1 | /* | |
2 | * Windows crashdump (target specific implementations) | |
3 | * | |
4 | * Copyright (c) 2018 Virtuozzo International GmbH | |
5 | * | |
6 | * This work is licensed under the terms of the GNU GPL, version 2 or later. | |
7 | * See the COPYING file in the top-level directory. | |
8 | * | |
9 | */ | |
10 | ||
11 | #include "qemu/osdep.h" | |
12 | #include "sysemu/dump.h" | |
13 | #include "qapi/error.h" | |
14 | #include "qapi/qmp/qerror.h" | |
15 | #include "exec/cpu-defs.h" | |
16 | #include "hw/core/cpu.h" | |
17 | #include "qemu/win_dump_defs.h" | |
18 | #include "win_dump.h" | |
19 | #include "cpu.h" | |
20 | ||
21 | #if defined(TARGET_X86_64) | |
22 | ||
/*
 * win_dump_available: report whether Windows crashdump support is built in.
 *
 * On TARGET_X86_64 builds the feature is always present, so @errp is never
 * touched and the answer is simply true.
 */
bool win_dump_available(Error **errp)
{
    (void)errp; /* nothing can fail on this target */

    return true;
}
27 | ||
/*
 * win_dump_ptr_size: width in bytes of a guest pointer for the dump flavour.
 *
 * @x64: true for the 64-bit ("DU64") layout, false for the 32-bit ("DUMP") one
 *
 * Returns 8 or 4 respectively.
 */
static size_t win_dump_ptr_size(bool x64)
{
    if (x64) {
        return sizeof(uint64_t);
    }

    return sizeof(uint32_t);
}
32 | ||
/*
 * Accessors for header fields that exist in both the 32-bit and 64-bit
 * layouts of WinDumpHeader. They are macros rather than functions because
 * the field is named syntactically; every expansion relies on a WinDumpHeader
 * pointer called `h` and a bool called `x64` being in scope at the call site.
 *
 * WIN_DUMP_FIELD yields the field's value, WIN_DUMP_FIELD_PTR a `void *` to
 * it, and WIN_DUMP_FIELD_SIZE its sizeof in the selected layout.
 *
 * In create_win_dump() `h` points into the guest-supplied vmcoreinfo note, so
 * anything read through these accessors originates from the guest.
 * NOTE(review): the leading-underscore-plus-uppercase names are in the
 * namespace reserved for the implementation; a rename is cosmetic but cleaner.
 */
#define _WIN_DUMP_FIELD(f) (x64 ? h->x64.f : h->x32.f)
#define WIN_DUMP_FIELD(field) _WIN_DUMP_FIELD(field)

#define _WIN_DUMP_FIELD_PTR(f) (x64 ? (void *)&h->x64.f : (void *)&h->x32.f)
#define WIN_DUMP_FIELD_PTR(field) _WIN_DUMP_FIELD_PTR(field)

#define _WIN_DUMP_FIELD_SIZE(f) (x64 ? sizeof(h->x64.f) : sizeof(h->x32.f))
#define WIN_DUMP_FIELD_SIZE(field) _WIN_DUMP_FIELD_SIZE(field)
41 | ||
/*
 * win_dump_ctx_size: size of the CONTEXT record exchanged with the guest
 * for the selected dump flavour (WinContext64 or WinContext32).
 *
 * @x64: header layout selector
 */
static size_t win_dump_ctx_size(bool x64)
{
    size_t n = sizeof(WinContext32);

    if (x64) {
        n = sizeof(WinContext64);
    }

    return n;
}
46 | ||
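/*
 * write_run: copy one physical memory run of the guest into the dump file.
 *
 * @base_page:  first guest-physical page of the run (from the dump header)
 * @page_count: number of pages in the run (from the dump header)
 * @fd:         destination file descriptor
 * @errp:       set on failure
 *
 * The run is mapped piecewise with cpu_physical_memory_map(), which may hand
 * back less than was asked for, so the loop continues until @size is drained.
 * Returns the number of bytes written, or 0 with @errp set on any error
 * (callers only accumulate the count and detect failure through @errp).
 *
 * @base_page and @page_count come from the guest-supplied header, so the
 * page-to-byte shifts are checked for overflow instead of being trusted.
 */
static size_t write_run(uint64_t base_page, uint64_t page_count,
        int fd, Error **errp)
{
    void *buf;
    uint64_t addr, size, len;
    ssize_t l;
    size_t total = 0;

    if (base_page > (UINT64_MAX >> TARGET_PAGE_BITS) ||
        page_count > (UINT64_MAX >> TARGET_PAGE_BITS)) {
        error_setg(errp, "win-dump: physical run out of range"
                " (base page 0x%" PRIx64 ", %" PRIu64 " pages)",
                base_page, page_count);
        return 0;
    }

    addr = base_page << TARGET_PAGE_BITS;
    size = page_count << TARGET_PAGE_BITS;

    while (size) {
        len = size;

        buf = cpu_physical_memory_map(addr, &len, false);
        if (!buf) {
            error_setg(errp, "win-dump: failed to map physical range"
                    " 0x%016" PRIx64 "-0x%016" PRIx64, addr, addr + size - 1);
            return 0;
        }

        /* The mapping may be shorter than the run; write what was mapped. */
        l = qemu_write_full(fd, buf, len);
        cpu_physical_memory_unmap(buf, addr, false, len);
        if (l < 0 || (uint64_t)l != len) {
            error_setg(errp, QERR_IO_ERROR);
            return 0;
        }

        addr += len;
        size -= len;
        total += len;
    }

    return total;
}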
80 | ||
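/*
 * write_runs: append every physical memory run listed in the header to the
 * dump file, keeping s->written_size in step.
 *
 * @s:    dump state (destination fd, progress counters)
 * @h:    dump header; PhysicalMemoryBlock describes the runs
 * @x64:  header layout selector
 * @errp: set on the first failing run, after which no further run is written
 *
 * NumberOfRuns is guest-supplied while Run[] is a fixed-size array embedded in
 * the header, so the count is checked against the array bound before it is
 * used as an index; otherwise a corrupted or hostile header would make this
 * loop read past the end of the note buffer.
 */
static void write_runs(DumpState *s, WinDumpHeader *h, bool x64, Error **errp)
{
    uint64_t BasePage, PageCount;
    Error *local_err = NULL;
    uint32_t nruns = WIN_DUMP_FIELD(PhysicalMemoryBlock.NumberOfRuns);
    size_t max_runs = WIN_DUMP_FIELD_SIZE(PhysicalMemoryBlock.Run) /
                      WIN_DUMP_FIELD_SIZE(PhysicalMemoryBlock.Run[0]);
    uint32_t i;

    if (nruns > max_runs) {
        error_setg(errp, "win-dump: NumberOfRuns (%" PRIu32 ") exceeds"
                " header capacity (%zu)", nruns, max_runs);
        return;
    }

    for (i = 0; i < nruns; i++) {
        BasePage = WIN_DUMP_FIELD(PhysicalMemoryBlock.Run[i].BasePage);
        PageCount = WIN_DUMP_FIELD(PhysicalMemoryBlock.Run[i].PageCount);
        s->written_size += write_run(BasePage, PageCount, s->fd, &local_err);
        if (local_err) {
            error_propagate(errp, local_err);
            return;
        }
    }
}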
97 | ||
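/*
 * cpu_read_ptr: read a guest-virtual pointer of the guest's native width.
 *
 * @x64:  true to read 8 bytes, false to read 4 (see win_dump_ptr_size())
 * @cpu:  CPU whose debug memory access path performs the read
 * @addr: guest virtual address holding the pointer
 * @ptr:  receives the value, zero-extended to 64 bits
 *
 * Returns the cpu_memory_rw_debug() status (0 on success, non-zero on a
 * failed read). The temporaries are zero-initialised so that a failed read
 * stores 0 into *ptr instead of uninitialised stack contents.
 */
static int cpu_read_ptr(bool x64, CPUState *cpu, uint64_t addr, uint64_t *ptr)
{
    int ret;
    uint32_t ptr32 = 0;
    uint64_t ptr64 = 0;
    void *dst = x64 ? (void *)&ptr64 : (void *)&ptr32;

    ret = cpu_memory_rw_debug(cpu, addr, dst, win_dump_ptr_size(x64), 0);

    *ptr = x64 ? ptr64 : ptr32;

    return ret;
}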
111 | ||
/*
 * patch_mm_pfn_database: refresh the header's PfnDatabase from the live KDBG.
 *
 * The value sits at KDBG_MM_PFN_DATABASE_OFFSET inside the KdDebuggerDataBlock
 * the header points at and is read straight into the header field.
 * @errp is set if the guest read fails.
 */
static void patch_mm_pfn_database(WinDumpHeader *h, bool x64, Error **errp)
{
    int ret = cpu_memory_rw_debug(first_cpu,
            WIN_DUMP_FIELD(KdDebuggerDataBlock) + KDBG_MM_PFN_DATABASE_OFFSET,
            WIN_DUMP_FIELD_PTR(PfnDatabase),
            WIN_DUMP_FIELD_SIZE(PfnDatabase), 0);

    if (ret) {
        error_setg(errp, "win-dump: failed to read MmPfnDatabase");
    }
}
122 | ||
/*
 * patch_bugcheck_data: copy the kernel's bugcheck record into the header.
 *
 * KiBugcheckData (located through the KDBG at KDBG_KI_BUGCHECK_DATA_OFFSET)
 * points at the kernel's bugcheck record, which is read into the header's
 * BugcheckData. A BugcheckCode of 0 means no crash was recorded, so
 * LIVE_SYSTEM_DUMP is stored to mark the dump as taken from a running guest.
 * @errp is set if either guest read fails.
 */
static void patch_bugcheck_data(WinDumpHeader *h, bool x64, Error **errp)
{
    uint64_t KiBugcheckData;
    uint32_t *code;
    int ret;

    ret = cpu_read_ptr(x64, first_cpu,
            WIN_DUMP_FIELD(KdDebuggerDataBlock) + KDBG_KI_BUGCHECK_DATA_OFFSET,
            &KiBugcheckData);
    if (ret) {
        error_setg(errp, "win-dump: failed to read KiBugcheckData");
        return;
    }

    ret = cpu_memory_rw_debug(first_cpu, KiBugcheckData,
            WIN_DUMP_FIELD(BugcheckData),
            WIN_DUMP_FIELD_SIZE(BugcheckData), 0);
    if (ret) {
        error_setg(errp, "win-dump: failed to read bugcheck data");
        return;
    }

    /* No BugcheckCode was saved: consider the guest OS alive. */
    code = WIN_DUMP_FIELD_PTR(BugcheckCode);
    if (*code == 0) {
        *code = LIVE_SYSTEM_DUMP;
    }
}
149 | ||
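/*
 * patch_header: correct header fields the guest leaves wrong or unfilled
 * before the header is written out.
 *
 * RequiredDumpSpace is recomputed as header size plus the dumped memory
 * (NumberOfPages shifted by TARGET_PAGE_BITS); the 64-bit layout also gets
 * its padding fields zeroed. PfnDatabase and the bugcheck data are then
 * refreshed from the live kernel; failures there are only warnings because
 * the dump is still usable without them.
 *
 * The page count is widened to 64 bits before shifting so that, if the
 * layout's NumberOfPages field is narrower than 64 bits (the 32-bit layout
 * presumably is — verify in win_dump_defs.h), the shift cannot truncate.
 */
static void patch_header(WinDumpHeader *h, bool x64)
{
    Error *local_err = NULL;
    uint64_t pages;

    if (x64) {
        pages = h->x64.PhysicalMemoryBlock.NumberOfPages;
        h->x64.RequiredDumpSpace = sizeof(WinDumpHeader64) +
                (pages << TARGET_PAGE_BITS);
        h->x64.PhysicalMemoryBlock.unused = 0;
        h->x64.unused1 = 0;
    } else {
        pages = h->x32.PhysicalMemoryBlock.NumberOfPages;
        h->x32.RequiredDumpSpace = sizeof(WinDumpHeader32) +
                (pages << TARGET_PAGE_BITS);
    }

    patch_mm_pfn_database(h, x64, &local_err);
    if (local_err) {
        warn_report_err(local_err);
        local_err = NULL;
    }
    patch_bugcheck_data(h, x64, &local_err);
    if (local_err) {
        warn_report_err(local_err);
    }
}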
177 | ||
/*
 * check_header: validate the dump header magic and detect its layout.
 *
 * The header must start with "PAGE"; the ValidDump tag that follows selects
 * the 32-bit ("DUMP") or 64-bit ("DU64") layout, reported through @x64.
 * Returns true on success. On a bad tag @errp is set and false is returned;
 * the rejected bytes are echoed with a %.4s precision so at most four
 * characters of the guest-supplied header reach the error message.
 */
static bool check_header(WinDumpHeader *h, bool *x64, Error **errp)
{
    static const char Signature[] = "PAGE";

    if (memcmp(h->Signature, Signature, sizeof(h->Signature)) != 0) {
        error_setg(errp, "win-dump: invalid header, expected '%.4s',"
                " got '%.4s'", Signature, h->Signature);
        return false;
    }

    if (memcmp(h->ValidDump, "DUMP", sizeof(h->ValidDump)) == 0) {
        *x64 = false;
        return true;
    }

    if (memcmp(h->ValidDump, "DU64", sizeof(h->ValidDump)) == 0) {
        *x64 = true;
        return true;
    }

    error_setg(errp, "win-dump: invalid header, expected 'DUMP' or 'DU64',"
            " got '%.4s'", h->ValidDump);
    return false;
}
200 | ||
/*
 * check_kdbg: locate a usable KDBG and store its address in the header.
 *
 * The KdDebuggerDataBlock the guest reports is verified by reading its
 * OwnerTag ("KDBG" at KDBG_OWNER_TAG_OFFSET). If the tag does not match —
 * typically because the kernel keeps the block encrypted — the address the
 * guest driver stored in BugcheckParameter1 is tried once as a fallback.
 * Whichever candidate carried a valid tag is written back to the header's
 * KdDebuggerDataBlock. @errp is set if a read fails or neither tag matches.
 *
 * Both candidate addresses originate from the guest; this tag comparison is
 * the only validation they receive before later routines dereference them.
 */
static void check_kdbg(WinDumpHeader *h, bool x64, Error **errp)
{
    static const char OwnerTag[] = "KDBG";
    char read_OwnerTag[4];
    uint64_t candidate = WIN_DUMP_FIELD(KdDebuggerDataBlock);
    int attempt;

    for (attempt = 0; ; attempt++) {
        if (cpu_memory_rw_debug(first_cpu,
                candidate + KDBG_OWNER_TAG_OFFSET,
                read_OwnerTag, sizeof(read_OwnerTag), 0)) {
            error_setg(errp, "win-dump: failed to read OwnerTag");
            return;
        }

        if (memcmp(read_OwnerTag, OwnerTag, sizeof(read_OwnerTag)) == 0) {
            break;
        }

        if (attempt > 0) {
            error_setg(errp, "win-dump: invalid KDBG OwnerTag,"
                    " expected '%.4s', got '%.4s'",
                    OwnerTag, read_OwnerTag);
            return;
        }

        /*
         * The original KDBG did not verify (most likely it is encrypted);
         * retry once with the KDBG address handed over by the guest driver.
         */
        candidate = WIN_DUMP_FIELD(BugcheckParameter1);
    }

    if (x64) {
        h->x64.KdDebuggerDataBlock = candidate;
    } else {
        h->x32.KdDebuggerDataBlock = candidate;
    }
}
241 | ||
/*
 * One CPU's original CONTEXT record, kept so that the guest memory
 * patch_and_save_context() overwrites can be put back by restore_context().
 */
struct saved_context {
    WinContext ctx;   /* bytes read from the guest before they were patched */
    uint64_t addr;    /* guest virtual address the record lives at */
};
246 | ||
/*
 * patch_and_save_context: overwrite every processor's saved CONTEXT record in
 * guest memory with the register state QEMU currently holds, keeping a copy of
 * the original bytes so restore_context() can put them back.
 *
 * @h:         dump header; supplies KdDebuggerDataBlock and NumberProcessors
 * @x64:       header layout / pointer-width selector
 * @saved_ctx: array with NumberProcessors entries (allocated by the caller);
 *             entry i receives CPU i's record address and original bytes
 * @errp:      set on the first failed guest read or write; processing stops
 *             there, leaving the CPUs handled so far already patched
 *
 * The per-CPU record is found by walking kernel structures:
 * KDBG -> KiProcessorBlock[i] -> PRCB -> (+OffsetPrcbContext) -> CONTEXT.
 * All guest reads and writes go through first_cpu (whose CR3 the caller has
 * pointed at the guest's DirectoryTableBase); the register values come from
 * the CPU being iterated.
 */
static void patch_and_save_context(WinDumpHeader *h, bool x64,
                                   struct saved_context *saved_ctx,
                                   Error **errp)
{
    uint64_t KdDebuggerDataBlock = WIN_DUMP_FIELD(KdDebuggerDataBlock);
    uint64_t KiProcessorBlock;
    uint16_t OffsetPrcbContext;
    CPUState *cpu;
    int i = 0; /* index into the guest's processor table and into saved_ctx */

    if (cpu_read_ptr(x64, first_cpu,
            KdDebuggerDataBlock + KDBG_KI_PROCESSOR_BLOCK_OFFSET,
            &KiProcessorBlock)) {
        error_setg(errp, "win-dump: failed to read KiProcessorBlock");
        return;
    }

    if (cpu_memory_rw_debug(first_cpu,
            KdDebuggerDataBlock + KDBG_OFFSET_PRCB_CONTEXT_OFFSET,
            (uint8_t *)&OffsetPrcbContext, sizeof(OffsetPrcbContext), 0)) {
        error_setg(errp, "win-dump: failed to read OffsetPrcbContext");
        return;
    }

    CPU_FOREACH(cpu) {
        X86CPU *x86_cpu = X86_CPU(cpu);
        CPUX86State *env = &x86_cpu->env;
        uint64_t Prcb;
        uint64_t Context;
        WinContext ctx;

        /*
         * NumberProcessors is guest-supplied and also sizes saved_ctx, so it
         * bounds the walk: surplus QEMU CPUs are skipped with a warning, not
         * an error. NOTE(review): when NumberProcessors exceeds the QEMU CPU
         * count, the trailing saved_ctx entries are never written here.
         */
        if (i >= WIN_DUMP_FIELD(NumberProcessors)) {
            warn_report("win-dump: number of QEMU CPUs is bigger than"
                        " NumberProcessors (%u) in guest Windows",
                        WIN_DUMP_FIELD(NumberProcessors));
            return;
        }

        /* KiProcessorBlock is indexed as an array of per-CPU PRCB pointers. */
        if (cpu_read_ptr(x64, first_cpu,
                KiProcessorBlock + i * win_dump_ptr_size(x64),
                &Prcb)) {
            error_setg(errp, "win-dump: failed to read"
                    " CPU #%d PRCB location", i);
            return;
        }

        /* The PRCB holds the pointer to this CPU's CONTEXT record. */
        if (cpu_read_ptr(x64, first_cpu,
                Prcb + OffsetPrcbContext,
                &Context)) {
            error_setg(errp, "win-dump: failed to read"
                    " CPU #%d ContextFrame location", i);
            return;
        }

        saved_ctx[i].addr = Context;

        /* Build the replacement record from QEMU's view of the CPU. */
        if (x64) {
            ctx.x64 = (WinContext64){
                .ContextFlags = WIN_CTX64_ALL,
                .MxCsr = env->mxcsr,

                .SegEs = env->segs[0].selector,
                .SegCs = env->segs[1].selector,
                .SegSs = env->segs[2].selector,
                .SegDs = env->segs[3].selector,
                .SegFs = env->segs[4].selector,
                .SegGs = env->segs[5].selector,
                /* EFLAGS is assembled by the helper rather than read raw */
                .EFlags = cpu_compute_eflags(env),

                .Dr0 = env->dr[0],
                .Dr1 = env->dr[1],
                .Dr2 = env->dr[2],
                .Dr3 = env->dr[3],
                .Dr6 = env->dr[6],
                .Dr7 = env->dr[7],

                .Rax = env->regs[R_EAX],
                .Rbx = env->regs[R_EBX],
                .Rcx = env->regs[R_ECX],
                .Rdx = env->regs[R_EDX],
                .Rsp = env->regs[R_ESP],
                .Rbp = env->regs[R_EBP],
                .Rsi = env->regs[R_ESI],
                .Rdi = env->regs[R_EDI],
                .R8 = env->regs[8],
                .R9 = env->regs[9],
                .R10 = env->regs[10],
                .R11 = env->regs[11],
                .R12 = env->regs[12],
                .R13 = env->regs[13],
                .R14 = env->regs[14],
                .R15 = env->regs[15],

                .Rip = env->eip,
                /* only MxCsr of the FP/SSE save area is filled in */
                .FltSave = {
                    .MxCsr = env->mxcsr,
                },
            };
        } else {
            ctx.x32 = (WinContext32){
                .ContextFlags = WIN_CTX32_FULL | WIN_CTX_DBG,

                .SegEs = env->segs[0].selector,
                .SegCs = env->segs[1].selector,
                .SegSs = env->segs[2].selector,
                .SegDs = env->segs[3].selector,
                .SegFs = env->segs[4].selector,
                .SegGs = env->segs[5].selector,
                .EFlags = cpu_compute_eflags(env),

                .Dr0 = env->dr[0],
                .Dr1 = env->dr[1],
                .Dr2 = env->dr[2],
                .Dr3 = env->dr[3],
                .Dr6 = env->dr[6],
                .Dr7 = env->dr[7],

                .Eax = env->regs[R_EAX],
                .Ebx = env->regs[R_EBX],
                .Ecx = env->regs[R_ECX],
                .Edx = env->regs[R_EDX],
                .Esp = env->regs[R_ESP],
                .Ebp = env->regs[R_EBP],
                .Esi = env->regs[R_ESI],
                .Edi = env->regs[R_EDI],

                .Eip = env->eip,
            };
        }

        /* Keep the guest's own record so it can be restored afterwards. */
        if (cpu_memory_rw_debug(first_cpu, Context,
                &saved_ctx[i].ctx, win_dump_ctx_size(x64), 0)) {
            error_setg(errp, "win-dump: failed to save CPU #%d context", i);
            return;
        }

        /* Write access (last argument 1): this modifies guest memory. */
        if (cpu_memory_rw_debug(first_cpu, Context,
                &ctx, win_dump_ctx_size(x64), 1)) {
            error_setg(errp, "win-dump: failed to write CPU #%d context", i);
            return;
        }

        i++;
    }
}
392 | ||
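/*
 * restore_context: write each CPU's saved CONTEXT record back into the guest.
 *
 * @h:         dump header (NumberProcessors bounds the walk)
 * @x64:       header layout selector
 * @saved_ctx: records filled in by patch_and_save_context()
 *
 * The walk mirrors patch_and_save_context(): one entry per QEMU CPU, stopping
 * at NumberProcessors. Iterating with CPU_FOREACH instead of plain
 * 0..NumberProcessors-1 matters when the guest reports more processors than
 * QEMU has: the caller allocates saved_ctx with NumberProcessors entries but
 * only the first CPU-count of them are ever filled, so a plain loop would
 * write uninitialised bytes to uninitialised guest addresses. Failures are
 * only warned about because the dump output is already complete (or has
 * already failed) by the time this runs.
 */
static void restore_context(WinDumpHeader *h, bool x64,
                            struct saved_context *saved_ctx)
{
    CPUState *cpu;
    int i = 0;

    CPU_FOREACH(cpu) {
        if (i >= WIN_DUMP_FIELD(NumberProcessors)) {
            break;
        }

        if (cpu_memory_rw_debug(first_cpu, saved_ctx[i].addr,
                &saved_ctx[i].ctx, win_dump_ctx_size(x64), 1)) {
            warn_report("win-dump: failed to restore CPU #%d context", i);
        }

        i++;
    }
}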
405 | ||
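/*
 * create_win_dump: write a Windows-format crashdump of the running guest.
 *
 * @s:    dump state; s->guest_note holds the vmcoreinfo note in which the
 *        guest driver placed a WinDumpHeader, s->fd is the output file
 * @errp: set on failure
 *
 * Flow: validate the note size and header magic, check that the note is big
 * enough for the detected layout, switch first_cpu's CR3 to the guest's
 * DirectoryTableBase so kernel virtual addresses resolve, verify/locate the
 * KDBG, patch the header, patch every CPU's CONTEXT record in guest memory,
 * write the header and the physical memory runs, then undo the context
 * patches and the CR3 change.
 *
 * Everything in the header is guest-supplied. Two values are therefore
 * checked before use: the layout tag must agree with the note size (else
 * reading 64-bit fields from a 32-bit-sized note runs past the buffer), and
 * NumberProcessors, which sizes the saved-context array, is allocated with
 * g_try_new() so an absurd count is reported instead of aborting on OOM.
 *
 * Known gap (unchanged here): if patch_and_save_context() fails midway, the
 * CPUs it already patched are not restored, because that error path skips
 * out_restore.
 */
void create_win_dump(DumpState *s, Error **errp)
{
    WinDumpHeader *h = (void *)(s->guest_note + VMCOREINFO_ELF_NOTE_HDR_SIZE);
    X86CPU *first_x86_cpu = X86_CPU(first_cpu);
    uint64_t saved_cr3 = first_x86_cpu->env.cr[3];
    struct saved_context *saved_ctx = NULL;
    Error *local_err = NULL;
    bool x64 = true;
    size_t hdr_size;

    if (s->guest_note_size != VMCOREINFO_WIN_DUMP_NOTE_SIZE32 &&
        s->guest_note_size != VMCOREINFO_WIN_DUMP_NOTE_SIZE64) {
        error_setg(errp, "win-dump: invalid vmcoreinfo note size");
        return;
    }

    if (!check_header(h, &x64, &local_err)) {
        error_propagate(errp, local_err);
        return;
    }

    /* A "DU64" tag inside a 32-bit-sized note would make h->x64 reads overrun. */
    if (s->guest_note_size != (x64 ? VMCOREINFO_WIN_DUMP_NOTE_SIZE64
                                   : VMCOREINFO_WIN_DUMP_NOTE_SIZE32)) {
        error_setg(errp, "win-dump: vmcoreinfo note size does not match"
                " the header layout");
        return;
    }

    hdr_size = x64 ? sizeof(WinDumpHeader64) : sizeof(WinDumpHeader32);

    /*
     * Further access to kernel structures by virtual addresses
     * should be made from system context.
     */
    first_x86_cpu->env.cr[3] = WIN_DUMP_FIELD(DirectoryTableBase);

    check_kdbg(h, x64, &local_err);
    if (local_err) {
        error_propagate(errp, local_err);
        goto out_cr3;
    }

    patch_header(h, x64);

    saved_ctx = g_try_new(struct saved_context,
                          WIN_DUMP_FIELD(NumberProcessors));
    if (!saved_ctx && WIN_DUMP_FIELD(NumberProcessors)) {
        error_setg(errp, "win-dump: cannot allocate context storage for"
                " %u processors", WIN_DUMP_FIELD(NumberProcessors));
        goto out_cr3;
    }

    /*
     * Always patch context because there is no way
     * to determine if the system-saved context is valid
     */
    patch_and_save_context(h, x64, saved_ctx, &local_err);
    if (local_err) {
        error_propagate(errp, local_err);
        goto out_free;
    }

    s->total_size = WIN_DUMP_FIELD(RequiredDumpSpace);

    s->written_size = qemu_write_full(s->fd, h, hdr_size);
    if (s->written_size != hdr_size) {
        error_setg(errp, QERR_IO_ERROR);
        goto out_restore;
    }

    write_runs(s, h, x64, &local_err);
    if (local_err) {
        error_propagate(errp, local_err);
    }

out_restore:
    restore_context(h, x64, saved_ctx);
out_free:
    g_free(saved_ctx);
out_cr3:
    first_x86_cpu->env.cr[3] = saved_cr3;
}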
480 | ||
481 | #else /* !TARGET_X86_64 */ | |
482 | ||
/*
 * win_dump_available: Windows crashdumps are not supported on this target.
 *
 * Always sets @errp with an explanatory message and answers false.
 */
bool win_dump_available(Error **errp)
{
    error_setg(errp, "Windows dump is only available for x86-64");
    return false;
}
489 | ||
/*
 * create_win_dump: stub for targets other than x86-64.
 *
 * Writes nothing; delegates to win_dump_available() so @errp carries the same
 * "not available on this target" message.
 */
void create_win_dump(DumpState *s, Error **errp)
{
    (void)s; /* nothing to dump here */
    (void)win_dump_available(errp);
}
494 | ||
495 | #endif |