// Support all features of label and query program
void i386_hypercall_callback(CPUState *env){
if (taintEnabled && pandalog) {
// LAVA Hypercall
#ifdef TAINT_LEGACY_HYPERCALL
target_ulong buf_start = EBX;
target_ulong buf_len = ECX;
long label = EDI;
// call to label data
// EBX contains addr of that data
// ECX contains size of data
// EDI is the label integer
// EDX = starting offset (for positional labels only)
// -mostly not used, this is managed in pirate_utils
if (EAX == 7 || EAX == 8){
if (!taintEnabled){
printf("Taint plugin: Label operation detected\n");
printf("Enabling taint processing\n");
__taint2_enable_taint();
}
if (EAX == 7){
// Standard buffer label
printf("taint2: single taint label\n");
taint2_add_taint_ram_single_label(env, (uint64_t)buf_start,
(int)buf_len, label);
}
else if (EAX == 8){
// Positional buffer label
printf("taint2: positional taint label\n");
taint2_add_taint_ram_pos(env, (uint64_t)buf_start, (int)buf_len);
}
}
/*
//mz Query taint on this buffer
//mz EBX = start of buffer (VA)
//mz ECX = size of buffer (bytes)
// EDX = starting offset - for file queries
// -mostly not used, this is managed in pirate_utils
else if (env->regs[R_EAX] == 9){ //Query taint on label
if (taintEnabled){
printf("Taint plugin: Query operation detected\n");
Addr a = make_maddr(buf_start);
bufplot(env, shadow, &a, (int)buf_len);
}
//printf("Disabling taint processing\n");
//taintEnabled = false;
//taintJustDisabled = true;
//printf("Label occurrences on HD: %d\n", shad_dir_occ_64(shadow->hd));
}
else if (env->regs[R_EAX] == 10){
// Guest util done - reset positional label counter
taint_pos_count = 0;
}
*/
#else
target_ulong addr = panda_virt_to_phys(env, EAX);
if ((int)addr == -1) {
printf ("panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
(uint32_t) EAX, (uint32_t) addr);
}
else {
PandaHypercallStruct phs;
panda_virtual_memory_rw(env, EAX, (uint8_t *) &phs, sizeof(phs), false);
if (phs.magic == 0xabcd) {
if (phs.action == 11) {
// it's a lava query
lava_taint_query(phs);
}
else if (phs.action == 12) {
// it's an attack point sighting
lava_attack_point(phs);
}
else {
printf("Unknown hypercall action %d\n", phs.action);
}
}
else {
printf ("Invalid magic value in PHS struct: %x != 0xabcd.\n", phs.magic);
}
}
#endif // TAINT_LEGACY_HYPERCALL
}
}
// Support all features of label and query program
void i386_hypercall_callback(CPUState *env){
#if 0
if (EAX == 0xabcd) {
printf ("\n hypercall pc=0x%x\n", (int) panda_current_pc(env));
for (uint32_t i=0; i<8; i++) {
printf ("reg[%d] = 0x%x\n", i, (int) env->regs[i]);
}
}
#endif
//printf("taint2: Hypercall! B " TARGET_FMT_lx " C " TARGET_FMT_lx " D " TARGET_FMT_lx "\n",
// env->regs[R_EBX], env->regs[R_ECX], env->regs[R_EDX]);
#if 0
// Label op.
// EBX contains addr of that data
// ECX contains size of data
// EDX contains the label; ~0UL for autoenc.
if ((env->regs[R_EAX] == 7 || env->regs[R_EAX] == 8)) {
printf ("hypercall -- EAX=0x%x\n", EAX);
target_ulong addr = panda_virt_to_phys(env, env->regs[R_EBX]);
target_ulong size = env->regs[R_ECX];
target_ulong label = env->regs[R_EDX];
if (!taintEnabled){
printf("taint2: Label operation detected @ %lu\n",
rr_get_guest_instr_count());
printf("taint2: Labeling " TARGET_FMT_lx " to " TARGET_FMT_lx
" with label " TARGET_FMT_lx ".\n", addr, addr + size, label);
__taint2_enable_taint();
}
LabelSetP ls = NULL;
if (label != (target_ulong)~0UL) {
ls = label_set_singleton(label);
} // otherwise autoinc.
qemu_log_mask(CPU_LOG_TAINT_OPS, "label: %lx[%lx+%lx] <- %lx (%lx)\n",
(uint64_t)shadow->ram, (uint64_t)addr, (uint64_t)size, (uint64_t)label,
(uint64_t)ls);
for (unsigned i = 0; i < size; i++) {
//printf("label %u\n", i);
shadow->ram->set(addr + i,
label_set_singleton(i));
}
}
#endif
if (pandalog && env->regs[R_EAX] == 0xabcd) {
// LAVA Hypercall
target_ulong addr = panda_virt_to_phys(env, ECX);
if ((int)addr == -1) {
printf ("panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
(uint32_t) ECX, (uint32_t) addr);
}
else {
PandaHypercallStruct phs;
panda_virtual_memory_rw(env, ECX, (uint8_t *) &phs, sizeof(phs), false);
if (phs.action == 11) {
// it's a lava query
lava_taint_query(phs);
}
if (phs.action == 12) {
// it's an attack point sighting
lava_attack_point(phs);
}
}
}
}
int guest_hypercall_callback(CPUState *cpu) {
#if defined(TARGET_I386)
CPUArchState *env = (CPUArchState*)cpu->env_ptr;
if (taintEnabled) {
if (EAX == 7 || EAX == 8) {
target_ulong buf_start = EBX;
target_ulong buf_len = ECX;
long label = EDI;
if (R_EAX == 7) {
// Standard buffer label
printf("taint2: single taint label\n");
taint2_add_taint_ram_single_label(cpu, (uint64_t)buf_start,
(int)buf_len, label);
}
else if (R_EAX == 8) {
// Positional buffer label
printf("taint2: positional taint label\n");
taint2_add_taint_ram_pos(cpu, (uint64_t)buf_start, (int)buf_len, label);
}
}
else {
// LAVA Hypercall
target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EAX]);
if ((int)addr == -1) {
// if EAX is not a valid ptr, then it is unlikely that this is a
// PandaHypercall which requires EAX to point to a block of memory
// defined by PandaHypercallStruct
printf ("cpuid with invalid ptr in EAX: vaddr=0x%x paddr=0x%x. Probably not a Panda Hypercall\n",
(uint32_t) env->regs[R_EAX], (uint32_t) addr);
}
else if (pandalog) {
PandaHypercallStruct phs;
panda_virtual_memory_rw(cpu, env->regs[R_EAX], (uint8_t *) &phs, sizeof(phs), false);
if (phs.magic == 0xabcd) {
if (phs.action == 11) {
// it's a lava query
taint_query_hypercall(phs);
}
else if (phs.action == 12) {
// it's an attack point sighting
lava_attack_point(phs);
}
else if (phs.action == 13) {
// it's a pri taint query point
// do nothing and let pri_taint with hypercall
// option handle it
}
else if (phs.action == 14) {
// reserved for taint-exploitability
}
else {
printf("Unknown hypercall action %d\n", phs.action);
}
}
else {
printf ("Invalid magic value in PHS struct: %x != 0xabcd.\n", phs.magic);
}
}
}
}
return 1;
#elif defined(TARGET_ARM)
// R0 is command (label or query)
// R1 is buf_start
// R2 is length
// R3 is offset (not currently implemented)
CPUArchState *env = (CPUArchState*)cpu->env_ptr;
if (env->regs[0] == 7 || env->regs[0] == 8) { //Taint label
if (!taintEnabled) {
printf("Taint plugin: Label operation detected @ %lu\n", rr_get_guest_instr_count());
printf("Enabling taint processing\n");
taint2_enable_taint();
}
// FIXME: do labeling here.
}
else if (env->regs[0] == 9) { //Query taint on label
if (taintEnabled) {
printf("Taint plugin: Query operation detected @ %lu\n", rr_get_guest_instr_count());
}
}
return 1;
#else
// other architectures
return 0;
#endif
}
