From: Alex Barcelo <abarcelo@ac.upc.edu>
To: qemu-devel@nongnu.org
Cc: Riku Voipio <riku.voipio@iki.fi>, Alex Barcelo <abarcelo@ac.upc.edu>
Subject: [Qemu-devel] [PATCHv3 0/2] Preparing safe sigprocmask wrapper on qemu-user
Date: Sat, 20 Oct 2012 16:15:55 +0200 [thread overview]
Message-ID: <1350742557-9717-1-git-send-email-abarcelo@ac.upc.edu> (raw)
qemu-user needs SIGSEGV (at least) for some internal use. If the guest
application masks it and does unsafe sigprocmask, then the application
crashes. Problems happen in applications with self-modifying code (who
also change the signal mask). Other guest applications may have related
problems if they use the SIGSEGV.
A way to be more safe is adding a wrapper for all sigprocmask calls from
the guest. The wrapper proposed here is quite simple, but the code can
be improved, here I try to ensure that the wrapper is set up properly.
Changes in v3:
- Wrapping also sigreturn's sigprocmask calls (on signal.c)
Here, a test case where qemu-user goes wrong:
////////////
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <malloc.h>
#include <signal.h>
unsigned char *testfun;
int main ( void )
{
unsigned int ra;
testfun=memalign(getpagesize(),1024);
// We block the SIGSEGV signal, used by qemu-user
sigset_t set;
sigemptyset(&set);
sigaddset(&set, 11);
sigprocmask(SIG_BLOCK, &set, NULL);
mprotect(testfun, 1024, PROT_READ|PROT_EXEC|PROT_WRITE);
//400687: b8 0d 00 00 00 mov $0xd,%eax
//40068d: c3 retq
testfun[ 0]=0xb8;
testfun[ 1]=0x0d;
testfun[ 2]=0x00;
testfun[ 3]=0x00;
testfun[ 4]=0x00;
testfun[ 5]=0xc3;
printf ( "0x%02X\n",
((unsigned int (*)())testfun)() );
//400687: b8 20 00 00 00 mov $0x20,%eax
//40068d: c3 retq
// This self-modifying code will break because of the sigsegv signal block
testfun[ 1]=0x20;
printf ( "0x%02X\n",
((unsigned int (*)())testfun)() );
}
////////////
On an i386 native host:
0x0D
0x20
On a non-patched qemu-i386:
0x0D
Segmentation fault
Alex Barcelo (2):
signal: added a wrapper for sigprocmask function
signal: sigsegv protection on do_sigprocmask
linux-user/qemu.h | 1 +
linux-user/signal.c | 27 +++++++++++++++++++++++++++
linux-user/syscall.c | 14 +++++++-------
3 files changed, 35 insertions(+), 7 deletions(-)
--
1.7.5.4
next reply other threads:[~2012-10-20 14:16 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-20 14:15 Alex Barcelo [this message]
2012-10-20 14:15 ` [Qemu-devel] [PATCHv3 1/2] signal: added a wrapper for sigprocmask function Alex Barcelo
2012-10-20 14:15 ` [Qemu-devel] [PATCHv3 2/2] signal: sigsegv protection on do_sigprocmask Alex Barcelo
2012-11-19 19:01 ` [Qemu-devel] [PATCHv3 0/2] Preparing safe sigprocmask wrapper on qemu-user Alex Barcelo
2013-01-14 14:34 ` Alex Barcelo
-- strict thread matches above, loose matches on Subject: below --
2013-01-14 12:16 Alex Barcelo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1350742557-9717-1-git-send-email-abarcelo@ac.upc.edu \
--to=abarcelo@ac.upc.edu \
--cc=qemu-devel@nongnu.org \
--cc=riku.voipio@iki.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).