int tbranch_after_block_exec(CPUState *env, TranslationBlock *tb, TranslationBlock *next_tb) {
if ((taint2_enabled()) && first_enable_taint) {
first_enable_taint = false;
PPP_REG_CB("taint2", on_branch2, tbranch_on_branch_taint2);
printf ("enabling on_branch taint api callbacks\n");
}
return 0;
}
int dead_data_after_block_exec(CPUState *cpu, TranslationBlock *tb) {
if ((taint2_enabled()) && (first_enable_taint)) {
first_enable_taint = false;
total_instr = replay_get_total_num_instructions();
PPP_REG_CB("taint2", on_branch2, dead_data_on_branch);
printf ("enabling on_branch taint api callbacks\n");
}
return 0;
}
int file_taint_enable(CPUState *cpu, target_ulong pc) {
if (!no_taint && !taint2_enabled()) {
uint64_t ins = rr_get_guest_instr_count();
if (ins > first_instr) {
taint2_enable_taint();
if (debug) printf (" enabled taint2 @ ins %" PRId64 "\n", ins);
}
}
return 0;
}
// turn on taint at right instr count
int tstringsearch_enable_taint(CPUState *env, target_ulong pc) {
// enable taint if close to instruction count
uint64_t ic = rr_get_guest_instr_count();
if (!taint2_enabled()) {
if (ic + 100 > enable_taint_instr_count) {
printf ("enabling taint at instr count %" PRIu64 "\n", ic);
taint2_enable_taint();
}
}
return 0;
}
void open_enter(CPUState *cpu, target_ulong pc, std::string filename, int32_t flags, int32_t mode) {
if (!filename.empty()) {
if (debug) printf ("open_enter: saw open of [%s]\n", filename.c_str());
}
if (filename.find(taint_filename) != std::string::npos) {
saw_open = true;
printf ("saw open of file we want to taint: [%s] insn %" PRId64 "\n", taint_filename, rr_get_guest_instr_count());
the_asid = panda_current_asid(cpu);
if (enable_taint_on_open && !no_taint && !taint2_enabled()) {
uint64_t ins = rr_get_guest_instr_count();
taint2_enable_taint();
if (debug) printf ("file_taint: enabled taint2 @ ins %" PRId64 "\n", ins);
}
}
}
// hypercall-initiated taint query of some src-level extent
void lava_taint_query (Panda__SrcInfoPri *si, target_ulong buf, target_ulong buf_len) {
extern CPUState *cpu_single_env;
CPUState *env = cpu_single_env;
//if (pandalog && taintEnabled && (taint2_num_labels_applied() > 0)){
if (pandalog && taint2_enabled() && (taint2_num_labels_applied() > 0)){
// okay, taint is on and some labels have actually been applied
// is there *any* taint on this extent
uint32_t num_tainted = 0;
bool is_strnlen = false;
//bool is_strnlen = ((int) phs.len == -1);
uint32_t offset=0;
while (true) {
// for (uint32_t offset=0; offset<phs.len; offset++) {
uint32_t va = buf + offset;
//uint32_t va = phs.buf + offset;
uint32_t pa = panda_virt_to_phys(env, va);
if (is_strnlen) {
uint8_t c;
panda_virtual_memory_rw(env, pa, &c, 1, false);
// null terminator
if (c==0) break;
}
if ((int) pa != -1) {
Addr a = make_maddr(pa);
if (taint2_query(a)) {
num_tainted ++;
}
}
offset ++;
// end of query by length or max string length
if (!is_strnlen && offset == buf_len) break;
//if (!is_strnlen && offset == phs.len) break;
if (is_strnlen && (offset == LAVA_TAINT_QUERY_MAX_LEN)) break;
}
uint32_t len = offset;
if (num_tainted) {
printf("logging lava query\n");
// ok at least one byte in the extent is tainted
// 1. write the pandalog entry that tells us something was tainted on this extent
Panda__TaintQueryPri *tqh = (Panda__TaintQueryPri *) malloc (sizeof (Panda__TaintQueryPri));
*tqh = PANDA__TAINT_QUERY_PRI__INIT;
tqh->buf = buf;
//tqh->buf = phs.buf;
tqh->len = len;
tqh->num_tainted = num_tainted;
// obtain the actual data out of memory
// NOTE: first X bytes only!
uint32_t data[LAVA_TAINT_QUERY_MAX_LEN];
uint32_t n = len;
// grab at most X bytes from memory to pandalog
// this is just a snippet. we dont want to write 1M buffer
if (LAVA_TAINT_QUERY_MAX_LEN < len) n = LAVA_TAINT_QUERY_MAX_LEN;
for (uint32_t i=0; i<n; i++) {
data[i] = 0;
uint8_t c;
panda_virtual_memory_rw(env, buf+i, &c, 1, false);
//panda_virtual_memory_rw(env, phs.buf+i, &c, 1, false);
data[i] = c;
}
tqh->n_data = n;
tqh->data = data;
// 2. write out src-level info
//Panda__SrcInfoPri *si = pandalog_src_info_create(phs);
tqh->src_info = si;
// 3. write out callstack info
Panda__CallStack *cs = pandalog_callstack_create();
tqh->call_stack = cs;
// 4. iterate over the bytes in the extent and pandalog detailed info about taint
std::vector<Panda__TaintQuery *> tq;
for (uint32_t offset=0; offset<len; offset++) {
uint32_t va = buf + offset;
//uint32_t va = phs.buf + offset;
uint32_t pa = panda_virt_to_phys(env, va);
if ((int) pa != -1) {
Addr a = make_maddr(pa);
if (taint2_query(a)) {
tq.push_back(taint2_query_pandalog(a, offset));
}
}
}
tqh->n_taint_query = tq.size();
tqh->taint_query = (Panda__TaintQuery **) malloc(sizeof(Panda__TaintQuery *) * tqh->n_taint_query);
for (uint32_t i=0; i<tqh->n_taint_query; i++) {
tqh->taint_query[i] = tq[i];
}
Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
ple.taint_query_pri = tqh;
printf("about to write out taint query entry\n");
pandalog_write_entry(&ple);
free(tqh->src_info);
pandalog_callstack_free(tqh->call_stack);
for (uint32_t i=0; i<tqh->n_taint_query; i++) {
pandalog_taint_query_free(tqh->taint_query[i]);
}
free(tqh);
}
}
}
