Cleanup page fault code

AndrewFasano · AndrewFasano · commit 89abdc0b9975 · 2021-10-21T10:32:25.000-04:00
diff --git a/panda/python/examples/fault.py b/panda/python/examples/fault.py
@@ -1,19 +1,33 @@
 from pandare import Panda
 
-panda = Panda(generic="i386")
+panda = Panda(generic="arm")
+#panda = Panda(generic="i386")
+#panda = Panda(generic="x86_64")
+#panda = Panda(generic="mips64")
+
 panda.load_plugin("syscalls2", {"load-info": True})
 
 @panda.queue_blocking
 def drive():
     panda.revert_sync('root')
-    print(panda.run_serial_cmd("md5sum $(which whoami); find /etc/ | md5sum"))
+    print(panda.run_serial_cmd("md5sum $(which whoami); find /etc/ | md5sum; apt-get update -yy"))
     panda.end_analysis()
 
+last_fault = None
+def fault(panda, cpu, addr, pc):
+    global last_fault
+    if last_fault == addr:
+        raise MemoryError(f"Double fault of {addr:x}")
+    last_fault = addr
+    panda.libpanda.panda_page_fault(cpu, addr, pc)
+
+
 @panda.ppp("syscalls2", "on_all_sys_enter2")
 def all_sys(cpu, pc, call, rp):
     args = panda.ffi.cast("target_ulong**", rp.args)
 
-    print(f"{pc:#08x} (from block starting at {panda.current_pc(cpu):#08x}): {panda.ffi.string(call.name).decode()}(", end="")
+    sc_name = panda.ffi.string(call.name).decode() if call.name != panda.ffi.NULL else 'err'
+    print(f"{pc:#08x} (from block starting at {panda.current_pc(cpu):#08x}): {sc_name}(", end="")
     if call.nargs == 0:
         print(")", end="")
 
@@ -25,29 +39,29 @@ def all_sys(cpu, pc, call, rp):
         if call.argt[i] not in [0x20, 0x21, 0x22]:
             val = int(panda.ffi.cast("unsigned int", args[i]))
             print(hex(val), end="")
+            continue
+
+        # It's a pointer type
+        addr = int(panda.ffi.cast("unsigned int", args[i]))
+        if addr < 0xFFFF:
+            # Probably not a pointer?
+            print(hex(addr), end="")
         else:
-            addr = int(panda.ffi.cast("unsigned int", args[i]))
-            if addr < 0xFFFF:
-                # Probably not a pointer?
-                print(hex(addr), end="")
-            else:
-                try:
-                    mem = panda.virtual_memory_read(cpu, addr, 8)
-                except ValueError:
-                    # ignore other args until fault is resolved
+            try:
+                s = panda.read_str(cpu, addr)
+            except ValueError:
+                # This argument can't be read - let's raise a fault on it
+                if last_fault != addr:
                     print(f"{addr:#x} => Can't read - INJECT PANDA PAGE FAULT") # newline
+                    fault(panda, cpu, addr, pc)
+                    return # Raised a fault, hope it's gonna work
+                else:
+                    s = "still can't read"
 
-                    # DO FAULT
-                    panda.libpanda.panda_page_fault(cpu, addr, pc)
-                    # After fault is handled, we'll then re-run the syscall insn (and the TCG-based callback)
-                    break
-
-                # No fault
-                print(f"{addr:#x} => {repr(panda.read_str(cpu, addr))}", end="")
+            # No fault
+            print(f"{addr:#x} => {repr(s)}", end="")
 
         print(sep, end="") # , or )
-    else:
-        print()
 
 @panda.ppp("syscalls2", "on_all_sys_return2")
 def all_ret(cpu, pc, call, rp):
diff --git a/panda/src/panda_api.c b/panda/src/panda_api.c
@@ -291,8 +291,10 @@ void _panda_set_library_mode(const bool b) {
 
 // Raise a page fault on address, then return execution to retaddr
 void panda_page_fault(CPUState* cpu, target_ulong address, target_ulong retaddr) {
+  // Update the CPUArchstate so the PC is the desired return address, then call
+  // tlb_fill. This ensures that we always go back to retaddr
 
-#ifdef TARGET_I386
+#if defined(TARGET_I386) //|| defined(TARGET_X86_64)
     CPUX86State *env = cpu->env_ptr;
 
     // We want to set up CPU state with x86_cpu_handle_mmu_fault
@@ -301,34 +303,16 @@ void panda_page_fault(CPUState* cpu, target_ulong address, target_ulong retaddr)
     // instead of restarting the block
     env->eip = retaddr;
     tlb_fill(cpu, address, MMU_DATA_LOAD, 0, retaddr);
+//#elif defined (TARGET_ARM)
+//    CPUARMState *env = cpu->env_ptr;
+//    env->pc = retaddr;
+//    tlb_fill(cpu, address, MMU_DATA_LOAD, 0, retaddr);
+
 #elif defined(TARGET_MIPS)
     CPUMIPSState *env = cpu->env_ptr;
-    CPUState *cs = CPU(mips_env_get_cpu(env));
-    int exception = 26; //26 is EXCP_TLBL. 27 is TLBS
-    int error_code = 1; // EXCP_TLB_NOMATCH;
-
-    env->CP0_BadVAddr = address;
-    env->CP0_Context = (env->CP0_Context & ~0x007fffff) |
-                       ((address >> 9) & 0x007ffff0);
-    target_ulong val = (env->CP0_EntryHi & env->CP0_EntryHi_ASID_mask) |
-                       (env->CP0_EntryHi & (1 << CP0EnHi_EHINV)) |
-                       (address & (TARGET_PAGE_MASK << 1));
-
-    // XXX skip panda callback here - unlike in mips/helper.c
-    env->CP0_EntryHi = val;
-
-#if defined(TARGET_MIPS64)
-    env->CP0_EntryHi &= env->SEGMask;
-    env->CP0_XContext =
-        /* PTEBase */   (env->CP0_XContext & ((~0ULL) << (env->SEGBITS - 7))) |
-        /* R */         (extract64(address, 62, 2) << (env->SEGBITS - 9)) |
-        /* BadVPN2 */   (extract64(address, 13, env->SEGBITS - 13) << 4);
-#endif
-    cs->exception_index = exception;
-    env->error_code = error_code;
-
-    // Break out of the current block so the fault can be handled, then return to our current addr
-    cpu_loop_exit_restore(cs, retaddr);
-
+    env->active_tc.PC = retaddr;
+    tlb_fill(cpu, address, MMU_DATA_LOAD, 0, retaddr);
+#else
+    printf("ERROR: Unsupported architecture for panda_page_fault\n");
 #endif
 }
