Hi Rowan, thanks for this submission!
On 12/6/24 02:26, Rowan Hart wrote:
> This patch set follows a previous patch which added the qemu_plugin_read_memory_vaddr function and adds a set of similar functions to read and write registers, virtual memory, and physical memory. The use case I have in mind is for use of QEMU for program analysis and testing. For example, a fuzzer which uses QEMU for emulation might wish to inject test data into a program at runtime using qemu_plugin_write_memory_vaddr (and likewise if testing an operating system or bare metal application using qemu_plugin_write_memory_hwaddr). It may also wish to read the initial contents of memory using qemu_plugin_read_memory_vaddr/hwaddr.
I am personally in favor of adding such features in upstream QEMU, but we should discuss it with the maintainers, because it would allow changing the state of execution, which is something QEMU plugins actively didn't try to do. It's a real paradigm shift for plugins.

By writing to memory/registers, we can start replacing instructions and control flow, and there is a whole set of consequences to that.
> Similarly, a testing framework may wish to fake register values, perhaps to simulate a device failure, perhaps by using qemu_plugin_write_register to set a register value to an error code. I think all this functionality works together to make QEMU plugins more powerful and versatile, hopefully removing barriers to using upstream QEMU for these tasks which have historically required maintaining a QEMU fork downstream (like QEMUAFL https://github.com/AFLplusplus/qemuafl), which is tedious, error-prone, and results in users missing out on enhancements to QEMU.
>
> A test is provided. Compile:
>
>   gcc -o tests/tcg/x86_64/inject-target tests/tcg/x86_64/inject-target.c
>
> And run:
>
>   ./build/qemu-x86_64 -d plugin --plugin build/tests/tcg/plugins/libinject.so tests/tcg/x86_64/inject-target
>
> Hopefully after a number of tries, the inject plugin will inject the right value into the target program, leading to a victory message. This plugin handles simple "hypercalls", only one of which is implemented and injects data into guest memory.
The hypercall functionality would be useful for plugins as a whole. And I think it definitely deserves to be worked on, if maintainers are open to that as well.
> novafacing (3):
>   Expose gdb_write_register function to consumers of gdbstub
>   Add plugin API functions for register R/W, hwaddr R/W, vaddr W
>   Add inject plugin and x86_64 target for the inject plugin
>
>  gdbstub/gdbstub.c                |   2 +-
>  include/exec/gdbstub.h           |  14 +++
>  include/qemu/qemu-plugin.h       | 116 +++++++++++++++--
>  plugins/api.c                    |  66 +++++++++-
>  tests/tcg/plugins/inject.c       | 206 +++++++++++++++++++++++++++++++
>  tests/tcg/plugins/meson.build    |   2 +-
>  tests/tcg/x86_64/Makefile.target |   1 +
>  tests/tcg/x86_64/inject-target.c |  27 ++++
>  8 files changed, 418 insertions(+), 16 deletions(-)
>  create mode 100644 tests/tcg/plugins/inject.c
>  create mode 100644 tests/tcg/x86_64/inject-target.c
Regards, Pierrick