From: Thiemo Seufer
Reply-To: qemu-devel@nongnu.org
To: qemu-devel@nongnu.org
Date: Mon, 19 Mar 2007 21:34:45 +0000
Subject: Re: [Qemu-devel] [Bug] [Patch] MIPS code fails at branch instruction
Message-ID: <20070319213445.GJ28895@networkno.de>
In-Reply-To: <45FEFAC0.4060901@mail.berlios.de>
References: <45FB245C.2010900@mail.berlios.de> <20070317143106.GF25863@networkno.de> <45FC3A07.3070302@weilnetz.de> <200703172032.52010.paul@codesourcery.com> <45FEFAC0.4060901@mail.berlios.de>

Stefan Weil wrote:
> Thank you, Paul, for your explanation which clarified Thiemo's statement.
>
> I now checked how my published test code could contribute to a DoS attack.
>
> Current QEMU HEAD:
>
> * The code "hangs" as I wrote before. This is from a user's point of view.
> "Hanging" means that the test process runs in an infinite loop using any
> CPU time it can get in the virtual machine. QEMU uses all available
> CPU time from the host CPU.

This is a bug in qemu, since it doesn't match CPU behaviour. While the
architecture spec claims UNPREDICTABLE, such a code sequence shouldn't
impede other processes on the same CPU. Throwing an RI exception should
suffice for the general case (i.e. not AR7).

> With single stepping enabled or in the debugger, the test code won't
> hang but give a random result.
>
> Patched QEMU HEAD (see appended patch file):
>
> * The code works in a well defined way. An optional message in the log file
> will show the faulty statement. It won't amount to a DoS because it
> is disabled by default.

Sorry, but I missed the "well defined". What does the jump in the branch
delay slot exactly _do_ now? Where does the PC point to when it was a
conditional branch which wasn't taken?

[snip]

> * show optional message when any branch bits in hflags are already set
> before a branch instruction is generated (so we have a branch in the
> delay slot)

Agreed on that, since it is debug output which is only written when asked
for.


Thiemo
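The check discussed in this thread, as an added example that is not code from the thread or from QEMU: a toy MIPS32 translator front end tracks "branch pending" bits in a constructed hflags word and, when another control-transfer instruction is decoded while those bits are already set (a branch in the delay slot), raises a Reserved Instruction exception and emits an optional diagnostic, instead of leaving the emulated CPU in an undefined state that could spin forever. The hflags bit values, the `EXCP_RI` constant, all function names and the sample instruction words are this example's own constructions; only a subset of the MIPS32 branch and jump encodings is recognised.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed "branch pending" flags, modelled on the idea of hflags branch
 * bits discussed in the thread. These values are this example's own. */
enum {
    HFLAG_BR    = 1u << 0,            /* unconditional jump/branch pending */
    HFLAG_BC    = 1u << 1,            /* conditional branch pending */
    HFLAG_BMASK = HFLAG_BR | HFLAG_BC,
};

enum { EXCP_NONE = 0, EXCP_RI = 1 };  /* constructed exception codes */

typedef struct {
    uint32_t hflags;                  /* pending-branch state */
    uint32_t pc;                      /* address of the instruction being decoded */
} TransCtx;

/* MIPS32 major opcodes (bits 31..26) for a subset of control transfers. */
enum {
    OPC_SPECIAL = 0x00, OPC_REGIMM = 0x01, OPC_J = 0x02, OPC_JAL = 0x03,
    OPC_BEQ = 0x04, OPC_BNE = 0x05, OPC_BLEZ = 0x06, OPC_BGTZ = 0x07,
};
enum { FUNCT_JR = 0x08, FUNCT_JALR = 0x09 };      /* SPECIAL funct field */
enum { REGIMM_BLTZ = 0x00, REGIMM_BGEZ = 0x01 };  /* REGIMM rt field */

/* Classify one instruction word: the hflags bit it would set, or 0 if it is
 * not a branch/jump in the recognised subset. */
uint32_t branch_kind(uint32_t insn)
{
    uint32_t op    = insn >> 26;
    uint32_t rt    = (insn >> 16) & 0x1f;
    uint32_t funct = insn & 0x3f;

    switch (op) {
    case OPC_J: case OPC_JAL:
        return HFLAG_BR;
    case OPC_BEQ: case OPC_BNE: case OPC_BLEZ: case OPC_BGTZ:
        return HFLAG_BC;
    case OPC_REGIMM:
        return (rt == REGIMM_BLTZ || rt == REGIMM_BGEZ) ? HFLAG_BC : 0;
    case OPC_SPECIAL:
        return (funct == FUNCT_JR || funct == FUNCT_JALR) ? HFLAG_BR : 0;
    default:
        return 0;
    }
}

/* Translate one instruction. A branch decoded while a branch is already
 * pending is rejected with EXCP_RI; the diagnostic is only printed when
 * asked for, mirroring the "optional message" in the thread. */
int translate_one(TransCtx *ctx, uint32_t insn, int verbose)
{
    uint32_t kind = branch_kind(insn);

    if (kind && (ctx->hflags & HFLAG_BMASK)) {
        if (verbose)
            fprintf(stderr, "branch in delay slot at pc 0x%08x (insn 0x%08x)\n",
                    ctx->pc, insn);
        ctx->hflags &= ~HFLAG_BMASK;      /* abandon the pending branch */
        return EXCP_RI;
    }
    if (kind)
        ctx->hflags |= kind;              /* next instruction is the delay slot */
    else
        ctx->hflags &= ~HFLAG_BMASK;      /* delay slot consumed */
    ctx->pc += 4;
    return EXCP_NONE;
}

/* Scan a block of instruction words; returns the index of the first
 * instruction that would raise RI, or -1 if the block is well formed. */
int scan_block(const uint32_t *code, size_t n, int verbose)
{
    TransCtx ctx = { 0, 0 };
    for (size_t i = 0; i < n; i++)
        if (translate_one(&ctx, code[i], verbose) == EXCP_RI)
            return (int)i;
    return -1;
}

/* Constructed sample code blocks (hand-encoded MIPS32 words). */
static const uint32_t good_code[] = {
    0x10000001, /* beq $0,$0,+1   branch */
    0x00000000, /* nop            delay slot */
    0x03e00008, /* jr $ra */
    0x00000000, /* nop            delay slot */
};
static const uint32_t bad_code[] = {
    0x10000001, /* beq $0,$0,+1   branch */
    0x10000001, /* beq $0,$0,+1   branch in the delay slot: RI */
    0x00000000, /* nop */
};

int scan_good(void) { return scan_block(good_code, 4, 0); }  /* -1 */
int scan_bad(void)  { return scan_block(bad_code, 3, 1); }   /*  1 */

int main(void)
{
    printf("good block: first fault at %d\n", scan_good());
    printf("bad block:  first fault at %d\n", scan_bad());
    return 0;
}
```

Run stand-alone, the bad block reports index 1 on stderr and the good block reports no fault; the `verbose` argument is what a `-d`-style debug switch would toggle, so the diagnostic costs nothing when it is off.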