Date: Tue, 02 May 2006 23:04:41 +0200
From: Fabrice Bellard
Subject: Re: [Qemu-devel] bug report : kqemu and self-writing code
Message-id: <4457C969.5070304@bellard.org>
References: <200605012153.51699.even.rouault@mines-paris.org> <44567DD2.8040708@bellard.org> <20060502085504.66479ac3@c1358217.kevquinn.com>
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
To: qemu-devel@nongnu.org

To clarify the current behaviour of kqemu and QEMU with self-writing code,
the following table can be useful:

Supported feature      QEMU                 kqemu
----------------------------------------------------
CS.limit               no                   yes
NX bit                 yes (x86_64 only)    no

So you can understand now why in some cases QEMU or kqemu does not seem to
give what you expect.

Fixing both issues is of course possible but it is not my priority yet.

Fabrice.
G Portokalidis wrote:
> I had a similar problem, but only when not using kqemu.
>
> When using a stack overflow exploit, the shellcode provided only
> executes when using kqemu. I can attribute this to either the
> shellcode being in a different location (maybe someone can clarify
> this: is qemu using a different memory layout, e.g. is the stack located
> at a different virtual address?), or qemu does not translate the shellcode
> located in the stack and instead causes a memory fault (again I have
> no idea why this should be the case).
>
> When using kqemu the shellcode executes normally.
> I did not have any time to investigate the reasons, but I have a hunch
> it is probably the translation.
> If anyone knows what the problem is, I would be glad to write a patch.
>
>
> On 02/05/06, Kevin F. Quinn wrote:
>
>> Looks like SELinux to me. Even - you should raise it with whoever
>> writes your policy.
>>
>> On Mon, 01 May 2006 23:29:54 +0200
>> Fabrice Bellard wrote:
>>
>> > Are you sure that the bug is really in kqemu? It is possible that
>> > your guest kernel implements a security system which prevents self
>> > modifying code using segment limits which QEMU does not check (but
>> > kqemu checks them!).
>> >
>> > Regards,
>> >
>> > Fabrice.
>> >
>> > Even Rouault wrote:
>> > > Guest OS : Linux 2.6.15-1.2054_FC5 i686 (Fedora Core 5 i386)
>> > > Host OS: Linux 2.6.12-10-amd64-k8 #1 x86_64 (Ubuntu 5.10 amd64)
>> > > QEMU Version : today CVS compiled with kqemu support
>> > > KQEMU : 1.3.0pre6
>> > > Binary used : qemu-system-x86-64 (so kqemu user-mode is used)
>> > >
>> > > I'm running the simple C code attached. With kqemu user-mode, this
>> > > fails (sigsegv) with the following warning in dmesg :
>> > >
>> > > audit(1146505373.813:12): avc: denied { execheap } for pid=1860
>> > > comm="selfmodifying scontext=user_u:system_r:unconfined_t:s0
>> > > tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>> > > Erreur de segmentation
>> > >
>> > > Without kqemu enabled, it runs fine.
>> > >
>> > > ------------------------------------------------------------------------
>> > >
>> > > #define _XOPEN_SOURCE 600
>> > > #include <stdio.h>      /* printf */
>> > > #include <stdlib.h>     /* posix_memalign, free */
>> > > #include <unistd.h>     /* getpagesize */
>> > > #include <sys/mman.h>   /* mprotect, PROT_* */
>> > >
>> > > int main(int argc, char** argv)
>> > > {
>> > >     int pagesize = getpagesize();
>> > >     unsigned char* addr = NULL;
>> > >     /* one page-aligned page of heap, then make it RWX; the return
>> > >        values are not checked, so an execheap denial by the guest's
>> > >        SELinux policy only shows up as a fault on the call below */
>> > >     posix_memalign((void**)&addr, pagesize, pagesize);
>> > >     mprotect(addr, pagesize, PROT_WRITE | PROT_READ | PROT_EXEC);
>> > >     /* i386 machine code for: int f(int x) { return x + 1; } */
>> > >     addr[0] = 0x8b; addr[1] = 0x44; addr[2] = 0x24; addr[3] = 0x04; /* mov 0x4(%esp),%eax */
>> > >     addr[4] = 0x83; addr[5] = 0xc0; addr[6] = 0x01;                 /* add $0x1,%eax */
>> > >     addr[7] = 0xc3;                                                 /* ret */
>> > >
>> > >     printf("10+1=%d\n", ((int (*)(int))addr)(10));
>> > >     free(addr);
>> > >     return 0;
>> > > }
>> > >
>> > > ------------------------------------------------------------------------
>> > >
>> > > _______________________________________________
>> > > Qemu-devel mailing list
>> > > Qemu-devel@nongnu.org
>> > > http://lists.nongnu.org/mailman/listinfo/qemu-devel
>>
>> --
>> Kevin F. Quinn
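The table above explains the thread's confusion: whether a guest can execute code from a page its kernel marked non-executable depends on whether the emulator honours the NX bit or the CS limit. The probe below is an added example (not code from this thread, from QEMU or from kqemu) that tells the two causes apart from inside a guest: it reports whether the CPU it runs on, real or emulated, actually refuses to execute from a page mapped without PROT_EXEC, and separately whether the kernel refused the mapping, which is what the execheap denial above looks like from user space. The function name probe_exec and the PROBE_* codes are mine; it assumes Linux on x86 or aarch64 and a compiler that provides __builtin___clear_cache (GCC or Clang).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
enum { PROBE_RAN = 0, PROBE_FAULTED = 1, PROBE_ERROR = -1 };
static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Put a single `ret` in a fresh anonymous page, set it to `prot` and call it.
 * PROBE_RAN: the (virtual) CPU executed from the page.  PROBE_FAULTED: it trapped
 * (NX bit or segment limit honoured).  PROBE_ERROR: mmap/mprotect was refused,
 * which is how an SELinux execmem/execheap denial looks from user space. */
int probe_exec(int prot)
{
    long pagesize = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return PROBE_ERROR;
#if defined(__x86_64__) || defined(__i386__)
    page[0] = 0xc3;                          /* ret */
#elif defined(__aarch64__)
    memcpy(page, "\xc0\x03\x5f\xd6", 4);     /* ret */
#else
#error "probe_exec: no ret encoding for this architecture"
#endif
    __builtin___clear_cache((char *)page, (char *)page + pagesize);
    if (mprotect(page, pagesize, prot) != 0) {
        munmap(page, pagesize);
        return PROBE_ERROR;                  /* policy refused the protection */
    }
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    volatile int result = PROBE_FAULTED;
    if (sigsetjmp(probe_env, 1) == 0) {
        ((void (*)(void))page)();            /* returns only if it executed */
        result = PROBE_RAN;
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, pagesize);
    return result;
}

int main(void) { printf("RX page: %d  RW page: %d  (0 ran, 1 faulted, -1 refused)\n",
                        probe_exec(PROT_READ | PROT_EXEC), probe_exec(PROT_READ | PROT_WRITE)); }
```

On hardware with NX the RW probe faults; in a guest whose kernel relies on segment limits rather than NX, Fabrice's table predicts it runs under plain QEMU (CS.limit not checked) and faults under kqemu.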