = PATCH_ENABLED;
3741 return VINF_SUCCESS;
3742
3743failure:
3744 /* Turn this patch into a dummy. */
3745 pPatch->uState = PATCH_REFUSED;
3746
3747 return rc;
3748}
3749
3750/**
3751 * Replace the address in an MMIO instruction with the cached version.
3752 *
3753 * @returns VBox status code.
3754 * @param pVM The cross context VM structure.
3755 * @param pInstrGC Guest context point to privileged instruction
3756 * @param pCpu Disassembly CPU structure ptr
3757 * @param pCacheRec Cache record ptr
3758 *
3759 * @note returns failure if patching is not allowed or possible
3760 *
3761 */
3762static int patmPatchMMIOInstr(PVM pVM, RTRCPTR pInstrGC, DISCPUSTATE *pCpu, PPATMP2GLOOKUPREC pCacheRec)
3763{
3764 PPATCHINFO pPatch = (PPATCHINFO)pCacheRec->pPatch;
3765 uint8_t *pPB;
3766 int rc = VERR_PATCHING_REFUSED;
3767
3768 Assert(pVM->patm.s.mmio.pCachedData);
3769 if (!pVM->patm.s.mmio.pCachedData)
3770 goto failure;
3771
3772 if (pCpu->Param2.fUse != DISUSE_DISPLACEMENT32)
3773 goto failure;
3774
3775 pPB = patmR3GCVirtToHCVirt(pVM, pCacheRec, pPatch->pPrivInstrGC);
3776 if (pPB == 0)
3777 goto failure;
3778
3779 /* Add relocation record for cached data access. */
3780 if (patmPatchAddReloc32(pVM, pPatch, &pPB[pCpu->cbInstr - sizeof(RTRCPTR)], FIXUP_ABSOLUTE, pPatch->pPrivInstrGC,
3781 pVM->patm.s.mmio.pCachedData) != VINF_SUCCESS)
3782 {
3783 Log(("Relocation failed for cached mmio address!!\n"));
3784 return VERR_PATCHING_REFUSED;
3785 }
3786 PATM_LOG_PATCH_INSTR(pVM, pPatch, PATMREAD_ORGCODE, "MMIO patch old instruction:", "");
3787
3788 /* Save original instruction. */
3789 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPrivInstr);
3790 AssertRC(rc);
3791
3792 pPatch->cbPatchJump = pPatch->cbPrivInstr; /* bit of a misnomer in this case; size of replacement instruction. */
3793
3794 /* Replace address with that of the cached item. */
3795 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pInstrGC + pCpu->cbInstr - sizeof(RTRCPTR),
3796 &pVM->patm.s.mmio.pCachedData, sizeof(RTRCPTR));
3797 AssertRC(rc);
3798 if (RT_FAILURE(rc))
3799 {
3800 goto failure;
3801 }
3802
3803 PATM_LOG_ORG_PATCH_INSTR(pVM, pPatch, "MMIO");
3804 pVM->patm.s.mmio.pCachedData = 0;
3805 pVM->patm.s.mmio.GCPhys = 0;
3806 pPatch->uState = PATCH_ENABLED;
3807 return VINF_SUCCESS;
3808
3809failure:
3810 /* Turn this patch into a dummy. */
3811 pPatch->uState = PATCH_REFUSED;
3812
3813 return rc;
3814}
3815
3816
3817/**
3818 * Replace the address in an MMIO instruction with the cached version. (instruction is part of an existing patch)
3819 *
3820 * @returns VBox status code.
3821 * @param pVM The cross context VM structure.
3822 * @param pInstrGC Guest context point to privileged instruction
3823 * @param pPatch Patch record
3824 *
3825 * @note returns failure if patching is not allowed or possible
3826 *
3827 */
3828static int patmPatchPATMMMIOInstr(PVM pVM, RTRCPTR pInstrGC, PPATCHINFO pPatch)
3829{
3830 DISCPUSTATE cpu;
3831 uint32_t cbInstr;
3832 bool disret;
3833 uint8_t *pInstrHC;
3834
3835 AssertReturn(pVM->patm.s.mmio.pCachedData, VERR_INVALID_PARAMETER);
3836
3837 /* Convert GC to HC address. */
3838 pInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pInstrGC);
3839 AssertReturn(pInstrHC, VERR_PATCHING_REFUSED);
3840
3841 /* Disassemble mmio instruction. */
3842 disret = patmR3DisInstrNoStrOpMode(pVM, pPatch, pInstrGC, pInstrHC, PATMREAD_ORGCODE,
3843 &cpu, &cbInstr);
3844 if (disret == false)
3845 {
3846 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
3847 return VERR_PATCHING_REFUSED;
3848 }
3849
3850 AssertMsg(cbInstr <= MAX_INSTR_SIZE, ("privileged instruction too big %d!!\n", cbInstr));
3851 if (cbInstr > MAX_INSTR_SIZE)
3852 return VERR_PATCHING_REFUSED;
3853 if (cpu.Param2.fUse != DISUSE_DISPLACEMENT32)
3854 return VERR_PATCHING_REFUSED;
3855
3856 /* Add relocation record for cached data access. */
3857 if (patmPatchAddReloc32(pVM, pPatch, &pInstrHC[cpu.cbInstr - sizeof(RTRCPTR)], FIXUP_ABSOLUTE) != VINF_SUCCESS)
3858 {
3859 Log(("Relocation failed for cached mmio address!!\n"));
3860 return VERR_PATCHING_REFUSED;
3861 }
3862 /* Replace address with that of the cached item. */
3863 *(RTRCPTR *)&pInstrHC[cpu.cbInstr - sizeof(RTRCPTR)] = pVM->patm.s.mmio.pCachedData;
3864
3865 /* Lowest and highest address for write monitoring. */
3866 pPatch->pInstrGCLowest = pInstrGC;
3867 pPatch->pInstrGCHighest = pInstrGC + cpu.cbInstr;
3868
3869 PATM_LOG_ORG_PATCH_INSTR(pVM, pPatch, "MMIO");
3870 pVM->patm.s.mmio.pCachedData = 0;
3871 pVM->patm.s.mmio.GCPhys = 0;
3872 return VINF_SUCCESS;
3873}
3874
3875/**
3876 * Activates an int3 patch
3877 *
3878 * @returns VBox status code.
3879 * @param pVM The cross context VM structure.
3880 * @param pPatch Patch record
3881 */
3882static int patmActivateInt3Patch(PVM pVM, PPATCHINFO pPatch)
3883{
3884 uint8_t bASMInt3 = 0xCC;
3885 int rc;
3886
3887 Assert(pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK));
3888 Assert(pPatch->uState != PATCH_ENABLED);
3889
3890 /* Replace first opcode byte with 'int 3'. */
3891 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, &bASMInt3, sizeof(bASMInt3));
3892 AssertRC(rc);
3893
3894 pPatch->cbPatchJump = sizeof(bASMInt3);
3895
3896 return rc;
3897}
3898
3899/**
3900 * Deactivates an int3 patch
3901 *
3902 * @returns VBox status code.
3903 * @param pVM The cross context VM structure.
3904 * @param pPatch Patch record
3905 */
3906static int patmDeactivateInt3Patch(PVM pVM, PPATCHINFO pPatch)
3907{
3908 uint8_t ASMInt3 = 0xCC;
3909 int rc;
3910
3911 Assert(pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK));
3912 Assert(pPatch->uState == PATCH_ENABLED || pPatch->uState == PATCH_DIRTY);
3913
3914 /* Restore first opcode byte. */
3915 rc = PGMPhysSimpleDirtyWriteGCPtr(VMMGetCpu0(pVM), pPatch->pPrivInstrGC, pPatch->aPrivInstr, sizeof(ASMInt3));
3916 AssertRC(rc);
3917 return rc;
3918}
3919
3920/**
3921 * Replace an instruction with a breakpoint (0xCC), that is handled dynamically
3922 * in the raw-mode context.
3923 *
3924 * @returns VBox status code.
3925 * @param pVM The cross context VM structure.
3926 * @param pInstrGC Guest context point to privileged instruction
3927 * @param pInstrHC Host context point to privileged instruction
3928 * @param pCpu Disassembly CPU structure ptr
3929 * @param pPatch Patch record
3930 *
3931 * @note returns failure if patching is not allowed or possible
3932 *
3933 */
3934int patmR3PatchInstrInt3(PVM pVM, RTRCPTR pInstrGC, R3PTRTYPE(uint8_t *) pInstrHC, DISCPUSTATE *pCpu, PPATCHINFO pPatch)
3935{
3936 uint8_t bASMInt3 = 0xCC;
3937 int rc;
3938
3939 /* Note: Do not use patch memory here! It might called during patch installation too. */
3940 PATM_LOG_PATCH_INSTR(pVM, pPatch, PATMREAD_ORGCODE, "patmR3PatchInstrInt3:", "");
3941
3942 /* Save the original instruction. */
3943 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPrivInstr);
3944 AssertRC(rc);
3945 pPatch->cbPatchJump = sizeof(bASMInt3); /* bit of a misnomer in this case; size of replacement instruction. */
3946
3947 pPatch->flags |= PATMFL_INT3_REPLACEMENT;
3948
3949 /* Replace first opcode byte with 'int 3'. */
3950 rc = patmActivateInt3Patch(pVM, pPatch);
3951 if (RT_FAILURE(rc))
3952 goto failure;
3953
3954 /* Lowest and highest address for write monitoring. */
3955 pPatch->pInstrGCLowest = pInstrGC;
3956 pPatch->pInstrGCHighest = pInstrGC + pCpu->cbInstr;
3957
3958 pPatch->uState = PATCH_ENABLED;
3959 return VINF_SUCCESS;
3960
3961failure:
3962 /* Turn this patch into a dummy. */
3963 return VERR_PATCHING_REFUSED;
3964}
3965
3966#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
3967/**
3968 * Patch a jump instruction at specified location
3969 *
3970 * @returns VBox status code.
3971 * @param pVM The cross context VM structure.
3972 * @param pInstrGC Guest context point to privileged instruction
3973 * @param pInstrHC Host context point to privileged instruction
3974 * @param pCpu Disassembly CPU structure ptr
3975 * @param pPatchRec Patch record
3976 *
3977 * @note returns failure if patching is not allowed or possible
3978 *
3979 */
3980int patmPatchJump(PVM pVM, RTRCPTR pInstrGC, R3PTRTYPE(uint8_t *) pInstrHC, DISCPUSTATE *pCpu, PPATMPATCHREC pPatchRec)
3981{
3982 PPATCHINFO pPatch = &pPatchRec->patch;
3983 int rc = VERR_PATCHING_REFUSED;
3984
3985 pPatch->pPatchBlockOffset = 0; /* doesn't use patch memory */
3986 pPatch->uCurPatchOffset = 0;
3987 pPatch->cbPatchBlockSize = 0;
3988 pPatch->flags |= PATMFL_SINGLE_INSTRUCTION;
3989
3990 /*
3991 * Instruction replacements such as these should never be interrupted. I've added code to EM.cpp to
3992 * make sure this never happens. (unless a trap is triggered (intentionally or not))
3993 */
3994 switch (pCpu->pCurInstr->uOpcode)
3995 {
3996 case OP_JO:
3997 case OP_JNO:
3998 case OP_JC:
3999 case OP_JNC:
4000 case OP_JE:
4001 case OP_JNE:
4002 case OP_JBE:
4003 case OP_JNBE:
4004 case OP_JS:
4005 case OP_JNS:
4006 case OP_JP:
4007 case OP_JNP:
4008 case OP_JL:
4009 case OP_JNL:
4010 case OP_JLE:
4011 case OP_JNLE:
4012 case OP_JMP:
4013 Assert(pPatch->flags & PATMFL_JUMP_CONFLICT);
4014 Assert(pCpu->Param1.fUse & DISUSE_IMMEDIATE32_REL);
4015 if (!(pCpu->Param1.fUse & DISUSE_IMMEDIATE32_REL))
4016 goto failure;
4017
4018 Assert(pCpu->cbInstr == SIZEOF_NEARJUMP32 || pCpu->cbInstr == SIZEOF_NEAR_COND_JUMP32);
4019 if (pCpu->cbInstr != SIZEOF_NEARJUMP32 && pCpu->cbInstr != SIZEOF_NEAR_COND_JUMP32)
4020 goto failure;
4021
4022 if (PAGE_ADDRESS(pInstrGC) != PAGE_ADDRESS(pInstrGC + pCpu->cbInstr))
4023 {
4024 STAM_COUNTER_INC(&pVM->patm.s.StatPageBoundaryCrossed);
4025 AssertMsgFailed(("Patch jump would cross page boundary -> refuse!!\n"));
4026 rc = VERR_PATCHING_REFUSED;
4027 goto failure;
4028 }
4029
4030 break;
4031
4032 default:
4033 goto failure;
4034 }
4035
4036 // make a copy of the guest code bytes that will be overwritten
4037 Assert(pCpu->cbInstr <= sizeof(pPatch->aPrivInstr));
4038 Assert(pCpu->cbInstr >= SIZEOF_NEARJUMP32);
4039 pPatch->cbPatchJump = pCpu->cbInstr;
4040
4041 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pPatch->aPrivInstr, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
4042 AssertRC(rc);
4043
4044 /* Now insert a jump in the guest code. */
4045 /*
4046 * A conflict jump patch needs to be treated differently; we'll just replace the relative jump address with one that
4047 * references the target instruction in the conflict patch.
4048 */
4049 RTRCPTR pJmpDest = patmR3GuestGCPtrToPatchGCPtrSimple(pVM, pInstrGC + pCpu->cbInstr + (int32_t)pCpu->Param1.uValue);
4050
4051 AssertMsg(pJmpDest, ("patmR3GuestGCPtrToPatchGCPtrSimple failed for %RRv\n", pInstrGC + pCpu->cbInstr + (int32_t)pCpu->Param1.uValue));
4052 pPatch->pPatchJumpDestGC = pJmpDest;
4053
4054 PATMP2GLOOKUPREC cacheRec;
4055 RT_ZERO(cacheRec);
4056 cacheRec.pPatch = pPatch;
4057
4058 rc = patmGenJumpToPatch(pVM, pPatch, &cacherec, true);
4059 /* Free leftover lock if any. */
4060 if (cacheRec.Lock.pvMap)
4061 {
4062 PGMPhysReleasePageMappingLock(pVM, &cacheRec.Lock);
4063 cacheRec.Lock.pvMap = NULL;
4064 }
4065 AssertRC(rc);
4066 if (RT_FAILURE(rc))
4067 goto failure;
4068
4069 pPatch->flags |= PATMFL_MUST_INSTALL_PATCHJMP;
4070
4071 PATM_LOG_ORG_PATCH_INSTR(pVM, pPatch, patmGetInstructionString(pPatch->opcode, pPatch->flags));
4072 Log(("Successfully installed %s patch at %RRv\n", patmGetInstructionString(pPatch->opcode, pPatch->flags), pInstrGC));
4073
4074 STAM_COUNTER_INC(&pVM->patm.s.StatInstalledJump);
4075
4076 /* Lowest and highest address for write monitoring. */
4077 pPatch->pInstrGCLowest = pInstrGC;
4078 pPatch->pInstrGCHighest = pInstrGC + pPatch->cbPatchJump;
4079
4080 pPatch->uState = PATCH_ENABLED;
4081 return VINF_SUCCESS;
4082
4083failure:
4084 /* Turn this cli patch into a dummy. */
4085 pPatch->uState = PATCH_REFUSED;
4086
4087 return rc;
4088}
4089#endif /* PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES */
4090
4091
4092/**
4093 * Gives hint to PATM about supervisor guest instructions
4094 *
4095 * @returns VBox status code.
4096 * @param pVM The cross context VM structure.
4097 * @param pInstrGC Guest context point to privileged instruction
4098 * @param flags Patch flags
4099 */
4100VMMR3_INT_DECL(int) PATMR3AddHint(PVM pVM, RTRCPTR pInstrGC, uint32_t flags)
4101{
4102 Assert(pInstrGC);
4103 Assert(flags == PATMFL_CODE32);
4104
4105 Log(("PATMR3AddHint %RRv\n", pInstrGC));
4106 return PATMR3InstallPatch(pVM, pInstrGC, PATMFL_CODE32 | PATMFL_INSTR_HINT);
4107}
4108
4109/**
4110 * Patch privileged instruction at specified location
4111 *
4112 * @returns VBox status code.
4113 * @param pVM The cross context VM structure.
4114 * @param pInstrGC Guest context point to privileged instruction (0:32 flat
4115 * address)
4116 * @param flags Patch flags
4117 *
4118 * @note returns failure if patching is not allowed or possible
4119 */
4120VMMR3_INT_DECL(int) PATMR3InstallPatch(PVM pVM, RTRCPTR pInstrGC, uint64_t flags)
4121{
4122 DISCPUSTATE cpu;
4123 R3PTRTYPE(uint8_t *) pInstrHC;
4124 uint32_t cbInstr;
4125 PPATMPATCHREC pPatchRec;
4126 PCPUMCTX pCtx = 0;
4127 bool disret;
4128 int rc;
4129 PVMCPU pVCpu = VMMGetCpu0(pVM);
4130 LogFlow(("PATMR3InstallPatch: %08x (%#llx)\n", pInstrGC, flags));
4131
4132 AssertReturn(!HMIsEnabled(pVM), VERR_PATM_HM_IPE);
4133
4134 if ( !pVM
4135 || pInstrGC == 0
4136 || (flags & ~(PATMFL_CODE32|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_SYSENTER|PATMFL_TRAPHANDLER|PATMFL_DUPLICATE_FUNCTION|PATMFL_REPLACE_FUNCTION_CALL|PATMFL_GUEST_SPECIFIC|PATMFL_INT3_REPLACEMENT|PATMFL_TRAPHANDLER_WITH_ERRORCODE|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT|PATMFL_MMIO_ACCESS|PATMFL_TRAMPOLINE|PATMFL_INSTR_HINT|PATMFL_JUMP_CONFLICT)))
4137 {
4138 AssertFailed();
4139 return VERR_INVALID_PARAMETER;
4140 }
4141
4142 if (PATMIsEnabled(pVM) == false)
4143 return VERR_PATCHING_REFUSED;
4144
4145 /* Test for patch conflict only with patches that actually change guest code. */
4146 if (!(flags & (PATMFL_GUEST_SPECIFIC|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_TRAMPOLINE)))
4147 {
4148 PPATCHINFO pConflictPatch = patmFindActivePatchByEntrypoint(pVM, pInstrGC);
4149 AssertReleaseMsg(pConflictPatch == 0, ("Unable to patch overwritten instruction at %RRv (%RRv)\n", pInstrGC, pConflictPatch->pPrivInstrGC));
4150 if (pConflictPatch != 0)
4151 return VERR_PATCHING_REFUSED;
4152 }
4153
4154 if (!(flags & PATMFL_CODE32))
4155 {
4156 /** @todo Only 32 bits code right now */
4157 AssertMsgFailed(("PATMR3InstallPatch: We don't support 16 bits code at this moment!!\n"));
4158 return VERR_NOT_IMPLEMENTED;
4159 }
4160
4161 /* We ran out of patch memory; don't bother anymore. */
4162 if (pVM->patm.s.fOutOfMemory == true)
4163 return VERR_PATCHING_REFUSED;
4164
4165#if 1 /* DONT COMMIT ENABLED! */
4166 /* Blacklisted NT4SP1 areas - debugging why we sometimes crash early on, */
4167 if ( 0
4168 //|| (pInstrGC - 0x80010000U) < 0x10000U // NT4SP1 HAL
4169 //|| (pInstrGC - 0x80010000U) < 0x5000U // NT4SP1 HAL
4170 //|| (pInstrGC - 0x80013000U) < 0x2000U // NT4SP1 HAL
4171 //|| (pInstrGC - 0x80014000U) < 0x1000U // NT4SP1 HAL
4172 //|| (pInstrGC - 0x80014000U) < 0x800U // NT4SP1 HAL
4173 //|| (pInstrGC - 0x80014400U) < 0x400U // NT4SP1 HAL
4174 //|| (pInstrGC - 0x80014400U) < 0x200U // NT4SP1 HAL
4175 //|| (pInstrGC - 0x80014400U) < 0x100U // NT4SP1 HAL
4176 //|| (pInstrGC - 0x80014500U) < 0x100U // NT4SP1 HAL - negative
4177 //|| (pInstrGC - 0x80014400U) < 0x80U // NT4SP1 HAL
4178 //|| (pInstrGC - 0x80014400U) < 0x80U // NT4SP1 HAL
4179 //|| (pInstrGC - 0x80014440U) < 0x40U // NT4SP1 HAL
4180 //|| (pInstrGC - 0x80014440U) < 0x20U // NT4SP1 HAL
4181 || pInstrGC == 0x80014447 /* KfLowerIrql */
4182 || 0)
4183 {
4184 Log(("PATMR3InstallPatch: %08x is blacklisted\n", pInstrGC));
4185 return VERR_PATCHING_REFUSED;
4186 }
4187#endif
4188
4189 /* Make sure the code selector is wide open; otherwise refuse. */
4190 pCtx = CPUMQueryGuestCtxPtr(pVCpu);
4191 if (CPUMGetGuestCPL(pVCpu) == 0)
4192 {
4193 RTRCPTR pInstrGCFlat = SELMToFlat(pVM, DISSELREG_CS, CPUMCTX2CORE(pCtx), pInstrGC);
4194 if (pInstrGCFlat != pInstrGC)
4195 {
4196 Log(("PATMR3InstallPatch: code selector not wide open: %04x:%RRv != %RRv eflags=%08x\n", pCtx->cs.Sel, pInstrGCFlat, pInstrGC, pCtx->eflags.u32));
4197 return VERR_PATCHING_REFUSED;
4198 }
4199 }
4200
4201 /* Note: the OpenBSD specific check will break if we allow additional patches to be installed (int 3)) */
4202 if (!(flags & PATMFL_GUEST_SPECIFIC))
4203 {
4204 /* New code. Make sure CSAM has a go at it first. */
4205 CSAMR3CheckCode(pVM, pInstrGC);
4206 }
4207
4208 /* Note: obsolete */
4209 if ( PATMIsPatchGCAddr(pVM, pInstrGC)
4210 && (flags & PATMFL_MMIO_ACCESS))
4211 {
4212 RTRCUINTPTR offset;
4213 void *pvPatchCoreOffset;
4214
4215 /* Find the patch record. */
4216 offset = pInstrGC - pVM->patm.s.pPatchMemGC;
4217 pvPatchCoreOffset = RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, offset, false);
4218 if (pvPatchCoreOffset == NULL)
4219 {
4220 AssertMsgFailed(("PATMR3InstallPatch: patch not found at address %RRv!!\n", pInstrGC));
4221 return VERR_PATCH_NOT_FOUND; //fatal error
4222 }
4223 pPatchRec = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
4224
4225 return patmPatchPATMMMIOInstr(pVM, pInstrGC, &pPatchRec->patch);
4226 }
4227
4228 AssertReturn(!PATMIsPatchGCAddr(pVM, pInstrGC), VERR_PATCHING_REFUSED);
4229
4230 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
4231 if (pPatchRec)
4232 {
4233 Assert(!(flags & PATMFL_TRAMPOLINE));
4234
4235 /* Hints about existing patches are ignored. */
4236 if (flags & PATMFL_INSTR_HINT)
4237 return VERR_PATCHING_REFUSED;
4238
4239 if (pPatchRec->patch.uState == PATCH_DISABLE_PENDING)
4240 {
4241 Log(("PATMR3InstallPatch: disable operation is pending for patch at %RRv\n", pPatchRec->patch.pPrivInstrGC));
4242 PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
4243 Assert(pPatchRec->patch.uState == PATCH_DISABLED);
4244 }
4245
4246 if (pPatchRec->patch.uState == PATCH_DISABLED)
4247 {
4248 /* A patch, for which we previously received a hint, will be enabled and turned into a normal patch. */
4249 if (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
4250 {
4251 Log(("Enabling HINTED patch %RRv\n", pInstrGC));
4252 pPatchRec->patch.flags &= ~PATMFL_INSTR_HINT;
4253 }
4254 else
4255 Log(("Enabling patch %RRv again\n", pInstrGC));
4256
4257 /** @todo we shouldn't disable and enable patches too often (it's relatively cheap, but pointless if it always happens) */
4258 rc = PATMR3EnablePatch(pVM, pInstrGC);
4259 if (RT_SUCCESS(rc))
4260 return VWRN_PATCH_ENABLED;
4261
4262 return rc;
4263 }
4264 if ( pPatchRec->patch.uState == PATCH_ENABLED
4265 || pPatchRec->patch.uState == PATCH_DIRTY)
4266 {
4267 /*
4268 * The patch might have been overwritten.
4269 */
4270 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
4271 if (pPatchRec->patch.uState != PATCH_REFUSED && pPatchRec->patch.uState != PATCH_UNUSABLE)
4272 {
4273 /* Patch must have been overwritten; remove it and pretend nothing happened. */
4274 Log(("Patch an existing patched instruction?!? (%RRv)\n", pInstrGC));
4275 if (pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_MMIO_ACCESS|PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
4276 {
4277 if (flags & PATMFL_IDTHANDLER)
4278 pPatchRec->patch.flags |= (flags & (PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER|PATMFL_INTHANDLER)); /* update the type */
4279
4280 return VERR_PATM_ALREADY_PATCHED; /* already done once */
4281 }
4282 }
4283 rc = PATMR3RemovePatch(pVM, pInstrGC);
4284 if (RT_FAILURE(rc))
4285 return VERR_PATCHING_REFUSED;
4286 }
4287 else
4288 {
4289 AssertMsg(pPatchRec->patch.uState == PATCH_REFUSED || pPatchRec->patch.uState == PATCH_UNUSABLE, ("Patch an existing patched instruction?!? (%RRv, state=%d)\n", pInstrGC, pPatchRec->patch.uState));
4290 /* already tried it once! */
4291 return VERR_PATCHING_REFUSED;
4292 }
4293 }
4294
4295 RTGCPHYS GCPhys;
4296 rc = PGMGstGetPage(pVCpu, pInstrGC, NULL, &GCPhys);
4297 if (rc != VINF_SUCCESS)
4298 {
4299 Log(("PGMGstGetPage failed with %Rrc\n", rc));
4300 return rc;
4301 }
4302 /* Disallow patching instructions inside ROM code; complete function duplication is allowed though. */
4303 if ( !(flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_TRAMPOLINE))
4304 && !PGMPhysIsGCPhysNormal(pVM, GCPhys))
4305 {
4306 Log(("Code at %RGv (phys %RGp) is in a ROM, MMIO or invalid page - refused\n", pInstrGC, GCPhys));
4307 return VERR_PATCHING_REFUSED;
4308 }
4309
4310 /* Initialize cache record for guest address translations. */
4311 bool fInserted;
4312 PATMP2GLOOKUPREC cacheRec;
4313 RT_ZERO(cacheRec);
4314
4315 pInstrHC = patmR3GCVirtToHCVirt(pVM, &cacheRec, pInstrGC);
4316 AssertReturn(pInstrHC, VERR_PATCHING_REFUSED);
4317
4318 /* Allocate patch record. */
4319 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHREC), 0, MM_TAG_PATM_PATCH, (void **)&pPatchRec);
4320 if (RT_FAILURE(rc))
4321 {
4322 Log(("Out of memory!!!!\n"));
4323 return VERR_NO_MEMORY;
4324 }
4325 pPatchRec->Core.Key = pInstrGC;
4326 pPatchRec->patch.uState = PATCH_REFUSED; /* default value */
4327 /* Insert patch record into the lookup tree. */
4328 fInserted = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pPatchRec->Core);
4329 Assert(fInserted);
4330
4331 pPatchRec->patch.pPrivInstrGC = pInstrGC;
4332 pPatchRec->patch.flags = flags;
4333 pPatchRec->patch.uOpMode = (flags & PATMFL_CODE32) ? DISCPUMODE_32BIT : DISCPUMODE_16BIT;
4334 pPatchRec->patch.pTrampolinePatchesHead = NULL;
4335
4336 pPatchRec->patch.pInstrGCLowest = pInstrGC;
4337 pPatchRec->patch.pInstrGCHighest = pInstrGC;
4338
4339 if (!(pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION | PATMFL_IDTHANDLER | PATMFL_SYSENTER | PATMFL_TRAMPOLINE)))
4340 {
4341 /*
4342 * Close proximity to an unusable patch is a possible hint that this patch would turn out to be dangerous too!
4343 */
4344 PPATMPATCHREC pPatchNear = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, (pInstrGC + SIZEOF_NEARJUMP32 - 1), false);
4345 if (pPatchNear)
4346 {
4347 if (pPatchNear->patch.uState == PATCH_UNUSABLE && pInstrGC < pPatchNear->patch.pPrivInstrGC && pInstrGC + SIZEOF_NEARJUMP32 > pPatchNear->patch.pPrivInstrGC)
4348 {
4349 Log(("Dangerous patch; would overwrite the unusable patch at %RRv\n", pPatchNear->patch.pPrivInstrGC));
4350
4351 pPatchRec->patch.uState = PATCH_UNUSABLE;
4352 /*
4353 * Leave the new patch active as it's marked unusable; to prevent us from checking it over and over again
4354 */
4355 return VERR_PATCHING_REFUSED;
4356 }
4357 }
4358 }
4359
4360 pPatchRec->patch.pTempInfo = (PPATCHINFOTEMP)MMR3HeapAllocZ(pVM, MM_TAG_PATM_PATCH, sizeof(PATCHINFOTEMP));
4361 if (pPatchRec->patch.pTempInfo == 0)
4362 {
4363 Log(("Out of memory!!!!\n"));
4364 return VERR_NO_MEMORY;
4365 }
4366
4367 disret = patmR3DisInstrNoStrOpMode(pVM, &pPatchRec->patch, pInstrGC, NULL, PATMREAD_ORGCODE, &cpu, &cbInstr);
4368 if (disret == false)
4369 {
4370 Log(("Disassembly failed (probably page not present) -> return to caller\n"));
4371 return VERR_PATCHING_REFUSED;
4372 }
4373
4374 AssertMsg(cbInstr <= MAX_INSTR_SIZE, ("privileged instruction too big %d!!\n", cbInstr));
4375 if (cbInstr > MAX_INSTR_SIZE)
4376 return VERR_PATCHING_REFUSED;
4377
4378 pPatchRec->patch.cbPrivInstr = cbInstr;
4379 pPatchRec->patch.opcode = cpu.pCurInstr->uOpcode;
4380
4381 /* Restricted hinting for now. */
4382 Assert(!(flags & PATMFL_INSTR_HINT) || cpu.pCurInstr->uOpcode == OP_CLI);
4383
4384 /* Initialize cache record patch pointer. */
4385 cacheRec.pPatch = &pPatchRec->patch;
4386
4387 /* Allocate statistics slot */
4388 if (pVM->patm.s.uCurrentPatchIdx < PATM_STAT_MAX_COUNTERS)
4389 {
4390 pPatchRec->patch.uPatchIdx = pVM->patm.s.uCurrentPatchIdx++;
4391 }
4392 else
4393 {
4394 Log(("WARNING: Patch index wrap around!!\n"));
4395 pPatchRec->patch.uPatchIdx = PATM_STAT_INDEX_DUMMY;
4396 }
4397
4398 if (pPatchRec->patch.flags & PATMFL_TRAPHANDLER)
4399 {
4400 rc = patmInstallTrapTrampoline(pVM, pInstrGC, pPatchRec, &cacheRec);
4401 }
4402 else
4403 if (pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION ))
4404 {
4405 rc = patmDuplicateFunction(pVM, pInstrGC, pPatchRec, &cacheRec);
4406 }
4407 else
4408 if (pPatchRec->patch.flags & PATMFL_TRAMPOLINE)
4409 {
4410 rc = patmCreateTrampoline(pVM, pInstrGC, pPatchRec);
4411 }
4412 else
4413 if (pPatchRec->patch.flags & PATMFL_REPLACE_FUNCTION_CALL)
4414 {
4415 rc = patmReplaceFunctionCall(pVM, &cpu, pInstrGC, &cacheRec);
4416 }
4417 else
4418 if (pPatchRec->patch.flags & PATMFL_INT3_REPLACEMENT)
4419 {
4420 rc = patmR3PatchInstrInt3(pVM, pInstrGC, pInstrHC, &cpu, &pPatchRec->patch);
4421 }
4422 else
4423 if (pPatchRec->patch.flags & PATMFL_MMIO_ACCESS)
4424 {
4425 rc = patmPatchMMIOInstr(pVM, pInstrGC, &cpu, &cacheRec);
4426 }
4427 else
4428 if (pPatchRec->patch.flags & (PATMFL_IDTHANDLER|PATMFL_SYSENTER))
4429 {
4430 if (pPatchRec->patch.flags & PATMFL_SYSENTER)
4431 pPatchRec->patch.flags |= PATMFL_IDTHANDLER; /* we treat a sysenter handler as an IDT handler */
4432
4433 rc = patmIdtHandler(pVM, pInstrGC, cbInstr, pPatchRec, &cacheRec);
4434#ifdef VBOX_WITH_STATISTICS
4435 if ( rc == VINF_SUCCESS
4436 && (pPatchRec->patch.flags & PATMFL_SYSENTER))
4437 {
4438 pVM->patm.s.uSysEnterPatchIdx = pPatchRec->patch.uPatchIdx;
4439 }
4440#endif
4441 }
4442 else
4443 if (pPatchRec->patch.flags & PATMFL_GUEST_SPECIFIC)
4444 {
4445 switch (cpu.pCurInstr->uOpcode)
4446 {
4447 case OP_SYSENTER:
4448 case OP_PUSH:
4449 rc = patmR3InstallGuestSpecificPatch(pVM, &cpu, pInstrGC, pInstrHC, pPatchRec);
4450 if (rc == VINF_SUCCESS)
4451 {
4452 if (rc == VINF_SUCCESS)
4453 Log(("PATMR3InstallPatch GUEST: %s %RRv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4454 return rc;
4455 }
4456 break;
4457
4458 default:
4459 rc = VERR_NOT_IMPLEMENTED;
4460 break;
4461 }
4462 }
4463 else
4464 {
4465 switch (cpu.pCurInstr->uOpcode)
4466 {
4467 case OP_SYSENTER:
4468 rc = patmR3InstallGuestSpecificPatch(pVM, &cpu, pInstrGC, pInstrHC, pPatchRec);
4469 if (rc == VINF_SUCCESS)
4470 {
4471 Log(("PATMR3InstallPatch GUEST: %s %RRv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4472 return VINF_SUCCESS;
4473 }
4474 break;
4475
4476#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
4477 case OP_JO:
4478 case OP_JNO:
4479 case OP_JC:
4480 case OP_JNC:
4481 case OP_JE:
4482 case OP_JNE:
4483 case OP_JBE:
4484 case OP_JNBE:
4485 case OP_JS:
4486 case OP_JNS:
4487 case OP_JP:
4488 case OP_JNP:
4489 case OP_JL:
4490 case OP_JNL:
4491 case OP_JLE:
4492 case OP_JNLE:
4493 case OP_JECXZ:
4494 case OP_LOOP:
4495 case OP_LOOPNE:
4496 case OP_LOOPE:
4497 case OP_JMP:
4498 if (pPatchRec->patch.flags & PATMFL_JUMP_CONFLICT)
4499 {
4500 rc = patmPatchJump(pVM, pInstrGC, pInstrHC, &cpu, pPatchRec);
4501 break;
4502 }
4503 return VERR_NOT_IMPLEMENTED;
4504#endif
4505
4506 case OP_PUSHF:
4507 case OP_CLI:
4508 Log(("PATMR3InstallPatch %s %RRv code32=%d\n", patmGetInstructionString(pPatchRec->patch.opcode, pPatchRec->patch.flags), pInstrGC, (flags & PATMFL_CODE32) ? 1 : 0));
4509 rc = patmR3PatchBlock(pVM, pInstrGC, pInstrHC, cpu.pCurInstr->uOpcode, cbInstr, pPatchRec);
4510 break;
4511
4512#ifndef VBOX_WITH_SAFE_STR
4513 case OP_STR:
4514#endif
4515 case OP_SGDT:
4516 case OP_SLDT:
4517 case OP_SIDT:
4518 case OP_CPUID:
4519 case OP_LSL:
4520 case OP_LAR:
4521 case OP_SMSW:
4522 case OP_VERW:
4523 case OP_VERR:
4524 case OP_IRET:
4525#ifdef VBOX_WITH_RAW_RING1
4526 case OP_MOV:
4527#endif
4528 rc = patmR3PatchInstrInt3(pVM, pInstrGC, pInstrHC, &cpu, &pPatchRec->patch);
4529 break;
4530
4531 default:
4532 return VERR_NOT_IMPLEMENTED;
4533 }
4534 }
4535
4536 if (rc != VINF_SUCCESS)
4537 {
4538 if (pPatchRec && pPatchRec->patch.nrPatch2GuestRecs)
4539 {
4540 patmEmptyTreeU32(pVM, &pPatchRec->patch.Patch2GuestAddrTree);
4541 pPatchRec->patch.nrPatch2GuestRecs = 0;
4542 }
4543 pVM->patm.s.uCurrentPatchIdx--;
4544 }
4545 else
4546 {
4547 rc = patmInsertPatchPages(pVM, &pPatchRec->patch);
4548 AssertRCReturn(rc, rc);
4549
4550 /* Keep track upper and lower boundaries of patched instructions */
4551 if (pPatchRec->patch.pInstrGCLowest < pVM->patm.s.pPatchedInstrGCLowest)
4552 pVM->patm.s.pPatchedInstrGCLowest = pPatchRec->patch.pInstrGCLowest;
4553 if (pPatchRec->patch.pInstrGCHighest > pVM->patm.s.pPatchedInstrGCHighest)
4554 pVM->patm.s.pPatchedInstrGCHighest = pPatchRec->patch.pInstrGCHighest;
4555
4556 Log(("Patch lowest %RRv highest %RRv\n", pPatchRec->patch.pInstrGCLowest, pPatchRec->patch.pInstrGCHighest));
4557 Log(("Global lowest %RRv highest %RRv\n", pVM->patm.s.pPatchedInstrGCLowest, pVM->patm.s.pPatchedInstrGCHighest));
4558
4559 STAM_COUNTER_ADD(&pVM->patm.s.StatInstalled, 1);
4560 STAM_COUNTER_ADD(&pVM->patm.s.StatPATMMemoryUsed, pPatchRec->patch.cbPatchBlockSize);
4561
4562 rc = VINF_SUCCESS;
4563
4564 /* Patch hints are not enabled by default. Only when the are actually encountered. */
4565 if (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
4566 {
4567 rc = PATMR3DisablePatch(pVM, pInstrGC);
4568 AssertRCReturn(rc, rc);
4569 }
4570
4571#ifdef VBOX_WITH_STATISTICS
4572 /* Register statistics counter */
4573 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
4574 {
4575 STAMR3RegisterCallback(pVM, &pPatchRec->patch, STAMVISIBILITY_NOT_GUI, STAMUNIT_GOOD_BAD, patmResetStat, patmPrintStat, "Patch statistics",
4576 "/PATM/Stats/Patch/0x%RRv", pPatchRec->patch.pPrivInstrGC);
4577#ifndef DEBUG_sandervl
4578 /* Full breakdown for the GUI. */
4579 STAMR3RegisterF(pVM, &pVM->patm.s.pStatsHC[pPatchRec->patch.uPatchIdx], STAMTYPE_RATIO_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_GOOD_BAD, PATMPatchType(pVM, &pPatchRec->patch),
4580 "/PATM/PatchBD/0x%RRv", pPatchRec->patch.pPrivInstrGC);
4581 STAMR3RegisterF(pVM, &pPatchRec->patch.pPatchBlockOffset,STAMTYPE_X32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/PatchBD/0x%RRv/offPatchBlock", pPatchRec->patch.pPrivInstrGC);
4582 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPatchBlockSize,STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/PatchBD/0x%RRv/cbPatchBlockSize", pPatchRec->patch.pPrivInstrGC);
4583 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPatchJump, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/PatchBD/0x%RRv/cbPatchJump", pPatchRec->patch.pPrivInstrGC);
4584 STAMR3RegisterF(pVM, &pPatchRec->patch.cbPrivInstr, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_BYTES, NULL, "/PATM/PatchBD/0x%RRv/cbPrivInstr", pPatchRec->patch.pPrivInstrGC);
4585 STAMR3RegisterF(pVM, &pPatchRec->patch.cCodeWrites, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/PatchBD/0x%RRv/cCodeWrites", pPatchRec->patch.pPrivInstrGC);
4586 STAMR3RegisterF(pVM, &pPatchRec->patch.cInvalidWrites, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/PatchBD/0x%RRv/cInvalidWrites", pPatchRec->patch.pPrivInstrGC);
4587 STAMR3RegisterF(pVM, &pPatchRec->patch.cTraps, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/PatchBD/0x%RRv/cTraps", pPatchRec->patch.pPrivInstrGC);
4588 STAMR3RegisterF(pVM, &pPatchRec->patch.flags, STAMTYPE_X64, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/PatchBD/0x%RRv/flags", pPatchRec->patch.pPrivInstrGC);
4589 STAMR3RegisterF(pVM, &pPatchRec->patch.nrJumpRecs, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/PatchBD/0x%RRv/nrJumpRecs", pPatchRec->patch.pPrivInstrGC);
4590 STAMR3RegisterF(pVM, &pPatchRec->patch.nrFixups, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/PatchBD/0x%RRv/nrFixups", pPatchRec->patch.pPrivInstrGC);
4591 STAMR3RegisterF(pVM, &pPatchRec->patch.opcode, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES, NULL, "/PATM/PatchBD/0x%RRv/opcode", pPatchRec->patch.pPrivInstrGC);
4592 STAMR3RegisterF(pVM, &pPatchRec->patch.uOldState, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/PatchBD/0x%RRv/uOldState", pPatchRec->patch.pPrivInstrGC);
4593 STAMR3RegisterF(pVM, &pPatchRec->patch.uOpMode, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/PatchBD/0x%RRv/uOpMode", pPatchRec->patch.pPrivInstrGC);
4594 /// @todo change the state to be a callback so we can get a state mnemonic instead.
4595 STAMR3RegisterF(pVM, &pPatchRec->patch.uState, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_NONE, NULL, "/PATM/PatchBD/0x%RRv/uState", pPatchRec->patch.pPrivInstrGC);
4596#endif
4597 }
4598#endif
4599
4600 /* Add debug symbol. */
4601 patmR3DbgAddPatch(pVM, pPatchRec);
4602 }
4603 /* Free leftover lock if any. */
4604 if (cacheRec.Lock.pvMap)
4605 PGMPhysReleasePageMappingLock(pVM, &cacheRec.Lock);
4606 return rc;
4607}
4608
4609/**
4610 * Query instruction size
4611 *
4612 * @returns VBox status code.
4613 * @param pVM The cross context VM structure.
4614 * @param pPatch Patch record
4615 * @param pInstrGC Instruction address
4616 */
4617static uint32_t patmGetInstrSize(PVM pVM, PPATCHINFO pPatch, RTRCPTR pInstrGC)
4618{
4619 uint8_t *pInstrHC;
4620 PGMPAGEMAPLOCK Lock;
4621
4622 int rc = PGMPhysGCPtr2CCPtrReadOnly(VMMGetCpu(pVM), pInstrGC, (const void **)&pInstrHC, &Lock);
4623 if (rc == VINF_SUCCESS)
4624 {
4625 DISCPUSTATE cpu;
4626 bool disret;
4627 uint32_t cbInstr;
4628
4629 disret = patmR3DisInstr(pVM, pPatch, pInstrGC, pInstrHC, PATMREAD_ORGCODE | PATMREAD_NOCHECK, &cpu, &cbInstr);
4630 PGMPhysReleasePageMappingLock(pVM, &Lock);
4631 if (disret)
4632 return cbInstr;
4633 }
4634 return 0;
4635}
4636
4637/**
4638 * Add patch to page record
4639 *
4640 * @returns VBox status code.
4641 * @param pVM The cross context VM structure.
4642 * @param pPage Page address
4643 * @param pPatch Patch record
4644 */
4645int patmAddPatchToPage(PVM pVM, RTRCUINTPTR pPage, PPATCHINFO pPatch)
4646{
4647 PPATMPATCHPAGE pPatchPage;
4648 int rc;
4649
4650 Log(("patmAddPatchToPage: insert patch %RHv to page %RRv\n", pPatch, pPage));
4651
4652 pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4653 if (pPatchPage)
4654 {
4655 Assert(pPatchPage->cCount <= pPatchPage->cMaxPatches);
4656 if (pPatchPage->cCount == pPatchPage->cMaxPatches)
4657 {
4658 uint32_t cMaxPatchesOld = pPatchPage->cMaxPatches;
4659 PPATCHINFO *papPatchOld = pPatchPage->papPatch;
4660
4661 pPatchPage->cMaxPatches += PATMPATCHPAGE_PREALLOC_INCREMENT;
4662 rc = MMHyperAlloc(pVM, sizeof(pPatchPage->papPatch[0]) * pPatchPage->cMaxPatches, 0, MM_TAG_PATM_PATCH,
4663 (void **)&pPatchPage->papPatch);
4664 if (RT_FAILURE(rc))
4665 {
4666 Log(("Out of memory!!!!\n"));
4667 return VERR_NO_MEMORY;
4668 }
4669 memcpy(pPatchPage->papPatch, papPatchOld, cMaxPatchesOld * sizeof(pPatchPage->papPatch[0]));
4670 MMHyperFree(pVM, papPatchOld);
4671 }
4672 pPatchPage->papPatch[pPatchPage->cCount] = pPatch;
4673 pPatchPage->cCount++;
4674 }
4675 else
4676 {
4677 bool fInserted;
4678
4679 rc = MMHyperAlloc(pVM, sizeof(PATMPATCHPAGE), 0, MM_TAG_PATM_PATCH, (void **)&pPatchPage);
4680 if (RT_FAILURE(rc))
4681 {
4682 Log(("Out of memory!!!!\n"));
4683 return VERR_NO_MEMORY;
4684 }
4685 pPatchPage->Core.Key = pPage;
4686 pPatchPage->cCount = 1;
4687 pPatchPage->cMaxPatches = PATMPATCHPAGE_PREALLOC_INCREMENT;
4688
4689 rc = MMHyperAlloc(pVM, sizeof(pPatchPage->papPatch[0]) * PATMPATCHPAGE_PREALLOC_INCREMENT, 0, MM_TAG_PATM_PATCH,
4690 (void **)&pPatchPage->papPatch);
4691 if (RT_FAILURE(rc))
4692 {
4693 Log(("Out of memory!!!!\n"));
4694 MMHyperFree(pVM, pPatchPage);
4695 return VERR_NO_MEMORY;
4696 }
4697 pPatchPage->papPatch[0] = pPatch;
4698
4699 fInserted = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, &pPatchPage->Core);
4700 Assert(fInserted);
4701 pVM->patm.s.cPageRecords++;
4702
4703 STAM_COUNTER_INC(&pVM->patm.s.StatPatchPageInserted);
4704 }
4705 CSAMR3MonitorPage(pVM, pPage, CSAM_TAG_PATM);
4706
4707 /* Get the closest guest instruction (from below) */
4708 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4709 Assert(pGuestToPatchRec);
4710 if (pGuestToPatchRec)
4711 {
4712 LogFlow(("patmAddPatchToPage: lowest patch page address %RRv current lowest %RRv\n", pGuestToPatchRec->Core.Key, pPatchPage->pLowestAddrGC));
4713 if ( pPatchPage->pLowestAddrGC == 0
4714 || pPatchPage->pLowestAddrGC > (RTRCPTR)pGuestToPatchRec->Core.Key)
4715 {
4716 RTRCUINTPTR offset;
4717
4718 pPatchPage->pLowestAddrGC = (RTRCPTR)pGuestToPatchRec->Core.Key;
4719
4720 offset = pPatchPage->pLowestAddrGC & PAGE_OFFSET_MASK;
4721 /* If we're too close to the page boundary, then make sure an
4722 instruction from the previous page doesn't cross the
4723 boundary itself. */
4724 if (offset && offset < MAX_INSTR_SIZE)
4725 {
4726 /* Get the closest guest instruction (from above) */
4727 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage-1, false);
4728
4729 if (pGuestToPatchRec)
4730 {
4731 uint32_t size = patmGetInstrSize(pVM, pPatch, (RTRCPTR)pGuestToPatchRec->Core.Key);
4732 if ((RTRCUINTPTR)pGuestToPatchRec->Core.Key + size > pPage)
4733 {
4734 pPatchPage->pLowestAddrGC = pPage;
4735 LogFlow(("patmAddPatchToPage: new lowest %RRv\n", pPatchPage->pLowestAddrGC));
4736 }
4737 }
4738 }
4739 }
4740 }
4741
4742 /* Get the closest guest instruction (from above) */
4743 pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage+PAGE_SIZE-1, false);
4744 Assert(pGuestToPatchRec);
4745 if (pGuestToPatchRec)
4746 {
4747 LogFlow(("patmAddPatchToPage: highest patch page address %RRv current highest %RRv\n", pGuestToPatchRec->Core.Key, pPatchPage->pHighestAddrGC));
4748 if ( pPatchPage->pHighestAddrGC == 0
4749 || pPatchPage->pHighestAddrGC <= (RTRCPTR)pGuestToPatchRec->Core.Key)
4750 {
4751 pPatchPage->pHighestAddrGC = (RTRCPTR)pGuestToPatchRec->Core.Key;
4752 /* Increase by instruction size. */
4753 uint32_t size = patmGetInstrSize(pVM, pPatch, pPatchPage->pHighestAddrGC);
4754//// Assert(size);
4755 pPatchPage->pHighestAddrGC += size;
4756 LogFlow(("patmAddPatchToPage: new highest %RRv\n", pPatchPage->pHighestAddrGC));
4757 }
4758 }
4759
4760 return VINF_SUCCESS;
4761}
4762
4763/**
4764 * Remove patch from page record
4765 *
4766 * @returns VBox status code.
4767 * @param pVM The cross context VM structure.
4768 * @param pPage Page address
4769 * @param pPatch Patch record
4770 */
4771int patmRemovePatchFromPage(PVM pVM, RTRCUINTPTR pPage, PPATCHINFO pPatch)
4772{
4773 PPATMPATCHPAGE pPatchPage;
4774 int rc;
4775
4776 pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4777 Assert(pPatchPage);
4778
4779 if (!pPatchPage)
4780 return VERR_INVALID_PARAMETER;
4781
4782 Assert(pPatchPage->cCount <= pPatchPage->cMaxPatches);
4783
4784 Log(("patmRemovePatchPage: remove patch %RHv from page %RRv\n", pPatch, pPage));
4785 if (pPatchPage->cCount > 1)
4786 {
4787 uint32_t i;
4788
4789 /* Used by multiple patches */
4790 for (i = 0; i < pPatchPage->cCount; i++)
4791 {
4792 if (pPatchPage->papPatch[i] == pPatch)
4793 {
4794 /* close the gap between the remaining pointers. */
4795 uint32_t cNew = --pPatchPage->cCount;
4796 if (i < cNew)
4797 pPatchPage->papPatch[i] = pPatchPage->papPatch[cNew];
4798 pPatchPage->papPatch[cNew] = NULL;
4799 return VINF_SUCCESS;
4800 }
4801 }
4802 AssertMsgFailed(("Unable to find patch %RHv in page %RRv\n", pPatch, pPage));
4803 }
4804 else
4805 {
4806 PPATMPATCHPAGE pPatchNode;
4807
4808 Log(("patmRemovePatchFromPage %RRv\n", pPage));
4809
4810 STAM_COUNTER_INC(&pVM->patm.s.StatPatchPageRemoved);
4811 pPatchNode = (PPATMPATCHPAGE)RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, pPage);
4812 Assert(pPatchNode && pPatchNode == pPatchPage);
4813
4814 Assert(pPatchPage->papPatch);
4815 rc = MMHyperFree(pVM, pPatchPage->papPatch);
4816 AssertRC(rc);
4817 rc = MMHyperFree(pVM, pPatchPage);
4818 AssertRC(rc);
4819 pVM->patm.s.cPageRecords--;
4820 }
4821 return VINF_SUCCESS;
4822}
4823
4824/**
4825 * Insert page records for all guest pages that contain instructions that were recompiled for this patch
4826 *
4827 * @returns VBox status code.
4828 * @param pVM The cross context VM structure.
4829 * @param pPatch Patch record
4830 */
4831int patmInsertPatchPages(PVM pVM, PPATCHINFO pPatch)
4832{
4833 int rc;
4834 RTRCUINTPTR pPatchPageStart, pPatchPageEnd, pPage;
4835
4836 /* Insert the pages that contain patched instructions into a lookup tree for detecting self-modifying code. */
4837 pPatchPageStart = (RTRCUINTPTR)pPatch->pInstrGCLowest & PAGE_BASE_GC_MASK;
4838 pPatchPageEnd = (RTRCUINTPTR)pPatch->pInstrGCHighest & PAGE_BASE_GC_MASK;
4839
4840 /** @todo optimize better (large gaps between current and next used page) */
4841 for(pPage = pPatchPageStart; pPage <= pPatchPageEnd; pPage += PAGE_SIZE)
4842 {
4843 /* Get the closest guest instruction (from above) */
4844 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4845 if ( pGuestToPatchRec
4846 && PAGE_ADDRESS(pGuestToPatchRec->Core.Key) == PAGE_ADDRESS(pPage)
4847 )
4848 {
4849 /* Code in page really patched -> add record */
4850 rc = patmAddPatchToPage(pVM, pPage, pPatch);
4851 AssertRC(rc);
4852 }
4853 }
4854 pPatch->flags |= PATMFL_CODE_MONITORED;
4855 return VINF_SUCCESS;
4856}
4857
4858/**
4859 * Remove page records for all guest pages that contain instructions that were recompiled for this patch
4860 *
4861 * @returns VBox status code.
4862 * @param pVM The cross context VM structure.
4863 * @param pPatch Patch record
4864 */
4865static int patmRemovePatchPages(PVM pVM, PPATCHINFO pPatch)
4866{
4867 int rc;
4868 RTRCUINTPTR pPatchPageStart, pPatchPageEnd, pPage;
4869
4870 /* Insert the pages that contain patched instructions into a lookup tree for detecting self-modifying code. */
4871 pPatchPageStart = (RTRCUINTPTR)pPatch->pInstrGCLowest & PAGE_BASE_GC_MASK;
4872 pPatchPageEnd = (RTRCUINTPTR)pPatch->pInstrGCHighest & PAGE_BASE_GC_MASK;
4873
4874 for(pPage = pPatchPageStart; pPage <= pPatchPageEnd; pPage += PAGE_SIZE)
4875 {
4876 /* Get the closest guest instruction (from above) */
4877 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pPage, true);
4878 if ( pGuestToPatchRec
4879 && PAGE_ADDRESS(pGuestToPatchRec->Core.Key) == PAGE_ADDRESS(pPage) /** @todo bird: PAGE_ADDRESS is for the current context really. check out these. */
4880 )
4881 {
4882 /* Code in page really patched -> remove record */
4883 rc = patmRemovePatchFromPage(pVM, pPage, pPatch);
4884 AssertRC(rc);
4885 }
4886 }
4887 pPatch->flags &= ~PATMFL_CODE_MONITORED;
4888 return VINF_SUCCESS;
4889}
4890
4891/**
4892 * Notifies PATM about a (potential) write to code that has been patched.
4893 *
4894 * @returns VBox status code.
4895 * @param pVM The cross context VM structure.
4896 * @param GCPtr GC pointer to write address
4897 * @param cbWrite Nr of bytes to write
4898 *
4899 */
4900VMMR3_INT_DECL(int) PATMR3PatchWrite(PVM pVM, RTRCPTR GCPtr, uint32_t cbWrite)
4901{
4902 RTRCUINTPTR pWritePageStart, pWritePageEnd, pPage;
4903
4904 Log(("PATMR3PatchWrite %RRv %x\n", GCPtr, cbWrite));
4905
4906 Assert(VM_IS_EMT(pVM));
4907 AssertReturn(!HMIsEnabled(pVM), VERR_PATM_HM_IPE);
4908
4909 /* Quick boundary check */
4910 if ( GCPtr < pVM->patm.s.pPatchedInstrGCLowest
4911 || GCPtr > pVM->patm.s.pPatchedInstrGCHighest
4912 )
4913 return VINF_SUCCESS;
4914
4915 STAM_PROFILE_ADV_START(&pVM->patm.s.StatPatchWrite, a);
4916
4917 pWritePageStart = (RTRCUINTPTR)GCPtr & PAGE_BASE_GC_MASK;
4918 pWritePageEnd = ((RTRCUINTPTR)GCPtr + cbWrite - 1) & PAGE_BASE_GC_MASK;
4919
4920 for (pPage = pWritePageStart; pPage <= pWritePageEnd; pPage += PAGE_SIZE)
4921 {
4922loop_start:
4923 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTRCPTR)pPage);
4924 if (pPatchPage)
4925 {
4926 uint32_t i;
4927 bool fValidPatchWrite = false;
4928
4929 /* Quick check to see if the write is in the patched part of the page */
4930 if ( pPatchPage->pLowestAddrGC > (RTRCPTR)((RTRCUINTPTR)GCPtr + cbWrite - 1)
4931 || pPatchPage->pHighestAddrGC < GCPtr)
4932 {
4933 break;
4934 }
4935
4936 for (i=0;i<pPatchPage->cCount;i++)
4937 {
4938 if (pPatchPage->papPatch[i])
4939 {
4940 PPATCHINFO pPatch = pPatchPage->papPatch[i];
4941 RTRCPTR pPatchInstrGC;
4942 //unused: bool fForceBreak = false;
4943
4944 Assert(pPatchPage->papPatch[i]->flags & PATMFL_CODE_MONITORED);
4945 /** @todo inefficient and includes redundant checks for multiple pages. */
4946 for (uint32_t j=0; j<cbWrite; j++)
4947 {
4948 RTRCPTR pGuestPtrGC = (RTRCPTR)((RTRCUINTPTR)GCPtr + j);
4949
4950 if ( pPatch->cbPatchJump
4951 && pGuestPtrGC >= pPatch->pPrivInstrGC
4952 && pGuestPtrGC < pPatch->pPrivInstrGC + pPatch->cbPatchJump)
4953 {
4954 /* The guest is about to overwrite the 5 byte jump to patch code. Remove the patch. */
4955 Log(("PATMR3PatchWrite: overwriting jump to patch code -> remove patch.\n"));
4956 int rc = PATMR3RemovePatch(pVM, pPatch->pPrivInstrGC);
4957 if (rc == VINF_SUCCESS)
4958 /* Note: jump back to the start as the pPatchPage has been deleted or changed */
4959 goto loop_start;
4960
4961 continue;
4962 }
4963
4964 /* Find the closest instruction from below; the above quick check ensured that we are indeed in patched code */
4965 pPatchInstrGC = patmGuestGCPtrToPatchGCPtr(pVM, pPatch, pGuestPtrGC);
4966 if (!pPatchInstrGC)
4967 {
4968 RTRCPTR pClosestInstrGC;
4969 uint32_t size;
4970
4971 pPatchInstrGC = patmGuestGCPtrToClosestPatchGCPtr(pVM, pPatch, pGuestPtrGC);
4972 if (pPatchInstrGC)
4973 {
4974 pClosestInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, pPatch, pPatchInstrGC);
4975 Assert(pClosestInstrGC <= pGuestPtrGC);
4976 size = patmGetInstrSize(pVM, pPatch, pClosestInstrGC);
4977 /* Check if this is not a write into a gap between two patches */
4978 if (pClosestInstrGC + size - 1 < pGuestPtrGC)
4979 pPatchInstrGC = 0;
4980 }
4981 }
4982 if (pPatchInstrGC)
4983 {
4984 uint32_t PatchOffset = pPatchInstrGC - pVM->patm.s.pPatchMemGC; /* Offset in memory reserved for PATM. */
4985
4986 fValidPatchWrite = true;
4987
4988 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32Get(&pPatch->Patch2GuestAddrTree, PatchOffset);
4989 Assert(pPatchToGuestRec);
4990 if (pPatchToGuestRec && !pPatchToGuestRec->fDirty)
4991 {
4992 Log(("PATMR3PatchWrite: Found patched instruction %RRv -> %RRv\n", pGuestPtrGC, pPatchInstrGC));
4993
4994 if (++pPatch->cCodeWrites > PATM_MAX_CODE_WRITES)
4995 {
4996 LogRel(("PATM: Disable block at %RRv - write %RRv-%RRv\n", pPatch->pPrivInstrGC, pGuestPtrGC, pGuestPtrGC+cbWrite));
4997
4998 patmR3MarkDirtyPatch(pVM, pPatch);
4999
5000 /* Note: jump back to the start as the pPatchPage has been deleted or changed */
5001 goto loop_start;
5002 }
5003 else
5004 {
5005 /* Replace the patch instruction with a breakpoint; when it's hit, then we'll attempt to recompile the instruction again. */
5006 uint8_t *pInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pPatchInstrGC);
5007
5008 pPatchToGuestRec->u8DirtyOpcode = *pInstrHC;
5009 pPatchToGuestRec->fDirty = true;
5010
5011 *pInstrHC = 0xCC;
5012
5013 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirty);
5014 }
5015 }
5016 /* else already marked dirty */
5017 }
5018 }
5019 }
5020 } /* for each patch */
5021
5022 if (fValidPatchWrite == false)
5023 {
5024 /* Write to a part of the page that either:
5025 * - doesn't contain any code (shared code/data); rather unlikely
5026 * - old code page that's no longer in active use.
5027 */
5028invalid_write_loop_start:
5029 pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, (RTRCPTR)pPage);
5030
5031 if (pPatchPage)
5032 {
5033 for (i=0;i<pPatchPage->cCount;i++)
5034 {
5035 PPATCHINFO pPatch = pPatchPage->papPatch[i];
5036
5037 if (pPatch->cInvalidWrites > PATM_MAX_INVALID_WRITES)
5038 {
5039 /* Note: possibly dangerous assumption that all future writes will be harmless. */
5040 if (pPatch->flags & PATMFL_IDTHANDLER)
5041 {
5042 LogRel(("PATM: Stop monitoring IDT handler pages at %RRv - invalid write %RRv-%RRv (this is not a fatal error)\n", pPatch->pPrivInstrGC, GCPtr, GCPtr+cbWrite));
5043
5044 Assert(pPatch->flags & PATMFL_CODE_MONITORED);
5045 int rc = patmRemovePatchPages(pVM, pPatch);
5046 AssertRC(rc);
5047 }
5048 else
5049 {
5050 LogRel(("PATM: Disable block at %RRv - invalid write %RRv-%RRv \n", pPatch->pPrivInstrGC, GCPtr, GCPtr+cbWrite));
5051 patmR3MarkDirtyPatch(pVM, pPatch);
5052 }
5053 /* Note: jump back to the start as the pPatchPage has been deleted or changed */
5054 goto invalid_write_loop_start;
5055 }
5056 } /* for */
5057 }
5058 }
5059 }
5060 }
5061 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatPatchWrite, a);
5062 return VINF_SUCCESS;
5063
5064}
5065
5066/**
5067 * Disable all patches in a flushed page
5068 *
5069 * @returns VBox status code
5070 * @param pVM The cross context VM structure.
5071 * @param addr GC address of the page to flush
5072 * @note Currently only called by CSAMR3FlushPage; optimization to avoid
5073 * having to double check if the physical address has changed
5074 */
5075VMMR3_INT_DECL(int) PATMR3FlushPage(PVM pVM, RTRCPTR addr)
5076{
5077 AssertReturn(!HMIsEnabled(pVM), VERR_PATM_HM_IPE);
5078
5079 addr &= PAGE_BASE_GC_MASK;
5080
5081 PPATMPATCHPAGE pPatchPage = (PPATMPATCHPAGE)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPage, addr);
5082 if (pPatchPage)
5083 {
5084 int i;
5085
5086 /* From top to bottom as the array is modified by PATMR3MarkDirtyPatch. */
5087 for (i=(int)pPatchPage->cCount-1;i>=0;i--)
5088 {
5089 if (pPatchPage->papPatch[i])
5090 {
5091 PPATCHINFO pPatch = pPatchPage->papPatch[i];
5092
5093 Log(("PATMR3FlushPage %RRv remove patch at %RRv\n", addr, pPatch->pPrivInstrGC));
5094 patmR3MarkDirtyPatch(pVM, pPatch);
5095 }
5096 }
5097 STAM_COUNTER_INC(&pVM->patm.s.StatFlushed);
5098 }
5099 return VINF_SUCCESS;
5100}
5101
5102/**
5103 * Checks if the instructions at the specified address has been patched already.
5104 *
5105 * @returns boolean, patched or not
5106 * @param pVM The cross context VM structure.
5107 * @param pInstrGC Guest context pointer to instruction
5108 */
5109VMMR3_INT_DECL(bool) PATMR3HasBeenPatched(PVM pVM, RTRCPTR pInstrGC)
5110{
5111 Assert(!HMIsEnabled(pVM));
5112 PPATMPATCHREC pPatchRec;
5113 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5114 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED)
5115 return true;
5116 return false;
5117}
5118
5119/**
5120 * Query the opcode of the original code that was overwritten by the 5 bytes patch jump
5121 *
5122 * @returns VBox status code.
5123 * @param pVM The cross context VM structure.
5124 * @param pInstrGC GC address of instr
5125 * @param pByte opcode byte pointer (OUT)
5126 *
5127 */
5128VMMR3DECL(int) PATMR3QueryOpcode(PVM pVM, RTRCPTR pInstrGC, uint8_t *pByte)
5129{
5130 PPATMPATCHREC pPatchRec;
5131
5132 /** @todo this will not work for aliased pages! (never has, but so far not a problem for us) */
5133
5134 /* Shortcut. */
5135 if (!PATMIsEnabled(pVM))
5136 return VERR_PATCH_NOT_FOUND;
5137 Assert(!HMIsEnabled(pVM));
5138 if ( pInstrGC < pVM->patm.s.pPatchedInstrGCLowest
5139 || pInstrGC > pVM->patm.s.pPatchedInstrGCHighest)
5140 return VERR_PATCH_NOT_FOUND;
5141
5142 pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
5143 // if the patch is enabled and the pointer lies within 5 bytes of this priv instr ptr, then we've got a hit!
5144 if ( pPatchRec
5145 && pPatchRec->patch.uState == PATCH_ENABLED
5146 && pInstrGC >= pPatchRec->patch.pPrivInstrGC
5147 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5148 {
5149 RTRCPTR offset = pInstrGC - pPatchRec->patch.pPrivInstrGC;
5150 *pByte = pPatchRec->patch.aPrivInstr[offset];
5151
5152 if (pPatchRec->patch.cbPatchJump == 1)
5153 {
5154 Log(("PATMR3QueryOpcode: returning opcode %2X for instruction at %RRv\n", *pByte, pInstrGC));
5155 }
5156 STAM_COUNTER_ADD(&pVM->patm.s.StatNrOpcodeRead, 1);
5157 return VINF_SUCCESS;
5158 }
5159 return VERR_PATCH_NOT_FOUND;
5160}
5161
5162/**
5163 * Read instruction bytes of the original code that was overwritten by the 5
5164 * bytes patch jump.
5165 *
5166 * @returns VINF_SUCCESS or VERR_PATCH_NOT_FOUND.
5167 * @param pVM The cross context VM structure.
5168 * @param GCPtrInstr GC address of instr
5169 * @param pbDst The output buffer.
5170 * @param cbToRead The maximum number bytes to read.
5171 * @param pcbRead Where to return the acutal number of bytes read.
5172 */
5173VMMR3_INT_DECL(int) PATMR3ReadOrgInstr(PVM pVM, RTGCPTR32 GCPtrInstr, uint8_t *pbDst, size_t cbToRead, size_t *pcbRead)
5174{
5175 /* Shortcut. */
5176 if (!PATMIsEnabled(pVM))
5177 return VERR_PATCH_NOT_FOUND;
5178 Assert(!HMIsEnabled(pVM));
5179 if ( GCPtrInstr < pVM->patm.s.pPatchedInstrGCLowest
5180 || GCPtrInstr > pVM->patm.s.pPatchedInstrGCHighest)
5181 return VERR_PATCH_NOT_FOUND;
5182
5183 /** @todo this will not work for aliased pages! (never has, but so far not a problem for us) */
5184
5185 /*
5186 * If the patch is enabled and the pointer lies within 5 bytes of this
5187 * priv instr ptr, then we've got a hit!
5188 */
5189 RTGCPTR32 off;
5190 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree,
5191 GCPtrInstr, false /*fAbove*/);
5192 if ( pPatchRec
5193 && pPatchRec->patch.uState == PATCH_ENABLED
5194 && (off = GCPtrInstr - pPatchRec->patch.pPrivInstrGC) < pPatchRec->patch.cbPatchJump)
5195 {
5196 uint8_t const *pbSrc = &pPatchRec->patch.aPrivInstr[off];
5197 uint32_t const cbMax = pPatchRec->patch.cbPatchJump - off;
5198 if (cbToRead > cbMax)
5199 cbToRead = cbMax;
5200 switch (cbToRead)
5201 {
5202 case 5: pbDst[4] = pbSrc[4];
5203 case 4: pbDst[3] = pbSrc[3];
5204 case 3: pbDst[2] = pbSrc[2];
5205 case 2: pbDst[1] = pbSrc[1];
5206 case 1: pbDst[0] = pbSrc[0];
5207 break;
5208 default:
5209 memcpy(pbDst, pbSrc, cbToRead);
5210 }
5211 *pcbRead = cbToRead;
5212
5213 if (pPatchRec->patch.cbPatchJump == 1)
5214 Log(("PATMR3ReadOrgInstr: returning opcode %.*Rhxs for instruction at %RX32\n", cbToRead, pbSrc, GCPtrInstr));
5215 STAM_COUNTER_ADD(&pVM->patm.s.StatNrOpcodeRead, 1);
5216 return VINF_SUCCESS;
5217 }
5218
5219 return VERR_PATCH_NOT_FOUND;
5220}
5221
5222/**
5223 * Disable patch for privileged instruction at specified location
5224 *
5225 * @returns VBox status code.
5226 * @param pVM The cross context VM structure.
5227 * @param pInstrGC Guest context point to privileged instruction
5228 *
5229 * @note returns failure if patching is not allowed or possible
5230 *
5231 */
5232VMMR3_INT_DECL(int) PATMR3DisablePatch(PVM pVM, RTRCPTR pInstrGC)
5233{
5234 PPATMPATCHREC pPatchRec;
5235 PPATCHINFO pPatch;
5236
5237 Log(("PATMR3DisablePatch: %RRv\n", pInstrGC));
5238 AssertReturn(!HMIsEnabled(pVM), VERR_PATM_HM_IPE);
5239 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5240 if (pPatchRec)
5241 {
5242 int rc = VINF_SUCCESS;
5243
5244 pPatch = &pPatchRec->patch;
5245
5246 /* Already disabled? */
5247 if (pPatch->uState == PATCH_DISABLED)
5248 return VINF_SUCCESS;
5249
5250 /* Clear the IDT entries for the patch we're disabling. */
5251 /* Note: very important as we clear IF in the patch itself */
5252 /** @todo this needs to be changed */
5253 if (pPatch->flags & PATMFL_IDTHANDLER)
5254 {
5255 uint32_t iGate;
5256
5257 iGate = TRPMR3QueryGateByHandler(pVM, PATCHCODE_PTR_GC(pPatch));
5258 if (iGate != (uint32_t)~0)
5259 {
5260 TRPMR3SetGuestTrapHandler(pVM, iGate, TRPM_INVALID_HANDLER);
5261 if (++cIDTHandlersDisabled < 256)
5262 LogRel(("PATM: Disabling IDT %x patch handler %RRv\n", iGate, pInstrGC));
5263 }
5264 }
5265
5266 /* Mark the entry with a breakpoint in case somebody else calls it later on (cli patch used as a function, function, trampoline or idt patches) */
5267 if ( pPatch->pPatchBlockOffset
5268 && pPatch->uState == PATCH_ENABLED)
5269 {
5270 Log(("Invalidate patch at %RRv (HC=%RRv)\n", PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_HC(pPatch)));
5271 pPatch->bDirtyOpcode = *PATCHCODE_PTR_HC(pPatch);
5272 *PATCHCODE_PTR_HC(pPatch) = 0xCC;
5273 }
5274
5275 /* IDT or function patches haven't changed any guest code. */
5276 if (pPatch->flags & PATMFL_PATCHED_GUEST_CODE)
5277 {
5278 Assert(pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP);
5279 Assert(!(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAMPOLINE|PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK)));
5280
5281 if (pPatch->uState != PATCH_REFUSED)
5282 {
5283 uint8_t temp[16];
5284
5285 Assert(pPatch->cbPatchJump < sizeof(temp));
5286
5287 /* Let's first check if the guest code is still the same. */
5288 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5289 Assert(rc == VINF_SUCCESS || rc == VERR_PAGE_TABLE_NOT_PRESENT || rc == VERR_PAGE_NOT_PRESENT);
5290 if (rc == VINF_SUCCESS)
5291 {
5292 RTRCINTPTR displ = (RTRCUINTPTR)PATCHCODE_PTR_GC(pPatch) - ((RTRCUINTPTR)pPatch->pPrivInstrGC + SIZEOF_NEARJUMP32);
5293
5294 if ( temp[0] != 0xE9 /* jmp opcode */
5295 || *(RTRCINTPTR *)(&temp[1]) != displ
5296 )
5297 {
5298 Log(("PATMR3DisablePatch: Can't disable a patch who's guest code has changed!!\n"));
5299 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5300 /* Remove it completely */
5301 pPatch->uState = PATCH_DISABLED; /* don't call PATMR3DisablePatch again */
5302 rc = PATMR3RemovePatch(pVM, pInstrGC);
5303 AssertRC(rc);
5304 return VWRN_PATCH_REMOVED;
5305 }
5306 patmRemoveJumpToPatch(pVM, pPatch);
5307 }
5308 else
5309 {
5310 Log(("PATMR3DisablePatch: unable to disable patch -> mark PATCH_DISABLE_PENDING\n"));
5311 pPatch->uState = PATCH_DISABLE_PENDING;
5312 }
5313 }
5314 else
5315 {
5316 AssertMsgFailed(("Patch was refused!\n"));
5317 return VERR_PATCH_ALREADY_DISABLED;
5318 }
5319 }
5320 else
5321 if (pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
5322 {
5323 uint8_t temp[16];
5324
5325 Assert(pPatch->cbPatchJump < sizeof(temp));
5326
5327 /* Let's first check if the guest code is still the same. */
5328 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5329 Assert(rc == VINF_SUCCESS || rc == VERR_PAGE_TABLE_NOT_PRESENT || rc == VERR_PAGE_NOT_PRESENT);
5330 if (rc == VINF_SUCCESS)
5331 {
5332 if (temp[0] != 0xCC)
5333 {
5334 Log(("PATMR3DisablePatch: Can't disable a patch who's guest code has changed!!\n"));
5335 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5336 /* Remove it completely */
5337 pPatch->uState = PATCH_DISABLED; /* don't call PATMR3DisablePatch again */
5338 rc = PATMR3RemovePatch(pVM, pInstrGC);
5339 AssertRC(rc);
5340 return VWRN_PATCH_REMOVED;
5341 }
5342 patmDeactivateInt3Patch(pVM, pPatch);
5343 }
5344 }
5345
5346 if (rc == VINF_SUCCESS)
5347 {
5348 /* Save old state and mark this one as disabled (so it can be enabled later on). */
5349 if (pPatch->uState == PATCH_DISABLE_PENDING)
5350 {
5351 /* Just to be safe, let's make sure this one can never be reused; the patch might be marked dirty already (int3 at start) */
5352 pPatch->uState = PATCH_UNUSABLE;
5353 }
5354 else
5355 if (pPatch->uState != PATCH_DIRTY)
5356 {
5357 pPatch->uOldState = pPatch->uState;
5358 pPatch->uState = PATCH_DISABLED;
5359 }
5360 STAM_COUNTER_ADD(&pVM->patm.s.StatDisabled, 1);
5361 }
5362
5363 Log(("PATMR3DisablePatch: disabled patch at %RRv\n", pInstrGC));
5364 return VINF_SUCCESS;
5365 }
5366 Log(("Patch not found!\n"));
5367 return VERR_PATCH_NOT_FOUND;
5368}
5369
5370/**
5371 * Permanently disable patch for privileged instruction at specified location
5372 *
5373 * @returns VBox status code.
5374 * @param pVM The cross context VM structure.
5375 * @param pInstrGC Guest context instruction pointer
5376 * @param pConflictAddr Guest context pointer which conflicts with specified patch
5377 * @param pConflictPatch Conflicting patch
5378 *
5379 */
5380static int patmDisableUnusablePatch(PVM pVM, RTRCPTR pInstrGC, RTRCPTR pConflictAddr, PPATCHINFO pConflictPatch)
5381{
5382 NOREF(pConflictAddr);
5383#ifdef PATM_RESOLVE_CONFLICTS_WITH_JUMP_PATCHES
5384 PATCHINFO patch;
5385 DISCPUSTATE cpu;
5386 R3PTRTYPE(uint8_t *) pInstrHC;
5387 uint32_t cbInstr;
5388 bool disret;
5389 int rc;
5390
5391 RT_ZERO(patch);
5392 pInstrHC = patmR3GCVirtToHCVirt(pVM, &patch, pInstrGC);
5393 disret = patmR3DisInstr(pVM, &patch, pInstrGC, pInstrHC, PATMREAD_ORGCODE, &cpu, &cbInstr);
5394 /*
5395 * If it's a 5 byte relative jump, then we can work around the problem by replacing the 32 bits relative offset
5396 * with one that jumps right into the conflict patch.
5397 * Otherwise we must disable the conflicting patch to avoid serious problems.
5398 */
5399 if ( disret == true
5400 && (pConflictPatch->flags & PATMFL_CODE32)
5401 && (cpu.pCurInstr->uOpcode == OP_JMP || (cpu.pCurInstr->fOpType & DISOPTYPE_COND_CONTROLFLOW))
5402 && (cpu.Param1.fUse & DISUSE_IMMEDIATE32_REL))
5403 {
5404 /* Hint patches must be enabled first. */
5405 if (pConflictPatch->flags & PATMFL_INSTR_HINT)
5406 {
5407 Log(("Enabling HINTED patch %RRv\n", pConflictPatch->pPrivInstrGC));
5408 pConflictPatch->flags &= ~PATMFL_INSTR_HINT;
5409 rc = PATMR3EnablePatch(pVM, pConflictPatch->pPrivInstrGC);
5410 Assert(rc == VINF_SUCCESS || rc == VERR_PATCH_NOT_FOUND);
5411 /* Enabling might fail if the patched code has changed in the meantime. */
5412 if (rc != VINF_SUCCESS)
5413 return rc;
5414 }
5415
5416 rc = PATMR3InstallPatch(pVM, pInstrGC, PATMFL_CODE32 | PATMFL_JUMP_CONFLICT);
5417 if (RT_SUCCESS(rc))
5418 {
5419 Log(("PATM -> CONFLICT: Installed JMP patch for patch conflict at %RRv\n", pInstrGC));
5420 STAM_COUNTER_INC(&pVM->patm.s.StatFixedConflicts);
5421 return VINF_SUCCESS;
5422 }
5423 }
5424#endif
5425
5426 if (pConflictPatch->opcode == OP_CLI)
5427 {
5428 /* Turn it into an int3 patch; our GC trap handler will call the generated code manually. */
5429 Log(("PATM -> CONFLICT: Found active patch at instruction %RRv with target %RRv -> turn into int 3 patch!!\n", pInstrGC, pConflictPatch->pPrivInstrGC));
5430 int rc = PATMR3DisablePatch(pVM, pConflictPatch->pPrivInstrGC);
5431 if (rc == VWRN_PATCH_REMOVED)
5432 return VINF_SUCCESS;
5433 if (RT_SUCCESS(rc))
5434 {
5435 pConflictPatch->flags &= ~(PATMFL_MUST_INSTALL_PATCHJMP|PATMFL_INSTR_HINT);
5436 pConflictPatch->flags |= PATMFL_INT3_REPLACEMENT_BLOCK;
5437 rc = PATMR3EnablePatch(pVM, pConflictPatch->pPrivInstrGC);
5438 if (rc == VERR_PATCH_NOT_FOUND)
5439 return VINF_SUCCESS; /* removed already */
5440
5441 AssertRC(rc);
5442 if (RT_SUCCESS(rc))
5443 {
5444 STAM_COUNTER_INC(&pVM->patm.s.StatInt3Callable);
5445 return VINF_SUCCESS;
5446 }
5447 }
5448 /* else turned into unusable patch (see below) */
5449 }
5450 else
5451 {
5452 Log(("PATM -> CONFLICT: Found active patch at instruction %RRv with target %RRv -> DISABLING it!!\n", pInstrGC, pConflictPatch->pPrivInstrGC));
5453 int rc = PATMR3DisablePatch(pVM, pConflictPatch->pPrivInstrGC);
5454 if (rc == VWRN_PATCH_REMOVED)
5455 return VINF_SUCCESS;
5456 }
5457
5458 /* No need to monitor the code anymore. */
5459 if (pConflictPatch->flags & PATMFL_CODE_MONITORED)
5460 {
5461 int rc = patmRemovePatchPages(pVM, pConflictPatch);
5462 AssertRC(rc);
5463 }
5464 pConflictPatch->uState = PATCH_UNUSABLE;
5465 STAM_COUNTER_INC(&pVM->patm.s.StatUnusable);
5466 return VERR_PATCH_DISABLED;
5467}
5468
5469/**
5470 * Enable patch for privileged instruction at specified location
5471 *
5472 * @returns VBox status code.
5473 * @param pVM The cross context VM structure.
5474 * @param pInstrGC Guest context point to privileged instruction
5475 *
5476 * @note returns failure if patching is not allowed or possible
5477 *
5478 */
5479VMMR3_INT_DECL(int) PATMR3EnablePatch(PVM pVM, RTRCPTR pInstrGC)
5480{
5481 PPATMPATCHREC pPatchRec;
5482 PPATCHINFO pPatch;
5483
5484 Log(("PATMR3EnablePatch %RRv\n", pInstrGC));
5485 AssertReturn(!HMIsEnabled(pVM), VERR_PATM_HM_IPE);
5486 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5487 if (pPatchRec)
5488 {
5489 int rc = VINF_SUCCESS;
5490
5491 pPatch = &pPatchRec->patch;
5492
5493 if (pPatch->uState == PATCH_DISABLED)
5494 {
5495 if (pPatch->flags & PATMFL_MUST_INSTALL_PATCHJMP)
5496 {
5497 Assert(!(pPatch->flags & PATMFL_PATCHED_GUEST_CODE));
5498 uint8_t temp[16];
5499
5500 Assert(pPatch->cbPatchJump < sizeof(temp));
5501
5502 /* Let's first check if the guest code is still the same. */
5503 int rc2 = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5504 AssertRC(rc2);
5505 if (rc2 == VINF_SUCCESS)
5506 {
5507 if (memcmp(temp, pPatch->aPrivInstr, pPatch->cbPatchJump))
5508 {
5509 Log(("PATMR3EnablePatch: Can't enable a patch who's guest code has changed!!\n"));
5510 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5511 /* Remove it completely */
5512 rc = PATMR3RemovePatch(pVM, pInstrGC);
5513 AssertRC(rc);
5514 return VERR_PATCH_NOT_FOUND;
5515 }
5516
5517 PATMP2GLOOKUPREC cacheRec;
5518 RT_ZERO(cacheRec);
5519 cacheRec.pPatch = pPatch;
5520
5521 rc2 = patmGenJumpToPatch(pVM, pPatch, &cacheRec, false);
5522 /* Free leftover lock if any. */
5523 if (cacheRec.Lock.pvMap)
5524 {
5525 PGMPhysReleasePageMappingLock(pVM, &cacheRec.Lock);
5526 cacheRec.Lock.pvMap = NULL;
5527 }
5528 AssertRC(rc2);
5529 if (RT_FAILURE(rc2))
5530 return rc2;
5531
5532#ifdef DEBUG
5533 {
5534 DISCPUSTATE cpu;
5535 char szOutput[256];
5536 uint32_t cbInstr;
5537 uint32_t i = 0;
5538 bool disret;
5539 while(i < pPatch->cbPatchJump)
5540 {
5541 disret = patmR3DisInstrToStr(pVM, pPatch, pPatch->pPrivInstrGC + i, NULL, PATMREAD_ORGCODE,
5542 &cpu, &cbInstr, szOutput, sizeof(szOutput));
5543 Log(("Renewed patch instr: %s", szOutput));
5544 i += cbInstr;
5545 }
5546 }
5547#endif
5548 }
5549 }
5550 else
5551 if (pPatch->flags & (PATMFL_INT3_REPLACEMENT|PATMFL_INT3_REPLACEMENT_BLOCK))
5552 {
5553 uint8_t temp[16];
5554
5555 Assert(pPatch->cbPatchJump < sizeof(temp));
5556
5557 /* Let's first check if the guest code is still the same. */
5558 int rc2 = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), temp, pPatch->pPrivInstrGC, pPatch->cbPatchJump);
5559 AssertRC(rc2);
5560
5561 if (memcmp(temp, pPatch->aPrivInstr, pPatch->cbPatchJump))
5562 {
5563 Log(("PATMR3EnablePatch: Can't enable a patch who's guest code has changed!!\n"));
5564 STAM_COUNTER_INC(&pVM->patm.s.StatOverwritten);
5565 rc = PATMR3RemovePatch(pVM, pInstrGC);
5566 AssertRC(rc);
5567 return VERR_PATCH_NOT_FOUND;
5568 }
5569
5570 rc2 = patmActivateInt3Patch(pVM, pPatch);
5571 if (RT_FAILURE(rc2))
5572 return rc2;
5573 }
5574
5575 pPatch->uState = pPatch->uOldState; //restore state
5576
5577 /* Restore the entry breakpoint with the original opcode (see PATMR3DisablePatch). */
5578 if (pPatch->pPatchBlockOffset)
5579 *PATCHCODE_PTR_HC(pPatch) = pPatch->bDirtyOpcode;
5580
5581 STAM_COUNTER_ADD(&pVM->patm.s.StatEnabled, 1);
5582 }
5583 else
5584 Log(("PATMR3EnablePatch: Unable to enable patch %RRv with state %d\n", pInstrGC, pPatch->uState));
5585
5586 return rc;
5587 }
5588 return VERR_PATCH_NOT_FOUND;
5589}
5590
5591/**
5592 * Remove patch for privileged instruction at specified location
5593 *
5594 * @returns VBox status code.
5595 * @param pVM The cross context VM structure.
5596 * @param pPatchRec Patch record
5597 * @param fForceRemove Remove *all* patches
5598 */
5599int patmR3RemovePatch(PVM pVM, PPATMPATCHREC pPatchRec, bool fForceRemove)
5600{
5601 PPATCHINFO pPatch;
5602
5603 pPatch = &pPatchRec->patch;
5604
5605 /* Strictly forbidden to remove such patches. There can be dependencies!! */
5606 if (!fForceRemove && (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CODE_REFERENCED)))
5607 {
5608 Log(("PATMRemovePatch %RRv REFUSED!\n", pPatch->pPrivInstrGC));
5609 return VERR_ACCESS_DENIED;
5610 }
5611 Log(("PATMRemovePatch %RRv\n", pPatch->pPrivInstrGC));
5612
5613 /* Note: NEVER EVER REUSE PATCH MEMORY */
5614 /* Note: PATMR3DisablePatch puts a breakpoint (0xCC) at the entry of this patch */
5615
5616 if (pPatchRec->patch.pPatchBlockOffset)
5617 {
5618 PAVLOU32NODECORE pNode;
5619
5620 pNode = RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchRec->patch.pPatchBlockOffset);
5621 Assert(pNode);
5622 }
5623
5624 if (pPatchRec->patch.flags & PATMFL_CODE_MONITORED)
5625 {
5626 int rc = patmRemovePatchPages(pVM, &pPatchRec->patch);
5627 AssertRC(rc);
5628 }
5629
5630#ifdef VBOX_WITH_STATISTICS
5631 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
5632 {
5633 STAMR3DeregisterF(pVM->pUVM, "/PATM/Stats/Patch/0x%RRv", pPatchRec->patch.pPrivInstrGC);
5634 STAMR3DeregisterF(pVM->pUVM, "/PATM/PatchBD/0x%RRv*", pPatchRec->patch.pPrivInstrGC);
5635 }
5636#endif
5637
5638 /* Note: no need to free Guest2PatchAddrTree as those records share memory with Patch2GuestAddrTree records. */
5639 patmEmptyTreeU32(pVM, &pPatch->Patch2GuestAddrTree);
5640 pPatch->nrPatch2GuestRecs = 0;
5641 Assert(pPatch->Patch2GuestAddrTree == 0);
5642
5643 patmEmptyTree(pVM, &pPatch->FixupTree);
5644 pPatch->nrFixups = 0;
5645 Assert(pPatch->FixupTree == 0);
5646
5647 if (pPatchRec->patch.pTempInfo)
5648 MMR3HeapFree(pPatchRec->patch.pTempInfo);
5649
5650 /* Note: might fail, because it has already been removed (e.g. during reset). */
5651 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pPatchRec->Core.Key);
5652
5653 /* Free the patch record */
5654 MMHyperFree(pVM, pPatchRec);
5655 return VINF_SUCCESS;
5656}
5657
5658/**
5659 * RTAvlU32DoWithAll() worker.
5660 * Checks whether the current trampoline instruction is the jump to the target patch
5661 * and updates the displacement to jump to the new target.
5662 *
5663 * @returns VBox status code.
5664 * @retval VERR_ALREADY_EXISTS if the jump was found.
5665 * @param pNode The current patch to guest record to check.
5666 * @param pvUser The refresh state.
5667 */
5668static DECLCALLBACK(int) patmR3PatchRefreshFindTrampolinePatch(PAVLU32NODECORE pNode, void *pvUser)
5669{
5670 PRECPATCHTOGUEST pPatch2GuestRec = (PRECPATCHTOGUEST)pNode;
5671 PPATMREFRESHPATCH pRefreshPatchState = (PPATMREFRESHPATCH)pvUser;
5672 PVM pVM = pRefreshPatchState->pVM;
5673
5674 uint8_t *pPatchInstr = (uint8_t *)(pVM->patm.s.pPatchMemHC + pPatch2GuestRec->Core.Key);
5675
5676 /*
5677 * Check if the patch instruction starts with a jump.
5678 * ASSUMES that there is no other patch to guest record that starts
5679 * with a jump.
5680 */
5681 if (*pPatchInstr == 0xE9)
5682 {
5683 /* Jump found, update the displacement. */
5684 RTRCPTR pPatchTargetGC = patmGuestGCPtrToPatchGCPtr(pVM, pRefreshPatchState->pPatchRec,
5685 pRefreshPatchState->pPatchTrampoline->pPrivInstrGC);
5686 int32_t displ = pPatchTargetGC - (pVM->patm.s.pPatchMemGC + pPatch2GuestRec->Core.Key + SIZEOF_NEARJUMP32);
5687
5688 LogFlow(("Updating trampoline patch new patch target %RRv, new displacment %d (old was %d)\n",
5689 pPatchTargetGC, displ, *(uint32_t *)&pPatchInstr[1]));
5690
5691 *(uint32_t *)&pPatchInstr[1] = displ;
5692 return VERR_ALREADY_EXISTS; /** @todo better return code */
5693 }
5694
5695 return VINF_SUCCESS;
5696}
5697
5698/**
5699 * Attempt to refresh the patch by recompiling its entire code block
5700 *
5701 * @returns VBox status code.
5702 * @param pVM The cross context VM structure.
5703 * @param pPatchRec Patch record
5704 */
5705int patmR3RefreshPatch(PVM pVM, PPATMPATCHREC pPatchRec)
5706{
5707 PPATCHINFO pPatch;
5708 int rc;
5709 RTRCPTR pInstrGC = pPatchRec->patch.pPrivInstrGC;
5710 PTRAMPREC pTrampolinePatchesHead = NULL;
5711
5712 Log(("patmR3RefreshPatch: attempt to refresh patch at %RRv\n", pInstrGC));
5713
5714 pPatch = &pPatchRec->patch;
5715 AssertReturn(pPatch->flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER), VERR_PATCHING_REFUSED);
5716 if (pPatch->flags & PATMFL_EXTERNAL_JUMP_INSIDE)
5717 {
5718 if (!pPatch->pTrampolinePatchesHead)
5719 {
5720 /*
5721 * It is sometimes possible that there are trampoline patches to this patch
5722 * but they are not recorded (after a saved state load for example).
5723 * Refuse to refresh those patches.
5724 * Can hurt performance in theory if the patched code is modified by the guest
5725 * and is executed often. However most of the time states are saved after the guest
5726 * code was modified and is not updated anymore afterwards so this shouldn't be a
5727 * big problem.
5728 */
5729 Log(("patmR3RefreshPatch: refused because external jumps to this patch exist but the jumps are not recorded\n"));
5730 return VERR_PATCHING_REFUSED;
5731 }
5732 Log(("patmR3RefreshPatch: external jumps to this patch exist, updating\n"));
5733 pTrampolinePatchesHead = pPatch->pTrampolinePatchesHead;
5734 }
5735
5736 /* Note: quite ugly to enable/disable/remove/insert old and new patches, but there's no easy way around it. */
5737
5738 rc = PATMR3DisablePatch(pVM, pInstrGC);
5739 AssertRC(rc);
5740
5741 /* Kick it out of the lookup tree to make sure PATMR3InstallPatch doesn't fail (hack alert) */
5742 RTAvloU32Remove(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pPatchRec->Core.Key);
5743#ifdef VBOX_WITH_STATISTICS
5744 if (PATM_STAT_INDEX_IS_VALID(pPatchRec->patch.uPatchIdx))
5745 {
5746 STAMR3DeregisterF(pVM->pUVM, "/PATM/Stats/Patch/0x%RRv", pPatchRec->patch.pPrivInstrGC);
5747 STAMR3DeregisterF(pVM->pUVM, "/PATM/PatchBD/0x%RRv*", pPatchRec->patch.pPrivInstrGC);
5748 }
5749#endif
5750
5751 /** Note: We don't attempt to reuse patch memory here as it's quite common that the new code block requires more memory. */
5752
5753 /* Attempt to install a new patch. */
5754 rc = PATMR3InstallPatch(pVM, pInstrGC, pPatch->flags & (PATMFL_CODE32|PATMFL_IDTHANDLER|PATMFL_INTHANDLER|PATMFL_TRAPHANDLER|PATMFL_DUPLICATE_FUNCTION|PATMFL_TRAPHANDLER_WITH_ERRORCODE|PATMFL_IDTHANDLER_WITHOUT_ENTRYPOINT));
5755 if (RT_SUCCESS(rc))
5756 {
5757 RTRCPTR pPatchTargetGC;
5758 PPATMPATCHREC pNewPatchRec;
5759
5760 /* Determine target address in new patch */
5761 pPatchTargetGC = PATMR3QueryPatchGCPtr(pVM, pInstrGC);
5762 Assert(pPatchTargetGC);
5763 if (!pPatchTargetGC)
5764 {
5765 rc = VERR_PATCHING_REFUSED;
5766 goto failure;
5767 }
5768
5769 /* Reset offset into patch memory to put the next code blocks right at the beginning. */
5770 pPatch->uCurPatchOffset = 0;
5771
5772 /* insert jump to new patch in old patch block */
5773 rc = patmPatchGenPatchJump(pVM, pPatch, pInstrGC, pPatchTargetGC, false /* no lookup record */);
5774 if (RT_FAILURE(rc))
5775 goto failure;
5776
5777 pNewPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5778 Assert(pNewPatchRec); /* can't fail */
5779
5780 /* Remove old patch (only do that when everything is finished) */
5781 int rc2 = patmR3RemovePatch(pVM, pPatchRec, true /* force removal */);
5782 AssertRC(rc2);
5783
5784 /* Put the new patch back into the tree, because removing the old one kicked this one out. (hack alert) */
5785 bool fInserted = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pNewPatchRec->Core);
5786 Assert(fInserted); NOREF(fInserted);
5787
5788 Log(("PATM: patmR3RefreshPatch: succeeded to refresh patch at %RRv \n", pInstrGC));
5789 STAM_COUNTER_INC(&pVM->patm.s.StatPatchRefreshSuccess);
5790
5791 /* Used by another patch, so don't remove it! */
5792 pNewPatchRec->patch.flags |= PATMFL_CODE_REFERENCED;
5793
5794 if (pTrampolinePatchesHead)
5795 {
5796 /* Update all trampoline patches to jump to the new patch. */
5797 PTRAMPREC pTrampRec = NULL;
5798 PATMREFRESHPATCH RefreshPatch;
5799
5800 RefreshPatch.pVM = pVM;
5801 RefreshPatch.pPatchRec = &pNewPatchRec->patch;
5802
5803 pTrampRec = pTrampolinePatchesHead;
5804
5805 while (pTrampRec)
5806 {
5807 PPATCHINFO pPatchTrampoline = &pTrampRec->pPatchTrampoline->patch;
5808
5809 RefreshPatch.pPatchTrampoline = pPatchTrampoline;
5810 /*
5811 * We have to find the right patch2guest record because there might be others
5812 * for statistics.
5813 */
5814 rc = RTAvlU32DoWithAll(&pPatchTrampoline->Patch2GuestAddrTree, true,
5815 patmR3PatchRefreshFindTrampolinePatch, &RefreshPatch);
5816 Assert(rc == VERR_ALREADY_EXISTS);
5817 rc = VINF_SUCCESS;
5818 pTrampRec = pTrampRec->pNext;
5819 }
5820 pNewPatchRec->patch.pTrampolinePatchesHead = pTrampolinePatchesHead;
5821 pNewPatchRec->patch.flags |= PATMFL_EXTERNAL_JUMP_INSIDE;
5822 /* Clear the list of trampoline patches for the old patch (safety precaution). */
5823 pPatchRec->patch.pTrampolinePatchesHead = NULL;
5824 }
5825 }
5826
5827failure:
5828 if (RT_FAILURE(rc))
5829 {
5830 LogRel(("PATM: patmR3RefreshPatch: failed to refresh patch at %RRv. Reactiving old one. \n", pInstrGC));
5831
5832 /* Remove the new inactive patch */
5833 rc = PATMR3RemovePatch(pVM, pInstrGC);
5834 AssertRC(rc);
5835
5836 /* Put the old patch back into the tree (or else it won't be saved) (hack alert) */
5837 bool fInserted = RTAvloU32Insert(&pVM->patm.s.PatchLookupTreeHC->PatchTree, &pPatchRec->Core);
5838 Assert(fInserted); NOREF(fInserted);
5839
5840 /* Enable again in case the dirty instruction is near the end and there are safe code paths. */
5841 int rc2 = PATMR3EnablePatch(pVM, pInstrGC);
5842 AssertRC(rc2);
5843
5844 STAM_COUNTER_INC(&pVM->patm.s.StatPatchRefreshFailed);
5845 }
5846 return rc;
5847}
5848
5849/**
5850 * Find patch for privileged instruction at specified location
5851 *
5852 * @returns Patch structure pointer if found; else NULL
5853 * @param pVM The cross context VM structure.
5854 * @param pInstrGC Guest context point to instruction that might lie
5855 * within 5 bytes of an existing patch jump
5856 * @param fIncludeHints Include hinted patches or not
5857 */
5858PPATCHINFO patmFindActivePatchByEntrypoint(PVM pVM, RTRCPTR pInstrGC, bool fIncludeHints)
5859{
5860 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
5861 /* if the patch is enabled, the pointer is not identical to the privileged patch ptr and it lies within 5 bytes of this priv instr ptr, then we've got a hit! */
5862 if (pPatchRec)
5863 {
5864 if ( pPatchRec->patch.uState == PATCH_ENABLED
5865 && (pPatchRec->patch.flags & PATMFL_PATCHED_GUEST_CODE)
5866 && pInstrGC > pPatchRec->patch.pPrivInstrGC
5867 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5868 {
5869 Log(("Found active patch at %RRv (org %RRv)\n", pInstrGC, pPatchRec->patch.pPrivInstrGC));
5870 return &pPatchRec->patch;
5871 }
5872 else
5873 if ( fIncludeHints
5874 && pPatchRec->patch.uState == PATCH_DISABLED
5875 && (pPatchRec->patch.flags & PATMFL_INSTR_HINT)
5876 && pInstrGC > pPatchRec->patch.pPrivInstrGC
5877 && pInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
5878 {
5879 Log(("Found HINT patch at %RRv (org %RRv)\n", pInstrGC, pPatchRec->patch.pPrivInstrGC));
5880 return &pPatchRec->patch;
5881 }
5882 }
5883 return NULL;
5884}
5885
5886/**
5887 * Checks whether the GC address is inside a generated patch jump
5888 *
5889 * @returns true -> yes, false -> no
5890 * @param pVM The cross context VM structure.
5891 * @param pAddr Guest context address.
5892 * @param pPatchAddr Guest context patch address (if true).
5893 */
5894VMMR3_INT_DECL(bool) PATMR3IsInsidePatchJump(PVM pVM, RTRCPTR pAddr, PRTGCPTR32 pPatchAddr)
5895{
5896 RTRCPTR addr;
5897 PPATCHINFO pPatch;
5898
5899 Assert(!HMIsEnabled(pVM));
5900 if (PATMIsEnabled(pVM) == false)
5901 return false;
5902
5903 if (pPatchAddr == NULL)
5904 pPatchAddr = &addr;
5905
5906 *pPatchAddr = 0;
5907
5908 pPatch = patmFindActivePatchByEntrypoint(pVM, pAddr);
5909 if (pPatch)
5910 *pPatchAddr = pPatch->pPrivInstrGC;
5911
5912 return *pPatchAddr == 0 ? false : true;
5913}
5914
5915/**
5916 * Remove patch for privileged instruction at specified location
5917 *
5918 * @returns VBox status code.
5919 * @param pVM The cross context VM structure.
5920 * @param pInstrGC Guest context point to privileged instruction
5921 *
5922 * @note returns failure if patching is not allowed or possible
5923 *
5924 */
5925VMMR3_INT_DECL(int) PATMR3RemovePatch(PVM pVM, RTRCPTR pInstrGC)
5926{
5927 PPATMPATCHREC pPatchRec;
5928
5929 AssertReturn(!HMIsEnabled(pVM), VERR_PATM_HM_IPE);
5930 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC);
5931 if (pPatchRec)
5932 {
5933 int rc = PATMR3DisablePatch(pVM, pInstrGC);
5934 if (rc == VWRN_PATCH_REMOVED)
5935 return VINF_SUCCESS;
5936
5937 return patmR3RemovePatch(pVM, pPatchRec, false);
5938 }
5939 AssertFailed();
5940 return VERR_PATCH_NOT_FOUND;
5941}
5942
5943/**
5944 * Mark patch as dirty
5945 *
5946 * @returns VBox status code.
5947 * @param pVM The cross context VM structure.
5948 * @param pPatch Patch record
5949 *
5950 * @note returns failure if patching is not allowed or possible
5951 *
5952 */
5953static int patmR3MarkDirtyPatch(PVM pVM, PPATCHINFO pPatch)
5954{
5955 if (pPatch->pPatchBlockOffset)
5956 {
5957 Log(("Invalidate patch at %RRv (HC=%RRv)\n", PATCHCODE_PTR_GC(pPatch), PATCHCODE_PTR_HC(pPatch)));
5958 pPatch->bDirtyOpcode = *PATCHCODE_PTR_HC(pPatch);
5959 *PATCHCODE_PTR_HC(pPatch) = 0xCC;
5960 }
5961
5962 STAM_COUNTER_INC(&pVM->patm.s.StatDirty);
5963 /* Put back the replaced instruction. */
5964 int rc = PATMR3DisablePatch(pVM, pPatch->pPrivInstrGC);
5965 if (rc == VWRN_PATCH_REMOVED)
5966 return VINF_SUCCESS;
5967
5968 /* Note: we don't restore patch pages for patches that are not enabled! */
5969 /* Note: be careful when changing this behaviour!! */
5970
5971 /* The patch pages are no longer marked for self-modifying code detection */
5972 if (pPatch->flags & PATMFL_CODE_MONITORED)
5973 {
5974 rc = patmRemovePatchPages(pVM, pPatch);
5975 AssertRCReturn(rc, rc);
5976 }
5977 pPatch->uState = PATCH_DIRTY;
5978
5979 /* Paranoia; make sure this patch is not somewhere in the callchain, so prevent ret instructions from succeeding. */
5980 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
5981
5982 return VINF_SUCCESS;
5983}
5984
5985/**
5986 * Query the corresponding GC instruction pointer from a pointer inside the patch block itself
5987 *
5988 * @returns VBox status code.
5989 * @param pVM The cross context VM structure.
5990 * @param pPatch Patch block structure pointer
5991 * @param pPatchGC GC address in patch block
5992 */
5993RTRCPTR patmPatchGCPtr2GuestGCPtr(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t *) pPatchGC)
5994{
5995 Assert(pPatch->Patch2GuestAddrTree);
5996 /* Get the closest record from below. */
5997 PRECPATCHTOGUEST pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->Patch2GuestAddrTree, pPatchGC - pVM->patm.s.pPatchMemGC, false);
5998 if (pPatchToGuestRec)
5999 return pPatchToGuestRec->pOrgInstrGC;
6000
6001 return 0;
6002}
6003
6004/**
6005 * Converts Guest code GC ptr to Patch code GC ptr (if found)
6006 *
6007 * @returns corresponding GC pointer in patch block
6008 * @param pVM The cross context VM structure.
6009 * @param pPatch Current patch block pointer
6010 * @param pInstrGC Guest context pointer to privileged instruction
6011 *
6012 */
6013RTRCPTR patmGuestGCPtrToPatchGCPtr(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t*) pInstrGC)
6014{
6015 if (pPatch->Guest2PatchAddrTree)
6016 {
6017 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32Get(&pPatch->Guest2PatchAddrTree, pInstrGC);
6018 if (pGuestToPatchRec)
6019 return pVM->patm.s.pPatchMemGC + pGuestToPatchRec->PatchOffset;
6020 }
6021
6022 return 0;
6023}
6024
6025/**
6026 * Converts Guest code GC ptr to Patch code GC ptr (if found)
6027 *
6028 * @returns corresponding GC pointer in patch block
6029 * @param pVM The cross context VM structure.
6030 * @param pInstrGC Guest context pointer to privileged instruction
6031 */
6032static RTRCPTR patmR3GuestGCPtrToPatchGCPtrSimple(PVM pVM, RCPTRTYPE(uint8_t*) pInstrGC)
6033{
6034 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pInstrGC, false);
6035 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED && pInstrGC >= pPatchRec->patch.pPrivInstrGC)
6036 return patmGuestGCPtrToPatchGCPtr(pVM, &pPatchRec->patch, pInstrGC);
6037 return NIL_RTRCPTR;
6038}
6039
6040/**
6041 * Converts Guest code GC ptr to Patch code GC ptr (or nearest from below if no
6042 * identical match)
6043 *
6044 * @returns corresponding GC pointer in patch block
6045 * @param pVM The cross context VM structure.
6046 * @param pPatch Current patch block pointer
6047 * @param pInstrGC Guest context pointer to privileged instruction
6048 *
6049 */
6050RTRCPTR patmGuestGCPtrToClosestPatchGCPtr(PVM pVM, PPATCHINFO pPatch, RCPTRTYPE(uint8_t*) pInstrGC)
6051{
6052 PRECGUESTTOPATCH pGuestToPatchRec = (PRECGUESTTOPATCH)RTAvlU32GetBestFit(&pPatch->Guest2PatchAddrTree, pInstrGC, false);
6053 if (pGuestToPatchRec)
6054 return pVM->patm.s.pPatchMemGC + pGuestToPatchRec->PatchOffset;
6055 return NIL_RTRCPTR;
6056}
6057
6058/**
6059 * Query the corresponding GC instruction pointer from a pointer inside the patch block itself
6060 *
6061 * @returns original GC instruction pointer or 0 if not found
6062 * @param pVM The cross context VM structure.
6063 * @param pPatchGC GC address in patch block
6064 * @param pEnmState State of the translated address (out)
6065 *
6066 */
6067VMMR3_INT_DECL(RTRCPTR) PATMR3PatchToGCPtr(PVM pVM, RTRCPTR pPatchGC, PATMTRANSSTATE *pEnmState)
6068{
6069 PPATMPATCHREC pPatchRec;
6070 void *pvPatchCoreOffset;
6071 RTRCPTR pPrivInstrGC;
6072
6073 Assert(PATMIsPatchGCAddr(pVM, pPatchGC));
6074 Assert(!HMIsEnabled(pVM));
6075 pvPatchCoreOffset = RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, pPatchGC - pVM->patm.s.pPatchMemGC, false);
6076 if (pvPatchCoreOffset == 0)
6077 {
6078 Log(("PATMR3PatchToGCPtr failed for %RRv offset %x\n", pPatchGC, pPatchGC - pVM->patm.s.pPatchMemGC));
6079 return 0;
6080 }
6081 pPatchRec = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
6082 pPrivInstrGC = patmPatchGCPtr2GuestGCPtr(pVM, &pPatchRec->patch, pPatchGC);
6083 if (pEnmState)
6084 {
6085 AssertMsg(pPrivInstrGC && ( pPatchRec->patch.uState == PATCH_ENABLED
6086 || pPatchRec->patch.uState == PATCH_DIRTY
6087 || pPatchRec->patch.uState == PATCH_DISABLE_PENDING
6088 || pPatchRec->patch.uState == PATCH_UNUSABLE),
6089 ("pPrivInstrGC=%RRv uState=%d\n", pPrivInstrGC, pPatchRec->patch.uState));
6090
6091 if ( !pPrivInstrGC
6092 || pPatchRec->patch.uState == PATCH_UNUSABLE
6093 || pPatchRec->patch.uState == PATCH_REFUSED)
6094 {
6095 pPrivInstrGC = 0;
6096 *pEnmState = PATMTRANS_FAILED;
6097 }
6098 else
6099 if (pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts == pPrivInstrGC)
6100 {
6101 *pEnmState = PATMTRANS_INHIBITIRQ;
6102 }
6103 else
6104 if ( pPatchRec->patch.uState == PATCH_ENABLED
6105 && !(pPatchRec->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAMPOLINE))
6106 && pPrivInstrGC > pPatchRec->patch.pPrivInstrGC
6107 && pPrivInstrGC < pPatchRec->patch.pPrivInstrGC + pPatchRec->patch.cbPatchJump)
6108 {
6109 *pEnmState = PATMTRANS_OVERWRITTEN;
6110 }
6111 else
6112 if (patmFindActivePatchByEntrypoint(pVM, pPrivInstrGC))
6113 {
6114 *pEnmState = PATMTRANS_OVERWRITTEN;
6115 }
6116 else
6117 if (pPrivInstrGC == pPatchRec->patch.pPrivInstrGC)
6118 {
6119 *pEnmState = PATMTRANS_PATCHSTART;
6120 }
6121 else
6122 *pEnmState = PATMTRANS_SAFE;
6123 }
6124 return pPrivInstrGC;
6125}
6126
6127/**
6128 * Returns the GC pointer of the patch for the specified GC address
6129 *
6130 * @returns VBox status code.
6131 * @param pVM The cross context VM structure.
6132 * @param pAddrGC Guest context address
6133 */
6134VMMR3_INT_DECL(RTRCPTR) PATMR3QueryPatchGCPtr(PVM pVM, RTRCPTR pAddrGC)
6135{
6136 PPATMPATCHREC pPatchRec;
6137
6138 Assert(!HMIsEnabled(pVM));
6139
6140 /* Find the patch record. */
6141 pPatchRec = (PPATMPATCHREC)RTAvloU32Get(&pVM->patm.s.PatchLookupTreeHC->PatchTree, pAddrGC);
6142 /** @todo we should only use patches that are enabled! always did this, but it's incorrect! */
6143 if (pPatchRec && (pPatchRec->patch.uState == PATCH_ENABLED || pPatchRec->patch.uState == PATCH_DIRTY))
6144 return PATCHCODE_PTR_GC(&pPatchRec->patch);
6145 return NIL_RTRCPTR;
6146}
6147
6148/**
6149 * Attempt to recover dirty instructions
6150 *
6151 * @returns VBox status code.
6152 * @param pVM The cross context VM structure.
6153 * @param pCtx Pointer to the guest CPU context.
6154 * @param pPatch Patch record.
6155 * @param pPatchToGuestRec Patch to guest address record.
6156 * @param pEip GC pointer of trapping instruction.
6157 */
6158static int patmR3HandleDirtyInstr(PVM pVM, PCPUMCTX pCtx, PPATMPATCHREC pPatch, PRECPATCHTOGUEST pPatchToGuestRec, RTRCPTR pEip)
6159{
6160 DISCPUSTATE CpuOld, CpuNew;
6161 uint8_t *pPatchInstrHC, *pCurPatchInstrHC;
6162 int rc;
6163 RTRCPTR pCurInstrGC, pCurPatchInstrGC;
6164 uint32_t cbDirty;
6165 PRECPATCHTOGUEST pRec;
6166 RTRCPTR const pOrgInstrGC = pPatchToGuestRec->pOrgInstrGC;
6167 PVMCPU pVCpu = VMMGetCpu0(pVM);
6168 Log(("patmR3HandleDirtyInstr: dirty instruction at %RRv (%RRv)\n", pEip, pOrgInstrGC));
6169
6170 pRec = pPatchToGuestRec;
6171 pCurInstrGC = pOrgInstrGC;
6172 pCurPatchInstrGC = pEip;
6173 cbDirty = 0;
6174 pPatchInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pCurPatchInstrGC);
6175
6176 /* Find all adjacent dirty instructions */
6177 while (true)
6178 {
6179 if (pRec->fJumpTarget)
6180 {
6181 LogRel(("PATM: patmR3HandleDirtyInstr: dirty instruction at %RRv (%RRv) ignored, because instruction in function was reused as target of jump\n", pEip, pOrgInstrGC));
6182 pRec->fDirty = false;
6183 return VERR_PATCHING_REFUSED;
6184 }
6185
6186 /* Restore original instruction opcode byte so we can check if the write was indeed safe. */
6187 pCurPatchInstrHC = patmPatchGCPtr2PatchHCPtr(pVM, pCurPatchInstrGC);
6188 *pCurPatchInstrHC = pRec->u8DirtyOpcode;
6189
6190 /* Only harmless instructions are acceptable. */
6191 rc = CPUMR3DisasmInstrCPU(pVM, pVCpu, pCtx, pCurPatchInstrGC, &CpuOld, 0);
6192 if ( RT_FAILURE(rc)
6193 || !(CpuOld.pCurInstr->fOpType & DISOPTYPE_HARMLESS))
6194 {
6195 if (RT_SUCCESS(rc))
6196 cbDirty += CpuOld.cbInstr;
6197 else
6198 if (!cbDirty)
6199 cbDirty = 1;
6200 break;
6201 }
6202
6203#ifdef DEBUG
6204 char szBuf[256];
6205 DBGFR3DisasInstrEx(pVM->pUVM, pVCpu->idCpu, pCtx->cs.Sel, pCurPatchInstrGC, DBGF_DISAS_FLAGS_DEFAULT_MODE,
6206 szBuf, sizeof(szBuf), NULL);
6207 Log(("DIRTY: %s\n", szBuf));
6208#endif
6209 /* Mark as clean; if we fail we'll let it always fault. */
6210 pRec->fDirty = false;
6211
6212 /* Remove old lookup record. */
6213 patmr3RemoveP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrGC);
6214 pPatchToGuestRec = NULL;
6215
6216 pCurPatchInstrGC += CpuOld.cbInstr;
6217 cbDirty += CpuOld.cbInstr;
6218
6219 /* Let's see if there's another dirty instruction right after. */
6220 pRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->patch.Patch2GuestAddrTree, pCurPatchInstrGC - pVM->patm.s.pPatchMemGC, true);
6221 if (!pRec || !pRec->fDirty)
6222 break; /* no more dirty instructions */
6223
6224 /* In case of complex instructions the next guest instruction could be quite far off. */
6225 pCurPatchInstrGC = pRec->Core.Key + pVM->patm.s.pPatchMemGC;
6226 }
6227
6228 if ( RT_SUCCESS(rc)
6229 && (CpuOld.pCurInstr->fOpType & DISOPTYPE_HARMLESS)
6230 )
6231 {
6232 uint32_t cbLeft;
6233
6234 pCurPatchInstrHC = pPatchInstrHC;
6235 pCurPatchInstrGC = pEip;
6236 cbLeft = cbDirty;
6237
6238 while (cbLeft && RT_SUCCESS(rc))
6239 {
6240 bool fValidInstr;
6241
6242 rc = CPUMR3DisasmInstrCPU(pVM, pVCpu, pCtx, pCurInstrGC, &CpuNew, 0);
6243
6244 fValidInstr = !!(CpuNew.pCurInstr->fOpType & DISOPTYPE_HARMLESS);
6245 if ( !fValidInstr
6246 && (CpuNew.pCurInstr->fOpType & DISOPTYPE_RELATIVE_CONTROLFLOW)
6247 )
6248 {
6249 RTRCPTR pTargetGC = PATMResolveBranch(&CpuNew, pCurInstrGC);
6250
6251 if ( pTargetGC >= pOrgInstrGC
6252 && pTargetGC <= pOrgInstrGC + cbDirty
6253 )
6254 {
6255 /* A relative jump to an instruction inside or to the end of the dirty block is acceptable. */
6256 fValidInstr = true;
6257 }
6258 }
6259
6260 /* If the instruction is completely harmless (which implies a 1:1 patch copy). */
6261 if ( rc == VINF_SUCCESS
6262 && CpuNew.cbInstr <= cbLeft /* must still fit */
6263 && fValidInstr
6264 )
6265 {
6266#ifdef DEBUG
6267 char szBuf[256];
6268 DBGFR3DisasInstrEx(pVM->pUVM, pVCpu->idCpu, pCtx->cs.Sel, pCurInstrGC, DBGF_DISAS_FLAGS_DEFAULT_MODE,
6269 szBuf, sizeof(szBuf), NULL);
6270 Log(("NEW: %s\n", szBuf));
6271#endif
6272
6273 /* Copy the new instruction. */
6274 rc = PGMPhysSimpleReadGCPtr(VMMGetCpu0(pVM), pCurPatchInstrHC, pCurInstrGC, CpuNew.cbInstr);
6275 AssertRC(rc);
6276
6277 /* Add a new lookup record for the duplicated instruction. */
6278 patmR3AddP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrHC, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
6279 }
6280 else
6281 {
6282#ifdef DEBUG
6283 char szBuf[256];
6284 DBGFR3DisasInstrEx(pVM->pUVM, pVCpu->idCpu, pCtx->cs.Sel, pCurInstrGC, DBGF_DISAS_FLAGS_DEFAULT_MODE,
6285 szBuf, sizeof(szBuf), NULL);
6286 Log(("NEW: %s (FAILED)\n", szBuf));
6287#endif
6288 /* Restore the old lookup record for the duplicated instruction. */
6289 patmR3AddP2GLookupRecord(pVM, &pPatch->patch, pCurPatchInstrHC, pCurInstrGC, PATM_LOOKUP_BOTHDIR);
6290
6291 /** @todo in theory we need to restore the lookup records for the remaining dirty instructions too! */
6292 rc = VERR_PATCHING_REFUSED;
6293 break;
6294 }
6295 pCurInstrGC += CpuNew.cbInstr;
6296 pCurPatchInstrHC += CpuNew.cbInstr;
6297 pCurPatchInstrGC += CpuNew.cbInstr;
6298 cbLeft -= CpuNew.cbInstr;
6299
6300 /* Check if we expanded a complex guest instruction into a patch stream (e.g. call) */
6301 if (!cbLeft)
6302 {
6303 /* If the next patch instruction doesn't correspond to the next guest instruction, then we have some extra room to fill. */
6304 if (RTAvlU32Get(&pPatch->patch.Patch2GuestAddrTree, pCurPatchInstrGC - pVM->patm.s.pPatchMemGC) == NULL)
6305 {
6306 pRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->patch.Patch2GuestAddrTree, pCurPatchInstrGC - pVM->patm.s.pPatchMemGC, true);
6307 if (pRec)
6308 {
6309 unsigned cbFiller = pRec->Core.Key + pVM->patm.s.pPatchMemGC - pCurPatchInstrGC;
6310 uint8_t *pPatchFillHC = patmPatchGCPtr2PatchHCPtr(pVM, pCurPatchInstrGC);
6311
6312 Assert(!pRec->fDirty);
6313
6314 Log(("Room left in patched instruction stream (%d bytes)\n", cbFiller));
6315 if (cbFiller >= SIZEOF_NEARJUMP32)
6316 {
6317 pPatchFillHC[0] = 0xE9;
6318 *(uint32_t *)&pPatchFillHC[1] = cbFiller - SIZEOF_NEARJUMP32;
6319#ifdef DEBUG
6320 char szBuf[256];
6321 DBGFR3DisasInstrEx(pVM->pUVM, pVCpu->idCpu, pCtx->cs.Sel, pCurPatchInstrGC,
6322 DBGF_DISAS_FLAGS_DEFAULT_MODE, szBuf, sizeof(szBuf), NULL);
6323 Log(("FILL: %s\n", szBuf));
6324#endif
6325 }
6326 else
6327 {
6328 for (unsigned i = 0; i < cbFiller; i++)
6329 {
6330 pPatchFillHC[i] = 0x90; /* NOP */
6331#ifdef DEBUG
6332 char szBuf[256];
6333 DBGFR3DisasInstrEx(pVM->pUVM, pVCpu->idCpu, pCtx->cs.Sel, pCurPatchInstrGC + i,
6334 DBGF_DISAS_FLAGS_DEFAULT_MODE, szBuf, sizeof(szBuf), NULL);
6335 Log(("FILL: %s\n", szBuf));
6336#endif
6337 }
6338 }
6339 }
6340 }
6341 }
6342 }
6343 }
6344 else
6345 rc = VERR_PATCHING_REFUSED;
6346
6347 if (RT_SUCCESS(rc))
6348 {
6349 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirtyGood);
6350 }
6351 else
6352 {
6353 STAM_COUNTER_INC(&pVM->patm.s.StatInstrDirtyBad);
6354 Assert(cbDirty);
6355
6356 /* Mark the whole instruction stream with breakpoints. */
6357 if (cbDirty)
6358 memset(pPatchInstrHC, 0xCC, cbDirty);
6359
6360 if ( pVM->patm.s.fOutOfMemory == false
6361 && (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_IDTHANDLER|PATMFL_TRAPHANDLER)))
6362 {
6363 rc = patmR3RefreshPatch(pVM, pPatch);
6364 if (RT_FAILURE(rc))
6365 {
6366 LogRel(("PATM: Failed to refresh dirty patch at %RRv. Disabling it.\n", pPatch->patch.pPrivInstrGC));
6367 }
6368 /* Even if we succeed, we must go back to the original instruction as the patched one could be invalid. */
6369 rc = VERR_PATCHING_REFUSED;
6370 }
6371 }
6372 return rc;
6373}
6374
6375/**
6376 * Handle trap inside patch code
6377 *
6378 * @returns VBox status code.
6379 * @param pVM The cross context VM structure.
6380 * @param pCtx Pointer to the guest CPU context.
6381 * @param pEip GC pointer of trapping instruction.
6382 * @param ppNewEip GC pointer to new instruction.
6383 */
6384VMMR3_INT_DECL(int) PATMR3HandleTrap(PVM pVM, PCPUMCTX pCtx, RTRCPTR pEip, RTGCPTR *ppNewEip)
6385{
6386 PPATMPATCHREC pPatch = 0;
6387 void *pvPatchCoreOffset;
6388 RTRCUINTPTR offset;
6389 RTRCPTR pNewEip;
6390 int rc ;
6391 PRECPATCHTOGUEST pPatchToGuestRec = 0;
6392 PVMCPU pVCpu = VMMGetCpu0(pVM);
6393
6394 AssertReturn(!HMIsEnabled(pVM), VERR_PATM_HM_IPE);
6395 Assert(pVM->cCpus == 1);
6396
6397 pNewEip = 0;
6398 *ppNewEip = 0;
6399
6400 STAM_PROFILE_ADV_START(&pVM->patm.s.StatHandleTrap, a);
6401
6402 /* Find the patch record. */
6403 /* Note: there might not be a patch to guest translation record (global function) */
6404 offset = pEip - pVM->patm.s.pPatchMemGC;
6405 pvPatchCoreOffset = RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTreeByPatchAddr, offset, false);
6406 if (pvPatchCoreOffset)
6407 {
6408 pPatch = PATM_PATCHREC_FROM_COREOFFSET(pvPatchCoreOffset);
6409
6410 Assert(offset >= pPatch->patch.pPatchBlockOffset && offset < pPatch->patch.pPatchBlockOffset + pPatch->patch.cbPatchBlockSize);
6411
6412 if (pPatch->patch.uState == PATCH_DIRTY)
6413 {
6414 Log(("PATMR3HandleTrap: trap in dirty patch at %RRv\n", pEip));
6415 if (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CODE_REFERENCED))
6416 {
6417 /* Function duplication patches set fPIF to 1 on entry */
6418 pVM->patm.s.pGCStateHC->fPIF = 1;
6419 }
6420 }
6421 else
6422 if (pPatch->patch.uState == PATCH_DISABLED)
6423 {
6424 Log(("PATMR3HandleTrap: trap in disabled patch at %RRv\n", pEip));
6425 if (pPatch->patch.flags & (PATMFL_DUPLICATE_FUNCTION|PATMFL_CODE_REFERENCED))
6426 {
6427 /* Function duplication patches set fPIF to 1 on entry */
6428 pVM->patm.s.pGCStateHC->fPIF = 1;
6429 }
6430 }
6431 else
6432 if (pPatch->patch.uState == PATCH_DISABLE_PENDING)
6433 {
6434 RTRCPTR pPrivInstrGC = pPatch->patch.pPrivInstrGC;
6435
6436 Log(("PATMR3HandleTrap: disable operation is pending for patch at %RRv\n", pPatch->patch.pPrivInstrGC));
6437 rc = PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6438 AssertReleaseMsg(rc != VWRN_PATCH_REMOVED, ("PATMR3DisablePatch removed patch at %RRv\n", pPrivInstrGC));
6439 AssertMsg(pPatch->patch.uState == PATCH_DISABLED || pPatch->patch.uState == PATCH_UNUSABLE, ("Unexpected failure to disable patch state=%d rc=%Rrc\n", pPatch->patch.uState, rc));
6440 }
6441
6442 pPatchToGuestRec = (PRECPATCHTOGUEST)RTAvlU32GetBestFit(&pPatch->patch.Patch2GuestAddrTree, offset, false);
6443 AssertReleaseMsg(pPatchToGuestRec, ("PATMR3HandleTrap: Unable to find corresponding guest address for %RRv (offset %x)\n", pEip, offset));
6444
6445 pNewEip = pPatchToGuestRec->pOrgInstrGC;
6446 pPatch->patch.cTraps++;
6447 PATM_STAT_FAULT_INC(&pPatch->patch);
6448 }
6449 else
6450 AssertReleaseMsg(pVM->patm.s.pGCStateHC->fPIF == 0, ("PATMR3HandleTrap: Unable to find translation record for %RRv (PIF=0)\n", pEip));
6451
6452 /* Check if we were interrupted in PATM generated instruction code. */
6453 if (pVM->patm.s.pGCStateHC->fPIF == 0)
6454 {
6455 DISCPUSTATE Cpu;
6456 rc = CPUMR3DisasmInstrCPU(pVM, pVCpu, pCtx, pEip, &Cpu, "PIF Trap: ");
6457 AssertRC(rc);
6458
6459 if ( rc == VINF_SUCCESS
6460 && ( Cpu.pCurInstr->uOpcode == OP_PUSHF
6461 || Cpu.pCurInstr->uOpcode == OP_PUSH
6462 || Cpu.pCurInstr->uOpcode == OP_CALL)
6463 )
6464 {
6465 uint64_t fFlags;
6466
6467 STAM_COUNTER_INC(&pVM->patm.s.StatPushTrap);
6468
6469 if (Cpu.pCurInstr->uOpcode == OP_PUSH)
6470 {
6471 rc = PGMShwGetPage(pVCpu, pCtx->esp, &fFlags, NULL);
6472 if ( rc == VINF_SUCCESS
6473 && ((fFlags & (X86_PTE_P|X86_PTE_RW)) == (X86_PTE_P|X86_PTE_RW)) )
6474 {
6475 /* The stack address is fine, so the push argument is a pointer -> emulate this instruction */
6476
6477 /* Reset the PATM stack. */
6478 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6479
6480 pVM->patm.s.pGCStateHC->fPIF = 1;
6481
6482 Log(("Faulting push -> go back to the original instruction\n"));
6483
6484 /* continue at the original instruction */
6485 *ppNewEip = pNewEip - SELMToFlat(pVM, DISSELREG_CS, CPUMCTX2CORE(pCtx), 0);
6486 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6487 return VINF_SUCCESS;
6488 }
6489 }
6490
6491 /* Typical pushf (most patches)/push (call patch) trap because of a monitored page. */
6492 rc = PGMShwMakePageWritable(pVCpu, pCtx->esp, 0 /*fFlags*/);
6493 AssertMsgRC(rc, ("PGMShwModifyPage -> rc=%Rrc\n", rc));
6494 if (rc == VINF_SUCCESS)
6495 {
6496 /* The guest page *must* be present. */
6497 rc = PGMGstGetPage(pVCpu, pCtx->esp, &fFlags, NULL);
6498 if ( rc == VINF_SUCCESS
6499 && (fFlags & X86_PTE_P))
6500 {
6501 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6502 return VINF_PATCH_CONTINUE;
6503 }
6504 }
6505 }
6506 else
6507 if (pPatch->patch.pPrivInstrGC == pNewEip)
6508 {
6509 /* Invalidated patch or first instruction overwritten.
6510 * We can ignore the fPIF state in this case.
6511 */
6512 /* Reset the PATM stack. */
6513 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6514
6515 Log(("Call to invalidated patch -> go back to the original instruction\n"));
6516
6517 pVM->patm.s.pGCStateHC->fPIF = 1;
6518
6519 /* continue at the original instruction */
6520 *ppNewEip = pNewEip - SELMToFlat(pVM, DISSELREG_CS, CPUMCTX2CORE(pCtx), 0);
6521 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6522 return VINF_SUCCESS;
6523 }
6524
6525 char szBuf[256];
6526 DBGFR3DisasInstrEx(pVM->pUVM, pVCpu->idCpu, pCtx->cs.Sel, pEip, DBGF_DISAS_FLAGS_DEFAULT_MODE, szBuf, sizeof(szBuf), NULL);
6527
6528 /* Very bad. We crashed in emitted code. Probably stack? */
6529 if (pPatch)
6530 {
6531 AssertLogRelMsg(pVM->patm.s.pGCStateHC->fPIF == 1,
6532 ("Crash in patch code %RRv (%RRv) esp=%RX32\nPatch state=%x flags=%RX64 fDirty=%d\n%s\n",
6533 pEip, pNewEip, CPUMGetGuestESP(pVCpu), pPatch->patch.uState, pPatch->patch.flags,
6534 pPatchToGuestRec->fDirty, szBuf));
6535 }
6536 else
6537 AssertLogRelMsg(pVM->patm.s.pGCStateHC->fPIF == 1,
6538 ("Crash in patch code %RRv (%RRv) esp=%RX32\n%s\n", pEip, pNewEip, CPUMGetGuestESP(pVCpu), szBuf));
6539 EMR3FatalError(pVCpu, VERR_PATM_IPE_TRAP_IN_PATCH_CODE);
6540 }
6541
6542 /* From here on, we must have a valid patch to guest translation. */
6543 if (pvPatchCoreOffset == 0)
6544 {
6545 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6546 AssertMsgFailed(("PATMR3HandleTrap: patch not found at address %RRv!!\n", pEip));
6547 return VERR_PATCH_NOT_FOUND;
6548 }
6549
6550 /* Take care of dirty/changed instructions. */
6551 if (pPatchToGuestRec->fDirty)
6552 {
6553 Assert(pPatchToGuestRec->Core.Key == offset);
6554 Assert(pVM->patm.s.pGCStateHC->fPIF == 1);
6555
6556 rc = patmR3HandleDirtyInstr(pVM, pCtx, pPatch, pPatchToGuestRec, pEip);
6557 if (RT_SUCCESS(rc))
6558 {
6559 /* Retry the current instruction. */
6560 pNewEip = pEip;
6561 rc = VINF_PATCH_CONTINUE; /* Continue at current patch instruction. */
6562 }
6563 else
6564 {
6565 /* Reset the PATM stack. */
6566 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6567
6568 rc = VINF_SUCCESS; /* Continue at original instruction. */
6569 }
6570
6571 *ppNewEip = pNewEip - SELMToFlat(pVM, DISSELREG_CS, CPUMCTX2CORE(pCtx), 0);
6572 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6573 return rc;
6574 }
6575
6576#ifdef VBOX_STRICT
6577 if (pPatch->patch.flags & PATMFL_DUPLICATE_FUNCTION)
6578 {
6579 DISCPUSTATE cpu;
6580 bool disret;
6581 uint32_t cbInstr;
6582 PATMP2GLOOKUPREC cacheRec;
6583 RT_ZERO(cacheRec);
6584 cacheRec.pPatch = &pPatch->patch;
6585
6586 disret = patmR3DisInstr(pVM, &pPatch->patch, pNewEip, patmR3GCVirtToHCVirt(pVM, &cacheRec, pNewEip), PATMREAD_RAWCODE,
6587 &cpu, &cbInstr);
6588 if (cacheRec.Lock.pvMap)
6589 PGMPhysReleasePageMappingLock(pVM, &cacheRec.Lock);
6590
6591 if (disret && cpu.pCurInstr->uOpcode == OP_RETN)
6592 {
6593 RTRCPTR retaddr;
6594 PCPUMCTX pCtx2;
6595
6596 pCtx2 = CPUMQueryGuestCtxPtr(pVCpu);
6597
6598 rc = PGMPhysSimpleReadGCPtr(pVCpu, &retaddr, pCtx2->esp, sizeof(retaddr));
6599 AssertRC(rc);
6600
6601 Log(("Return failed at %RRv (%RRv)\n", pEip, pNewEip));
6602 Log(("Expected return address %RRv found address %RRv Psp=%x\n", pVM->patm.s.pGCStackHC[(pVM->patm.s.pGCStateHC->Psp+PATM_STACK_SIZE)/sizeof(RTRCPTR)], retaddr, pVM->patm.s.pGCStateHC->Psp));
6603 }
6604 }
6605#endif
6606
6607 /* Return original address, correct by subtracting the CS base address. */
6608 *ppNewEip = pNewEip - SELMToFlat(pVM, DISSELREG_CS, CPUMCTX2CORE(pCtx), 0);
6609
6610 /* Reset the PATM stack. */
6611 CTXSUFF(pVM->patm.s.pGCState)->Psp = PATM_STACK_SIZE;
6612
6613 if (pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts == pNewEip)
6614 {
6615 /* Must be a faulting instruction after sti; currently only sysexit, hlt or iret */
6616 Log(("PATMR3HandleTrap %RRv -> inhibit irqs set!\n", pEip));
6617#ifdef VBOX_STRICT
6618 DISCPUSTATE cpu;
6619 bool disret;
6620 uint32_t cbInstr;
6621 PATMP2GLOOKUPREC cacheRec;
6622 RT_ZERO(cacheRec);
6623 cacheRec.pPatch = &pPatch->patch;
6624
6625 disret = patmR3DisInstr(pVM, &pPatch->patch, pNewEip, patmR3GCVirtToHCVirt(pVM, &cacheRec, pNewEip), PATMREAD_ORGCODE,
6626 &cpu, &cbInstr);
6627 if (cacheRec.Lock.pvMap)
6628 PGMPhysReleasePageMappingLock(pVM, &cacheRec.Lock);
6629
6630 if (disret && (cpu.pCurInstr->uOpcode == OP_SYSEXIT || cpu.pCurInstr->uOpcode == OP_HLT || cpu.pCurInstr->uOpcode == OP_INT3))
6631 {
6632 disret = patmR3DisInstr(pVM, &pPatch->patch, pNewEip, patmR3GCVirtToHCVirt(pVM, &cacheRec, pNewEip), PATMREAD_RAWCODE,
6633 &cpu, &cbInstr);
6634 if (cacheRec.Lock.pvMap)
6635 PGMPhysReleasePageMappingLock(pVM, &cacheRec.Lock);
6636
6637 Assert(cpu.pCurInstr->uOpcode == OP_SYSEXIT || cpu.pCurInstr->uOpcode == OP_HLT || cpu.pCurInstr->uOpcode == OP_IRET);
6638 }
6639#endif
6640 EMSetInhibitInterruptsPC(pVCpu, pNewEip);
6641 pVM->patm.s.pGCStateHC->GCPtrInhibitInterrupts = 0;
6642 }
6643
6644 Log2(("pPatchBlockGC %RRv - pEip %RRv corresponding GC address %RRv\n", PATCHCODE_PTR_GC(&pPatch->patch), pEip, pNewEip));
6645 DBGFR3_DISAS_INSTR_LOG(pVCpu, pCtx->cs.Sel, pNewEip, "PATCHRET: ");
6646 if (pNewEip >= pPatch->patch.pPrivInstrGC && pNewEip < pPatch->patch.pPrivInstrGC + pPatch->patch.cbPatchJump)
6647 {
6648 /* We can't jump back to code that we've overwritten with a 5 byte jump! */
6649 Log(("Disabling patch at location %RRv due to trap too close to the privileged instruction \n", pPatch->patch.pPrivInstrGC));
6650 PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6651 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6652 return VERR_PATCH_DISABLED;
6653 }
6654
6655#ifdef PATM_REMOVE_PATCH_ON_TOO_MANY_TRAPS
6656 /** @todo compare to nr of successful runs. add some aging algorithm and determine the best time to disable the patch */
6657 if (pPatch->patch.cTraps > MAX_PATCH_TRAPS)
6658 {
6659 Log(("Disabling patch at location %RRv due to too many traps inside patch code\n", pPatch->patch.pPrivInstrGC));
6660 //we are only wasting time, back out the patch
6661 PATMR3DisablePatch(pVM, pPatch->patch.pPrivInstrGC);
6662 pTrapRec->pNextPatchInstr = 0;
6663 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6664 return VERR_PATCH_DISABLED;
6665 }
6666#endif
6667
6668 STAM_PROFILE_ADV_STOP(&pVM->patm.s.StatHandleTrap, a);
6669 return VINF_SUCCESS;
6670}
6671
6672
6673/**
6674 * Handle page-fault in monitored page
6675 *
6676 * @returns VBox status code.
6677 * @param pVM The cross context VM structure.
6678 */
6679VMMR3_INT_DECL(int) PATMR3HandleMonitoredPage(PVM pVM)
6680{
6681 AssertReturn(!HMIsEnabled(pVM), VERR_PATM_HM_IPE);
6682 PVMCPU pVCpu = VMMGetCpu0(pVM);
6683
6684 RTRCPTR addr = pVM->patm.s.pvFaultMonitor;
6685 addr &= PAGE_BASE_GC_MASK;
6686
6687 int rc = PGMHandlerVirtualDeregister(pVM, pVCpu, addr, false /*fHypervisor*/);
6688 AssertRC(rc); NOREF(rc);
6689
6690 PPATMPATCHREC pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, addr, false);
6691 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED && PAGE_ADDRESS(pPatchRec->patch.pPrivInstrGC) == PAGE_ADDRESS(addr))
6692 {
6693 STAM_COUNTER_INC(&pVM->patm.s.StatMonitored);
6694 Log(("Renewing patch at %RRv\n", pPatchRec->patch.pPrivInstrGC));
6695 rc = PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6696 if (rc == VWRN_PATCH_REMOVED)
6697 return VINF_SUCCESS;
6698
6699 PATMR3EnablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6700
6701 if (addr == pPatchRec->patch.pPrivInstrGC)
6702 addr++;
6703 }
6704
6705 for(;;)
6706 {
6707 pPatchRec = (PPATMPATCHREC)RTAvloU32GetBestFit(&pVM->patm.s.PatchLookupTreeHC->PatchTree, addr, true);
6708
6709 if (!pPatchRec || PAGE_ADDRESS(pPatchRec->patch.pPrivInstrGC) != PAGE_ADDRESS(addr))
6710 break;
6711
6712 if (pPatchRec && pPatchRec->patch.uState == PATCH_ENABLED)
6713 {
6714 STAM_COUNTER_INC(&pVM->patm.s.StatMonitored);
6715 Log(("Renewing patch at %RRv\n", pPatchRec->patch.pPrivInstrGC));
6716 PATMR3DisablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6717 PATMR3EnablePatch(pVM, pPatchRec->patch.pPrivInstrGC);
6718 }
6719 addr = pPatchRec->patch.pPrivInstrGC + 1;
6720 }
6721
6722 pVM->patm.s.pvFaultMonitor = 0;
6723 return VINF_SUCCESS;
6724}
6725
6726
6727#ifdef VBOX_WITH_STATISTICS
6728
6729static const char *PATMPatchType(PVM pVM, PPATCHINFO pPatch)
6730{
6731 if (pPatch->flags & PATMFL_SYSENTER)
6732 {
6733 return "SYSENT";
6734 }
6735 else
6736 if (pPatch->flags & (PATMFL_TRAPHANDLER|PATMFL_INTHANDLER))
6737 {
6738 static char szTrap[16];
6739 uint32_t iGate;
6740
6741 iGate = TRPMR3QueryGateByHandler(pVM, PATCHCODE_PTR_GC(pPatch));
6742 if (iGate < 256)
6743 RTStrPrintf(szTrap, sizeof(szTrap), (pPatch->flags & PATMFL_INTHANDLER) ? "INT-%2X" : "TRAP-%2X", iGate);
6744 else
6745 RTStrPrintf(szTrap, sizeof(szTrap), (pPatch->flags & PATMFL_INTHANDLER) ? "INT-??" : "TRAP-??");
6746 return szTrap;
6747 }
6748 else
6749 if (pPatch->flags & (PATMFL_DUPLICATE_FUNCTION))
6750 return "DUPFUNC";
6751 else
6752 if (pPatch->flags & PATMFL_REPLACE_FUNCTION_CALL)
6753 return "FUNCCALL";
6754 else
6755 if (pPatch->flags & PATMFL_TRAMPOLINE)
6756 return "TRAMP";
6757 else
6758 return patmGetInstructionString(pPatch->opcode, pPatch->flags);
6759}
6760
6761static const char *PATMPatchState(PVM pVM, PPATCHINFO pPatch)
6762{
6763 NOREF(pVM);
6764 switch(pPatch->uState)
6765 {
6766 case PATCH_ENABLED:
6767 return "ENA";
6768 case PATCH_DISABLED:
6769 return "DIS";
6770 case PATCH_DIRTY:
6771 return "DIR";
6772 case PATCH_UNUSABLE:
6773 return "UNU";
6774 case PATCH_REFUSED:
6775 return "REF";
6776 case PATCH_DISABLE_PENDING:
6777 return "DIP";
6778 default:
6779 AssertFailed();
6780 return " ";
6781 }
6782}
6783
6784/**
6785 * Resets the sample.
6786 * @param pVM The cross context VM structure.
6787 * @param pvSample The sample registered using STAMR3RegisterCallback.
6788 */
6789static void patmResetStat(PVM pVM, void *pvSample)
6790{
6791 PPATCHINFO pPatch = (PPATCHINFO)pvSample;
6792 Assert(pPatch);
6793
6794 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32A = 0;
6795 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32B = 0;
6796}
6797
6798/**
6799 * Prints the sample into the buffer.
6800 *
6801 * @param pVM The cross context VM structure.
6802 * @param pvSample The sample registered using STAMR3RegisterCallback.
6803 * @param pszBuf The buffer to print into.
6804 * @param cchBuf The size of the buffer.
6805 */
6806static void patmPrintStat(PVM pVM, void *pvSample, char *pszBuf, size_t cchBuf)
6807{
6808 PPATCHINFO pPatch = (PPATCHINFO)pvSample;
6809 Assert(pPatch);
6810
6811 Assert(pPatch->uState != PATCH_REFUSED);
6812 Assert(!(pPatch->flags & (PATMFL_REPLACE_FUNCTION_CALL|PATMFL_MMIO_ACCESS)));
6813
6814 RTStrPrintf(pszBuf, cchBuf, "size %04x ->%3s %8s - %08d - %08d",
6815 pPatch->cbPatchBlockSize, PATMPatchState(pVM, pPatch), PATMPatchType(pVM, pPatch),
6816 pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32A, pVM->patm.s.pStatsHC[pPatch->uPatchIdx].u32B);
6817}
6818
6819/**
6820 * Returns the GC address of the corresponding patch statistics counter
6821 *
6822 * @returns Stat address
6823 * @param pVM The cross context VM structure.
6824 * @param pPatch Patch structure
6825 */
6826RTRCPTR patmPatchQueryStatAddress(PVM pVM, PPATCHINFO pPatch)
6827{
6828 Assert(pPatch->uPatchIdx != PATM_STAT_INDEX_NONE);
6829 return pVM->patm.s.pStatsGC + sizeof(STAMRATIOU32) * pPatch->uPatchIdx + RT_OFFSETOF(STAMRATIOU32, u32A);
6830}
6831
6832#endif /* VBOX_WITH_STATISTICS */
6833#ifdef VBOX_WITH_DEBUGGER
6834
6835/**
6836 * @callback_method_impl{FNDBGCCMD, The '.patmoff' command.}
6837 */
6838static DECLCALLBACK(int) patmr3CmdOff(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PUVM pUVM, PCDBGCVAR paArgs, unsigned cArgs)
6839{
6840 /*
6841 * Validate input.
6842 */
6843 NOREF(cArgs); NOREF(paArgs);
6844 DBGC_CMDHLP_REQ_UVM_RET(pCmdHlp, pCmd, pUVM);
6845 PVM pVM = pUVM->pVM;
6846 VM_ASSERT_VALID_EXT_RETURN(pVM, VERR_INVALID_VM_HANDLE);
6847
6848 if (HMIsEnabled(pVM))
6849 return DBGCCmdHlpPrintf(pCmdHlp, "PATM is permanently disabled by HM.\n");
6850
6851 RTAvloU32DoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, DisableAllPatches, pVM);
6852 PATMR3AllowPatching(pVM->pUVM, false);
6853 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "Patching disabled\n");
6854}
6855
6856/**
6857 * @callback_method_impl{FNDBGCCMD, The '.patmon' command.}
6858 */
6859static DECLCALLBACK(int) patmr3CmdOn(PCDBGCCMD pCmd, PDBGCCMDHLP pCmdHlp, PUVM pUVM, PCDBGCVAR paArgs, unsigned cArgs)
6860{
6861 /*
6862 * Validate input.
6863 */
6864 NOREF(cArgs); NOREF(paArgs);
6865 DBGC_CMDHLP_REQ_UVM_RET(pCmdHlp, pCmd, pUVM);
6866 PVM pVM = pUVM->pVM;
6867 VM_ASSERT_VALID_EXT_RETURN(pVM, VERR_INVALID_VM_HANDLE);
6868
6869 if (HMIsEnabled(pVM))
6870 return DBGCCmdHlpPrintf(pCmdHlp, "PATM is permanently disabled by HM.\n");
6871
6872 PATMR3AllowPatching(pVM->pUVM, true);
6873 RTAvloU32DoWithAll(&pVM->patm.s.PatchLookupTreeHC->PatchTree, true, EnableAllPatches, pVM);
6874 return pCmdHlp->pfnPrintf(pCmdHlp, NULL, "Patching enabled\n");
6875}
6876
6877#endif /* VBOX_WITH_DEBUGGER */
6878
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette