Update pri_taint hypercall for LAVA - Some interesting issue of infinite loop is coming up

AndrewQuijano · AndrewQuijano · commit bbbed20bb835 · 2025-02-21T21:56:09.000-05:00
diff --git a/panda/plugins/hypercaller/README.md b/panda/plugins/hypercaller/README.md
@@ -51,7 +51,7 @@ This was designed primarily for Python use cases:
 MAGIC = 0x12345678
 @panda.hypercall(MAGIC)
 def hypercall(cpu):
-    print("Hello from my hypercall!"
+    print("Hello from my hypercall!")
 
 ```
 
@@ -64,7 +64,7 @@ It's much easier to handle this from Python, but here's an example of how you mi
 #include <panda/plugin.h>
 #include <hypercaller/hypercaller.h>
 
-hypercall_t* register_hypercall;
+register_hypercall_t register_hypercall;
 
 void my_hypercall(CPUState *cpu) {
     printf("Hello from my hypercall!\n");
@@ -76,7 +76,7 @@ bool init_plugin(void *self) {
       panda_require("hypercaller");
       hypercaller = panda_get_plugin_by_name("hypercaller");
     }
-    register_hypercall = (hypercall_t*)dlsym(hypercaller, "register_hypercall");
+    register_hypercall_t register_hypercall = (register_hypercall_t) dlsym(hypercaller, "register_hypercall");
     register_hypercall(0x12345678, my_hypercall);
     return true;
 }
diff --git a/panda/plugins/hypercaller/hypercaller.h b/panda/plugins/hypercaller/hypercaller.h
@@ -6,6 +6,7 @@
 // files in this directory that contain subsections like this one.
 
 typedef void (*hypercall_t)(CPUState *cpu);
+typedef void (*register_hypercall_t)(uint32_t, hypercall_t);
 void register_hypercall(uint32_t magic, hypercall_t);
 void unregister_hypercall(uint32_t magic);
 
diff --git a/panda/plugins/pri_taint/pri_taint.cpp b/panda/plugins/pri_taint/pri_taint.cpp
@@ -15,6 +15,8 @@
 #include "callstack_instr/callstack_instr.h"
 
 extern "C" {
+// hypercalls
+#include <hypercaller/hypercaller.h>
 
 #include "panda/rr/rr_log.h"
 #include "panda/plog.h"
@@ -37,10 +39,11 @@ extern "C" {
 bool init_plugin(void *);
 void uninit_plugin(void *);
 
-int get_loglevel() ;
+int get_loglevel();
 void set_loglevel(int new_loglevel);
 }
 
+#define LAVA_MAGIC 0xabcd
 const char *global_src_filename = NULL;
 uint64_t global_src_linenum;
 unsigned global_ast_loc_id;
@@ -308,6 +311,8 @@ void pfun(void *var_ty_void, const char *var_nm, LocType loc_t, target_ulong loc
     }
     // free(si);
 }
+#endif
+
 /*
 void on_line_change(CPUState *cpu, target_ulong pc, const char *file_Name, const char *funct_name, unsigned long long lno){
     if (taint2_enabled()){
@@ -334,63 +339,69 @@ void hypercall_log_trace(unsigned ast_loc_id) {
 */
 #ifdef TARGET_I386
 // Support all features of label and query program
-bool i386_hypercall_callback(CPUState *cpu) {
+void i386_hypercall_callback(CPUState *cpu) {
     if (debug) {
         printf("[pri_taint] Calling i386 hypercall callback!\n");
     }
-    bool ret = false;
-    CPUArchState *env = (CPUArchState*)cpu->env_ptr;
+    CPUArchState *env = (CPUArchState*) cpu->env_ptr;
     if (taint2_enabled()) {
         // LAVA Hypercall
-        target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EAX]);
-        if ((int)addr == -1) {
-            printf ("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
-                    (uint32_t) env->regs[R_EAX], (uint32_t) addr);
+        #ifdef TARGET_X86_64
+            target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EDI]);
+        #else
+            target_ulong addr = panda_virt_to_phys(cpu, env->regs[R_EBX]);
+        #endif
+        
+        if ((int) addr == -1) {
+            #ifdef TARGET_X86_64
+                printf ("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
+                    (uint32_t) env->regs[R_EDI], (uint32_t) addr);
+            #else
+                printf ("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
+                    (uint32_t) env->regs[R_EBX], (uint32_t) addr);
+            #endif
         }
         else if (pandalog) {
             if (debug) {
                 printf("[pri_taint] Hypercall is OK and Panda Log is set\n");
             }
             PandaHypercallStruct phs;
-            panda_virtual_memory_read(cpu, env->regs[R_EAX], (uint8_t *) &phs, sizeof(phs));
+            #ifdef TARGET_X86_64
+                panda_virtual_memory_read(cpu, env->regs[R_EDI], (uint8_t *) &phs, sizeof(phs));
+            #else
+                panda_virtual_memory_read(cpu, env->regs[R_EBX], (uint8_t *) &phs, sizeof(phs));
+            #endif
 
             // To be used for chaff bugs?
             uint64_t funcaddr = 0;
             panda_virtual_memory_read(cpu, phs.info, (uint8_t*)&funcaddr, sizeof(target_ulong));
 
-            if (phs.magic == 0xabcd) {
-                // if the phs action is a pri_query point, see
-                // lava/include/pirate_mark_lava.h
-                if (phs.action == 13) {
-                    target_ulong pc = panda_current_pc(cpu);
-                    SrcInfo info;
-                    int rc = pri_get_pc_source_info(cpu, pc, &info);
-                    if (!rc) {
-                        struct args args = {cpu, info.filename, info.line_number, phs.src_filename, funcaddr};
-                        dprintf("[pri_taint] panda hypercall: [%s], "
-                                "ln: %4ld, pc @ 0x" TARGET_FMT_lx "\n",
-                                info.filename,
-                                info.line_number,pc);
-                        pri_funct_livevar_iter(cpu, pc, (liveVarCB) pfun, (void *)&args);
-                        //lava_attack_point(phs);
-                    }
-                    else {
-                        if (debug) {
-                            printf("[pri_taint] pri_get_pc_src_info has failed: %d != 0.\n", rc);
-                        }
-                    }
-                    ret = true;
-                    // hypercall_log_trace(phs.src_filename);
+            // if the phs action is a pri_query point, see
+            // lava/include/pirate_mark_lava.h
+            if (phs.action == 13) {
+                target_ulong pc = panda_current_pc(cpu);
+                SrcInfo info;
+                int rc = pri_get_pc_source_info(cpu, pc, &info);
+                if (!rc) {
+                    struct args args = {cpu, info.filename, info.line_number, phs.src_filename, funcaddr};
+                    dprintf("[pri_taint] panda hypercall: [%s], "
+                            "ln: %4ld, pc @ 0x" TARGET_FMT_lx "\n",
+                            info.filename,
+                            info.line_number,pc);
+                    pri_funct_livevar_iter(cpu, pc, (liveVarCB) pfun, (void *)&args);
                 }
                 else {
                     if (debug) {
-                        printf("[pri_taint] Invalid action value in PHS struct: %d != 13.\n", phs.action);
-                    }   
+                        printf("[pri_taint] pri_get_pc_src_info has failed: %d != 0.\n", rc);
+                    }
                 }
+                // hypercall_log_trace(phs.src_filename);
             }
             else {
-                printf("[pri_taint] Invalid magic value in PHS struct: %x != 0xabcd.\n", phs.magic);
-            }
+                if (debug) {
+                    printf("[pri_taint] Invalid action value in PHS struct: %d != 13.\n", phs.action);
+                }   
+            } 
         }
         else {
             if (debug) {
@@ -403,24 +414,9 @@ bool i386_hypercall_callback(CPUState *cpu) {
             printf("[pri_taint] taint2 is not enabled (hypercall)\n");
         }
     }
-    return ret;
 }
 #endif // TARGET_I386
 
-
-bool guest_hypercall_callback(CPUState *cpu) {
-#ifdef TARGET_I386
-    return i386_hypercall_callback(cpu);
-#endif
-
-#ifdef TARGET_ARM
-    // not implemented for now
-    //arm_hypercall_callback(cpu);
-#endif
-
-    return false;
-}
-#endif
 /*
 void on_taint_change(Addr a, uint64_t size){
     uint32_t num_tainted = 0;
@@ -448,26 +444,27 @@ bool init_plugin(void *self) {
     panda_require("taint2");
     assert(init_taint2_api());
 
-    panda_cb pcb;
-    pcb.guest_hypercall = guest_hypercall_callback;
-    panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb);
-    printf("[pri_taint] This plugin is activated!\n");
-
     // If taint isn't already enabled, turn it on.
     if (!taint2_enabled()) {
         printf("[pri_taint] enabling taint now!\n");
         taint2_enable_taint();
     }
+
+    panda_require("hypercaller");
+    void * hypercaller = panda_get_plugin_by_name("hypercaller");
+    register_hypercall_t register_hypercall = (register_hypercall_t) dlsym(hypercaller, "register_hypercall");
+    register_hypercall(LAVA_MAGIC, i386_hypercall_callback);
+
+    printf("[pri_taint] This plugin is activated!\n");
     return true;
 #else
     printf("[pri_taint] This plugin is only supported on x86\n");
     return false;
-    //taint2_track_taint_state();
 #endif
 }
 
-
-
 void uninit_plugin(void *self) {
+    unregister_hypercall(LAVA_MAGIC);
+    printf("[pri_taint] Unloading plugin\n");
 }
 
