From: Clemens Kolbitsch <clemens.kol@gmx.at>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] sidt problem
Date: Mon, 25 Jun 2007 23:42:25 +0200
Message-ID: <468036C1.8070901@gmx.at>
In-Reply-To: <20070614160402.14245gmx1@mx083.gmx.net>
Hi everyone!

I have a strange problem:

I use the following code on my Linux 2.6.20 (Kubuntu Debian, i386) to
dynamically get the location of the system-call table (as can also be
found in /proc/kallsyms --> "sys_call_table"), as it is quite interesting
for new exploits ( :-) ).

On a real CPU this works fine, however it crashes in qemu... obviously
there is a bug somewhere. I have not found my way that deep into the
qemu source, so I cannot really help to find the bug.

Well, here is the code:
    /* IDTR as stored by sidt: 16-bit limit followed by 32-bit base */
    struct
    {
        unsigned short limit;
        unsigned int base;
    } __attribute__ ((packed)) idtr;

    /* 32-bit IDT gate descriptor: handler offset split into off1/off2 */
    struct
    {
        unsigned short off1;
        unsigned short sel;
        unsigned char none, flags;
        unsigned short off2;
    } __attribute__ ((packed)) *igd;

    unsigned long *sys_call;
    unsigned long sys_call_table;
    unsigned char *pc;
    int i;

    // find idt_table (idtr is an output operand of sidt, hence "=m")
    __asm__("sidt %0" : "=m"(idtr));

    // find system_call: gate 0x80, each gate is 8 bytes
    igd = (void *)(idtr.base + 8 * 0x80);

    // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    // the next line crashes
    // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    sys_call = (unsigned long *)(((unsigned long)igd->off2 << 16) | igd->off1);

    // find sys_call_table
    // ff 14 85 XX XX XX XX call <sys_call_table>(,%eax,4)
    sys_call_table = 0x0;
    pc = (unsigned char *)sys_call;

    // check the first 100 bytes in system_call
    for (i = 0; i < 100; ++i)
    {
        if ((*(long*)++pc << 8) == 0x8514ff00)
        {
            sys_call_table = *(long*)(pc+3);
            break;
        }
    }
Maybe someone has time to look at this problem (by the way, I use the
same system inside qemu as on my laptop).

Greets!!
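The post's lookup has two independent parts: decoding a 32-bit IDT gate descriptor to recover the int 0x80 handler address, and scanning the handler for the `ff 14 85 XX XX XX XX` call pattern. The following user-space C program is an added example (not the poster's code and not QEMU code) that does both decodes on constructed byte buffers, so the descriptor layout and the pattern match can be checked without a kernel module or a running guest. The gate bytes, selector, flags and every address in it are constructed sample values, not values taken from any real kernel; the byte-wise pattern compare is used instead of the post's unaligned `long` read, which is the one part of the original a reader would otherwise have to trust blindly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit x86 IDT gate descriptor, same layout as the struct in the post. */
struct idt_gate {
    uint16_t off1;   /* handler offset bits 0..15  */
    uint16_t sel;    /* code segment selector       */
    uint8_t  none;   /* reserved                    */
    uint8_t  flags;  /* P | DPL(2) | 0 | type(4)    */
    uint16_t off2;   /* handler offset bits 16..31  */
} __attribute__((packed));

/* Constructed gate for vector 0x80: handler 0xc0103450, selector 0x60,
 * flags 0xef = present, DPL 3, 32-bit trap gate. Hypothetical values. */
static const uint8_t sample_gate[8] = {
    0x50, 0x34,   /* off1 = 0x3450 */
    0x60, 0x00,   /* sel  = 0x0060 */
    0x00, 0xef,   /* none, flags   */
    0x10, 0xc0    /* off2 = 0xc010 */
};

/* Constructed handler bytes: two filler instructions, then
 * ff 14 85 20 d1 31 c0 = call *0xc031d120(,%eax,4). Hypothetical. */
static const uint8_t sample_code[] = {
    0x89, 0xe3,                               /* mov %esp,%ebx */
    0x31, 0xd2,                               /* xor %edx,%edx */
    0xff, 0x14, 0x85, 0x20, 0xd1, 0x31, 0xc0  /* call *0xc031d120(,%eax,4) */
};

/* Handler address: upper half from off2, lower half from off1. */
uint32_t gate_handler(const uint8_t *gate8) {
    struct idt_gate g;
    memcpy(&g, gate8, sizeof g);            /* no unaligned struct access */
    return ((uint32_t)g.off2 << 16) | g.off1;
}

/* Descriptor attribute decoding, useful when checking a gate looks sane. */
int gate_present(const uint8_t *gate8) { return (gate8[5] >> 7) & 1; }
int gate_dpl(const uint8_t *gate8)     { return (gate8[5] >> 5) & 3; }
int gate_type(const uint8_t *gate8)    { return gate8[5] & 0x0f; }

/* Scan up to len bytes for "ff 14 85 disp32" and return disp32 (the
 * table address), or 0 if the pattern is not found. Byte-wise compare
 * and an explicit little-endian assembly avoid misaligned wide loads. */
uint32_t find_call_target(const uint8_t *code, size_t len) {
    for (size_t i = 0; i + 7 <= len; i++) {
        if (code[i] == 0xff && code[i + 1] == 0x14 && code[i + 2] == 0x85) {
            const uint8_t *d = code + i + 3;
            return (uint32_t)d[0] | ((uint32_t)d[1] << 8)
                 | ((uint32_t)d[2] << 16) | ((uint32_t)d[3] << 24);
        }
    }
    return 0;
}

int main(void) {
    uint32_t handler = gate_handler(sample_gate);
    printf("gate size   : %zu bytes\n", sizeof(struct idt_gate));
    printf("handler     : 0x%08x (P=%d DPL=%d type=0x%x)\n", handler,
           gate_present(sample_gate), gate_dpl(sample_gate),
           gate_type(sample_gate));
    printf("call target : 0x%08x\n",
           find_call_target(sample_code, sizeof sample_code));
    return 0;
}
```

The descriptor is copied into the packed struct with memcpy rather than cast in place, so the same decoder works on a byte dump of an IDT captured from a guest (for example when comparing what a real CPU and an emulator hand back for the same vector), and `sizeof(struct idt_gate)` being 8 is the first thing to confirm if the struct is ever changed.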