From: Paolo Bonzini <pbonzini@redhat.com>
To: "Hulin, Patrick - 0559 - MITLL" <Patrick.Hulin@ll.mit.edu>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] QEMU, self-modifying code, and Windows 7 64-bit (no KVM)
Date: Sun, 17 Aug 2014 07:21:16 +0200 [thread overview]
Message-ID: <53F03BCC.705@redhat.com> (raw)
In-Reply-To: <9BA52E25-E3BF-42FF-B080-86B7926D8B80@ll.mit.edu>
Il 15/08/2014 23:49, Hulin, Patrick - 0559 - MITLL ha scritto:
>>> In this case, the write is 8 bytes and unaligned, so it gets split
>>> into 8 single-byte writes. In stock QEMU, these writes are done in
>>> reverse order (see the loop in softmmu_template.h, line 402). The
>>> third decryption xor from Kernel Patch Protection should hit 4 bytes
>>> that are in the current TB and 4 bytes in the TB afterwards in linear
>>> order. Since this happens in reverse order, and the last 4 bytes of
>>> the write do not intersect the current TB, those writes happen
>>> successfully and QEMU's memory is modified. The 4th byte in linear
>>> order (the 5th in temporal order) then triggers the
>>> current_tb_modified flag and cpu_restore_state, longjmp'ing out.
>>>
>> Would it work to just call tb_invalidate_phys_page_range before the
>> helper_ret_stb loop?
>
> Maybe. I think there’s another issue, which is that QEMU’s ending up
> in the I/O read/write code instead of the normal memory RW. This could
> be QEMU messing up, it could be PatchGuard doing something weird, or it
> could be me misunderstanding what’s going on. I never really figured out
> how the control flow works here.
That's okay. Everything that's in the slow path goes down
io_mem_read/write (in this case TLB_NOTDIRTY is set for dirty-page
tracking and causes QEMU to choose that path).
Try making a self-contained test case using the kvm-unit-tests harness
(git://git.kernel.org/pub/scm/virt/kvm/kvm-unit-tests.git).
Paolo
next prev parent reply other threads:[~2014-08-17 5:21 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAG5rQryFDdrYZKPWYm8k_5EPGOP9RgvUqamSkjWiO3UikieeAw@mail.gmail.com>
2014-08-13 18:36 ` [Qemu-devel] QEMU, self-modifying code, and Windows 7 64-bit (no KVM) Hulin, Patrick - 0559 - MITLL
2014-08-14 13:53 ` Hulin, Patrick - 0559 - MITLL
2014-08-15 20:48 ` Paolo Bonzini
2014-08-15 21:49 ` Hulin, Patrick - 0559 - MITLL
2014-08-17 5:21 ` Paolo Bonzini [this message]
2014-08-18 17:37 ` Richard Henderson
2014-08-18 17:47 ` Hulin, Patrick - 0559 - MITLL
2014-08-18 20:50 ` Hulin, Patrick - 0559 - MITLL
2014-08-19 6:16 ` Paolo Bonzini
2014-08-20 14:03 ` Hulin, Patrick - 0559 - MITLL
2014-08-20 15:12 ` Richard Henderson
2014-08-18 21:12 ` Paolo Bonzini
2014-08-18 17:47 ` Hulin, Patrick - 0559 - MITLL
2014-08-18 18:08 ` Hulin, Patrick - 0559 - MITLL
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53F03BCC.705@redhat.com \
--to=pbonzini@redhat.com \
--cc=Patrick.Hulin@ll.mit.edu \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.