Add LAVA attack points manually

AndrewQuijano · AndrewQuijano · commit 0ca00bb094ea · 2025-05-16T22:43:29.000-04:00
diff --git a/panda/plugins/pri_taint/pri_taint.cpp b/panda/plugins/pri_taint/pri_taint.cpp
@@ -301,6 +301,40 @@ void pfun(void *var_ty_void, const char *var_nm, LocType loc_t, target_ulong loc
     }
 }
 
+// Taken from taint2_hypercalls.cpp, not sure why but at the moment
+// AttackPoints is never populated.
+Panda__SrcInfo *pandalog_src_info_create(PandaHypercallStruct phs) {
+    Panda__SrcInfo *si = (Panda__SrcInfo *) malloc(sizeof(Panda__SrcInfo));
+    *si = PANDA__SRC_INFO__INIT;
+    si->filename = phs.src_filename;
+    si->astnodename = phs.src_ast_node_name;
+    si->linenum = phs.src_linenum;
+    si->has_insertionpoint = 0;
+    if (phs.insertion_point) {
+        si->has_insertionpoint = 1;
+        si->insertionpoint = phs.insertion_point;
+    }
+    si->has_ast_loc_id = 1;
+    si->ast_loc_id = phs.src_filename;
+    return si;
+}
+
+void lava_attack_point(PandaHypercallStruct phs) {
+    if (pandalog) {
+        Panda__AttackPoint *ap = (Panda__AttackPoint *)malloc(sizeof(Panda__AttackPoint));
+        *ap = PANDA__ATTACK_POINT__INIT;
+        ap->info = phs.info;
+        Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;
+        ple.attack_point = ap;
+        ple.attack_point->src_info = pandalog_src_info_create(phs);
+        ple.attack_point->call_stack = pandalog_callstack_create();
+        pandalog_write_entry(&ple);
+        free(ple.attack_point->src_info);
+        pandalog_callstack_free(ple.attack_point->call_stack);
+        free(ap);
+    }
+}
+
 /*
 // Trace logging in the level of source code
 void hypercall_log_trace(unsigned ast_loc_id) {
@@ -363,22 +397,24 @@ void lava_hypercall(CPUState *cpu) {
             // lava/include/pirate_mark_lava.h
             if (phs.action == 13) {
                 target_ulong pc = panda_current_pc(cpu);
-                SrcInfo info;
                 // Calls 'pri_get_pc_source_info' in pri.c, which calls 'on_get_pc_source_info'
                 // In Dwarf2, the function 'on_get_pc_source_info' is mapped to 'dwarf_get_pc_source_info'
+                SrcInfo info;
                 int rc = pri_get_pc_source_info(cpu, pc, &info);
                 if (!rc) {
                     struct args args = {cpu, info.filename, info.line_number, phs.src_filename};
                     dprintf("[pri_taint] panda hypercall: [%s], "
                             "ln: %4ld, pc @ 0x" TARGET_FMT_lx "\n",
                             info.filename,
                             info.line_number, pc);
-
                     // Calls 'pri_funct_livevar_iter' in pri.c, which calls 'on_funct_livevar_iter'
                     // In Dwarf2, the function 'on_funct_livevar_iter' is mapped to 'dwarf_funct_livevar_iter'
                     // This is passing the function 'pfun' to 'pri_funct_livevar_iter', which is called at the end
                     pri_funct_livevar_iter(cpu, pc, (liveVarCB) pfun, (void *)&args);
                 }
+                else if (phs.action == 12) {
+                    lava_attack_point(phs);
+                }
                 else {
                     dprintf("[pri_taint] pri_get_pc_src_info has failed: %d != 0.\n", rc);
                 }
