From 9928452ab6188d404ca7bb8fc5215a718e2d5c9d Mon Sep 17 00:00:00 2001
From: Romain Malmain
Date: Thu, 30 Nov 2023 17:27:34 +0100
Subject: [PATCH 1/3] Added paging id boilerplate code + x86_64 implementation.
---
 cpu-target.c | 20 ++++++++++++++++++++
 include/hw/core/sysemu-cpu-ops.h | 6 ++++++
 target/i386/cpu.c | 13 +++++++++++++
 target/i386/cpu.h | 6 ++++++
 4 files changed, 45 insertions(+)
diff --git a/cpu-target.c b/cpu-target.c
index 52a2516b373..e5eb9714fe8 100644
--- a/cpu-target.c
+++ b/cpu-target.c
@@ -61,6 +61,14 @@ int libafl_qemu_write_reg(CPUState* cpu, int reg, uint8_t* val);
 int libafl_qemu_read_reg(CPUState* cpu, int reg, uint8_t* val);
 int libafl_qemu_num_regs(CPUState* cpu);
+//// --- Begin LibAFL code ---
+
+#ifndef CONFIG_USER_ONLY
+hwaddr libafl_qemu_current_paging_id(CPUState* cpu);
+#endif
+
+//// --- End LibAFL code ---
+
 void libafl_flush_jit(void);
 extern int libafl_restoring_devices;
@@ -153,6 +161,18 @@ int libafl_qemu_num_regs(CPUState* cpu)
 return cc->gdb_num_core_regs;
 }
+//// --- Begin LibAFL code ---
+
+#ifndef CONFIG_USER_ONLY
+hwaddr libafl_qemu_current_paging_id(CPUState* cpu)
+{
+ CPUClass* cc = CPU_GET_CLASS(cpu);
+ return cc->sysemu_ops->get_paging_id(cpu);
+}
+#endif
+
+//// --- End LibAFL code ---
+
 void libafl_flush_jit(void)
 {
 CPUState *cpu;
diff --git a/include/hw/core/sysemu-cpu-ops.h b/include/hw/core/sysemu-cpu-ops.h
index 24d003fe041..22885b5b4fa 100644
--- a/include/hw/core/sysemu-cpu-ops.h
+++ b/include/hw/core/sysemu-cpu-ops.h
@@ -25,6 +25,12 @@ typedef struct SysemuCPUOps {
 * @get_paging_enabled: Callback for inquiring whether paging is enabled.
 */
 bool (*get_paging_enabled)(const CPUState *cpu);
+//// --- Begin LibAFL code ---
+ /**
+ * @get_paging_id: Callback for inquiring paging ID (makes sense iif @get_paging_enabled is true).
+ */
+ hwaddr (*get_paging_id)(const CPUState* cpu);
+//// --- End LibAFL code ---
 /**
 * @get_phys_page_debug: Callback for obtaining a physical address.
 */
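Review bot: libafl_qemu_current_paging_id hands back the target's paging id without confirming that paging is enabled, although the @get_paging_id documentation added in sysemu-cpu-ops.h says the value only makes sense when @get_paging_enabled is true; on x86 CR3 simply keeps its last written value while paging is off, so a caller would receive a stale or meaningless id. Either gate on `cc->sysemu_ops->get_paging_enabled(cpu)` here, or state the precondition on the function with a comment such as `/* Only meaningful while get_paging_enabled() reports true; callers must check. */` and put the same comment on the prototype added in the first hunk of this file. The follow-up fix commit adds the NULL checks on sysemu_ops but leaves this gap.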
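Review bot: The new @get_paging_id comment in the SysemuCPUOps hunk has a typo ("iif" for "iff") and does not say what the returned hwaddr identifies, and the added prototype writes the pointer declarator as `const CPUState* cpu` while every neighbouring member in this struct uses `const CPUState *cpu`. Suggest `hwaddr (*get_paging_id)(const CPUState *cpu);` with a comment along the lines of `@get_paging_id: Callback returning an identifier for the current address space (the x86 implementation uses the CR3 table base); only meaningful iff @get_paging_enabled is true.`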
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 358d9c0a655..35c793c6dd6 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -7654,6 +7654,18 @@ static bool x86_cpu_get_paging_enabled(const CPUState *cs)
 return cpu->env.cr[0] & CR0_PG_MASK;
 }
+
+//// --- Begin LibAFL code ---
+
+static hwaddr x86_cpu_get_paging_id(const CPUState *cs)
+{
+ X86CPU *cpu = X86_CPU(cs);
+
+ return cpu->env.cr[3] & CR3_PD_BASE;
+}
+
+//// --- End LibAFL code ---
+
 #endif /* !CONFIG_USER_ONLY */
 static void x86_cpu_set_pc(CPUState *cs, vaddr value)
@@ -7922,6 +7934,7 @@ static Property x86_cpu_properties[] = {
 static const struct SysemuCPUOps i386_sysemu_ops = {
 .get_memory_mapping = x86_cpu_get_memory_mapping,
 .get_paging_enabled = x86_cpu_get_paging_enabled,
+ .get_paging_id = x86_cpu_get_paging_id,
 .get_phys_page_attrs_debug = x86_cpu_get_phys_page_attrs_debug,
 .asidx_from_attrs = x86_asidx_from_attrs,
 .get_crash_info = x86_cpu_get_crash_info,
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index cd2e295bd65..deebf1a9ade 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -238,6 +238,12 @@ typedef enum X86Seg {
 #define CR0_CD_MASK (1U << 30)
 #define CR0_PG_MASK (1U << 31)
+//// --- Begin LibAFL code ---
+
+#define CR3_PD_BASE (~(((((target_ulong) 1U) << 12) - 1)))
+
+//// --- End LibAFL code ---
+
 #define CR4_VME_MASK (1U << 0)
 #define CR4_PVI_MASK (1U << 1)
 #define CR4_TSD_MASK (1U << 2)
From c386a5a9b9a2a1cf250726cf54b37becffd27e82 Mon Sep 17 00:00:00 2001
From: Romain Malmain
Date: Thu, 30 Nov 2023 18:09:17 +0100
Subject: [PATCH 2/3] fix: check if `get_paging_id` is implemented.
---
 cpu-target.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/cpu-target.c b/cpu-target.c
index e5eb9714fe8..b7d4d76d357 100644
--- a/cpu-target.c
+++ b/cpu-target.c
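Review bot: x86_cpu_get_paging_id masks CR3 with CR3_PD_BASE (low 12 bits cleared) regardless of paging mode, but under 32-bit PAE paging (CR4.PAE set, long mode off) the PDPT base occupies CR3 bits 31:5, so address bits 5..11 are discarded and two distinct PAE address spaces can collapse to the same id, which would misattribute whatever the fuzzer keys on this value. For long mode and legacy 32-bit paging the mask is right, and with CR4.PCIDE the low 12 bits hold the PCID and should indeed be dropped. If 32-bit PAE guests are in scope, select the mask from the paging mode using the CR4_PAE_MASK and HF_LMA_MASK definitions this target already has, as sketched below; the same limitation applies to the CR3_PD_BASE definition in the target/i386/cpu.h hunk.
```c
static hwaddr x86_cpu_get_paging_id(const CPUState *cs)
{
    X86CPU *cpu = X86_CPU(cs);
    CPUX86State *env = &cpu->env;

    /* 32-bit PAE paging keeps the 32-byte aligned PDPT base in CR3 bits 31:5. */
    if ((env->cr[4] & CR4_PAE_MASK) && !(env->hflags & HF_LMA_MASK)) {
        return env->cr[3] & ~(target_ulong)0x1f;
    }
    return env->cr[3] & CR3_PD_BASE;
}
```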
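Review bot: CR3_PD_BASE in the target/i386/cpu.h hunk is added without a comment saying which CR3 bits it strips or why, and the "PD" (page directory) in its name is only accurate for legacy 32-bit paging, since in long mode CR3 points at a PML4 or PML5 table. A one-line comment would carry the intent, e.g. `/* CR3 with bits 11:0 cleared: they hold PWT/PCD or, with CR4.PCIDE, the PCID, not the table base. */`, and a mode-neutral name such as `CR3_PAGING_ROOT_MASK` would read better next to the CR0/CR4 masks around it.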
@@ -167,7 +167,11 @@ int libafl_qemu_num_regs(CPUState* cpu)
 hwaddr libafl_qemu_current_paging_id(CPUState* cpu)
 {
 CPUClass* cc = CPU_GET_CLASS(cpu);
- return cc->sysemu_ops->get_paging_id(cpu);
+ if (cc->sysemu_ops && cc->sysemu_ops->get_paging_id) {
+ return cc->sysemu_ops->get_paging_id(cpu);
+ } else {
+ return 0;
+ }
 }
 #endif
From 033f2439c797214c50365ecd4c593594d6a27a1a Mon Sep 17 00:00:00 2001
From: Romain Malmain
Date: Thu, 30 Nov 2023 18:15:13 +0100
Subject: [PATCH 3/3] added libafl guard.
---
 target/i386/cpu.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 35c793c6dd6..499771053c0 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -7934,7 +7934,9 @@ static Property x86_cpu_properties[] = {
 static const struct SysemuCPUOps i386_sysemu_ops = {
 .get_memory_mapping = x86_cpu_get_memory_mapping,
 .get_paging_enabled = x86_cpu_get_paging_enabled,
+//// --- Begin LibAFL code ---
 .get_paging_id = x86_cpu_get_paging_id,
+//// --- End LibAFL code ---
 .get_phys_page_attrs_debug = x86_cpu_get_phys_page_attrs_debug,
 .asidx_from_attrs = x86_asidx_from_attrs,
 .get_crash_info = x86_cpu_get_crash_info,
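Review bot: The new fallback `return 0` in libafl_qemu_current_paging_id is indistinguishable from a genuine paging id of 0 (on x86 that is a CR3 whose table base sits at physical page 0, unusual but legal), so a caller cannot tell "this target does not implement get_paging_id" from a real value. If 0 is the intended sentinel, say so where it is returned and have callers consult get_paging_enabled first; QEMU style also avoids `else` after a `return`, so the tail can simply be `}` followed by `return 0; /* target provides no paging id */`. Callers elsewhere that branch on this value should be audited against that convention, since the function has no comment stating it.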