From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4B27E95C.8040903@redhat.com>
Date: Tue, 15 Dec 2009 21:54:04 +0200
From: Avi Kivity
MIME-Version: 1.0
Subject: Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
References: <200912151948.53307.ck@iseclab.org>
In-Reply-To: <200912151948.53307.ck@iseclab.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
To: Clemens Kolbitsch
Cc: qemu-devel@nongnu.org

On 12/15/2009 08:48 PM, Clemens Kolbitsch wrote:
> Hi list,
>
> I'm experiencing a strange emulation bug with the op-code below. The
> instruction raises a segfault in the application (running on the guest),
> however, if I enable KVM to run the exact same application, no segfault is
> raised.
>
> 0x0080023b: 8b 04 65 11 22 33 44    mov regEAX, [0x44332211]
>
> where "11 22 33 44" is just some address. According to gdb (on a 32bit
> little-endian machine), this instruction can be disassembled as a "mov
> address to reg-eax".
>

This is an odd encoding for this instruction, since there is a shorter one
possible (8b 05 11 22 33 44). So it is possible there is a bug in qemu that
has never been triggered because compilers/assemblers don't generate this
encoding.

btw, binutils disassembles this as

  8b 04 65 11 22 33 44    mov 0x44332211(,%eiz,2),%eax

I guess %eiz is some mnemonic for a "zero register" so the assembly can be
reassembled into a 7-byte instruction later.

-- 
Do not meddle in the internals of kernels, for they are subtle and quick to panic.
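The two encodings compared in the thread, decoded as an added example (not code from the thread, QEMU or binutils): a minimal ModRM/SIB decoder for the 32-bit `mov r32, r/m32` form (opcode 8B, mod == 00 only) showing that the 7-byte sequence with a no-index SIB byte and the 6-byte disp32 form resolve to the same effective address. The register table, the `regs` mapping and the function names are assumptions for illustration.

```python
# Decode the ModRM/SIB addressing form of a 32-bit 'mov r32, r/m32' (opcode 8B).
# Constructed example; covers only the mod == 00 memory forms relevant here.
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_mov_r32_rm32(code: bytes) -> dict:
    """Decode one 0x8B instruction (32-bit mode, no prefixes, mod == 00)."""
    if code[0] != 0x8B:
        raise ValueError("not a 'mov r32, r/m32' opcode")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0:
        raise NotImplementedError("only mod == 00 is handled in this example")
    pos, base, index, scale = 2, None, None, 1
    if rm == 4:
        # rm == 100: an SIB byte follows the ModRM byte.
        sib = code[pos]
        pos += 1
        ss, idx, b = sib >> 6, (sib >> 3) & 7, sib & 7
        scale = 1 << ss
        # index == 100 means "no index register"; binutils prints it as %eiz.
        index = None if idx == 4 else REGS32[idx]
        if b == 5:
            # base == 101 with mod == 00: no base register, disp32 follows.
            disp = int.from_bytes(code[pos:pos + 4], "little")
            pos += 4
        else:
            base, disp = REGS32[b], 0
    elif rm == 5:
        # rm == 101 with mod == 00: pure disp32 operand (the shorter encoding).
        disp = int.from_bytes(code[pos:pos + 4], "little")
        pos += 4
    else:
        base, disp = REGS32[rm], 0
    return {"dst": REGS32[reg], "base": base, "index": index,
            "scale": scale, "disp": disp, "length": pos}


def effective_address(decoded: dict, regs: dict) -> int:
    """Compute base + index*scale + disp (mod 2^32) for a given register state."""
    base = regs.get(decoded["base"], 0) if decoded["base"] else 0
    index = regs.get(decoded["index"], 0) if decoded["index"] else 0
    return (base + index * decoded["scale"] + decoded["disp"]) & 0xFFFFFFFF


if __name__ == "__main__":
    # The 7-byte form from the report and the 6-byte form Avi mentions.
    for hexstr in ("8b046511223344", "8b0511223344"):
        d = decode_mov_r32_rm32(bytes.fromhex(hexstr))
        print(hexstr, d, hex(effective_address(d, {})))
```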