* [Qemu-devel] bug report : kqemu and self-writing code
@ 2006-05-01 19:53 Even Rouault
From: Even Rouault @ 2006-05-01 19:53 UTC (permalink / raw)
  To: qemu-devel


Guest OS: Linux 2.6.15-1.2054_FC5 i686 (Fedora Core 5 i386)
Host OS: Linux 2.6.12-10-amd64-k8 #1 x86_64 (Ubuntu 5.10 amd64)
QEMU version: today's CVS compiled with kqemu support
KQEMU: 1.3.0pre6
Binary used: qemu-system-x86-64 (so kqemu user-mode is used)

I'm running the simple C code attached. With kqemu user-mode, this fails 
(sigsegv) with the following warning in dmesg:

audit(1146505373.813:12): avc:  denied { execheap } for pid=1860 
comm="selfmodifying scontext=user_u:system_r:unconfined_t:s0 
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Erreur de segmentation

Without kqemu enabled, it runs fine.


[-- Attachment #2: selfmodifying.c --]

#define _XOPEN_SOURCE 600
#include <sys/mman.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
  int pagesize = getpagesize();
  unsigned char* addr = NULL;
  int rc;

  /* One page-aligned page from the heap. posix_memalign() returns the
     error code itself instead of setting errno. */
  rc = posix_memalign((void**)&addr, pagesize, pagesize);
  if (rc != 0) {
    fprintf(stderr, "posix_memalign: %s\n", strerror(rc));
    return 1;
  }
  /* Make the heap page writable and executable. If a security policy
     refuses (the SELinux "execheap" denial), this is where it fails;
     calling into the page afterwards is what produces the SIGSEGV. */
  if (mprotect(addr, pagesize, PROT_WRITE | PROT_READ | PROT_EXEC) != 0) {
    perror("mprotect");
    return 1;
  }
  /* 32-bit x86 cdecl: the argument is fetched from the stack. */
  addr[0] = 0x8b; addr[1] = 0x44; addr[2] = 0x24; addr[3] = 0x04; /* mov    0x4(%esp),%eax */
  addr[4] = 0x83; addr[5] = 0xc0; addr[6] = 0x01; /* add    $0x1,%eax */
  addr[7] = 0xc3; /* ret */

  printf("10+1=%d\n", ((int (*)(int))addr)(10));
  free(addr);
  return 0;
}

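The posted test case ignores the return values of posix_memalign() and mprotect(), so a policy denial like the execheap AVC above only surfaces as a segmentation fault. The following C program, added here as an example and not part of the thread, asks for W+X on a heap page the same way and reports the errno instead of executing anything; the names probe_heap_exec, probe_fresh_heap_page and explain_errno are this example's own.

```c
#define _XOPEN_SOURCE 600
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map the errno left by mprotect() to what it means for this test case.
 * EACCES is what a MAC policy denial (the SELinux "execheap" AVC message in
 * the report) produces; the posted program ignored it and then jumped into a
 * page that had never become executable, hence the SIGSEGV. */
const char *explain_errno(int err)
{
    switch (err) {
    case 0:      return "heap page is writable and executable";
    case EACCES: return "W+X denied by a security policy (e.g. SELinux execheap)";
    case EINVAL: return "address not page-aligned or flags invalid";
    case ENOMEM: return "range not mapped or cannot be split";
    default:     return "unexpected mprotect() failure";
    }
}

/* Request read+write+execute on [addr, addr+len). Returns 0 on success or
 * the errno of the failure. Nothing is executed, so a denial is reported
 * rather than turning into a fault. */
int probe_heap_exec(void *addr, size_t len)
{
    if (mprotect(addr, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return errno;
    return 0;
}

/* Allocate one page-aligned heap page as the posted test does, probe it,
 * restore RW and hand it back. Returns 0 or the errno of the failing step. */
int probe_fresh_heap_page(void)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    void *addr = NULL;
    int rc = posix_memalign(&addr, pagesize, pagesize);   /* returns errno itself */
    if (rc != 0)
        return rc;
    rc = probe_heap_exec(addr, pagesize);
    mprotect(addr, pagesize, PROT_READ | PROT_WRITE);     /* back to plain heap */
    free(addr);
    return rc;
}

int main(void)
{
    int rc = probe_fresh_heap_page();
    printf("heap W+X probe: %s (%s)\n", explain_errno(rc), rc ? strerror(rc) : "ok");
    return rc == 0 ? 0 : 1;
}
```

On a host with the policy from the report active, the probe prints the EACCES explanation and exits 1 instead of crashing.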

* Re: [Qemu-devel] bug report : kqemu and self-writing code
@ 2006-05-01 21:29 ` Fabrice Bellard
From: Fabrice Bellard @ 2006-05-01 21:29 UTC (permalink / raw)
  To: qemu-devel

Are you sure that the bug is really in kqemu? It is possible that your 
guest kernel implements a security system which prevents self modifying 
code using segment limits which QEMU does not check (but kqemu checks 
them!).

Regards,

Fabrice.

Even Rouault wrote:
> Guest OS: Linux 2.6.15-1.2054_FC5 i686 (Fedora Core 5 i386)
> Host OS: Linux 2.6.12-10-amd64-k8 #1 x86_64 (Ubuntu 5.10 amd64)
> QEMU version: today's CVS compiled with kqemu support
> KQEMU: 1.3.0pre6
> Binary used: qemu-system-x86-64 (so kqemu user-mode is used)
> 
> I'm running the simple C code attached. With kqemu user-mode, this fails 
> (sigsegv) with the following warning in dmesg:
> 
> audit(1146505373.813:12): avc:  denied { execheap } for pid=1860 
> comm="selfmodifying scontext=user_u:system_r:unconfined_t:s0 
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> Erreur de segmentation
> 
> Without kqemu enabled, it runs fine.
> 
> #define _XOPEN_SOURCE 600
> #include <sys/mman.h>
> #include <unistd.h>
> #include <stdlib.h>
> #include <stdio.h>
> 
> int main(int argc, char** argv)
> {
>   int pagesize = getpagesize();
>   unsigned char* addr = NULL;
>   posix_memalign((void**)&addr, pagesize, pagesize);
>   mprotect(addr, pagesize, PROT_WRITE | PROT_READ | PROT_EXEC);
>   addr[0] = 0x8b; addr[1] = 0x44; addr[2] = 0x24; addr[3] = 0x04; /* mov    0x4(%esp),%eax */
>   addr[4] = 0x83; addr[5] = 0xc0; addr[6] = 0x01; /* add    $0x1,%eax */
>   addr[7] = 0xc3; /* ret */
>   
>   printf("10+1=%d\n", ((int (*)(int))addr)(10));
>   free(addr);
>   return 0;
> }
> 
> _______________________________________________
> Qemu-devel mailing list
> Qemu-devel@nongnu.org
> http://lists.nongnu.org/mailman/listinfo/qemu-devel


* Re: [Qemu-devel] bug report : kqemu and self-writing code
@ 2006-05-01 22:08   ` Even Rouault
From: Even Rouault @ 2006-05-01 22:08 UTC (permalink / raw)
  To: qemu-devel

You're absolutely right. SELinux was enabled on the host. I disabled it and 
now the self modifying code runs with kqemu enabled.
So, I guess the current behaviour of qemu (without kqemu) is not really 
wanted.

On Monday 1 May 2006 23:29, Fabrice Bellard wrote:
> Are you sure that the bug is really in kqemu? It is possible that your
> guest kernel implements a security system which prevents self modifying
> code using segment limits which QEMU does not check (but kqemu checks
> them!).
>
> Regards,
>
> Fabrice.


* Re: [Qemu-devel] bug report : kqemu and self-writing code
@ 2006-05-02  6:55   ` Kevin F. Quinn
From: Kevin F. Quinn @ 2006-05-02  6:55 UTC (permalink / raw)
  To: qemu-devel

Looks like SELinux to me.  Even - you should raise it with whoever
writes your policy.

On Mon, 01 May 2006 23:29:54 +0200
Fabrice Bellard <fabrice@bellard.org> wrote:

> Are you sure that the bug is really in kqemu? It is possible that
> your guest kernel implements a security system which prevents self
> modifying code using segment limits which QEMU does not check (but
> kqemu checks them!).
> 
> Regards,
> 
> Fabrice.


-- 
Kevin F. Quinn


* Re: [Qemu-devel] bug report : kqemu and self-writing code
@ 2006-05-02  9:13     ` G Portokalidis
From: G Portokalidis @ 2006-05-02  9:13 UTC (permalink / raw)
  To: qemu-devel

I had a similar problem, but only when not using kqemu.

When using a stack overflow exploit, the shellcode provided only
executes when using kqemu. I can attribute this to either the
shellcode being in a different location (maybe someone can clarify
this: is qemu using a different memory layout, e.g. is the stack located at
a different virtual address?), or qemu does not translate the shellcode
located in the stack and instead causes a memory fault (again I have
no idea why this should be the case).

When using kqemu the shellcode executes normally.
I did not have any time to investigate the reasons, but I have a hunch
it is probably the translation.
If anyone knows what the problem is, I would be glad to write a patch.


On 02/05/06, Kevin F. Quinn <ml@kevquinn.com> wrote:
> Looks like SELinux to me.  Even - you should raise it with whoever
> writes your policy.


* Re: [Qemu-devel] bug report : kqemu and self-writing code
@ 2006-05-02 21:04       ` Fabrice Bellard
From: Fabrice Bellard @ 2006-05-02 21:04 UTC (permalink / raw)
  To: qemu-devel

To clarify the current behaviour of kqemu and QEMU with self-writing 
code, the following table can be useful:

Supported feature   QEMU                    kqemu
----------------------------------------------------
CS.limit             no                     yes
NX bit               yes (x86_64 only)      no

So you can understand now why in some cases QEMU or kqemu does not seem 
to give what you expect. Fixing both issues is of course possible but it 
is not my priority yet.

Fabrice.

G Portokalidis wrote:
> I had a similar problem, but only when not using kqemu.
> 
> When using a stack overflow exploit, the shellcode provided only
> executes when using kqemu. I can attribute this to either the
> shellcode being in a different location (maybe someone can clarify
> this: is qemu using a different memory layout, e.g. is the stack located at
> a different virtual address?), or qemu does not translate the shellcode
> located in the stack and instead causes a memory fault (again I have
> no idea why this should be the case).
> 
> When using kqemu the shellcode executes normally.
> I did not have any time to investigate the reasons, but I have a hunch
> it is probably the translation.
> If anyone knows what the problem is, I would be glad to write a patch.
