qemu-devel

[Qemu-devel] qemu-arm SIGSEGV for self-modifying code


From: John Reiser
Subject: [Qemu-devel] qemu-arm SIGSEGV for self-modifying code
Date: Tue, 19 Sep 2017 16:13:50 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

[Moving here from  https://bugzilla.redhat.com/show_bug.cgi?id=1493304 ]

qemu-arm from qemu-user-2.10.0-1.fc27.x86_64 (thus emulating 32-bit ARM on x86_64)
generates SIGSEGV when code modifies a never-previously executed instruction
that is on a writable page and is 848 bytes ahead of pc.
A real armv7l processor allows this and executes as desired.
Why the difference?  How can it be changed?  Where is the documentation?

=====  the real processor (RaspberryPi 3B in 32-bit mode running Fedora 27)
model name      : ARMv7 Processor rev 4 (v7l)
BogoMIPS        : 38.40
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd03
CPU revision    : 4
=====

The memory region in question is allocated via
  mmap2(0xf7000000,228092,PROT_EXEC|PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED,-1,0) = 0xf7000000
[and not changed via mprotect()] and written once to contain:
=====
0xf703704c:
        ldr r2,mflg_here  // pc+856
        orr r2,r2,r3  @ modify the instruction
=>      str r2,mflg_here  // pc+848    the faulting instruction

     [[snip about 848 bytes containing instructions only]]

0xf70373ac:
  mflg_here:  // The next instruction is re-written once.
        orr r3,r3,#0  @ flags |= MAP_{PRIVATE|ANON}  [QNX vs Linux]
=====
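Editor's added example (not part of the report above, and not QEMU code): a minimal native reproducer for the pattern the report describes. It maps an anonymous RWX region with the same protections as the report's mmap2 call, emits a two-instruction "return immediate" stub, runs it, overwrites the instruction in place, flushes the instruction cache with __builtin___clear_cache, and runs it again. It builds for x86_64, AArch64 and 32-bit ARM so the same binary can be compared on a Raspberry Pi and under qemu-arm; the stub encodings, the helper names (smc_demo, smc_value, write_imm, imm_fits) and the 4096-byte mapping size are this example's own choices. Unlike the report, the store comes from C rather than from code on the same page, and the patched instruction has already been executed once before it is rewritten.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

typedef int (*stub_fn)(void);

/* Per-architecture two-instruction stub meaning "return <imm>".  The
 * immediate sits at a fixed offset so it can be rewritten in place.
 * Encodings are the example's own, not taken from the report. */
#if defined(__x86_64__)
/* b8 imm32 = mov eax, imm32 ; c3 = ret */
static const uint8_t kStub[] = {0xb8, 0x00, 0x00, 0x00, 0x00, 0xc3};
static int imm_fits(int v) { (void)v; return 1; }
static void write_imm(uint8_t *code, int v) { memcpy(code + 1, &v, sizeof v); }
#elif defined(__aarch64__)
/* 0x52800000 = movz w0, #imm16 ; 0xd65f03c0 = ret */
static const uint32_t kStub[] = {0x52800000, 0xd65f03c0};
static int imm_fits(int v) { return v >= 0 && v <= 0xffff; }
static void write_imm(uint8_t *code, int v) {
    uint32_t insn = 0x52800000u | ((uint32_t)v << 5);
    memcpy(code, &insn, sizeof insn);
}
#elif defined(__arm__)
/* 0xe3a00000 = mov r0, #imm8 (ARM state, no rotation) ; 0xe12fff1e = bx lr */
static const uint32_t kStub[] = {0xe3a00000, 0xe12fff1e};
static int imm_fits(int v) { return v >= 0 && v <= 0xff; }
static void write_imm(uint8_t *code, int v) {
    uint32_t insn = 0xe3a00000u | (uint32_t)v;
    memcpy(code, &insn, sizeof insn);
}
#else
#error "unsupported architecture"
#endif

/* Map an RWX region (same PROT_* as the report's mmap2), emit a stub that
 * returns `first`, run it, rewrite the immediate to `second` in place,
 * flush the I-cache, run it again.  out[0] and out[1] receive the two
 * results.  Returns 0 on success, -1 if the kernel refuses an RWX mapping
 * (e.g. an execmem policy), -2 if a value does not fit the encoding. */
int smc_demo(int first, int second, int out[2]) {
    if (!imm_fits(first) || !imm_fits(second)) return -2;

    size_t len = 4096;
    uint8_t *code = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) return -1;

    memcpy(code, kStub, sizeof kStub);
    write_imm(code, first);
    /* ARM cores have separate I/D caches: without this the CPU may fetch
     * stale bytes.  On x86 it is a no-op but keeps the code portable. */
    __builtin___clear_cache((char *)code, (char *)code + sizeof kStub);
    stub_fn fn = (stub_fn)code;
    out[0] = fn();

    /* The self-modification: store over an instruction that was already
     * executed, then execute it again from the same RWX page. */
    write_imm(code, second);
    __builtin___clear_cache((char *)code, (char *)code + sizeof kStub);
    out[1] = fn();

    munmap(code, len);
    return 0;
}

/* Convenience wrapper: returns out[which] (which = 0 or 1) from smc_demo,
 * or smc_demo's negative error code. */
int smc_value(int first, int second, int which) {
    int out[2];
    int rc = smc_demo(first, second, out);
    return rc != 0 ? rc : out[which & 1];
}

int main(void) {
    int r[2];
    int rc = smc_demo(42, 7, r);
    if (rc != 0) { fprintf(stderr, "smc_demo failed: %d\n", rc); return 1; }
    printf("before patch: %d, after patch: %d\n", r[0], r[1]);
    return 0;
}
```

Build with the native gcc on the Pi (or an arm-linux-gnueabihf cross toolchain) and run the same binary under qemu-arm; a SIGSEGV on the second fn() call, or on the store that precedes it, is the behaviour the report asks about, while the hardware run should print both values. On an ARM host the 32-bit stub starts in ARM state regardless of whether the C code is Thumb, because the function-pointer address has bit 0 clear and bx lr returns to the caller's state.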
