From: Sergey Fedorov <serge.fdrv@gmail.com>
To: Stanislav Shmarov <snarpix@gmail.com>, qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Richard Henderson <rth@twiddle.net>,
Peter Crosthwaite <crosthwaite.peter@gmail.com>
Subject: Re: [Qemu-devel] [PATCH] translate-all: Bugfix for user-mode self-modifying code in 2 page long TB
Date: Tue, 5 Jul 2016 22:31:56 +0300
Message-ID: <577C0B2C.8010906@gmail.com>
In-Reply-To: <1467715511-868127-1-git-send-email-snarpix@gmail.com>
On 05/07/16 13:45, Stanislav Shmarov wrote:
> In user-mode emulation a Translation Block can consist of 2 guest pages.
> In that case QEMU also mprotects 2 host pages that are dedicated for
> guest memory, containing instructions. QEMU detects self-modifying code
> with SEGFAULT signal processing.
>
> If an instruction in the 1st page is modifying memory of the 2nd
> page (or vice versa), QEMU will mark the 2nd page with PAGE_WRITE,
> invalidate the TB, generate a new TB containing 1 guest instruction and
> exit to the CPU loop. QEMU won't call mprotect, and the new TB will cause
> the same SEGFAULT. The page will have both PAGE_WRITE_ORG and PAGE_WRITE
> flags, so QEMU will handle the signal as a guest binary problem,
> and exit with a guest SEGFAULT.
>
> The solution is to retranslate the TB before marking pages as PAGE_WRITE,
> and remove protection with mprotect on the second SEGFAULT.
>
> Signed-off-by: Stanislav Shmarov <snarpix@gmail.com>
> ---
> translate-all.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/translate-all.c b/translate-all.c
> index eaa95e4..1e2ac84 100644
> --- a/translate-all.c
> +++ b/translate-all.c
> @@ -2022,11 +2022,7 @@ int page_unprotect(target_ulong address, uintptr_t pc)
>
> prot = 0;
> for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
> - p = page_find(addr >> TARGET_PAGE_BITS);
> - p->flags |= PAGE_WRITE;
> - prot |= p->flags;
> -
> - /* and since the content will be modified, we must invalidate
> + /* Since the content will be modified, we must invalidate
> the corresponding translated code. */
> if (tb_invalidate_phys_page(addr, pc)) {
> mmap_unlock();
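Review bot: with the PAGE_WRITE update moved below the invalidation, the comment kept here ("Since the content will be modified, we must invalidate the corresponding translated code.") no longer records why that order matters, which is the whole point of this fix; suggest extending it along the lines of "... translated code, before the page is marked PAGE_WRITE, so that exiting to retranslate does not leave the page flagged writable without mprotect() having run." The branch `if (tb_invalidate_phys_page(addr, pc)) { mmap_unlock();` is exactly the exit path the commit message describes, so a reader of page_unprotect() should find the rationale next to it rather than in the git history.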
> @@ -2035,6 +2031,10 @@ int page_unprotect(target_ulong address, uintptr_t pc)
> #ifdef DEBUG_TB_CHECK
> tb_invalidate_check(addr);
> #endif
> +
> + p = page_find(addr >> TARGET_PAGE_BITS);
> + p->flags |= PAGE_WRITE;
> + prot |= p->flags;
I'm afraid you need to do this even later, out of the loop for guest
pages, to ensure that mprotect() will be eventually called. That will
require a separate loop through all the guest pages which make up the
host page.
Kind regards,
Sergey
> }
> mprotect((void *)g2h(host_start), qemu_host_page_size,
> prot & PAGE_BITS);
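Review bot: the flag update now sits inside the per-guest-page loop, so when tb_invalidate_phys_page() returns nonzero on a later iteration and the function exits after mmap_unlock(), the guest pages handled by earlier iterations have already had `p->flags |= PAGE_WRITE;` applied while the `mprotect((void *)g2h(host_start), qemu_host_page_size, prot & PAGE_BITS);` call after the loop is skipped; those pages then carry PAGE_WRITE without host write permission, which is the same flag/protection mismatch the commit message sets out to fix, only for a different page of the host page. Suggest keeping this loop as an invalidation-only pass and doing `p = page_find(addr >> TARGET_PAGE_BITS); p->flags |= PAGE_WRITE; prot |= p->flags;` in a second loop over the same guest pages immediately before the mprotect() call, so flags are only ever set on the path that also calls mprotect().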
Thread overview:
2016-07-05 10:45 [Qemu-devel] [PATCH] translate-all: Bugfix for user-mode self-modifying code in 2 page long TB Stanislav Shmarov
2016-07-05 19:31 ` Sergey Fedorov [this message]
2016-07-06 7:58 ` Стас Шмаров