From: Clemens Kolbitsch <clemens.kol@gmx.at>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] Re: sidt problem
Date: Wed, 27 Jun 2007 12:10:09 +0200
Message-ID: <46823781.50403@gmx.at>
In-Reply-To: <468036C1.8070901@gmx.at>
Hi!
Just wanted to post that I found out what the problem really is...
Obviously this is one of the restrictions in a virtual machine and thus
not a "bug" (as most of you probably know already).
It'd still be cool if it could be fixed somehow... though this seems
more of an academic thing than a programmer's job :-)
Greets!
Clemens Kolbitsch wrote:
> Hi everyone!
> I have a strange problem:
>
> I use the following code on my Linux 2.6.20 (Kubuntu Debian, i386) to
> dynamically get the location of the system-call table (as can also be
> found in /proc/kallsyms --> "sys_call_table") as it is quite
> interesting for new exploits ( :-) )
>
> On a real CPU this works fine, however it crashes in QEMU... obviously
> there is a bug somewhere. I have not found my way that deep into the
> QEMU source, so I cannot really help to find the bug.
>
> Well, here is the code:
>
> struct
> {
>     unsigned short limit;
>     unsigned int base;
> } __attribute__ ((packed)) idtr;
>
> struct
> {
>     unsigned short off1;
>     unsigned short sel;
>     unsigned char none, flags;
>     unsigned short off2;
> } __attribute__ ((packed)) *igd;
>
> unsigned long *sys_call;
> unsigned long sys_call_table;
> unsigned char *pc;
> int i;
>
> // find idt_table (idtr is written by the instruction, so it is an output operand)
> __asm__ volatile ("sidt %0" : "=m"(idtr));
>
> // find system_call: gate 0x80 of the IDT, 8 bytes per gate
> igd = (void *)(idtr.base + 8 * 0x80);
>
> // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> // the next line crashes
> // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> sys_call = (unsigned long *)(((unsigned long)igd->off2 << 16) | igd->off1);
>
> // find sys_call_table
> // ff 14 85 XX XX XX XX call <sys_call_table>(,%eax,4)
>
> sys_call_table = 0x0;
> pc = (unsigned char *)sys_call;
>
> // check the first 100 bytes in system_call
> for (i = 0; i < 100; ++i)
> {
>     if ((*(unsigned long *)++pc << 8) == 0x8514ff00)
>     {
>         sys_call_table = *(unsigned long *)(pc + 3);
>         break;
>     }
> }
>
>
> Maybe someone has time to look at this problem (by the way, I use the
> same system inside QEMU as on my laptop).
>
> Greets!!
>
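As an added example (not code from this thread), the decoding of one i386 IDT gate descriptor in the layout the posted struct describes, with the bounds check against IDTR.limit that the posted lookup at base + 8 * 0x80 skips; the table contents, the handler address 0xc0103af0 and the selector 0x60 are constructed values:

```c
#include <stdint.h>
#include <string.h>
/* One 8-byte i386 IDT gate, same layout as the posted struct: the handler
 * offset is split across off1 (low 16 bits) and off2 (high 16 bits). */
struct idt_gate {
    uint16_t off1;
    uint16_t sel;
    uint8_t  none;
    uint8_t  flags;   /* bit 7 P, bits 6-5 DPL, bit 4 zero, bits 3-0 gate type */
    uint16_t off2;
} __attribute__((packed));

struct gate_info {
    int      ok;        /* 0 when the vector lies beyond the table limit */
    uint32_t handler;   /* reassembled 32-bit handler offset */
    uint16_t selector;
    unsigned present, dpl, type;
};

/* Decode the gate for `vector` from a table of limit + 1 bytes (limit being the
 * 16-bit field sidt stores beside the base). The posted code reads
 * base + 8 * 0x80 unconditionally; here the entry must lie inside the table. */
struct gate_info decode_gate(const uint8_t *table, uint16_t limit, unsigned vector)
{
    struct gate_info info = {0};
    struct idt_gate g;
    if ((uint32_t)vector * 8 + 8 > (uint32_t)limit + 1)
        return info;                                    /* ok == 0 */
    memcpy(&g, table + (size_t)vector * 8, sizeof g);   /* no unaligned access */
    info.ok       = 1;
    info.handler  = ((uint32_t)g.off2 << 16) | g.off1;
    info.selector = g.sel;
    info.present  = (g.flags >> 7) & 1;
    info.dpl      = (g.flags >> 5) & 3;
    info.type     = g.flags & 0xF;   /* 0xE = interrupt gate, 0xF = trap gate */
    return info;
}
/* Constructed sample table (not a real dump): 0x81 empty entries except vector
 * 0x80, whose little-endian bytes encode offset 0xc0103af0, selector 0x60 and
 * flags 0xEF (present, DPL 3, 32-bit trap gate). */
static uint8_t sample_idt[0x81 * 8];
struct gate_info sample_gate(unsigned vector)
{
    static const uint8_t gate80[8] = {0xf0, 0x3a, 0x60, 0x00, 0x00, 0xef, 0x10, 0xc0};
    memset(sample_idt, 0, sizeof sample_idt);
    memcpy(sample_idt + 0x80 * 8, gate80, sizeof gate80);
    return decode_gate(sample_idt, (uint16_t)(sizeof sample_idt - 1), vector);
}
```

Asking for vector 0x81 returns ok == 0 because the constructed table's limit (0x407) ends with gate 0x80, which is the check a reader of a foreign IDT dump wants before dereferencing anything.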
Thread overview: 2+ messages
[not found] <20070614160402.14245gmx1@mx083.gmx.net>
2007-06-25 21:42 ` [Qemu-devel] sidt problem Clemens Kolbitsch
2007-06-27 10:10 ` Clemens Kolbitsch [this message]