diff options
| author | comex | 2015-01-25 01:26:43 -0500 |
|---|---|---|
| committer | comex | 2015-01-25 01:26:43 -0500 |
| commit | d3ea2155062131724c01d7f6727fdf90a4063b4d (patch) | |
| tree | 6b3d4989b4f7ff9df464c8c18fffce488673274f | |
| parent | fixes (diff) | |
| download | substitute-d3ea2155062131724c01d7f6727fdf90a4063b4d.tar.gz | |
fixes
| -rw-r--r-- | Makefile | 2 | ||||
| -rw-r--r-- | lib/arm/misc.h | 2 | ||||
| -rw-r--r-- | lib/arm64/assemble.h | 9 | ||||
| -rw-r--r-- | lib/arm64/jump-patch.h | 8 | ||||
| -rw-r--r-- | lib/execmem.h | 4 | ||||
| -rw-r--r-- | lib/hook-functions.c | 29 | ||||
| -rw-r--r-- | lib/substitute.h | 8 |
7 files changed, 40 insertions, 22 deletions
@@ -14,7 +14,7 @@ all: \ $(shell mkdir -p out generated) -HEADERS := lib/*.h lib/darwin/*.h +HEADERS := lib/*.h lib/*/*.h GENERATED := generated/generic-dis-arm.inc.h generated/generic-dis-thumb.inc.h generated/generic-dis-thumb2.inc.h generated/generic-dis-arm64.inc.h define do_prefix generated/generic-dis-$(1).inc.h: diff --git a/lib/arm/misc.h b/lib/arm/misc.h index 7ce1c05..f8d593e 100644 --- a/lib/arm/misc.h +++ b/lib/arm/misc.h @@ -10,5 +10,3 @@ struct arch_dis_ctx { }; enum { IS_LDRD_STRD = 1 << 16 }; -#define JUMP_PATCH_SIZE 8 -#define MAX_REWRITTEN_SIZE (12 * 4) /* actually should be less */ diff --git a/lib/arm64/assemble.h b/lib/arm64/assemble.h index c20c219..8a98b7b 100644 --- a/lib/arm64/assemble.h +++ b/lib/arm64/assemble.h @@ -4,8 +4,8 @@ static inline void MOVi64(void **codep, int Rd, uint64_t val) { int shift_nybbles = 0; do { int k = shift_nybbles != 0 ? 1 : 0; - op32(codep, 0x69400000 | k << 28 | Rd | (val & 0xffff) << 4 | - shift_nybbles << 20); + op32(codep, 0xd2800000 | k << 29 | Rd | (val & 0xffff) << 5 | + shift_nybbles << 21); shift_nybbles++; val >>= 16; } while(val); @@ -16,6 +16,7 @@ static inline void LDRxi(void **codep, int Rt, int Rn, uint32_t off, int size, opc; bool sign, simd; switch (load_mode) { + case PLM_ADR: return; case PLM_U8: size = 0; sign = false; simd = false; break; case PLM_S8: size = 0; sign = true; simd = false; break; case PLM_U16: size = 1; sign = false; simd = false; break; @@ -41,8 +42,8 @@ static inline void LDRxi(void **codep, int Rt, int Rn, uint32_t off, static inline void ADRP_ADD(void **codep, int reg, uint64_t pc, uint64_t dpc) { uintptr_t diff = (dpc & ~0xfff) - (pc & ~0xfff); /* ADRP reg, dpc */ - op32(codep, 0x90000000 | reg | (diff & 0x3000) << 17 | (diff & 0xffffc000) >> 8); - uint32_t lo = pc & 0xfff; + op32(codep, 0x90000000 | reg | (diff & 0x3000) << 17 | (diff & 0x1ffffc000) >> 9); + uint32_t lo = dpc & 0xfff; if (lo) { /* ADD reg, reg, #lo */ op32(codep, 0x91000000 | reg | reg << 5 | lo << 10); diff --git a/lib/arm64/jump-patch.h b/lib/arm64/jump-patch.h index c42c730..aa818d3 100644 --- a/lib/arm64/jump-patch.h +++ b/lib/arm64/jump-patch.h @@ -3,20 +3,20 @@ #define MAX_JUMP_PATCH_SIZE 12 #define MAX_REWRITTEN_SIZE (7 * 2 * 4) /* also conservative */ static inline int jump_patch_size(uintptr_t pc, uintptr_t dpc, - struct arch_dis_ctx arch, + UNUSED struct arch_dis_ctx arch, bool force) { intptr_t diff = (dpc & ~0xfff) - (pc & ~0xfff); if (!(diff >= -0x100000000 && diff < 0x100000000)) return force ? 16 : -1; - else if (pc & 0xfff) + else if (!(dpc & 0xfff)) return 8; else return 12; } static inline void make_jump_patch(void **codep, uintptr_t pc, uintptr_t dpc, - struct arch_dis_ctx arch) { - int reg = 12; /* XXX */ + UNUSED struct arch_dis_ctx arch) { + int reg = 15; intptr_t diff = (dpc & ~0xfff) - (pc & ~0xfff); if (!(diff >= -0x100000000 && diff < 0x100000000)) MOVi64(codep, reg, dpc); diff --git a/lib/execmem.h b/lib/execmem.h index a1cd47e..b4860e9 100644 --- a/lib/execmem.h +++ b/lib/execmem.h @@ -1,9 +1,9 @@ #pragma once #include <stdlib.h> -/* write to a foreign page which is already RX / with unknown permissions */ +/* Write to a foreign page which is already RX / with unknown permissions. */ int execmem_write(void *dest, const void *src, size_t len); -/* for allocating trampolines */ +/* For allocating trampolines - this is just a mmap wrapper. */ int execmem_alloc_unsealed(uintptr_t hint, void **page_p, size_t *size_p); int execmem_seal(void *page); void execmem_free(void *page); diff --git a/lib/hook-functions.c b/lib/hook-functions.c index 38d2a80..cc8bd3e 100644 --- a/lib/hook-functions.c +++ b/lib/hook-functions.c @@ -8,7 +8,7 @@ #include TARGET_JUMP_PATCH_HDR struct hook_internal { - int offset_by_pcdiff[JUMP_PATCH_SIZE + 1]; + int offset_by_pcdiff[MAX_JUMP_PATCH_SIZE + 1]; uint8_t jump_patch[MAX_JUMP_PATCH_SIZE]; size_t jump_patch_size; void *code; @@ -21,6 +21,7 @@ struct hook_internal { struct pc_callback_info { struct hook_internal *his; size_t nhooks; + bool encountered_bad_pc; }; static uintptr_t pc_callback(void *ctx, uintptr_t pc) { @@ -32,8 +33,14 @@ static uintptr_t pc_callback(void *ctx, uintptr_t pc) { for (size_t i = 0; i < info->nhooks; i++) { struct hook_internal *hi = &info->his[i]; uintptr_t diff = real_pc - (uintptr_t) hi->code; - if (diff < hi->jump_patch_size) - return (uintptr_t) hi->outro_trampoline + hi->offset_by_pcdiff[diff]; + if (diff < hi->jump_patch_size) { + int offset = hi->offset_by_pcdiff[diff]; + if (offset == -1) { + info->encountered_bad_pc = true; + return pc; + } + return (uintptr_t) hi->outro_trampoline + offset; + } } return pc; } @@ -76,9 +83,9 @@ static int check_intro_trampoline(void **trampoline_ptr_p, if (*patch_size_p != -1 && (size_t) *patch_size_p <= *trampoline_size_left_p) return SUBSTITUTE_OK; - /* Allocate new trampoline - try after dpc. If this fails, we can try - * before dpc before giving up. */ - int ret = execmem_alloc_unsealed(dpc, &trampoline_ptr, &trampoline_size_left); + /* Allocate new trampoline - try after pc. If this fails, we can try + * before pc before giving up. */ + int ret = execmem_alloc_unsealed(pc, &trampoline_ptr, &trampoline_size_left); if (ret) goto skip_after; @@ -93,8 +100,8 @@ static int check_intro_trampoline(void **trampoline_ptr_p, execmem_free(trampoline_ptr); skip_after:; - /* Allocate new trampoline - try before dpc (xxx only meaningful on arm64) */ - uintptr_t start_address = dpc - 0xffff0000; + /* Allocate new trampoline - try before pc (xxx only meaningful on arm64) */ + uintptr_t start_address = pc - 0xffff0000; ret = execmem_alloc_unsealed(start_address, &trampoline_ptr, &trampoline_size_left); if (ret) return ret; @@ -234,9 +241,13 @@ int substitute_hook_functions(const struct substitute_function_hook *hooks, /* *sigh of relief* now we can rewrite the PCs. */ if (stopped) { - struct pc_callback_info info = {his, nhooks}; + struct pc_callback_info info = {his, nhooks, false}; if ((ret = apply_pc_patch_callback(stop_token, pc_callback, &info))) goto end; + if (info.encountered_bad_pc) { + ret = SUBSTITURE_ERR_UNEXPECTED_PC_ON_OTHER_THREAD; + goto end; + } } end: diff --git a/lib/substitute.h b/lib/substitute.h index 250106b..2aa7ed8 100644 --- a/lib/substitute.h +++ b/lib/substitute.h @@ -51,6 +51,14 @@ enum { * SUBSTITUTE_DONT_STOP_THREADS */ SUBSTITUTE_ERR_NOT_ON_MAIN_THREAD, + /* substitute_hook_functions: when trying to patch the PC of other threads + * (in case they were inside the patched prolog when they were suspended), + * found a PC that was in the patch region but seemingly not at an + * instruction boundary + * The hooks were otherwise completed, but the thread in question will + * probably crash now that its code has changed under it. */ + SUBSTITURE_ERR_UNEXPECTED_PC_ON_OTHER_THREAD, + /* substitute_hook_functions: destination was out of range, and mmap * wouldn't give us a trampoline in range */ SUBSTITUTE_ERR_OUT_OF_RANGE, |