Persistent mode for PPC32 targets (#50)

WorksButNotTested · Your Name · web-flow · commit b0abbe2e74ed · 2023-05-11T20:55:39.000+02:00
* Add QASAN support for PPC

* Support persistent mode on PPC

---------

Co-authored-by: Your Name &lt;you@example.com&gt;
diff --git a/qemuafl/api.h b/qemuafl/api.h
@@ -205,4 +205,11 @@ struct mips_regs {
 };
 #endif
 
+struct ppc_regs {
+  target_ulong gpr[32];  /* general purpose registers */
+  target_ulong lr;
+  target_ulong ctr;
+  uint32_t crf[8];       /* condition register */
+};
+
 #endif
diff --git a/qemuafl/common.h b/qemuafl/common.h
@@ -57,6 +57,8 @@
 /* MIPS_PATCH */
 #elif defined(TARGET_MIPS) || defined(TARGET_MIPS64)
 #define api_regs mips_regs
+#elif defined(TARGET_PPC)
+#define api_regs ppc_regs
 #else
 struct generic_api_regs { int v; };
 #define api_regs generic_api_regs
@@ -141,7 +143,7 @@ void afl_float_compcov_log_80(target_ulong cur_loc, floatx80 arg1,
 abi_ulong afl_get_brk(void);
 abi_ulong afl_set_brk(abi_ulong new_brk);
 
-#if defined(TARGET_X86_64) || defined(TARGET_I386) || defined(TARGET_AARCH64) || defined(TARGET_ARM) || defined(TARGET_MIPS) || defined(TARGET_MIPS64)
+#if defined(TARGET_X86_64) || defined(TARGET_I386) || defined(TARGET_AARCH64) || defined(TARGET_ARM) || defined(TARGET_MIPS) || defined(TARGET_MIPS64) || defined(TARGET_PPC)
 void afl_save_regs(struct api_regs* regs, CPUArchState* env);
 void afl_restore_regs(struct api_regs* regs, CPUArchState* env);
 #else
diff --git a/qemuafl/qasan-qemu.h b/qemuafl/qasan-qemu.h
@@ -46,7 +46,7 @@ struct shadow_stack_block {
 
   int index;
   target_ulong buf[SHADOW_BK_SIZE];
-  
+
   struct shadow_stack_block* next;
 
 };
@@ -87,6 +87,17 @@ extern __thread struct shadow_stack qasan_shadow_stack;
 #define BP_GET(env) ((env)->active_tc.gpr[29])
 #define SP_GET(env) ((env)->active_tc.gpr[30])
 
+#elif defined(TARGET_PPC)
+
+#define PC_GET(env) ((env)->nip)
+/*
+ * PPC doesn't really have a frame pointer since stack frames are built into a
+ * linked list. The BP is used only for display purposes in any case, so we will
+ * just use the SP here.
+ */
+#define BP_GET(env) ((env)->gpr[1])
+#define SP_GET(env) ((env)->gpr[1])
+
 #else
 //#error "Target not supported by asan-giovese"
 #define DO_NOT_USE_QASAN 1
diff --git a/target/ppc/translate.c b/target/ppc/translate.c
@@ -37,6 +37,47 @@
 #include "exec/log.h"
 #include "qemu/atomic128.h"
 
+#include "qemuafl/cpu-translate.h"
+
+#define AFL_QEMU_TARGET_PPC_SNIPPET                                            \
+  if (is_persistent) {                                                         \
+                                                                               \
+    if (ctx->base.pc_next == afl_persistent_addr) {                            \
+                                                                               \
+      gen_helper_afl_persistent_routine(cpu_env);                              \
+                                                                               \
+      if (afl_persistent_ret_addr == 0 && !persistent_exits) {                 \
+                                                                               \
+        tcg_gen_movi_i32(cpu_lr, afl_persistent_addr);                         \
+                                                                               \
+      }                                                                        \
+                                                                               \
+      if (!persistent_save_gpr) afl_gen_tcg_plain_call(&afl_persistent_loop);  \
+                                                                               \
+    } else if (afl_persistent_ret_addr &&                                      \
+               ctx->base.pc_next == afl_persistent_ret_addr) {                 \
+                                                                               \
+      gen_setlr(ctx, afl_persistent_addr);                                     \
+      gen_bclr(ctx);                                                           \
+                                                                               \
+    }                                                                          \
+                                                                               \
+  }
+
+void afl_save_regs(struct api_regs* r, CPUArchState* env) {
+    memcpy(r->gpr, env->gpr, sizeof(r->gpr));
+    r->lr = env->lr;
+    r->ctr = env->ctr;
+    memcpy(r->crf, env->crf, sizeof(r->crf));
+}
+
+void afl_restore_regs(struct api_regs* r, CPUArchState* env) {
+    memcpy(env->gpr, r->gpr, sizeof(r->gpr));
+    env->lr = r->lr;
+    env->ctr = r->ctr;
+    memcpy(env->crf, r->crf, sizeof(r->crf));
+}
+
 
 #define CPU_SINGLE_STEP 0x1
 #define CPU_BRANCH_STEP 0x2
@@ -8002,6 +8043,10 @@ static void ppc_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
     LOG_DISAS("nip=" TARGET_FMT_lx " super=%d ir=%d\n",
               ctx->base.pc_next, ctx->mem_idx, (int)msr_ir);
 
+#if defined(TARGET_PPC)
+    AFL_QEMU_TARGET_PPC_SNIPPET
+#endif
+
     ctx->opcode = translator_ldl_swap(env, ctx->base.pc_next,
                                       need_byteswap(ctx));
 
