add uc_mem_read_virtual (#2121)

* x86 mmu allow probe requests

* add api to access memory by virtuall addresses

New api to read from, translate, or write to a virtual address. When
using the MMU it's useful to direct use the virtual addresses.

* fixup! add api to access memory by virtuall addresses

Author: PhilippTakacs

bindings/rust/src/ffi.rs

@@ -48,6 +48,19 @@ extern "C" {
         bytes: *mut u8,
         size: u64,
     ) -> uc_error;
+    pub fn uc_vmem_read(
+        engine: uc_handle,
+        address: u64,
+        prot: u32,
+        bytes: *mut u8,
+        size: libc::size_t,
+    ) -> uc_error;
+    pub fn uc_vmem_translate(
+        engine: uc_handle,
+        address: u64,
+        prot: u32,
+        paddr: *mut u64,
+    ) -> uc_error;
     pub fn uc_mem_map(engine: uc_handle, address: u64, size: u64, perms: u32) -> uc_error;
     pub fn uc_mem_map_ptr(
         engine: uc_handle,

bindings/rust/src/lib.rs

@@ -328,6 +328,17 @@ impl<'a, D> Unicorn<'a, D> {
         .and(Ok(buf))
     }
 
+    /// Read a range of bytes from memory at the specified emulated virtual address.
+    pub fn vmem_read(&self, address: u64, prot: Prot, buf: &mut [u8]) -> Result<(), uc_error> {
+        unsafe { uc_vmem_read(self.get_handle(), address, prot.0 as _, buf.as_mut_ptr() as _, buf.len()) }.into()
+    }
+
+    /// Return a range of bytes from memory at the specified emulated virtual address as vector.
+    pub fn vmem_read_as_vec(&self, address: u64, prot: Prot, size: usize) -> Result<Vec<u8>, uc_error> {
+        let mut buf = vec![0; size];
+        unsafe { uc_vmem_read(self.get_handle(), address, prot.0 as _, buf.as_mut_ptr() as _, buf.len()) }.and(Ok(buf))
+    }
+
     /// Write the data in `bytes` to the emulated physical address `address`
     pub fn mem_write(&mut self, address: u64, bytes: &[u8]) -> Result<(), uc_error> {
         unsafe {
@@ -341,6 +352,16 @@ impl<'a, D> Unicorn<'a, D> {
         .into()
     }
 
+    /// translate virtual to physical address
+    pub fn vmem_translate(&mut self, address: u64, prot: Prot) -> Result<u64, uc_error> {
+        let mut physical: u64 = 0;
+        let err = unsafe { uc_vmem_translate(self.get_handle(), address, prot.0 as _, &mut physical) };
+        if err != uc_error::OK {
+            return Err(err);
+        }
+        return Ok(physical);
+    }
+
     /// Map an existing memory region in the emulator at the specified address.
     ///
     /// # Safety

include/uc_priv.h

@@ -80,6 +80,12 @@ typedef bool (*uc_write_mem_t)(AddressSpace *as, hwaddr addr,
 typedef bool (*uc_read_mem_t)(AddressSpace *as, hwaddr addr, uint8_t *buf,
                               hwaddr len);
 
+typedef bool (*uc_read_mem_virtual_t)(struct uc_struct *uc, vaddr addr,
+                                      uint32_t prot, uint8_t *buf, int len);
+
+typedef bool (*uc_virtual_to_physical_t)(struct uc_struct *uc, vaddr addr,
+                                      uint32_t prot, uint64_t *res);
+
 typedef MemoryRegion *(*uc_mem_cow_t)(struct uc_struct *uc,
                                       MemoryRegion *current, hwaddr begin,
                                       size_t size);
@@ -276,6 +282,8 @@ struct uc_struct {
 
     uc_write_mem_t write_mem;
     uc_read_mem_t read_mem;
+    uc_read_mem_virtual_t read_mem_virtual;
+    uc_virtual_to_physical_t virtual_to_physical;
     uc_mem_cow_t memory_cow;
     uc_args_void_t release;  // release resource when uc_close()
     uc_args_uc_u64_t set_pc; // set PC for tracecode

include/unicorn/unicorn.h

@@ -934,6 +934,82 @@ uc_err uc_mem_write(uc_engine *uc, uint64_t address, const void *bytes,
 UNICORN_EXPORT
 uc_err uc_mem_read(uc_engine *uc, uint64_t address, void *bytes, uint64_t size);
 
+/*
+ Read a range of bytes in memory after mmu translation.
+
+ @uc:      handle returned by uc_open()
+ @address: starting virtual memory address of bytes to get.
+ @prot:    The access type for the tlb lookup
+ @bytes:   pointer to a variable containing data copied from memory.
+ @size:    size of memory to read.
+
+ NOTE: @bytes must be big enough to contain @size bytes.
+
+ This function will translate the address with the MMU. Therefore all
+ pages needs to be memory mapped with the proper access rights. The MMU
+ will not translate the virtual address when the pages are not mapped
+ with the given access rights.
+
+ When the pages are mapped with the given access rights the read will
+ happen indipenden from the access rights of the mapping. So when you
+ have a page write only mapped, a call with prot == UC_PROT_WRITE will
+ be able to read the stored data.
+
+ @return UC_ERR_OK on success, or other value on failure (refer to uc_err enum
+   for detailed error).
+*/
+UNICORN_EXPORT
+uc_err uc_vmem_read(uc_engine *uc, uint64_t address, uint32_t prot,
+                           void *bytes, size_t size);
+
+/*
+ Write to a range of bytes in memory after mmu translation.
+
+ @uc: handle returned by uc_open()
+ @address: starting memory address of bytes to set.
+ @prot:    The access type for the tlb lookup
+ @bytes:   pointer to a variable containing data to be written to memory.
+ @size:   size of memory to write to.
+
+ This function will translate the address with the MMU. Therefore all
+ pages needs to be memory mapped with the proper access rights. The MMU
+ will not translate the virtual address when the pages are not mapped
+ with the given access rights.
+
+ When the pages are mapped with the given access rights the write will
+ happen indipenden from the access rights of the mapping. So when you
+ have a page read only mapped, a call with prot == UC_PROT_READ will
+ be able to write the data.
+
+ NOTE: @bytes must be big enough to contain @size bytes.
+
+ @return UC_ERR_OK on success, or other value on failure (refer to uc_err enum
+   for detailed error).
+*/
+UNICORN_EXPORT
+uc_err uc_vmem_write(uc_engine *uc, uint64_t address, uint32_t prot,
+                           void *bytes, size_t size);
+
+/*
+ Translate a virtuall address to a physical address
+
+ @uc:
+ @address:  virtual address to translate
+ @prot:     The access type for the tlb lookup
+ @paddress: A pointer to store the result
+
+ This function will translate the address with the MMU. Therefore all
+ pages needs to be memory mapped with the proper access rights. The MMU
+ will not translate the virtual address when the pages are not mapped
+ with the given access rights.
+
+ @return UC_ERR_OK on success, or other value on failure (refer to uc_err enum
+   for detailed error).
+*/
+UNICORN_EXPORT
+uc_err uc_vmem_translate(uc_engine *uc, uint64_t address, uint32_t prot,
+                              uint64_t *paddress);
+
 /*
  Emulate machine code in a specific duration of time.
 

qemu/aarch64.h

@@ -797,6 +797,7 @@
 #define get_page_addr_code get_page_addr_code_aarch64
 #define probe_access probe_access_aarch64
 #define tlb_vaddr_to_host tlb_vaddr_to_host_aarch64
+#define tlb_vaddr_to_paddr tlb_vaddr_to_paddr_aarch64
 #define helper_ret_ldub_mmu helper_ret_ldub_mmu_aarch64
 #define helper_le_lduw_mmu helper_le_lduw_mmu_aarch64
 #define helper_be_lduw_mmu helper_be_lduw_mmu_aarch64

qemu/accel/tcg/cputlb.c

@@ -1296,6 +1296,53 @@ void *probe_access(CPUArchState *env, target_ulong addr, int size,
     return (void *)((uintptr_t)addr + entry->addend);
 }
 
+bool tlb_vaddr_to_paddr(CPUArchState *env, abi_ptr addr,
+                        MMUAccessType access_type, int mmu_idx, target_ulong *paddr)
+{
+    struct uc_struct *uc = env->uc;
+    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
+    target_ulong tlb_addr, page;
+    size_t elt_ofs = 0;
+
+    switch (access_type) {
+    case MMU_DATA_LOAD:
+        elt_ofs = offsetof(CPUTLBEntry, addr_read);
+        break;
+    case MMU_DATA_STORE:
+        elt_ofs = offsetof(CPUTLBEntry, addr_write);
+        break;
+    case MMU_INST_FETCH:
+        elt_ofs = offsetof(CPUTLBEntry, addr_code);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    page = addr & TARGET_PAGE_MASK;
+    tlb_addr = tlb_read_ofs(entry, elt_ofs);
+
+    if (!tlb_hit_page(uc, tlb_addr, page)) {
+        uintptr_t index = tlb_index(env, mmu_idx, addr);
+
+        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page)) {
+            CPUState *cs = env_cpu(env);
+            CPUClass *cc = CPU_GET_CLASS(cs);
+
+            if (!cc->tlb_fill(cs, addr, 0, access_type, mmu_idx, true, 0)) {
+                /* Non-faulting page table read failed.  */
+                return false;
+            }
+
+            /* TLB resize via tlb_fill may have moved the entry.  */
+            entry = tlb_entry(env, mmu_idx, addr);
+        }
+        tlb_addr = tlb_read_ofs(entry, elt_ofs);
+    }
+
+    *paddr = entry->paddr | (addr & ~TARGET_PAGE_MASK);
+    return true;
+}
+
 void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
                         MMUAccessType access_type, int mmu_idx)
 {

qemu/arm.h

@@ -797,6 +797,7 @@
 #define get_page_addr_code get_page_addr_code_arm
 #define probe_access probe_access_arm
 #define tlb_vaddr_to_host tlb_vaddr_to_host_arm
+#define tlb_vaddr_to_paddr tlb_vaddr_to_paddr_arm
 #define helper_ret_ldub_mmu helper_ret_ldub_mmu_arm
 #define helper_le_lduw_mmu helper_le_lduw_mmu_arm
 #define helper_be_lduw_mmu helper_be_lduw_mmu_arm

qemu/include/exec/cpu_ldst.h

@@ -168,4 +168,22 @@ static inline int cpu_ldsw_code(CPUArchState *env, abi_ptr addr)
 void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
                         MMUAccessType access_type, int mmu_idx);
 
+
+/**
+ * tlb_vaddr_to_paddr:
+ * @env: CPUArchState
+ * @addr: guest virtual address to look up
+ * @access_type: 0 for read, 1 for write, 2 for execute
+ * @mmu_idx: MMU index to use for lookup
+ * @paddr: pointer to store the physical address
+ *
+ * Look up the specified guest virtual index in the TCG softmmu TLB.
+ * If we can translate a host virtual address to a host physical address,
+ * without causing a guest exception, then save the physical address in
+ * paddr pointer.
+ *
+ * Returns true when posible to translate, otherwhise false
+ */
+bool tlb_vaddr_to_paddr(CPUArchState *env, abi_ptr addr,
+		        MMUAccessType access_type, int mmu_idx, target_ulong *paddr);
 #endif /* CPU_LDST_H */

qemu/m68k.h

@@ -797,6 +797,7 @@
 #define get_page_addr_code get_page_addr_code_m68k
 #define probe_access probe_access_m68k
 #define tlb_vaddr_to_host tlb_vaddr_to_host_m68k
+#define tlb_vaddr_to_paddr tlb_vaddr_to_paddr_m68k
 #define helper_ret_ldub_mmu helper_ret_ldub_mmu_m68k
 #define helper_le_lduw_mmu helper_le_lduw_mmu_m68k
 #define helper_be_lduw_mmu helper_be_lduw_mmu_m68k

qemu/mips.h

@@ -797,6 +797,7 @@
 #define get_page_addr_code get_page_addr_code_mips
 #define probe_access probe_access_mips
 #define tlb_vaddr_to_host tlb_vaddr_to_host_mips
+#define tlb_vaddr_to_paddr tlb_vaddr_to_paddr_mips
 #define helper_ret_ldub_mmu helper_ret_ldub_mmu_mips
 #define helper_le_lduw_mmu helper_le_lduw_mmu_mips
 #define helper_be_lduw_mmu helper_be_lduw_mmu_mips