From: Aurelien Jarno <aurelien@aurel32.net>
To: qemu-devel@nongnu.org
Cc: Clemens Kolbitsch <ck@iseclab.org>, Avi Kivity <avi@redhat.com>
Subject: Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
Date: Sat, 6 Mar 2010 18:02:40 +0100
Message-ID: <20100306170240.GY10291@volta.aurel32.net>
In-Reply-To: <200912151948.53307.ck@iseclab.org>
On Tue, Dec 15, 2009 at 07:48:53PM +0100, Clemens Kolbitsch wrote:
> Hi list,
>
> I'm experiencing a strange emulation bug with the op-code below. The
> instruction raises a segfault in the application (running on the guest),
> however, if I enable KVM to run the exact same application, no segfault is
> raised.
>
> 0x0080023b: 8b 04 65 11 22 33 44 mov regEAX, [0x44332211]
>
> where "11 22 33 44" is just some address. According to gdb (on a 32-bit
> little-endian machine), this instruction can be disassembled as a "mov address to
> reg-eax".
>
> I have added some debugging code to the disas_insn function in translate.c to
> find out that the code is disassembled to the following blocks:
>
> (NOTE: this debugging comes from an old qemu version where the old TB-style
> code was still used. HOWEVER, the same bug is still happening when used on the
> 0.11.0 source branch).
>
> 0x0080023b: disassemble 7 bytes (to 0x00800242)
> 0x001: movl_A0_im 0x44332211
> 0x002: addl_A0_ESP_s1
> 0x003: ldl_user_T0_A0
> 0x004: movl_EAX_T0
>
> So, as you can see, everything seems correct, but there is an additional
> (second) TB that messes everything up. In fact, the segfault happens because
> whatever is in ESP (shifted by one) is added to the address (which might then
> not be a valid address).
>
> As I said, the code might crash in old versions of Qemu just like in the
> 0.11.0 source branch and works fine if I use KVM (because the user code is not
> emulated of course).
>
> Since this is such a fundamental problem, I don't quite understand how this
> could stay hidden so long... or maybe there is an error on my side :-/
>
> Any help on this is greatly appreciated!!
I have just noticed the problem is not yet fixed, even if Jamie proposed
a patch in English. I have built a testcase (see below) and I have just
sent a patch to the mailing list.
Compile with: gcc -static -nostartfiles -m32 -o test test.S
.data
msg_addr: .long msg0                  # pointer to the string, loaded through the SIB form below
msg0:     .ascii "Hello World\n"
msg1:                                 # end of string; msg1-msg0 is its length
.text
.globl _start
_start:
        mov $4, %eax                  # sys_write
        mov $1, %ebx                  # fd = stdout
        .byte 0x8b                    # mov r32, r/m32
        .byte 0x0c                    # modrm: mod=00, reg=001 (%ecx), rm=100 (SIB follows)
        .byte 0x65                    # sib: scale=01, index=100 (none), base=101 (disp32, no base)
        .long msg_addr                # i.e. mov msg_addr, %ecx; a correct decoder adds no %esp*2
        mov $(msg1-msg0), %edx        # length of the string
        int $0x80
        mov $1, %eax                  # sys_exit
        int $0x80
--
Aurelien Jarno GPG: 1024D/F1BCDB73
aurelien@aurel32.net http://www.aurel32.net
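An added example, not code from this thread or from QEMU: a small Python decoder for the 32-bit ModRM/SIB forms of mov r32, r/m32 (opcode 0x8B). It shows that a SIB index field of 100b selects no register whatever the scale field says, and with buggy_sib=True it reproduces the misdecode reported above (ESP, shifted by the scale, added to the address). The address 0x0804a000 standing in for msg_addr in the second sample is an assumption.

```python
# Added example (not from the thread or from QEMU): decoder for the 32-bit
# "mov r32, r/m32" (opcode 0x8B) ModRM/SIB forms.  SIB index=100b means "no
# index register" whatever the scale; buggy_sib=True reproduces the misdecode.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_mov_r32_rm32(code: bytes, buggy_sib: bool = False):
    """Return (Intel-syntax text, instruction length) for one 0x8B instruction."""
    if code[0] != 0x8B:
        raise ValueError("not mov r32, r/m32")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    pos = 2
    if mod == 3:                                  # register-direct operand
        return f"mov {REGS[reg]}, {REGS[rm]}", pos
    base = index = None
    scale = 0
    if rm == 4:                                   # a SIB byte follows
        sib = code[pos]
        pos += 1
        scale, idx, b = sib >> 6, (sib >> 3) & 7, sib & 7
        # Correct rule: idx == 4 never names a register.  The buggy variant
        # treats it as ESP whenever scale != 0 (the addl_A0_ESP_s1 op above).
        if idx != 4 or (buggy_sib and scale != 0):
            index = REGS[idx]
        base = None if (b == 5 and mod == 0) else REGS[b]   # mod=00,base=101: disp32 only
    elif rm == 5 and mod == 0:                    # plain [disp32]
        base = None
    else:
        base = REGS[rm]
    if mod == 1:                                  # disp8
        disp = int.from_bytes(code[pos:pos + 1], "little", signed=True)
        pos += 1
    elif mod == 2 or base is None:                # disp32
        disp = int.from_bytes(code[pos:pos + 4], "little", signed=True)
        pos += 4
    else:
        disp = 0
    terms = [base] if base else []
    if index:
        terms.append(f"{index}*{1 << scale}" if scale else index)
    if disp or not terms:
        terms.append(f"{disp:#x}")
    return f"mov {REGS[reg]}, [{' + '.join(terms)}]", pos

# Constructed samples: the reported instruction, and the test case's
# "8b 0c 65 <disp32>" with a placeholder address 0x0804a000 for msg_addr.
REPORTED = bytes.fromhex("8b046511223344")
TESTCASE = bytes.fromhex("8b0c6500a00408")
```

Decoding REPORTED gives "mov eax, [0x44332211]" correctly and "mov eax, [esp*2 + 0x44332211]" with buggy_sib, while an encoding with scale=00 such as 8b 04 24 ([esp]) decodes the same either way, which is why the bug only shows up with the scale bits set.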