Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
From: Aurelien Jarno
Subject: Re: [Qemu-devel] i386 emulation bug: mov reg, [addr]
Date: Sat, 6 Mar 2010 18:02:40 +0100
User-agent: Mutt/1.5.20 (2009-06-14)
On Tue, Dec 15, 2009 at 07:48:53PM +0100, Clemens Kolbitsch wrote:
> Hi list,
>
> I'm experiencing a strange emulation bug with the op-code below. The
> instruction raises a segfault in the application (running on the guest),
> however, if I enable KVM to run the exact same application, no segfault is
> raised.
>
> 0x0080023b: 8b 04 65 11 22 33 44 mov regEAX, [0x44332211]
>
> where "11 22 33 44" is just some address. According to gdb (on a 32bit
> little-endian machine), this instruction can be disassembled as a "mov
> address to reg-eax".
>
> I have added some debugging code to the disas_insn function in translate.c to
> find out that the code is disassembled to the following blocks:
>
> (NOTE: this debugging comes from an old qemu version where the old TB-style
> code was still used. HOWEVER, the same bug is still happening when used on
> the 0.11.0 source branch).
>
> 0x0080023b: disassemble 7 bytes (to 0x00800242)
> 0x001: movl_A0_im 0x44332211
> 0x002: addl_A0_ESP_s1
> 0x003: ldl_user_T0_A0
> 0x004: movl_EAX_T0
>
> So, as you can see, everything seems correct, but there is an additional
> (second) TB that messes everything up. In fact, the segfault happens because
> whatever is in ESP (shifted by one) is added to the address (which might then
> not be a valid address).
>
> As I said, the code might crash in old versions of Qemu just like in the
> 0.11.0 source branch and works fine if I use KVM (because the user code is
> not emulated of course).
>
> Since this is such a fundamental problem, I don't quite understand how this
> could stay hidden so long... or maybe there is an error on my side :-/
>
> Any help on this is greatly appreciated!!
I have just noticed the problem is not yet fixed, even if Jamie proposed
a patch in English. I have built a testcase (see below) and I have just
sent a patch to the mailing list.
Compile with: gcc -static -nostartfiles -m32 -o test test.S

        .data
msg_addr: .long msg0                    # pointer to the string
msg0:   .ascii "Hello World\n"
msg1:
        .text
        .globl _start
_start:
        mov $4, %eax                    # sys_write
        mov $1, %ebx                    # fd 1 (stdout)
        # "mov msg_addr, %ecx" hand-encoded with a SIB byte whose index
        # field is 100 (no index register): 8b 0c 65 <disp32>. A correct
        # decoder loads %ecx from msg_addr; the faulty translation also
        # adds %esp*2 to the address, so the write syscall gets a bad
        # buffer pointer.
        .byte 0x8b
        .byte 0x0c
        .byte 0x65
        .long msg_addr
        mov $(msg1-msg0), %edx          # length of the string
        int $0x80
        mov $1, %eax                    # sys_exit
        int $0x80
--
Aurelien Jarno GPG: 1024D/F1BCDB73
address@hidden http://www.aurel32.net
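The decoding rule at the heart of this thread, as an added stand-alone example (not QEMU's translate.c and not part of either message above): a small 32-bit ModRM/SIB decoder that treats SIB index field 100 as "no index register", plus a model of the mis-translation the report describes (movl_A0_im followed by addl_A0_ESP_s1), so the two effective addresses can be compared. The register-file layout regs[0..7] = EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, the ESP value and the extra test encodings are this example's own constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoded memory operand of a 32-bit-mode ModRM (+SIB, +displacement). */
typedef struct {
    int mod, reg, rm;   /* ModRM fields */
    int has_sib;
    int scale;          /* 1, 2, 4 or 8 */
    int index;          /* register number, or -1 when SIB.index == 100 (no index) */
    int base;           /* register number, or -1 when mod == 00 and base == 101 */
    int32_t disp;
    size_t length;      /* bytes consumed after the opcode */
} modrm32_t;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the bytes that follow a one-byte opcode in 32-bit mode. Memory forms
 * only: mod == 11 (register-direct) and a truncated buffer return 0. */
size_t decode_modrm32(const uint8_t *p, size_t n, modrm32_t *out)
{
    memset(out, 0, sizeof *out);
    out->index = out->base = -1;
    out->scale = 1;
    if (n < 1) return 0;
    out->mod = p[0] >> 6;
    out->reg = (p[0] >> 3) & 7;
    out->rm  = p[0] & 7;
    if (out->mod == 3) return 0;

    size_t pos = 1;
    int base_field = out->rm;
    if (out->rm == 4) {                       /* rm == 100: a SIB byte follows */
        if (n < 2) return 0;
        uint8_t sib = p[1];
        out->has_sib = 1;
        out->scale = 1 << (sib >> 6);
        int index_field = (sib >> 3) & 7;
        /* 100 is ESP's register number, but in the index slot it means
         * "no index register"; ESP can never be an index. Treating it as
         * ESP is the mis-translation reported in the thread. */
        out->index = (index_field == 4) ? -1 : index_field;
        base_field = sib & 7;
        pos = 2;
    }
    if (out->mod == 0 && base_field == 5) {   /* disp32 and no base register */
        if (n < pos + 4) return 0;
        out->disp = (int32_t)read_le32(p + pos);
        pos += 4;
    } else {
        out->base = base_field;
        if (out->mod == 1) {                  /* disp8 */
            if (n < pos + 1) return 0;
            out->disp = (int8_t)p[pos];
            pos += 1;
        } else if (out->mod == 2) {           /* disp32 */
            if (n < pos + 4) return 0;
            out->disp = (int32_t)read_le32(p + pos);
            pos += 4;
        }
    }
    out->length = pos;
    return pos;
}

/* Correct effective address: an absent index contributes nothing. */
uint32_t effective_address(const modrm32_t *m, const uint32_t regs[8])
{
    uint32_t ea = (uint32_t)m->disp;
    if (m->base >= 0)  ea += regs[m->base];
    if (m->index >= 0) ea += regs[m->index] * (uint32_t)m->scale;
    return ea;
}

/* Model of the faulty translation described in the report: the "no index"
 * encoding is handled as ESP, so ESP*scale is added and the load address
 * depends on the stack pointer. */
uint32_t buggy_effective_address(const modrm32_t *m, const uint32_t regs[8])
{
    uint32_t ea = effective_address(m, regs);
    if (m->has_sib && m->index < 0) ea += regs[4] * (uint32_t)m->scale;
    return ea;
}

int main(void)
{
    /* Constructed: the bytes after opcode 0x8b from the report,
     * "8b 04 65 11 22 33 44" = mov eax, [0x44332211]. */
    const uint8_t bytes[] = { 0x04, 0x65, 0x11, 0x22, 0x33, 0x44 };
    uint32_t regs[8] = { 0 };
    regs[4] = 0x1000;                         /* constructed ESP value */
    modrm32_t m;
    if (!decode_modrm32(bytes, sizeof bytes, &m)) return 1;
    printf("mod=%d reg=%d sib=%d scale=%d index=%d base=%d disp=0x%08x\n",
           m.mod, m.reg, m.has_sib, m.scale, m.index, m.base, (uint32_t)m.disp);
    printf("correct EA 0x%08x, mis-translated EA 0x%08x\n",
           effective_address(&m, regs), buggy_effective_address(&m, regs));
    return 0;
}
```

With ESP = 0x1000 the correct address is 0x44332211 while the modelled mis-translation yields 0x44334211 (ESP shifted left by one added in), which is the stack-dependent fault the original report observed; an encoding with a real index register, such as [ebx+esi*4+8], decodes identically under both functions.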