2 * This file is part of the Palacios Virtual Machine Monitor developed
3 * by the V3VEE Project with funding from the United States National
4 * Science Foundation and the Department of Energy.
6 * The V3VEE Project is a joint project between Northwestern University
7 * and the University of New Mexico. You can find out more at
10 * Copyright (c) 2008, Jack Lange <jarusl@cs.northwestern.edu>
11 * Copyright (c) 2008, The V3VEE Project <http://www.v3vee.org>
12 * All rights reserved.
14 * Author: Jack Lange <jarusl@cs.northwestern.edu>
16 * This is free software. You are permitted to use,
17 * redistribute, and modify it as specified in the file "V3VEE_LICENSE".
20 #include <palacios/vmm.h>
21 #include <palacios/vm_guest.h>
22 #include <palacios/vmm_mem_hook.h>
23 #include <palacios/vmm_emulator.h>
24 #include <palacios/vm_guest_mem.h>
25 #include <palacios/vmm_hashtable.h>
26 #include <palacios/vmm_decoder.h>
30 // Called when data is read from a memory page
31 int (*read)(struct guest_info * core, addr_t guest_addr, void * dst, uint_t length, void * priv_data);
32 // Called when data is written to a memory page
33 int (*write)(struct guest_info * core, addr_t guest_addr, void * src, uint_t length, void * priv_data);
34 // Called when memory page is accessed
35 int (*access)(struct guest_info *core, addr_t guest_va, addr_t guest_pa, struct v3_mem_region *region, pf_error_t access_info, void *priv_data);
38 struct v3_mem_region * region;
41 struct list_head hook_node;
46 static int free_hook(struct v3_vm_info * vm, struct mem_hook * hook);
48 static uint_t mem_hash_fn(addr_t key) {
49 return v3_hash_long(key, sizeof(void *) * 8);
52 static int mem_eq_fn(addr_t key1, addr_t key2) {
53 return (key1 == key2);
56 int v3_init_mem_hooks(struct v3_vm_info * vm) {
59 struct v3_mem_hooks * hooks = &(vm->mem_hooks);
61 temp = V3_AllocPages(vm->num_cores);
64 PrintError(vm, VCORE_NONE, "Cannot allocate space for mem hooks\n");
68 hooks->hook_hvas_1 = V3_VAddr(temp);
70 temp = V3_AllocPages(vm->num_cores);
73 PrintError(vm, VCORE_NONE,"Cannot allocate space for mem hooks\n");
74 V3_FreePages(hooks->hook_hvas_1,vm->num_cores);
78 hooks->hook_hvas_2 = V3_VAddr(temp);
80 INIT_LIST_HEAD(&(hooks->hook_list));
82 hooks->reg_table = v3_create_htable(0, mem_hash_fn, mem_eq_fn);
88 // We'll assume the actual hooks were either already cleared,
89 // or will be cleared by the memory map
90 int v3_deinit_mem_hooks(struct v3_vm_info * vm) {
91 struct v3_mem_hooks * hooks = &(vm->mem_hooks);
92 struct mem_hook * hook = NULL;
93 struct mem_hook * tmp = NULL;
97 // We delete the hook info but leave its memory region intact
98 // We rely on the memory map to clean up any orphaned regions as a result of this
99 // This needs to be fixed at some point...
100 list_for_each_entry_safe(hook, tmp, &(hooks->hook_list), hook_node) {
105 v3_free_htable(hooks->reg_table, 0, 0);
107 V3_FreePages(V3_PAddr(hooks->hook_hvas_1), vm->num_cores);
108 V3_FreePages(V3_PAddr(hooks->hook_hvas_2), vm->num_cores);
115 static inline int get_op_length(struct x86_instr * instr, struct x86_operand * operand, addr_t tgt_addr) {
117 if (instr->is_str_op) {
118 if ((instr->str_op_length * operand->size) < (0x1000 - PAGE_OFFSET_4KB(tgt_addr))) {
119 return (instr->str_op_length * operand->size);
121 return (0x1000 - PAGE_OFFSET_4KB(tgt_addr));
124 return instr->src_operand.size;
131 static int handle_mem_hook(struct guest_info * core, addr_t guest_va, addr_t guest_pa,
132 struct v3_mem_region * reg, pf_error_t access_info) {
133 struct v3_mem_hooks * hooks = &(core->vm_info->mem_hooks);
134 struct x86_instr instr;
135 void * instr_ptr = NULL;
136 int bytes_emulated = 0;
140 struct mem_hook * src_hook = NULL;
141 addr_t src_mem_op_hva = 0;
142 addr_t src_mem_op_gpa = 0;
143 int src_req_size = -1;
145 struct mem_hook * dst_hook = NULL;
146 addr_t dst_mem_op_hva = 0;
147 addr_t dst_mem_op_gpa = 0;
148 int dst_req_size = -1;
151 struct mem_hook *access_hook = NULL;
153 // Let access hooks take priority
154 access_hook = (struct mem_hook *) reg->priv_data;
155 if (access_hook && access_hook->access) {
156 return access_hook->access(core, guest_va, guest_pa, reg, access_info, access_hook->priv_data);
160 /* Find and decode hooked instruction */
161 if (core->mem_mode == PHYSICAL_MEM) {
162 ret = v3_gpa_to_hva(core, get_addr_linear(core, core->rip, &(core->segments.cs)), (addr_t *)&instr_ptr);
164 ret = v3_gva_to_hva(core, get_addr_linear(core, core->rip, &(core->segments.cs)), (addr_t *)&instr_ptr);
168 PrintError(core->vm_info, core, "Could not translate Instruction Address (%p)\n", (void *)(addr_t)core->rip);
172 if (v3_decode(core, (addr_t)instr_ptr, &instr) == -1) {
173 PrintError(core->vm_info, core, "Decoding Error\n");
179 // Test source operand, if it's memory we need to do some translations, and handle a possible hook
180 if (instr.src_operand.type == MEM_OPERAND) {
181 struct v3_mem_region * src_reg = NULL;
183 if (core->mem_mode == PHYSICAL_MEM) {
184 src_mem_op_gpa = instr.src_operand.operand;
186 if (v3_gva_to_gpa(core, instr.src_operand.operand, &src_mem_op_gpa) == -1) {
187 pf_error_t error = access_info;
190 v3_inject_guest_pf(core, instr.src_operand.operand, error);
196 if ((src_mem_op_gpa >= reg->guest_start) &&
197 (src_mem_op_gpa < reg->guest_end)) {
198 // Src address corresponds to faulted region
201 // Note that this should only trigger for string operations
202 src_reg = v3_get_mem_region(core->vm_info, core->vcpu_id, src_mem_op_gpa);
205 if (src_reg == NULL) {
206 PrintError(core->vm_info, core, "Error finding Source region (addr=%p)\n", (void *)src_mem_op_gpa);
210 src_hook = (struct mem_hook *)v3_htable_search(hooks->reg_table, (addr_t)src_reg);
212 // We don't check whether the region is a hook here because it doesn't yet matter.
213 // These hva calculations will be true regardless
214 if (src_reg->flags.alloced == 0) {
215 src_mem_op_hva = (addr_t)(hooks->hook_hvas_1 + (PAGE_SIZE * core->vcpu_id));
217 // We already have the region so we can do the conversion ourselves
218 src_mem_op_hva = (addr_t)V3_VAddr((void *)((src_mem_op_gpa - src_reg->guest_start) + src_reg->host_addr));
221 src_req_size = get_op_length(&instr, &(instr.src_operand), src_mem_op_hva);
224 // Now do the same translation / hook handling for the second operand
225 if (instr.dst_operand.type == MEM_OPERAND) {
226 struct v3_mem_region * dst_reg = NULL;
229 if (core->mem_mode == PHYSICAL_MEM) {
230 dst_mem_op_gpa = instr.dst_operand.operand;
232 if (v3_gva_to_gpa(core, instr.dst_operand.operand, &dst_mem_op_gpa) == -1) {
233 pf_error_t error = access_info;
236 v3_inject_guest_pf(core, instr.dst_operand.operand, error);
242 if ((dst_mem_op_gpa >= reg->guest_start) &&
243 (dst_mem_op_gpa < reg->guest_end)) {
244 // Dst address corresponds to faulted region
247 // Note that this should only trigger for string operations
248 dst_reg = v3_get_mem_region(core->vm_info, core->vcpu_id, dst_mem_op_gpa);
251 if (dst_reg == NULL) {
252 PrintError(core->vm_info, core, "Error finding Source region (addr=%p)\n", (void *)dst_mem_op_gpa);
256 dst_hook = (struct mem_hook *)v3_htable_search(hooks->reg_table, (addr_t)dst_reg);
258 // We don't check whether the region is a hook here because it doesn't yet matter.
259 // These hva calculations will be true regardless
260 if (dst_reg->flags.alloced == 0) {
261 dst_mem_op_hva = (addr_t)(hooks->hook_hvas_2 + (PAGE_SIZE * core->vcpu_id));
263 // We already have the region so we can do the conversion ourselves
264 dst_mem_op_hva = (addr_t)V3_VAddr((void *)((dst_mem_op_gpa - dst_reg->guest_start) + dst_reg->host_addr));
267 dst_req_size = get_op_length(&instr, &(instr.dst_operand), dst_mem_op_hva);
271 mem_op_size = ((uint_t)src_req_size < (uint_t)dst_req_size) ? src_req_size : dst_req_size;
273 if (mem_op_size == -1) {
274 PrintError(core->vm_info, core, "Error: Did not detect any memory operands...\n");
279 /* Now handle the hooks if necessary */
280 if ( (src_hook != NULL) && (src_hook->read != NULL) &&
281 (instr.src_operand.read == 1) ) {
283 // Read in data from hook
285 if (src_hook->read(core, src_mem_op_gpa, (void *)src_mem_op_hva, mem_op_size, src_hook->priv_data) == -1) {
286 PrintError(core->vm_info, core, "Read hook error at src_mem_op_gpa=%p\n", (void *)src_mem_op_gpa);
291 if ( (dst_hook != NULL) && (dst_hook->read != NULL) &&
292 (instr.dst_operand.read == 1) ) {
294 // Read in data from hook
296 if (dst_hook->read(core, dst_mem_op_gpa, (void *)dst_mem_op_hva, mem_op_size, dst_hook->priv_data) == -1) {
297 PrintError(core->vm_info, core, "Read hook error at dst_mem_op_gpa=%p\n", (void *)dst_mem_op_gpa);
302 bytes_emulated = v3_emulate(core, &instr, mem_op_size, src_mem_op_hva, dst_mem_op_hva);
304 if (bytes_emulated == -1) {
305 PrintError(core->vm_info, core, "Error emulating instruction\n");
310 if ( (src_hook != NULL) && (src_hook->write != NULL) &&
311 (instr.src_operand.write == 1) ) {
313 if (src_hook->write(core, src_mem_op_gpa, (void *)src_mem_op_hva, bytes_emulated, src_hook->priv_data) == -1) {
314 PrintError(core->vm_info, core, "Write hook error at src_mem_op_gpa=%p\n", (void *)src_mem_op_gpa);
321 if ( (dst_hook != NULL) && (dst_hook->write != NULL) &&
322 (instr.dst_operand.write == 1) ) {
324 if (dst_hook->write(core, dst_mem_op_gpa, (void *)dst_mem_op_hva, bytes_emulated, dst_hook->priv_data) == -1) {
325 PrintError(core->vm_info, core, "Write hook error at dst_mem_op_gpa=%p\n", (void *)dst_mem_op_gpa);
331 if (instr.is_str_op == 0) {
332 core->rip += instr.instr_length;
341 int v3_hook_write_mem(struct v3_vm_info * vm, uint16_t core_id,
342 addr_t guest_addr_start, addr_t guest_addr_end, addr_t host_addr,
343 int (*write)(struct guest_info * core, addr_t guest_addr, void * src, uint_t length, void * priv_data),
345 struct v3_mem_region * entry = NULL;
346 struct mem_hook * hook = V3_Malloc(sizeof(struct mem_hook));
347 struct v3_mem_hooks * hooks = &(vm->mem_hooks);
350 PrintError(vm, VCORE_NONE, "Cannot allocate in hooking memory for full access\n");
354 memset(hook, 0, sizeof(struct mem_hook));
358 hook->priv_data = priv_data;
360 entry = v3_create_mem_region(vm, core_id, guest_addr_start, guest_addr_end);
362 hook->region = entry;
364 entry->host_addr = host_addr;
365 entry->unhandled = handle_mem_hook;
366 entry->priv_data = hook;
368 entry->flags.read = 1;
369 entry->flags.exec = 1;
370 entry->flags.alloced = 1;
372 if (v3_insert_mem_region(vm, entry) == -1) {
378 v3_htable_insert(hooks->reg_table, (addr_t)entry, (addr_t)hook);
379 list_add(&(hook->hook_node), &(hooks->hook_list));
386 int v3_hook_full_mem(struct v3_vm_info * vm, uint16_t core_id,
387 addr_t guest_addr_start, addr_t guest_addr_end,
388 int (*read)(struct guest_info * core, addr_t guest_addr, void * dst, uint_t length, void * priv_data),
389 int (*write)(struct guest_info * core, addr_t guest_addr, void * src, uint_t length, void * priv_data),
392 struct v3_mem_region * entry = NULL;
393 struct mem_hook * hook = V3_Malloc(sizeof(struct mem_hook));
394 struct v3_mem_hooks * hooks = &(vm->mem_hooks);
397 PrintError(vm, VCORE_NONE, "Cannot allocate in hooking memory for writing\n");
401 memset(hook, 0, sizeof(struct mem_hook));
405 hook->priv_data = priv_data;
407 entry = v3_create_mem_region(vm, core_id, guest_addr_start, guest_addr_end);
410 PrintError(vm, VCORE_NONE, "Cannot create memory region\n");
415 hook->region = entry;
417 entry->unhandled = handle_mem_hook;
418 entry->priv_data = hook;
420 if (v3_insert_mem_region(vm, entry)) {
421 PrintError(vm, VCORE_NONE, "Cannot insert memory region\n");
427 list_add(&(hook->hook_node), &(hooks->hook_list));
428 v3_htable_insert(hooks->reg_table, (addr_t)entry, (addr_t)hook);
435 int v3_hook_access_mem(struct v3_vm_info * vm, uint16_t core_id,
436 addr_t guest_addr_start, addr_t guest_addr_end,
437 int (*access)(struct guest_info * core,
440 struct v3_mem_region *reg,
441 pf_error_t access_info,
446 struct v3_mem_region * entry = NULL;
447 struct mem_hook * hook = V3_Malloc(sizeof(struct mem_hook));
448 struct v3_mem_hooks * hooks = &(vm->mem_hooks);
451 PrintError(vm, VCORE_NONE,"Cannot allocate in hooking memory for access\n");
455 memset(hook, 0, sizeof(struct mem_hook));
457 hook->access = access;
458 hook->priv_data = priv_data;
460 entry = v3_create_mem_region(vm, core_id, guest_addr_start, guest_addr_end);
463 PrintError(vm, VCORE_NONE, "Cannot create memory region\n");
468 hook->region = entry;
470 entry->unhandled = handle_mem_hook;
471 entry->priv_data = hook;
473 if (v3_insert_mem_region(vm, entry)) {
474 PrintError(vm, VCORE_NONE, "Cannot insert memory region\n");
480 list_add(&(hook->hook_node), &(hooks->hook_list));
481 v3_htable_insert(hooks->reg_table, (addr_t)entry, (addr_t)hook);
487 static int free_hook(struct v3_vm_info * vm, struct mem_hook * hook) {
488 v3_delete_mem_region(vm, hook->region);
489 list_del(&(hook->hook_node));
497 // This will unhook the memory hook registered at start address
498 // We do not support unhooking subregions
499 int v3_unhook_mem(struct v3_vm_info * vm, uint16_t core_id, addr_t guest_addr_start) {
500 struct v3_mem_region * reg = v3_get_mem_region(vm, core_id, guest_addr_start);
501 struct mem_hook * hook = NULL;
504 PrintError(vm, VCORE_NONE, "Could not find region at %p\n", (void *)guest_addr_start);
508 hook = reg->priv_data;
511 PrintError(vm, VCORE_NONE, "Trying to unhook region that is not a hook at %p\n", (void *)guest_addr_start);
