Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]


From: Aurelien Jarno
Subject: Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
Date: Sat, 6 Mar 2010 18:02:40 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

On Tue, Dec 15, 2009 at 07:48:53PM +0100, Clemens Kolbitsch wrote:
> Hi list,
> 
> I'm experiencing a strange emulation bug with the op-code below. The 
> instruction raises a segfault in the application (running on the guest), 
> however, if I enable KVM to run the exact same application, no segfault is 
> raised.
> 
> 0x0080023b:       8b 04 65 11 22 33 44    mov regEAX, [0x44332211]
> 
> where "11 22 33 44" is just some address. According to gdb (on a 32bit 
> little-endian machine), this instruction can be disassembled as a "mov 
> address to reg-eax".
> 
> I have added some debugging code to the disas_insn function in translate.c to 
> find out that the code is disassembled to the following blocks:
> 
> (NOTE: this debugging comes from an old qemu version where the old TB-style 
> code was still used. HOWEVER, the same bug is still happening when used on 
> the 0.11.0 source branch).
> 
> 0x0080023b: disassemble 7 bytes (to 0x00800242)
> 0x001: movl_A0_im 0x44332211
> 0x002: addl_A0_ESP_s1
> 0x003: ldl_user_T0_A0
> 0x004: movl_EAX_T0
> 
> So, as you can see, everything seems correct, but there is an additional 
> (second) TB that messes everything up. In fact, the segfault happens because 
> whatever is in ESP (shifted by one) is added to the address (which might then 
> not be a valid address).
> 
> As I said, the code might crash in old versions of Qemu just like in the 
> 0.11.0 source branch and works fine if I use KVM (because the user code is 
> not emulated of course).
> 
> Since this is such a fundamental problem, I don't quite understand how this 
> could stay hidden so long... or maybe there is an error on my side :-/
> 
> Any help on this is greatly appreciated!!

I have just noticed the problem is not yet fixed, even if Jamie proposed
a patch in English. I have built a testcase (see below) and I have just
sent a patch to the mailing list.

Compile with: gcc -static -nostartfiles -m32 -o test test.S

        .data
msg_addr:       .long msg0              # pointer to the message, read via [disp32]

msg0:           .ascii "Hello World\n"
msg1:

        .text
        .globl _start

_start:
        mov  $4, %eax                   # sys_write
        mov  $1, %ebx                   # fd = stdout
        # Hand-encoded "mov msg_addr, %ecx" using a SIB byte:
        #   0x8b  mov r32, r/m32
        #   0x0c  ModRM: mod=00, reg=001 (%ecx), rm=100 (SIB follows)
        #   0x65  SIB:   scale=01, index=100 (no index), base=101 (disp32, no base)
        # The operand is therefore just [msg_addr]; a translator that takes
        # index=100 to mean %esp adds %esp<<1 to the address and the write faults.
        .byte 0x8b
        .byte 0x0c
        .byte 0x65
        .long msg_addr
        mov $(msg1-msg0), %edx          # length of the message
        int  $0x80

        mov $1, %eax                    # sys_exit
        int $0x80

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
address@hidden                 http://www.aurel32.net
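The decoding rule at the heart of this thread, as an added worked example that is not part of the thread or of QEMU's translate.c: a small decoder for the 32-bit "mov r32, r/m32" form (opcode 0x8b) that handles the SIB byte correctly, plus a switch that reproduces the misbehaviour Clemens observed (SIB.index == 100b taken as ESP instead of "no index") so the two effective addresses can be compared side by side. The register file, struct names and the sample bytes (taken from the report above) are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Register numbering in Intel order; R_NONE marks "no register". Constructed. */
enum { R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI, R_NONE = -1 };

typedef struct { uint32_t regs[8]; } cpu_state;   /* toy register file, not CPUX86State */

typedef struct {
    int     reg;     /* ModRM.reg: destination register */
    int     base;    /* base register or R_NONE */
    int     index;   /* index register or R_NONE */
    int     shift;   /* SIB.scale field: index is shifted left by this */
    int32_t disp;    /* displacement, sign-extended */
    size_t  len;     /* instruction length in bytes */
} mem_operand;

static int32_t read_disp32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Decode a 32-bit-mode "mov r32, r/m32" whose source operand is in memory.
 * Returns 0 on success, -1 for another opcode, a register-direct operand
 * (mod == 11b) or a truncated buffer. With treat_index4_as_esp != 0 the
 * decoder mimics the bug from the thread: SIB.index == 100b becomes ESP. */
int decode_mov_load(const uint8_t *code, size_t n, int treat_index4_as_esp,
                    mem_operand *out)
{
    size_t i = 0;
    if (n < 2 || code[i++] != 0x8b) return -1;
    uint8_t modrm = code[i++];
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod == 3) return -1;                       /* no memory operand */

    mem_operand op = { reg, R_NONE, R_NONE, 0, 0, 0 };
    int disp_size = (mod == 1) ? 1 : (mod == 2) ? 4 : 0;

    if (rm == 4) {                                 /* SIB byte follows */
        if (i >= n) return -1;
        uint8_t sib = code[i++];
        op.shift = sib >> 6;
        int idx = (sib >> 3) & 7, base = sib & 7;
        /* index == 100b encodes "no index register": ESP can never be an index. */
        if (idx != 4 || treat_index4_as_esp) op.index = idx;
        if (base == 5 && mod == 0) disp_size = 4;  /* [disp32 + index*scale], no base */
        else op.base = base;
    } else if (rm == 5 && mod == 0) {
        disp_size = 4;                             /* plain [disp32] */
    } else {
        op.base = rm;
    }

    if (i + disp_size > n) return -1;
    if (disp_size == 1) op.disp = (int8_t)code[i];
    else if (disp_size == 4) op.disp = read_disp32(code + i);
    i += disp_size;
    op.len = i;
    *out = op;
    return 0;
}

/* Effective address = base + (index << shift) + disp, modulo 2^32. */
uint32_t effective_address(const cpu_state *cpu, const mem_operand *op)
{
    uint32_t ea = (uint32_t)op->disp;
    if (op->base  != R_NONE) ea += cpu->regs[op->base];
    if (op->index != R_NONE) ea += cpu->regs[op->index] << op->shift;
    return ea;
}

/* Constructed sample: the instruction bytes quoted in the original report. */
static const uint8_t sample_insn[] = { 0x8b, 0x04, 0x65, 0x11, 0x22, 0x33, 0x44 };

int main(void)
{
    cpu_state cpu = { { 0 } };
    cpu.regs[R_ESP] = 0xbffff000;                  /* constructed stack pointer */
    mem_operand good, bad;
    decode_mov_load(sample_insn, sizeof sample_insn, 0, &good);
    decode_mov_load(sample_insn, sizeof sample_insn, 1, &bad);
    printf("correct EA: 0x%08x\n", effective_address(&cpu, &good));
    printf("buggy   EA: 0x%08x\n", effective_address(&cpu, &bad));
    return 0;
}
```

With the flag cleared the sample decodes to mov eax, [0x44332211] and the effective address is independent of ESP; with the flag set it becomes 0x44332211 + (ESP << 1), which is exactly the "addl_A0_ESP_s1" micro-op in the quoted dump and why the guest faulted under TCG but not under KVM.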