Update pri_taint hypercall for LAVA - Just dwarf2 fix now

AndrewQuijano · AndrewQuijano · commit c16ffdb60b5b · 2025-03-17T19:25:31.000-04:00
diff --git a/panda/plugins/hypercaller/README.md b/panda/plugins/hypercaller/README.md
@@ -51,7 +51,7 @@ This was designed primarily for Python use cases:
 MAGIC = 0x12345678
 @panda.hypercall(MAGIC)
 def hypercall(cpu):
-    print("Hello from my hypercall!"
+    print("Hello from my hypercall!")
 
 ```
 
@@ -64,7 +64,7 @@ It's much easier to handle this from Python, but here's an example of how you mi
 #include <panda/plugin.h>
 #include <hypercaller/hypercaller.h>
 
-hypercall_t* register_hypercall;
+register_hypercall_t register_hypercall;
 
 void my_hypercall(CPUState *cpu) {
     printf("Hello from my hypercall!\n");
@@ -76,7 +76,7 @@ bool init_plugin(void *self) {
       panda_require("hypercaller");
       hypercaller = panda_get_plugin_by_name("hypercaller");
     }
-    register_hypercall = (hypercall_t*)dlsym(hypercaller, "register_hypercall");
+    register_hypercall_t register_hypercall = (register_hypercall_t) dlsym(hypercaller, "register_hypercall");
     register_hypercall(0x12345678, my_hypercall);
     return true;
 }
diff --git a/panda/plugins/hypercaller/hypercaller.h b/panda/plugins/hypercaller/hypercaller.h
@@ -6,6 +6,7 @@
 // files in this directory that contain subsections like this one.
 
 typedef void (*hypercall_t)(CPUState *cpu);
+typedef void (*register_hypercall_t)(uint32_t, hypercall_t);
 void register_hypercall(uint32_t magic, hypercall_t);
 void unregister_hypercall(uint32_t magic);
 
diff --git a/panda/plugins/pri_taint/pri_taint.cpp b/panda/plugins/pri_taint/pri_taint.cpp
@@ -15,6 +15,7 @@
 #include "callstack_instr/callstack_instr.h"
 
 extern "C" {
+#include <hypercaller/hypercaller.h>
 
 #include "panda/rr/rr_log.h"
 #include "panda/plog.h"
@@ -37,14 +38,15 @@ extern "C" {
 bool init_plugin(void *);
 void uninit_plugin(void *);
 
-int get_loglevel() ;
+int get_loglevel();
 void set_loglevel(int new_loglevel);
 }
 
+#define LAVA_MAGIC 0xabcd
 const char *global_src_filename = NULL;
 uint64_t global_src_linenum;
 unsigned global_ast_loc_id;
-uint64_t global_funcaddr;
+// uint64_t global_funcaddr;
 bool debug = false;
 
 #define dprintf(...) if (debug) { printf(__VA_ARGS__); fflush(stdout); }
@@ -237,7 +239,7 @@ struct args {
     const char *src_filename;
     uint64_t src_linenum;
     unsigned ast_loc_id;
-    uint64_t funcaddr;
+    // uint64_t funcaddr;
 };
 
 #if defined(TARGET_I386)
@@ -264,7 +266,7 @@ void pfun(void *var_ty_void, const char *var_nm, LocType loc_t, target_ulong loc
     global_src_filename = args->src_filename;
     global_src_linenum = args->src_linenum;
     global_ast_loc_id = args->ast_loc_id;
-    global_funcaddr = args->funcaddr;
+    // global_funcaddr = args->funcaddr;
     //target_ulong guest_dword;
     //std::string ty_string = std::string(var_ty);
     //size_t num_derefs = std::count(ty_string.begin(), ty_string.end(), '*');
@@ -289,8 +291,9 @@ void pfun(void *var_ty_void, const char *var_nm, LocType loc_t, target_ulong loc
         default:
             assert(1==0);
     }
-    // free(si);
 }
+#endif
+
 /*
 void on_line_change(CPUState *cpu, target_ulong pc, const char *file_Name, const char *funct_name, unsigned long long lno){
     if (taint2_enabled()){
@@ -319,7 +322,6 @@ void hypercall_log_trace(unsigned ast_loc_id) {
 // Support all features of label and query program
 void i386_hypercall_callback(CPUState *cpu) {
     dprintf("[pri_taint] Calling lava hypercall!\n");
-    
     CPUArchState *env = (CPUArchState*) cpu->env_ptr;
     if (taint2_enabled()) {
         // LAVA Hypercall
@@ -335,17 +337,21 @@ void i386_hypercall_callback(CPUState *cpu) {
                     (uint32_t) env->regs[R_EDI], (uint32_t) addr);
             #else
                 dprintf("[pri_taint] panda hypercall with ptr to invalid PandaHypercallStruct: vaddr=0x%x paddr=0x%x\n",
-                    (uint32_t) env->regs[R_EBX], (uint32_t) addr);
+                (uint32_t) env->regs[R_EBX], (uint32_t) addr);
             #endif
         }
         else if (pandalog) {
             dprintf("[pri_taint] Hypercall is OK and Panda Log is set\n");  
             PandaHypercallStruct phs;
-            panda_virtual_memory_read(cpu, env->regs[R_EAX], (uint8_t *) &phs, sizeof(phs));
+            #ifdef TARGET_X86_64
+                panda_virtual_memory_read(cpu, env->regs[R_EDI], (uint8_t *) &phs, sizeof(phs));
+            #else
+                panda_virtual_memory_read(cpu, env->regs[R_EBX], (uint8_t *) &phs, sizeof(phs));
+            #endif
 
             // To be used for chaff bugs?
-            uint64_t funcaddr = 0;
-            panda_virtual_memory_read(cpu, phs.info, (uint8_t*)&funcaddr, sizeof(target_ulong));
+            // uint64_t funcaddr = 0;
+            // panda_virtual_memory_read(cpu, phs.info, (uint8_t*)&funcaddr, sizeof(target_ulong));
             // if the phs action is a pri_query point, see
             // lava/include/pirate_mark_lava.h
             if (phs.action == 13) {
@@ -360,6 +366,7 @@ void i386_hypercall_callback(CPUState *cpu) {
                             "ln: %4ld, pc @ 0x" TARGET_FMT_lx "\n",
                             info.filename,
                             info.line_number,pc);
+
                     // Calls 'pri_funct_livevar_iter' in pri.c, which calls 'on_funct_livevar_iter'
                     // In Dwarf2, the function 'on_funct_livevar_iter' is mapped to 'dwarf_funct_livevar_iter'
                     // This is passing the function 'pfun' to 'pri_funct_livevar_iter', which is called at the end
@@ -368,6 +375,7 @@ void i386_hypercall_callback(CPUState *cpu) {
                 else {
                     dprintf("[pri_taint] pri_get_pc_src_info has failed: %d != 0.\n", rc);
                 }
+                // hypercall_log_trace(phs.src_filename);
             }
             else {
                 dprintf("[pri_taint] Invalid action value in PHS struct: %d != 13.\n", phs.action);  
@@ -380,24 +388,9 @@ void i386_hypercall_callback(CPUState *cpu) {
     else {
         dprintf("[pri_taint] taint2 is not enabled (hypercall)\n");
     }
-    return ret;
 }
 #endif // TARGET_I386
 
-
-bool guest_hypercall_callback(CPUState *cpu) {
-#ifdef TARGET_I386
-    return i386_hypercall_callback(cpu);
-#endif
-
-#ifdef TARGET_ARM
-    // not implemented for now
-    //arm_hypercall_callback(cpu);
-#endif
-
-    return false;
-}
-#endif
 /*
 void on_taint_change(Addr a, uint64_t size){
     uint32_t num_tainted = 0;
@@ -425,26 +418,26 @@ bool init_plugin(void *self) {
     panda_require("taint2");
     assert(init_taint2_api());
 
-    panda_cb pcb;
-    pcb.guest_hypercall = guest_hypercall_callback;
-    panda_register_callback(self, PANDA_CB_GUEST_HYPERCALL, pcb);
-    printf("[pri_taint] This plugin is activated!\n");
-
     // If taint isn't already enabled, turn it on.
     if (!taint2_enabled()) {
         printf("[pri_taint] enabling taint now!\n");
         taint2_enable_taint();
     }
+
+    panda_require("hypercaller");
+    void * hypercaller = panda_get_plugin_by_name("hypercaller");
+    register_hypercall_t register_hypercall = (register_hypercall_t) dlsym(hypercaller, "register_hypercall");
+    register_hypercall(LAVA_MAGIC, i386_hypercall_callback);
+
+    printf("[pri_taint] This plugin is activated!\n");
     return true;
 #else
     printf("[pri_taint] This plugin is only supported on x86\n");
     return false;
-    //taint2_track_taint_state();
 #endif
 }
 
-
-
 void uninit_plugin(void *self) {
+    // You don't need to unregister the hypercall!
+    printf("[pri_taint] Unloading plugin complete!\n");
 }
-
