From: Fabrice Bellard <fabrice@bellard.org>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] bug report : kqemu and self-writing code
Date: Tue, 02 May 2006 23:04:41 +0200	[thread overview]
Message-ID: <4457C969.5070304@bellard.org> (raw)
In-Reply-To: <ef735050605020213p68b433abmfcce31b54ce2881e@mail.gmail.com>

To clarify the current behaviour of kqemu and QEMU with self-writing 
code, the following table can be useful:

Supported feature   QEMU                    kqemu
----------------------------------------------------
CS.limit            no                      yes
NX bit              yes (x86_64 only)       no

So you can understand now why in some cases QEMU or kqemu does not seem 
to give what you expect. Fixing both issues is of course possible but it 
is not my priority yet.

Fabrice.

G Portokalidis wrote:
> I had a similar problem, but only when not using kqemu.
> 
> When using a stack overflow exploit, the shellcode provided only
> executes when using kqemu. I can attribute this to either the
> shellcode being in a different location (maybe someone can clarify
> this, is qemu using a different memory layout e.g. stack is located in
> a different virtual address), or qemu does not translate the shellcode
> located in the stack and instead causes a memory fault (again I have
> no idea why this should be the case).
> 
> When using kqemu the shellcode executes normally.
> I did not have any time to investigate the reasons, but I have a hunch
> it is probably the translation.
> If anyone knows what the problem is, I would be glad to write a patch.
> 
> 
> On 02/05/06, Kevin F. Quinn <ml@kevquinn.com> wrote:
> 
>> Looks like SELinux to me.  Even - you should raise it with whoever
>> writes your policy.
>>
>> On Mon, 01 May 2006 23:29:54 +0200
>> Fabrice Bellard <fabrice@bellard.org> wrote:
>>
>> > Are you sure that the bug is really in kqemu? It is possible that
>> > your guest kernel implements a security system which prevents self
>> > modifying code using segment limits which QEMU does not check (but
>> > kqemu checks them!).
>> >
>> > Regards,
>> >
>> > Fabrice.
>> >
>> > Even Rouault wrote:
>> > > Guest OS : Linux 2.6.15-1.2054_FC5 i686 (Fedora Core 5 i386)
>> > > Host OS: Linux 2.6.12-10-amd64-k8 #1 x86_64 (Ubuntu 5.10 amd64)
>> > > QEMU Version : today CVS compiled with kqemu support
>> > > KQEMU : 1.3.0pre6
>> > > Binary used : qemu-system-x86-64 (so kqemu user-mode is used)
>> > >
>> > > I'm running the simple C code attached. With kqemu user-mode, this
>> > > fails (sigsegv) with the following warning in dmesg:
>> > >
>> > > audit(1146505373.813:12): avc:  denied { execheap } for pid=1860
>> > > comm="selfmodifying scontext=user_u:system_r:unconfined_t:s0
>> > > tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > > Erreur de segmentation
>> > >
>> > > Without kqemu enabled, it runs fine.
>> > >
>> > >
>> > > #define _XOPEN_SOURCE 600
>> > > #include <sys/mman.h>
>> > > #include <unistd.h>
>> > > #include <stdlib.h>
>> > > #include <stdio.h>
>> > >
>> > > int main(int argc, char** argv)
>> > > {
>> > >   int pagesize = getpagesize();
>> > >   unsigned char* addr = NULL;
>> > >   /* one page of heap memory, made readable, writable and executable */
>> > >   posix_memalign((void**)&addr, pagesize, pagesize);
>> > >   mprotect(addr, pagesize, PROT_WRITE | PROT_READ | PROT_EXEC);
>> > >   /* i386 machine code for "return first argument + 1" */
>> > >   addr[0] = 0x8b; addr[1] = 0x44; addr[2] = 0x24; addr[3] = 0x04; /* mov    0x4(%esp),%eax */
>> > >   addr[4] = 0x83; addr[5] = 0xc0; addr[6] = 0x01;                 /* add    $0x1,%eax */
>> > >   addr[7] = 0xc3;                                                 /* ret */
>> > >
>> > >   /* call the freshly written bytes as a function */
>> > >   printf("10+1=%d\n", ((int (*)(int))addr)(10));
>> > >   free(addr);
>> > >   return 0;
>> > > }
>> > >
>> > > _______________________________________________
>> > > Qemu-devel mailing list
>> > > Qemu-devel@nongnu.org
>> > > http://lists.nongnu.org/mailman/listinfo/qemu-devel
>>
>> -- 
>> Kevin F. Quinn
> 
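As an added example that is not code from the thread: the same "write bytes, then call them" test done W^X-style, so that a denied write-to-execute transition shows up as an mprotect() error instead of a SIGSEGV. The function name run_add_one and the x86_64 byte sequence are my own; the i386 bytes are the ones Even posted.

```c
/* Added example (not from the thread): the self-writing test done W^X-style.
 * The page is written first, then switched to read+execute, then called. */
#define _GNU_SOURCE
#include <sys/mman.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20 /* Linux value, for strict -std= builds */
#endif

/* Constructed machine code for "return first int argument + 1". The post's
 * bytes are i386 only; an x86_64 variant is added for 64-bit hosts. */
#if defined(__x86_64__)
static const unsigned char add_one_code[] = { /* mov %edi,%eax; add $1,%eax; ret */
    0x89, 0xf8, 0x83, 0xc0, 0x01, 0xc3 };
#elif defined(__i386__)
static const unsigned char add_one_code[] = { /* mov 4(%esp),%eax; add $1,%eax; ret */
    0x8b, 0x44, 0x24, 0x04, 0x83, 0xc0, 0x01, 0xc3 };
#else
#define NO_CODEGEN 1 /* other CPUs: report ENOSYS instead of crashing */
#endif

/* Runs the generated function on arg and returns its result, or -1 with errno
 * set. The page is never writable and executable at the same time. */
int run_add_one(int arg)
{
#ifdef NO_CODEGEN
    (void)arg; errno = ENOSYS;
    return -1;
#else
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1; /* errno set by mmap */
    memcpy(page, add_one_code, sizeof add_one_code);
    /* W -> X transition: a policy that forbids executable anonymous memory
     * fails this call (typically EACCES) instead of letting the call fault. */
    if (mprotect(page, pagesize, PROT_READ | PROT_EXEC) != 0) {
        int saved = errno;
        munmap(page, pagesize);
        errno = saved;
        return -1;
    }
    int result = ((int (*)(int))page)(arg);
    munmap(page, pagesize);
    return result;
#endif
}
```

A -1 return with errno set is the signal a policy such as the execheap/execmem denial above produces here; the original test never checked the mprotect() result, so the same denial surfaced only as the later crash.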
