
[Qemu-devel] Bug in emulation of 'bound' x86 instruction?


From: Frode Vatvedt Fjeld
Subject: [Qemu-devel] Bug in emulation of 'bound' x86 instruction?
Date: Mon, 26 Jul 2004 15:41:53 +0200
User-agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (berkeley-unix)

I suspect that there is a bug in Qemu's emulation of the x86
'bound' instruction. The visible effect of this bug is that 1 gets added to
the ESP register, which of course wreaks havoc on everything that follows.

I'm not confident I fully understand the information in /tmp/qemu.log, but
as I said, I suspect that the following in_asm line is the culprit:

  0x0015d716:  bound  %esp,%fs:0xffffffe7(%edi)

This instruction, in 32-bit protected mode, is intended to verify that
ESP lies within a pair of bounds. These bounds are located at the physical
address 0x100054, which is the instruction's effective address:
EDI=0x6d plus the displacement 0xffffffe7 (-0x19) gives 0x54, and the FS
selector points to a segment whose base is 0x100000.

I have verified that exactly the same thing happens when the FS-override
instruction prefix is removed from the bound instruction above, so
that the DS segment (which happens to describe the same memory as the FS
segment) is used instead.

The following is a piece of /tmp/qemu.log that I hope provides the
relevant context. As you can see, the value of ESP changes from 0x000cdeb8
to 0x000cdeb9 for no good reason. Note that 0x000cdeb9 is exactly the value
EAX held before this block ran, which makes me think a stale value from the
preceding instruction is being written back as ESP rather than ESP itself
being incremented; the store to 0x10(%ebp) at 0x087d8b8f in the translated
code looks like the place where that might happen, though I am not certain
of the layout being used there.

EAX=000cdeb9 EBX=0005d713 ECX=00000001 EDX=00000001
ESI=0003750e EDI=0000006d EBP=000cded8 ESP=000cdeb8
EIP=0005d713 EFL=00040002 [-------]    CPL=0 II=0 A20=1
ES =0020 00100000 fff00fff 00cf9310
CS =0018 00100000 fff00fff 00cf9a10
SS =0020 00100000 fff00fff 00cf9310
DS =0020 00100000 fff00fff 00cf9310
FS =0028 00100000 fff00fff 00cf9310
GS =0010 00000000 ffffffff 00cf9300
LDT=0000 00000000 0000ffff 00008000
TR =0000 00000000 0000ffff 00008000
GDT=     00100330 0000003f
IDT=     001018a8 000003f7
CR0=60000011 CR2=00000000 CR3=00000000 CR4=00000000
CCS=00000001 CCD=00000000 CCO=SUBL    
----------------
IN: 
0x0015d713:  mov    %eax,0xfffffff8(%ebp)
0x0015d716:  bound  %esp,%fs:0xffffffe7(%edi)
0x0015d71a:  mov    0x5e(%esi),%ebx
0x0015d71d:  mov    0x21(%edi,%esi,1),%eax
0x0015d721:  mov    0x62(%esi),%edx
0x0015d724:  mov    0xfffffffd(%edx),%esi
0x0015d727:  call   *0x6(%esi)

OUT: [size=734]
0x087d8b40:  mov    0x14(%ebp),%edi
0x087d8b43:  add    $0xfffffff8,%edi
0x087d8b49:  add    0xe8(%ebp),%edi
0x087d8b4f:  mov    0x0(%ebp),%ebx
0x087d8b52:  push   %eax
0x087d8b53:  mov    %edi,%eax
0x087d8b55:  shr    $0xc,%eax
0x087d8b58:  movzbl %al,%edx
0x087d8b5b:  mov    %edi,%eax
0x087d8b5d:  and    $0xfffff003,%eax
0x087d8b62:  cmp    %eax,0x11fc(%ebp,%edx,8)
0x087d8b69:  mov    %edi,%ecx
0x087d8b6b:  mov    %ebx,(%esp,1)
0x087d8b6e:  je     0x87d8b82
0x087d8b70:  push   $0x0
0x087d8b72:  mov    0x4(%esp,1),%edx
0x087d8b76:  mov    %edi,%eax
0x087d8b78:  call   0x80a37c0
0x087d8b7d:  pop    %ecx
0x087d8b7e:  jmp    0x87d8b8e
0x087d8b80:  mov    %esi,%esi
0x087d8b82:  add    0x1200(%ebp,%edx,8),%ecx
0x087d8b89:  mov    (%esp,1),%eax
0x087d8b8c:  mov    %eax,(%ecx)
0x087d8b8e:  pop    %edx
0x087d8b8f:  mov    %ebx,0x10(%ebp)
0x087d8b92:  mov    0x1c(%ebp),%edi
0x087d8b95:  add    $0xffffffe7,%edi
0x087d8b9b:  add    0x108(%ebp),%edi
0x087d8ba1:  sub    $0x10,%esp
0x087d8ba4:  mov    0x38(%ebp),%eax
0x087d8ba7:  mov    %edi,%edx
0x087d8ba9:  shr    $0xc,%edx
0x087d8bac:  mov    %eax,(%esp,1)
0x087d8baf:  and    $0x3,%eax
0x087d8bb2:  and    $0xff,%edx
0x087d8bb8:  cmp    $0x3,%eax
0x087d8bbb:  sete   %al
0x087d8bbe:  movzbl %al,%eax
0x087d8bc1:  mov    %eax,0x8(%esp,1)
0x087d8bc5:  shl    $0x8,%eax
0x087d8bc8:  lea    (%edx,%eax,1),%edx
0x087d8bcb:  mov    %edi,%eax
0x087d8bcd:  and    $0xfffff003,%eax
0x087d8bd2:  cmp    %eax,0x1fc(%ebp,%edx,8)
0x087d8bd9:  mov    %edi,%ecx
0x087d8bdb:  je     0x87d8bf5
0x087d8bdd:  pushl  0x8(%esp,1)
0x087d8be1:  mov    %edi,%eax
0x087d8be3:  call   0x80a35c0
0x087d8be8:  pop    %ecx
0x087d8be9:  mov    %eax,0xc(%esp,1)
0x087d8bed:  mov    0x38(%ebp),%eax
0x087d8bf0:  mov    %eax,(%esp,1)
0x087d8bf3:  jmp    0x87d8c02
0x087d8bf5:  add    0x200(%ebp,%edx,8),%ecx
0x087d8bfc:  mov    (%ecx),%ecx
0x087d8bfe:  mov    %ecx,0xc(%esp,1)
0x087d8c02:  lea    0x4(%edi),%ecx
0x087d8c05:  mov    %ecx,%edx
0x087d8c07:  shr    $0xc,%edx
0x087d8c0a:  andl   $0x3,(%esp,1)
0x087d8c0e:  and    $0xff,%edx
0x087d8c14:  xor    %eax,%eax
0x087d8c16:  cmpl   $0x3,(%esp,1)
0x087d8c1a:  sete   %al
0x087d8c1d:  mov    %eax,0x4(%esp,1)
0x087d8c21:  shl    $0x8,%eax
0x087d8c24:  lea    (%edx,%eax,1),%edx
0x087d8c27:  mov    %ecx,%eax
0x087d8c29:  and    $0xfffff003,%eax
0x087d8c2e:  cmp    %eax,0x1fc(%ebp,%edx,8)
0x087d8c35:  je     0x87d8c45
0x087d8c37:  pushl  0x4(%esp,1)
0x087d8c3b:  mov    %ecx,%eax
0x087d8c3d:  call   0x80a35c0
0x087d8c42:  pop    %edx
0x087d8c43:  jmp    0x87d8c4e
0x087d8c45:  add    0x200(%ebp,%edx,8),%ecx
0x087d8c4c:  mov    (%ecx),%eax
0x087d8c4e:  cmp    0xc(%esp,1),%ebx
0x087d8c52:  jl     0x87d8c58
0x087d8c54:  cmp    %eax,%ebx
0x087d8c56:  jle    0x87d8c67
0x087d8c58:  push   $0x5
0x087d8c5a:  movl   $0x5d716,0x20(%ebp)
0x087d8c61:  call   0x809db68
0x087d8c66:  pop    %eax
0x087d8c67:  add    $0x10,%esp
0x087d8c6a:  mov    0x18(%ebp),%edi
0x087d8c6d:  add    $0x5e,%edi
0x087d8c73:  add    0xf8(%ebp),%edi
0x087d8c79:  mov    %edi,%eax
0x087d8c7b:  shr    $0xc,%eax
0x087d8c7e:  movzbl %al,%ecx
0x087d8c81:  mov    %edi,%eax
0x087d8c83:  and    $0xfffff003,%eax
0x087d8c88:  cmp    %eax,0x1fc(%ebp,%ecx,8)
0x087d8c8f:  mov    %edi,%edx
0x087d8c91:  je     0x87d8ca1
0x087d8c93:  push   $0x0
0x087d8c95:  mov    %edi,%eax
0x087d8c97:  call   0x80a35c0
0x087d8c9c:  pop    %edx
0x087d8c9d:  jmp    0x87d8caa
0x087d8c9f:  mov    %esi,%esi
0x087d8ca1:  add    0x200(%ebp,%ecx,8),%edx
0x087d8ca8:  mov    (%edx),%eax
0x087d8caa:  mov    %eax,%ebx
0x087d8cac:  mov    %ebx,0xc(%ebp)
0x087d8caf:  mov    0x1c(%ebp),%edi
0x087d8cb2:  add    $0x21,%edi
0x087d8cb8:  add    0x18(%ebp),%edi
0x087d8cbb:  add    0xf8(%ebp),%edi
0x087d8cc1:  mov    %edi,%eax
0x087d8cc3:  shr    $0xc,%eax
0x087d8cc6:  movzbl %al,%ecx
0x087d8cc9:  mov    %edi,%eax
0x087d8ccb:  and    $0xfffff003,%eax
0x087d8cd0:  cmp    %eax,0x1fc(%ebp,%ecx,8)
0x087d8cd7:  mov    %edi,%edx
0x087d8cd9:  je     0x87d8ce9
0x087d8cdb:  push   $0x0
0x087d8cdd:  mov    %edi,%eax
0x087d8cdf:  call   0x80a35c0
0x087d8ce4:  pop    %edx
0x087d8ce5:  jmp    0x87d8cf2
0x087d8ce7:  mov    %esi,%esi
0x087d8ce9:  add    0x200(%ebp,%ecx,8),%edx
0x087d8cf0:  mov    (%edx),%eax
0x087d8cf2:  mov    %eax,%ebx
0x087d8cf4:  mov    %ebx,0x0(%ebp)
0x087d8cf7:  mov    0x18(%ebp),%edi
0x087d8cfa:  add    $0x62,%edi
0x087d8d00:  add    0xf8(%ebp),%edi
0x087d8d06:  mov    %edi,%eax
0x087d8d08:  shr    $0xc,%eax
0x087d8d0b:  movzbl %al,%ecx
0x087d8d0e:  mov    %edi,%eax
0x087d8d10:  and    $0xfffff003,%eax
0x087d8d15:  cmp    %eax,0x1fc(%ebp,%ecx,8)
0x087d8d1c:  mov    %edi,%edx
0x087d8d1e:  je     0x87d8d2e
0x087d8d20:  push   $0x0
0x087d8d22:  mov    %edi,%eax
0x087d8d24:  call   0x80a35c0
0x087d8d29:  pop    %edx
0x087d8d2a:  jmp    0x87d8d37
0x087d8d2c:  mov    %esi,%esi
0x087d8d2e:  add    0x200(%ebp,%ecx,8),%edx
0x087d8d35:  mov    (%edx),%eax
0x087d8d37:  mov    %eax,%ebx
0x087d8d39:  mov    %ebx,0x8(%ebp)
0x087d8d3c:  mov    0x8(%ebp),%edi
0x087d8d3f:  add    $0xfffffffd,%edi
0x087d8d45:  add    0xf8(%ebp),%edi
0x087d8d4b:  mov    %edi,%eax
0x087d8d4d:  shr    $0xc,%eax
0x087d8d50:  movzbl %al,%ecx
0x087d8d53:  mov    %edi,%eax
0x087d8d55:  and    $0xfffff003,%eax
0x087d8d5a:  cmp    %eax,0x1fc(%ebp,%ecx,8)
0x087d8d61:  mov    %edi,%edx
0x087d8d63:  je     0x87d8d73
0x087d8d65:  push   $0x0
0x087d8d67:  mov    %edi,%eax
0x087d8d69:  call   0x80a35c0
0x087d8d6e:  pop    %edx
0x087d8d6f:  jmp    0x87d8d7c
0x087d8d71:  mov    %esi,%esi
0x087d8d73:  add    0x200(%ebp,%ecx,8),%edx
0x087d8d7a:  mov    (%edx),%eax
0x087d8d7c:  mov    %eax,%ebx
0x087d8d7e:  mov    %ebx,0x18(%ebp)
0x087d8d81:  mov    0x18(%ebp),%edi
0x087d8d84:  add    $0x6,%edi
0x087d8d8a:  add    0xf8(%ebp),%edi
0x087d8d90:  mov    %edi,%eax
0x087d8d92:  shr    $0xc,%eax
0x087d8d95:  movzbl %al,%ecx
0x087d8d98:  mov    %edi,%eax
0x087d8d9a:  and    $0xfffff003,%eax
0x087d8d9f:  cmp    %eax,0x1fc(%ebp,%ecx,8)
0x087d8da6:  mov    %edi,%edx
0x087d8da8:  je     0x87d8db8
0x087d8daa:  push   $0x0
0x087d8dac:  mov    %edi,%eax
0x087d8dae:  call   0x80a35c0
0x087d8db3:  pop    %edx
0x087d8db4:  jmp    0x87d8dc1
0x087d8db6:  mov    %esi,%esi
0x087d8db8:  add    0x200(%ebp,%ecx,8),%edx
0x087d8dbf:  mov    (%edx),%eax
0x087d8dc1:  mov    %eax,%ebx
0x087d8dc3:  mov    $0x5d72a,%esi
0x087d8dc8:  mov    0x10(%ebp),%edi
0x087d8dcb:  sub    $0x4,%edi
0x087d8dce:  add    0xe8(%ebp),%edi
0x087d8dd4:  mov    %edi,%eax
0x087d8dd6:  shr    $0xc,%eax
0x087d8dd9:  push   %edx
0x087d8dda:  movzbl %al,%edx
0x087d8ddd:  mov    %edi,%eax
0x087d8ddf:  and    $0xfffff003,%eax
0x087d8de4:  cmp    %eax,0x11fc(%ebp,%edx,8)
0x087d8deb:  mov    %edi,%ecx
0x087d8ded:  mov    %esi,(%esp,1)
0x087d8df0:  je     0x87d8e04
0x087d8df2:  push   $0x0
0x087d8df4:  mov    0x4(%esp,1),%edx
0x087d8df8:  mov    %edi,%eax
0x087d8dfa:  call   0x80a37c0
0x087d8dff:  pop    %eax
0x087d8e00:  jmp    0x87d8e10
0x087d8e02:  mov    %esi,%esi
0x087d8e04:  add    0x1200(%ebp,%edx,8),%ecx
0x087d8e0b:  mov    (%esp,1),%eax
0x087d8e0e:  mov    %eax,(%ecx)
0x087d8e10:  pop    %eax
0x087d8e11:  addl   $0xfffffffc,0x10(%ebp)
0x087d8e18:  mov    %ebx,0x20(%ebp)
0x087d8e1b:  xor    %ebx,%ebx
0x087d8e1d:  ret    

EAX=0002ba2f EBX=0001c9af ECX=000cebf0 EDX=00013417
ESI=0003750e EDI=0000006d EBP=000cded8 ESP=000cdeb9
EIP=0005d72a EFL=00040002 [-------]    CPL=0 II=0 A20=1
ES =0020 00100000 fff00fff 00cf9310
CS =0018 00100000 fff00fff 00cf9a10
SS =0020 00100000 fff00fff 00cf9310
DS =0020 00100000 fff00fff 00cf9310
FS =0028 00100000 fff00fff 00cf9310
GS =0010 00000000 ffffffff 00cf9300
LDT=0000 00000000 0000ffff 00008000
TR =0000 00000000 0000ffff 00008000
GDT=     00100330 0000003f
IDT=     001018a8 000003f7
CR0=60000011 CR2=00000000 CR3=00000000 CR4=00000000
CCS=00000044 CCD=00000000 CCO=EFLAGS  
----------------


Regards,
-- 
Frode Vatvedt Fjeld




