You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

390 lines
11KB

  1. /*
  2. * Windows crashdump
  3. *
  4. * Copyright (c) 2018 Virtuozzo International GmbH
  5. *
  6. * This work is licensed under the terms of the GNU GPL, version 2 or later.
  7. * See the COPYING file in the top-level directory.
  8. *
  9. */
  10. #include "qemu/osdep.h"
  11. #include "qemu/cutils.h"
  12. #include "elf.h"
  13. #include "cpu.h"
  14. #include "exec/hwaddr.h"
  15. #include "monitor/monitor.h"
  16. #include "sysemu/kvm.h"
  17. #include "sysemu/dump.h"
  18. #include "sysemu/sysemu.h"
  19. #include "sysemu/memory_mapping.h"
  20. #include "sysemu/cpus.h"
  21. #include "qapi/error.h"
  22. #include "qapi/qmp/qerror.h"
  23. #include "qemu/error-report.h"
  24. #include "hw/misc/vmcoreinfo.h"
  25. #include "win_dump.h"
  26. static size_t write_run(WinDumpPhyMemRun64 *run, int fd, Error **errp)
  27. {
  28. void *buf;
  29. uint64_t addr = run->BasePage << TARGET_PAGE_BITS;
  30. uint64_t size = run->PageCount << TARGET_PAGE_BITS;
  31. uint64_t len, l;
  32. size_t total = 0;
  33. while (size) {
  34. len = size;
  35. buf = cpu_physical_memory_map(addr, &len, false);
  36. if (!buf) {
  37. error_setg(errp, "win-dump: failed to map physical range"
  38. " 0x%016" PRIx64 "-0x%016" PRIx64, addr, addr + size - 1);
  39. return 0;
  40. }
  41. l = qemu_write_full(fd, buf, len);
  42. cpu_physical_memory_unmap(buf, addr, false, len);
  43. if (l != len) {
  44. error_setg(errp, QERR_IO_ERROR);
  45. return 0;
  46. }
  47. addr += l;
  48. size -= l;
  49. total += l;
  50. }
  51. return total;
  52. }
  53. static void write_runs(DumpState *s, WinDumpHeader64 *h, Error **errp)
  54. {
  55. WinDumpPhyMemDesc64 *desc = &h->PhysicalMemoryBlock;
  56. WinDumpPhyMemRun64 *run = desc->Run;
  57. Error *local_err = NULL;
  58. int i;
  59. for (i = 0; i < desc->NumberOfRuns; i++) {
  60. s->written_size += write_run(run + i, s->fd, &local_err);
  61. if (local_err) {
  62. error_propagate(errp, local_err);
  63. return;
  64. }
  65. }
  66. }
  67. static void patch_mm_pfn_database(WinDumpHeader64 *h, Error **errp)
  68. {
  69. if (cpu_memory_rw_debug(first_cpu,
  70. h->KdDebuggerDataBlock + KDBG_MM_PFN_DATABASE_OFFSET64,
  71. (uint8_t *)&h->PfnDatabase, sizeof(h->PfnDatabase), 0)) {
  72. error_setg(errp, "win-dump: failed to read MmPfnDatabase");
  73. return;
  74. }
  75. }
  76. static void patch_bugcheck_data(WinDumpHeader64 *h, Error **errp)
  77. {
  78. uint64_t KiBugcheckData;
  79. if (cpu_memory_rw_debug(first_cpu,
  80. h->KdDebuggerDataBlock + KDBG_KI_BUGCHECK_DATA_OFFSET64,
  81. (uint8_t *)&KiBugcheckData, sizeof(KiBugcheckData), 0)) {
  82. error_setg(errp, "win-dump: failed to read KiBugcheckData");
  83. return;
  84. }
  85. if (cpu_memory_rw_debug(first_cpu,
  86. KiBugcheckData,
  87. h->BugcheckData, sizeof(h->BugcheckData), 0)) {
  88. error_setg(errp, "win-dump: failed to read bugcheck data");
  89. return;
  90. }
  91. /*
  92. * If BugcheckCode wasn't saved, we consider guest OS as alive.
  93. */
  94. if (!h->BugcheckCode) {
  95. h->BugcheckCode = LIVE_SYSTEM_DUMP;
  96. }
  97. }
  98. /*
  99. * This routine tries to correct mistakes in crashdump header.
  100. */
  101. static void patch_header(WinDumpHeader64 *h)
  102. {
  103. Error *local_err = NULL;
  104. h->RequiredDumpSpace = sizeof(WinDumpHeader64) +
  105. (h->PhysicalMemoryBlock.NumberOfPages << TARGET_PAGE_BITS);
  106. h->PhysicalMemoryBlock.unused = 0;
  107. h->unused1 = 0;
  108. patch_mm_pfn_database(h, &local_err);
  109. if (local_err) {
  110. warn_report_err(local_err);
  111. local_err = NULL;
  112. }
  113. patch_bugcheck_data(h, &local_err);
  114. if (local_err) {
  115. warn_report_err(local_err);
  116. }
  117. }
  118. static void check_header(WinDumpHeader64 *h, Error **errp)
  119. {
  120. const char Signature[] = "PAGE";
  121. const char ValidDump[] = "DU64";
  122. if (memcmp(h->Signature, Signature, sizeof(h->Signature))) {
  123. error_setg(errp, "win-dump: invalid header, expected '%.4s',"
  124. " got '%.4s'", Signature, h->Signature);
  125. return;
  126. }
  127. if (memcmp(h->ValidDump, ValidDump, sizeof(h->ValidDump))) {
  128. error_setg(errp, "win-dump: invalid header, expected '%.4s',"
  129. " got '%.4s'", ValidDump, h->ValidDump);
  130. return;
  131. }
  132. }
  133. static void check_kdbg(WinDumpHeader64 *h, Error **errp)
  134. {
  135. const char OwnerTag[] = "KDBG";
  136. char read_OwnerTag[4];
  137. uint64_t KdDebuggerDataBlock = h->KdDebuggerDataBlock;
  138. bool try_fallback = true;
  139. try_again:
  140. if (cpu_memory_rw_debug(first_cpu,
  141. KdDebuggerDataBlock + KDBG_OWNER_TAG_OFFSET64,
  142. (uint8_t *)&read_OwnerTag, sizeof(read_OwnerTag), 0)) {
  143. error_setg(errp, "win-dump: failed to read OwnerTag");
  144. return;
  145. }
  146. if (memcmp(read_OwnerTag, OwnerTag, sizeof(read_OwnerTag))) {
  147. if (try_fallback) {
  148. /*
  149. * If attempt to use original KDBG failed
  150. * (most likely because of its encryption),
  151. * we try to use KDBG obtained by guest driver.
  152. */
  153. KdDebuggerDataBlock = h->BugcheckParameter1;
  154. try_fallback = false;
  155. goto try_again;
  156. } else {
  157. error_setg(errp, "win-dump: invalid KDBG OwnerTag,"
  158. " expected '%.4s', got '%.4s'",
  159. OwnerTag, read_OwnerTag);
  160. return;
  161. }
  162. }
  163. h->KdDebuggerDataBlock = KdDebuggerDataBlock;
  164. }
  165. struct saved_context {
  166. WinContext ctx;
  167. uint64_t addr;
  168. };
  169. static void patch_and_save_context(WinDumpHeader64 *h,
  170. struct saved_context *saved_ctx,
  171. Error **errp)
  172. {
  173. uint64_t KiProcessorBlock;
  174. uint16_t OffsetPrcbContext;
  175. CPUState *cpu;
  176. int i = 0;
  177. if (cpu_memory_rw_debug(first_cpu,
  178. h->KdDebuggerDataBlock + KDBG_KI_PROCESSOR_BLOCK_OFFSET64,
  179. (uint8_t *)&KiProcessorBlock, sizeof(KiProcessorBlock), 0)) {
  180. error_setg(errp, "win-dump: failed to read KiProcessorBlock");
  181. return;
  182. }
  183. if (cpu_memory_rw_debug(first_cpu,
  184. h->KdDebuggerDataBlock + KDBG_OFFSET_PRCB_CONTEXT_OFFSET64,
  185. (uint8_t *)&OffsetPrcbContext, sizeof(OffsetPrcbContext), 0)) {
  186. error_setg(errp, "win-dump: failed to read OffsetPrcbContext");
  187. return;
  188. }
  189. CPU_FOREACH(cpu) {
  190. X86CPU *x86_cpu = X86_CPU(cpu);
  191. CPUX86State *env = &x86_cpu->env;
  192. uint64_t Prcb;
  193. uint64_t Context;
  194. WinContext ctx;
  195. if (cpu_memory_rw_debug(first_cpu,
  196. KiProcessorBlock + i * sizeof(uint64_t),
  197. (uint8_t *)&Prcb, sizeof(Prcb), 0)) {
  198. error_setg(errp, "win-dump: failed to read"
  199. " CPU #%d PRCB location", i);
  200. return;
  201. }
  202. if (cpu_memory_rw_debug(first_cpu,
  203. Prcb + OffsetPrcbContext,
  204. (uint8_t *)&Context, sizeof(Context), 0)) {
  205. error_setg(errp, "win-dump: failed to read"
  206. " CPU #%d ContextFrame location", i);
  207. return;
  208. }
  209. saved_ctx[i].addr = Context;
  210. ctx = (WinContext){
  211. .ContextFlags = WIN_CTX_ALL,
  212. .MxCsr = env->mxcsr,
  213. .SegEs = env->segs[0].selector,
  214. .SegCs = env->segs[1].selector,
  215. .SegSs = env->segs[2].selector,
  216. .SegDs = env->segs[3].selector,
  217. .SegFs = env->segs[4].selector,
  218. .SegGs = env->segs[5].selector,
  219. .EFlags = cpu_compute_eflags(env),
  220. .Dr0 = env->dr[0],
  221. .Dr1 = env->dr[1],
  222. .Dr2 = env->dr[2],
  223. .Dr3 = env->dr[3],
  224. .Dr6 = env->dr[6],
  225. .Dr7 = env->dr[7],
  226. .Rax = env->regs[R_EAX],
  227. .Rbx = env->regs[R_EBX],
  228. .Rcx = env->regs[R_ECX],
  229. .Rdx = env->regs[R_EDX],
  230. .Rsp = env->regs[R_ESP],
  231. .Rbp = env->regs[R_EBP],
  232. .Rsi = env->regs[R_ESI],
  233. .Rdi = env->regs[R_EDI],
  234. .R8 = env->regs[8],
  235. .R9 = env->regs[9],
  236. .R10 = env->regs[10],
  237. .R11 = env->regs[11],
  238. .R12 = env->regs[12],
  239. .R13 = env->regs[13],
  240. .R14 = env->regs[14],
  241. .R15 = env->regs[15],
  242. .Rip = env->eip,
  243. .FltSave = {
  244. .MxCsr = env->mxcsr,
  245. },
  246. };
  247. if (cpu_memory_rw_debug(first_cpu, Context,
  248. (uint8_t *)&saved_ctx[i].ctx, sizeof(WinContext), 0)) {
  249. error_setg(errp, "win-dump: failed to save CPU #%d context", i);
  250. return;
  251. }
  252. if (cpu_memory_rw_debug(first_cpu, Context,
  253. (uint8_t *)&ctx, sizeof(WinContext), 1)) {
  254. error_setg(errp, "win-dump: failed to write CPU #%d context", i);
  255. return;
  256. }
  257. i++;
  258. }
  259. }
  260. static void restore_context(WinDumpHeader64 *h,
  261. struct saved_context *saved_ctx)
  262. {
  263. int i;
  264. Error *err = NULL;
  265. for (i = 0; i < h->NumberProcessors; i++) {
  266. if (cpu_memory_rw_debug(first_cpu, saved_ctx[i].addr,
  267. (uint8_t *)&saved_ctx[i].ctx, sizeof(WinContext), 1)) {
  268. error_setg(&err, "win-dump: failed to restore CPU #%d context", i);
  269. warn_report_err(err);
  270. }
  271. }
  272. }
  273. void create_win_dump(DumpState *s, Error **errp)
  274. {
  275. WinDumpHeader64 *h = (WinDumpHeader64 *)(s->guest_note +
  276. VMCOREINFO_ELF_NOTE_HDR_SIZE);
  277. X86CPU *first_x86_cpu = X86_CPU(first_cpu);
  278. uint64_t saved_cr3 = first_x86_cpu->env.cr[3];
  279. struct saved_context *saved_ctx = NULL;
  280. Error *local_err = NULL;
  281. if (s->guest_note_size != sizeof(WinDumpHeader64) +
  282. VMCOREINFO_ELF_NOTE_HDR_SIZE) {
  283. error_setg(errp, "win-dump: invalid vmcoreinfo note size");
  284. return;
  285. }
  286. check_header(h, &local_err);
  287. if (local_err) {
  288. error_propagate(errp, local_err);
  289. return;
  290. }
  291. /*
  292. * Further access to kernel structures by virtual addresses
  293. * should be made from system context.
  294. */
  295. first_x86_cpu->env.cr[3] = h->DirectoryTableBase;
  296. check_kdbg(h, &local_err);
  297. if (local_err) {
  298. error_propagate(errp, local_err);
  299. goto out_cr3;
  300. }
  301. patch_header(h);
  302. saved_ctx = g_new(struct saved_context, h->NumberProcessors);
  303. /*
  304. * Always patch context because there is no way
  305. * to determine if the system-saved context is valid
  306. */
  307. patch_and_save_context(h, saved_ctx, &local_err);
  308. if (local_err) {
  309. error_propagate(errp, local_err);
  310. goto out_free;
  311. }
  312. s->total_size = h->RequiredDumpSpace;
  313. s->written_size = qemu_write_full(s->fd, h, sizeof(*h));
  314. if (s->written_size != sizeof(*h)) {
  315. error_setg(errp, QERR_IO_ERROR);
  316. goto out_restore;
  317. }
  318. write_runs(s, h, &local_err);
  319. if (local_err) {
  320. error_propagate(errp, local_err);
  321. goto out_restore;
  322. }
  323. out_restore:
  324. restore_context(h, saved_ctx);
  325. out_free:
  326. g_free(saved_ctx);
  327. out_cr3:
  328. first_x86_cpu->env.cr[3] = saved_cr3;
  329. return;
  330. }