From: Aurelien Jarno
Date: Sat, 6 Mar 2010 18:02:40 +0100
Subject: Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
Message-ID: <20100306170240.GY10291@volta.aurel32.net>
In-Reply-To: <200912151948.53307.ck@iseclab.org>
To: qemu-devel@nongnu.org
Cc: Clemens Kolbitsch, Avi Kivity

On Tue, Dec 15, 2009 at 07:48:53PM +0100, Clemens Kolbitsch wrote:
> Hi list,
>
> I'm experiencing a strange emulation bug with the op-code below. The
> instruction raises a segfault in the application (running on the guest),
> however, if I enable KVM to run the exact same application, no segfault is
> raised.
>
> 0x0080023b: 8b 04 65 11 22 33 44 mov regEAX, [0x44332211]
>
> where "11 22 33 44" is just some address. According to gdb (on a 32bit
> little-endian machine), this instruction can be disassembled as a "mov
> address to reg-eax".
>
> I have added some debugging code to the disas_insn function in translate.c to
> find out that the code is disassembled to the following blocks:
>
> (NOTE: this debugging comes from an old qemu version where the old TB-style
> code was still used. HOWEVER, the same bug is still happening when used on the
> 0.11.0 source branch).
>
> 0x0080023b: disassemble 7 bytes (to 0x00800242)
> 0x001: movl_A0_im 0x44332211
> 0x002: addl_A0_ESP_s1
> 0x003: ldl_user_T0_A0
> 0x004: movl_EAX_T0
>
> So, as you can see, everything seems correct, but there is an additional
> (second) TB that messes everything up. In fact, the segfault happens because
> whatever is in ESP (shifted by one) is added to the address (which might then
> not be a valid address).
>
> As I said, the code might crash in old versions of Qemu just like in the
> 0.11.0 source branch and works fine if I use KVM (because the user code is not
> emulated of course).
>
> Since this is such a fundamental problem, I don't quite understand how this
> could stay hidden so long... or maybe there is an error on my side :-/
>
> Any help on this is greatly appreciated!!

I have just noticed the problem is not yet fixed, even if Jamie proposed a
patch in English. I have built a testcase (see below) and I have just sent a
patch to the mailing list.

Compile with: gcc -static -nostartfiles -m32 -o test test.S

    .data
    msg_addr:
        .long msg0
    msg0:
        .ascii "Hello World\n"
    msg1:

    .text
    .globl _start
    _start:
        mov $4, %eax                # write(2)
        mov $1, %ebx                # fd = stdout
        .byte 0x8b                  # "mov msg_addr, %ecx" encoded by hand:
        .byte 0x0c                  #   ModRM 00 001 100 (reg = ecx, SIB follows)
        .byte 0x65                  #   SIB   01 100 101 (scale = 1, no index, no base)
        .long msg_addr              #   disp32
        mov $(msg1-msg0), %edx      # length of the message
        int $0x80
        mov $1, %eax                # exit(2)
        int $0x80

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net
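The addressing rule the thread turns on, as an added example that is not part of the e-mails above nor of QEMU's translate.c: a small decoder for the 32-bit ModRM/SIB form of opcode 8B that applies the Intel rules "index field 100b means no index, whatever the scale bits say" and "base field 101b with mod 00 means disp32 and no base", run over the exact bytes from the report. The function and register names and the `buggy_sib` flag are this example's own; the flag reproduces the wrong lowering visible in the reporter's trace (addl_A0_ESP_s1) and is not QEMU's actual code.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_mov_r32_rm32(code, buggy_sib=False):
    """Decode 'mov r32, r/m32' (opcode 8B /r) with a memory operand, 32-bit
    mode. buggy_sib=True models the error from the report: an SIB index
    field of 100b (meaning "no index") is taken as ESP when scale != 0."""
    if code[0] != 0x8B:
        raise ValueError("opcode is not 8B (mov r32, r/m32)")
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod == 3:
        raise ValueError("register operand, no effective address")
    pos, index, scale = 2, None, 0
    if rm == 4:                                   # SIB byte follows ModRM
        sib = code[pos]; pos += 1
        scale, idx, b = (sib >> 6) & 3, (sib >> 3) & 7, sib & 7
        # index == 100b means "no index"; the scale bits are then irrelevant
        if idx != 4 or (buggy_sib and scale != 0):
            index = REGS[idx]
        no_base = (b == 5 and mod == 0)           # base 101b + mod 00: disp32, no base
        base = None if no_base else REGS[b]
    else:
        no_base = (rm == 5 and mod == 0)          # plain [disp32] form
        base = None if no_base else REGS[rm]
    if mod == 2 or no_base:
        disp = struct.unpack_from("<I", code, pos)[0]; pos += 4
    elif mod == 1:
        disp = struct.unpack_from("<b", code, pos)[0] & 0xFFFFFFFF; pos += 1
    else:
        disp = 0
    return {"reg": REGS[reg], "base": base, "index": index,
            "scale": 1 << scale, "disp": disp, "length": pos}

def operand_str(d):
    """Render a decoded operand as e.g. 'eax, [0x44332211]'."""
    parts = [d["base"]] if d["base"] else []
    if d["index"]:
        parts.append("%s*%d" % (d["index"], d["scale"]))
    if d["disp"] or not parts:
        parts.append("0x%08x" % d["disp"])
    return "%s, [%s]" % (d["reg"], "+".join(parts))

# Constructed input: the exact bytes from the report, 8b 04 65 11 22 33 44.
SAMPLE = bytes([0x8B, 0x04, 0x65, 0x11, 0x22, 0x33, 0x44])
CORRECT = operand_str(decode_mov_r32_rm32(SAMPLE))                      # eax, [0x44332211]
AS_QEMU_DID = operand_str(decode_mov_r32_rm32(SAMPLE, buggy_sib=True))  # eax, [esp*2+0x44332211]
```

The second rendering is exactly the "ESP shifted by one added to the address" the reporter saw, which is why the load faults under TCG and not under KVM.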