[Qemu-devel] qemu-arm SIGSEGV for self-modifying code
From: John Reiser
Subject: [Qemu-devel] qemu-arm SIGSEGV for self-modifying code
Date: Tue, 19 Sep 2017 16:13:50 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
[Moving here from https://bugzilla.redhat.com/show_bug.cgi?id=1493304 ]
qemu-arm from qemu-user-2.10.0-1.fc27.x86_64 (thus emulating 32-bit ARM on x86_64)
generates SIGSEGV when code modifies a never-previously executed instruction
that is on a writable page and is 848 bytes ahead of pc.
A real armv7l processor allows this and executes as desired.
Why the difference? How can it be changed? Where is the documentation?
===== the real processor (RaspberryPi 3B in 32-bit mode running Fedora 27)
model name : ARMv7 Processor rev 4 (v7l)
BogoMIPS : 38.40
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xd03
CPU revision : 4
=====
The memory region in question is allocated via
mmap2(0xf7000000,228092,PROT_EXEC|PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED,-1,0) = 0xf7000000
[and not changed via mprotect()] and written once to contain:
=====
0xf703704c:
ldr r2,mflg_here // pc+856
orr r2,r2,r3 @ modify the instruction
=> str r2,mflg_here // pc+848 the faulting instruction
[[snip about 848 bytes containing instructions only]]
0xf70373ac:
mflg_here: // The next instruction is re-written once.
orr r3,r3,#0 @ flags |= MAP_{PRIVATE|ANON} [QNX vs Linux]
=====