qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1904210] Re: Crashed with 'uncaught target signal SIGILL' while pro

From: Peter Maydell
Subject: [Bug 1904210] Re: Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler)
Date: Tue, 17 Nov 2020 14:39:34 -0000 
This binary doesn't execute on a real Arm CPU (it takes a SIGTRAP when
it executes the first 'udf 1' insn), so I suspect it's never been tested
on anything except QEMU and it happened to rely on incorrect older
signal handling emulation in previous QEMU versions.

As far as I can see the binary executes an illegal insn ("udf 1"), which
causes a SIGILL on QEMU; execution continues inside the SIGILL handler
and the binary then executes another "udf 1". Since the SIGILL signal is
still blocked we can't invoke the handler again and so this time around
it's fatal.

If you still think QEMU has a bug in here, please provide more details
of exactly what the guest program does and where QEMU diverges from real
Arm Linux kernel behaviour.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904210

Title:
  Crashed with 'uncaught target signal SIGILL' while program has
  registered by signal(SIGILL, handler)

Status in QEMU:
  New

Bug description:
  This binary is an CTF reverse challenge binary, it registers signal
  handler via 'signal(SIGILL, 0x1193D);' while 0x1193D is the SIGILL
  handler.

  Please see the attachment, the file 'repair' is the binary i mentioned
  above, the file 'qemu-arm' is an old version qemu at 2.5.0, and it
  seems an official release (not modified).

  Which means, it could be a bug in recent release.

  You need to input 'flag{' to the stdin to let the binary execute the
  illegal instruction at 0x10A68.

  In 2.5.0 version the -strace logs:
  116 uname(0xf6ffed40) = 0
  116 brk(NULL) = 0x0009f000
  116 brk(0x0009fd00) = 0x0009fd00
  116 readlink("/proc/self/exe",0xf6ffde78,4096) = 21
  116 brk(0x000c0d00) = 0x000c0d00
  116 brk(0x000c1000) = 0x000c1000
  116 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
  116 rt_sigaction(SIGILL,0xf6ffec48,0xf6ffecd4) = 0
  116 fstat64(1,0xf6ffe8e8) = 0
  116 ioctl(1,21505,-151000980,-151000924,652480,640808) = 0
  116 fstat64(0,0xf6ffe7d0) = 0
  116 ioctl(0,21505,-151001260,-151001204,652480,641152) = 0
  116 write(1,0xa5548,6)input: = 6
  116 read(0,0xa6550,4096)flag{
   = 6
  116 write(1,0xa5548,7)wrong!
   = 7
  116 _llseek(0,4294967295,4294967295,0xf6ffee18,SEEK_CUR) = -1 errno=29 
(Illegal seek)
  116 exit_group(0)

  In 2.11.1, it shows:
  113 uname(0xfffeed30) = 0
  113 brk(NULL) = 0x0009f000
  113 brk(0x0009fd00) = 0x0009fd00
  113 readlink("/proc/self/exe",0xfffede68,4096) = 21
  113 brk(0x000c0d00) = 0x000c0d00
  113 brk(0x000c1000) = 0x000c1000
  113 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
  113 rt_sigaction(SIGILL,0xfffeec38,0xfffeecc4) = 0
  113 fstat64(1,0xfffee8d8) = 0
  113 ioctl(1,21505,-71588,-71532,652480,640808) = 0
  113 fstat64(0,0xfffee7c0) = 0
  113 ioctl(0,21505,-71868,-71812,652480,641152) = 0
  113 write(1,0xa5548,6)input: = 6
  113 read(0,0xa6550,4096)flag{
   = 6
  --- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x00010a68} ---
  --- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x0001182c} ---
  qemu: uncaught target signal 4 (Illegal instruction) - core dumped
  Illegal instruction (core dumped)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904210/+subscriptions
reply via email to
[Prev in Thread] Current Thread [Next in Thread]