Re: [PATCH v2 0/3] Add additional plugin API functions to read and write
From: Pierrick Bouvier
Subject: Re: [PATCH v2 0/3] Add additional plugin API functions to read and write memory and registers
Date: Fri, 6 Dec 2024 11:43:14 -0800
User-agent: Mozilla Thunderbird

Hi Rowan,

thanks for this submission!

On 12/6/24 02:26, Rowan Hart wrote:
> This patch set follows a previous patch which added the
> qemu_plugin_read_memory_vaddr function and adds a set of similar
> functions to read and write registers, virtual memory, and
> physical memory.
>
> The use case I have in mind is for use of QEMU for program analysis and
> testing. For example, a fuzzer which uses QEMU for emulation might wish to
> inject test data into a program at runtime using qemu_plugin_write_memory_vaddr
> (and likewise if testing an operating system or bare metal application using
> qemu_plugin_write_memory_hwaddr). It may also wish to read the initial contents
> of memory using qemu_plugin_read_memory_vaddr/hwaddr.


I am personally in favor of adding such features in upstream QEMU, but we should discuss it with the maintainers, because it would allow changing the state of execution, which is something qemu plugins actively didn't try to do. It's a real paradigm shift for plugins.

By writing to memory/registers, we can start replacing instructions and control flow, and there is a whole set of consequences to that.

> Similarly, a testing framework may wish to fake register values, perhaps to
> simulate a device failure, perhaps by using qemu_plugin_write_register to set a
> register value to an error code.

> I think all this functionality works together to make QEMU
> plugins more powerful and versatile, hopefully removing barriers
> to using upstream QEMU for these tasks which have historically
> required maintaining a QEMU fork downstream (like QEMUAFL
> https://github.com/AFLplusplus/qemuafl), which is tedious, error
> prone, and results in users missing out on enhancements to QEMU.
>
> A test is provided, compile:
>
> gcc -o tests/tcg/x86_64/inject-target tests/tcg/x86_64/inject-target.c
>
> And run:
>
> ./build/qemu-x86_64 -d plugin --plugin build/tests/tcg/plugins/libinject.so \
>     tests/tcg/x86_64/inject-target
>
> Hopefully after a number of tries, the inject plugin will inject the right
> value into the target program, leading to a victory message. This plugin
> handles simple "hypercalls", only one of which is implemented and injects
> data into guest memory.


The hypercall functionality would be useful for plugins as a whole. And I think it definitely deserves to be worked on, if maintainers are open to that as well.

> novafacing (3):
>    Expose gdb_write_register function to consumers of gdbstub
>    Add plugin API functions for register R/W, hwaddr R/W, vaddr W
>    Add inject plugin and x86_64 target for the inject plugin
>
>   gdbstub/gdbstub.c                |   2 +-
>   include/exec/gdbstub.h           |  14 +++
>   include/qemu/qemu-plugin.h       | 116 +++++++++++++++--
>   plugins/api.c                    |  66 +++++++++-
>   tests/tcg/plugins/inject.c       | 206 +++++++++++++++++++++++++++++++
>   tests/tcg/plugins/meson.build    |   2 +-
>   tests/tcg/x86_64/Makefile.target |   1 +
>   tests/tcg/x86_64/inject-target.c |  27 ++++
>   8 files changed, 418 insertions(+), 16 deletions(-)
>   create mode 100644 tests/tcg/plugins/inject.c
>   create mode 100644 tests/tcg/x86_64/inject-target.c


Regards,
Pierrick
