Clean-up full-coverage mode implementation

GJDuck · GJDuck · commit 350b0718017d · 2023-08-23T13:28:56.000+08:00
- Fix -O3 and -100 compatibility.
- Make multiple -100 binaries work together
- Add --help documentation
- Add manpage documentation
diff --git a/doc/e9patch.1 b/doc/e9patch.1
@@ -28,6 +28,8 @@ The first phase tracks instruction patching success or failure:
 .IP
 \fB\[char46]\fR = Instruction was patched successfully
 .br
+\fBT\fR = Instruction was patched with tactic B0
+.br
 \fBX\fR = Instruction could not be patched
 .PP
 The second phase tracks physical memory compression:
@@ -159,6 +161,8 @@ automatically/randomly.  The special value "none" leaves the
 original base intact.
 .br
 Default: \fBnone\fR (disabled)
+.IP "\fB\-\-tactic\-B0\fR[=\fI\,false\/\fR]" 4
+.PD 0
 .IP "\fB\-\-tactic\-B1\fR[=\fI\,false\/\fR]" 4
 .PD 0
 .IP "\fB\-\-tactic\-B2\fR[=\fI\,false\/\fR]" 4
@@ -169,12 +173,14 @@ Default: \fBnone\fR (disabled)
 .PD 0
 .IP "\fB\-\-tactic\-T3\fR[=\fI\,false\/\fR]" 4
 .PD
-Enables [disables] the corresponding tactic (B1/B2/T1/T2/T3).
+Enables [disables] corresponding tactic (B1/B2/T1/T2/T3).
 .br
-Default: \fBtrue\fR (enabled)
-.IP
+Default: \fBtrue\fR (enabled) for B1/B2/T1/T2/T3
+         \fBfalse\fR (disabled) for B0
+.TP
 \fB\-\-tactic\-backward\-T3\fR[=\fI\,false\/\fR]
-Enable [disables] backward jumps for tactic T3.
+Enables [disables] backward jumps for tactic T3.
+.br
 Default: \fBtrue\fR (enabled)
 .TP
 \fB\-\-trap\fR=\fI\,ADDR\/\fR
@@ -185,11 +191,13 @@ the trampoline using GDB.
 \fB\-\-trap\-all\fR[=\fI\,false\/\fR]
 Enable [disable] the insertion of a trap (int3) instruction at
 all trampoline entries.
+.br
 Default: \fBfalse\fR (disabled)
 .TP
 \fB\-\-trap\-entry\fR[=\fI\,false\/\fR]
 Enable [disable] the insertion of a trap (int3) at the program
 loader entry\-point.
+.br
 Default: \fBfalse\fR (disabled)
 .TP
 \fB\-\-version\fR
diff --git a/doc/e9tool.1 b/doc/e9tool.1
@@ -102,6 +102,11 @@ For more information, please refer to the following document:
 .IP "" 4
 \fI/usr/share/doc/e9tool/e9tool-user-guide.html\fR
 .SH OPTIONS
+.IP "\fB\-100\fR" 4
+Enables "full coverage" mode that attempts to patch 100% of matching
+instructions, even at the cost of a significant reduction in performance.
+This is useful for applications that prioritize coverage over other
+considerations.
 .IP "\fB\-\-backend\fR PROG" 4
 Use PROG as the backend.
 The default is "e9patch".
diff --git a/src/e9patch/e9elf.cpp b/src/e9patch/e9elf.cpp
@@ -522,7 +522,7 @@ size_t emitElf(Binary *B, const MappingSet &mappings, size_t mapping_size)
     for (auto i = B->Traps.rbegin(); i != B->Traps.rend(); ++i)
     {
         const Alloc *A = *i;
-        struct e9_trap_s trap = {A->I->addr, A->lb};
+        struct e9_trap_s trap = {A->I->addr, A->lb + A->entry};
         memcpy(data + size, &trap, sizeof(trap));
         size += sizeof(trap);
         config->num_traps++;
diff --git a/src/e9patch/e9loader_elf.cpp b/src/e9patch/e9loader_elf.cpp
@@ -48,6 +48,7 @@ struct ksigaction
     sigset_t sa_mask;
 };
 #define SA_RESTORER 0x04000000
+#define E9_BACKDOOR 0xe9e9e9e9
 
 typedef void (*e9handler_t)(int, siginfo_t *, void *);
 struct e9scratch_s
@@ -163,7 +164,7 @@ static NO_INLINE struct e9scratch_s *e9scratch(const e9_config_s *config,
     if (!alloc)
         return (struct e9scratch_s *)scratch;
     intptr_t r = e9mmap(scratch, PAGE_SIZE, PROT_READ | PROT_WRITE,
-        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
     r = (r >= 0 && r != (intptr_t)scratch? -EAGAIN: r);
     if (r < 0)
         e9panic("mmap() scratch failed (errno=%u)", (unsigned)-r);
@@ -250,7 +251,7 @@ void e9handler(int sig, siginfo_t *info, ucontext_t *ctx,
         {
             (void *)SIG_DFL, SA_NODEFER | SA_RESTORER, NULL, 0
         };
-        e9syscall(SYS_rt_sigaction, SIGILL, &action, NULL, 8, 0xe9e9e9e9);
+        e9syscall(SYS_rt_sigaction, SIGILL, &action, NULL, 8, E9_BACKDOOR);
         trampoline = (uint8_t *)mctx->gregs[REG_RIP];
     }
     void *xstate = (void *)mctx->fpregs;
@@ -301,7 +302,7 @@ static void e9filter(struct e9scratch_s *scratch)
         BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
             offsetof(struct seccomp_data, args[4])),
         // Backdoor: TODO: think of a better solution
-        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xe9e9e9e9, 3, 0),
+        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, E9_BACKDOOR, 3, 0),
         BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
             offsetof(struct seccomp_data, args[0])),
         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SIGILL, 0, 1),
@@ -416,7 +417,8 @@ void *e9init(int argc, char **argv, char **envp, const e9_config_s *config)
             (void *)handler, SA_NODEFER | SA_SIGINFO | SA_RESTORER,
             NULL, 0x0
         };
-        intptr_t r = e9syscall(SYS_rt_sigaction, SIGILL, &action, &old, 8);
+        intptr_t r = e9syscall(SYS_rt_sigaction, SIGILL, &action, &old, 8,
+            E9_BACKDOOR);
         if (r < 0)
             e9panic("sigaction() failed (errno=%u)", -r);
         scratch =
diff --git a/src/e9patch/e9patch.cpp b/src/e9patch/e9patch.cpp
@@ -357,13 +357,15 @@ static void usage(FILE *stream, const char *progname)
         "\t\toriginal base intact.\n"
         "\t\tDefault: none (disabled)\n"
         "\n"
+        "\t--tactic-B0[=false]\n"
         "\t--tactic-B1[=false]\n"
         "\t--tactic-B2[=false]\n"
         "\t--tactic-T1[=false]\n"
         "\t--tactic-T2[=false]\n"
         "\t--tactic-T3[=false]\n"
-        "\t\tEnables [disables] the corresponding tactic (B1/B2/T1/T2/T3).\n"
-        "\t\tDefault: true (enabled)\n"
+        "\t\tEnables [disables] corresponding tactic (B0/B1/B2/T1/T2/T3).\n"
+        "\t\tDefault: true  (enabled) for B1/B2/T1/T2/T3\n"
+        "\t\t         false (disabled) for B0\n"
         "\n"
         "\t--tactic-backward-T3[=false]\n"
         "\t\tEnable [disables] backward jumps for tactic T3.\n"
diff --git a/src/e9patch/e9tactics.cpp b/src/e9patch/e9tactics.cpp
@@ -260,7 +260,8 @@ static Bounds makeBounds(Binary &B, const Trampoline *T, const Instr *I,
     switch (B.mode)
     {
         case MODE_ELF_EXE: case MODE_ELF_DSO:
-            hi = std::min(hi, option_loader_base);
+            // The additional page is for the loader scratch space
+            hi = std::min(hi, option_loader_base - (intptr_t)PAGE_SIZE);
         default:
             break;
     }
diff --git a/src/e9tool/e9misc.cpp b/src/e9tool/e9misc.cpp
@@ -223,6 +223,12 @@ void usage(FILE *stream, const char *progname)
         "OTHER OPTIONS\n"
         "=============\n"
         "\n"
+        "\t-100\n"
+        "\t\tEnables \"full coverage\" mode that attempts to patch 100%%\n"
+        "\t\tof matching instructions, even at the cost of a (significant)\n"
+        "\t\treduction in performance.  This is useful for applications\n"
+        "\t\tthat prioritize coverage over other considerations.\n"
+        "\n"
         "\t--backend PROG\n"
         "\t\tUse PROG as the backend.  The default is \"e9patch\".\n"
         "\n"

Original file line number	Diff line number	Diff line change
`@@ -522,7 +522,7 @@ size_t emitElf(Binary *B, const MappingSet &mappings, size_t mapping_size)`
`522`	`522`	`for (auto i = B->Traps.rbegin(); i != B->Traps.rend(); ++i)`
`523`	`523`	`{`
`524`	`524`	`const Alloc A = i;`
`525`		`- struct e9_trap_s trap = {A->I->addr, A->lb};`
	`525`	`+ struct e9_trap_s trap = {A->I->addr, A->lb + A->entry};`
`526`	`526`	`memcpy(data + size, &trap, sizeof(trap));`
`527`	`527`	`size += sizeof(trap);`
`528`	`528`	`config->num_traps++;`
Original file line number	Diff line number	Diff line change
`@@ -260,7 +260,8 @@ static Bounds makeBounds(Binary &B, const Trampoline T, const Instr I,`
`260`	`260`	`switch (B.mode)`
`261`	`261`	`{`
`262`	`262`	`case MODE_ELF_EXE: case MODE_ELF_DSO:`
`263`		`- hi = std::min(hi, option_loader_base);`
	`263`	`+ // The additional page is for the loader scratch space`
	`264`	`+ hi = std::min(hi, option_loader_base - (intptr_t)PAGE_SIZE);`
`264`	`265`	`default:`
`265`	`266`	`break;`
`266`	`267`	`}`