* [Bug 1904210] [NEW] Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler)
@ 2020-11-13 14:42 Wang Zhongwei
2020-11-17 14:39 ` [Bug 1904210] " Peter Maydell
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Wang Zhongwei @ 2020-11-13 14:42 UTC (permalink / raw)
To: qemu-devel
Public bug reported:
This binary is an CTF reverse challenge binary, it registers signal
handler via 'signal(SIGILL, 0x1193D);' while 0x1193D is the SIGILL
handler.
Please see the attachment, the file 'repair' is the binary i mentioned
above, the file 'qemu-arm' is an old version qemu at 2.5.0, and it seems
an official release (not modified).
Which means, it could be a bug in recent release.
You need to input 'flag{' to the stdin to let the binary execute the
illegal instruction at 0x10A68.
In 2.5.0 version the -strace logs:
116 uname(0xf6ffed40) = 0
116 brk(NULL) = 0x0009f000
116 brk(0x0009fd00) = 0x0009fd00
116 readlink("/proc/self/exe",0xf6ffde78,4096) = 21
116 brk(0x000c0d00) = 0x000c0d00
116 brk(0x000c1000) = 0x000c1000
116 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
116 rt_sigaction(SIGILL,0xf6ffec48,0xf6ffecd4) = 0
116 fstat64(1,0xf6ffe8e8) = 0
116 ioctl(1,21505,-151000980,-151000924,652480,640808) = 0
116 fstat64(0,0xf6ffe7d0) = 0
116 ioctl(0,21505,-151001260,-151001204,652480,641152) = 0
116 write(1,0xa5548,6)input: = 6
116 read(0,0xa6550,4096)flag{
= 6
116 write(1,0xa5548,7)wrong!
= 7
116 _llseek(0,4294967295,4294967295,0xf6ffee18,SEEK_CUR) = -1 errno=29 (Illegal seek)
116 exit_group(0)
In 2.11.1, it shows:
113 uname(0xfffeed30) = 0
113 brk(NULL) = 0x0009f000
113 brk(0x0009fd00) = 0x0009fd00
113 readlink("/proc/self/exe",0xfffede68,4096) = 21
113 brk(0x000c0d00) = 0x000c0d00
113 brk(0x000c1000) = 0x000c1000
113 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
113 rt_sigaction(SIGILL,0xfffeec38,0xfffeecc4) = 0
113 fstat64(1,0xfffee8d8) = 0
113 ioctl(1,21505,-71588,-71532,652480,640808) = 0
113 fstat64(0,0xfffee7c0) = 0
113 ioctl(0,21505,-71868,-71812,652480,641152) = 0
113 write(1,0xa5548,6)input: = 6
113 read(0,0xa6550,4096)flag{
= 6
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x00010a68} ---
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x0001182c} ---
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Illegal instruction (core dumped)
** Affects: qemu
Importance: Undecided
Status: New
** Attachment added: "repair.zip"
https://bugs.launchpad.net/bugs/1904210/+attachment/5434169/+files/repair.zip
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904210
Title:
Crashed with 'uncaught target signal SIGILL' while program has
registered by signal(SIGILL, handler)
Status in QEMU:
New
Bug description:
This binary is an CTF reverse challenge binary, it registers signal
handler via 'signal(SIGILL, 0x1193D);' while 0x1193D is the SIGILL
handler.
Please see the attachment, the file 'repair' is the binary i mentioned
above, the file 'qemu-arm' is an old version qemu at 2.5.0, and it
seems an official release (not modified).
Which means, it could be a bug in recent release.
You need to input 'flag{' to the stdin to let the binary execute the
illegal instruction at 0x10A68.
In 2.5.0 version the -strace logs:
116 uname(0xf6ffed40) = 0
116 brk(NULL) = 0x0009f000
116 brk(0x0009fd00) = 0x0009fd00
116 readlink("/proc/self/exe",0xf6ffde78,4096) = 21
116 brk(0x000c0d00) = 0x000c0d00
116 brk(0x000c1000) = 0x000c1000
116 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
116 rt_sigaction(SIGILL,0xf6ffec48,0xf6ffecd4) = 0
116 fstat64(1,0xf6ffe8e8) = 0
116 ioctl(1,21505,-151000980,-151000924,652480,640808) = 0
116 fstat64(0,0xf6ffe7d0) = 0
116 ioctl(0,21505,-151001260,-151001204,652480,641152) = 0
116 write(1,0xa5548,6)input: = 6
116 read(0,0xa6550,4096)flag{
= 6
116 write(1,0xa5548,7)wrong!
= 7
116 _llseek(0,4294967295,4294967295,0xf6ffee18,SEEK_CUR) = -1 errno=29 (Illegal seek)
116 exit_group(0)
In 2.11.1, it shows:
113 uname(0xfffeed30) = 0
113 brk(NULL) = 0x0009f000
113 brk(0x0009fd00) = 0x0009fd00
113 readlink("/proc/self/exe",0xfffede68,4096) = 21
113 brk(0x000c0d00) = 0x000c0d00
113 brk(0x000c1000) = 0x000c1000
113 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
113 rt_sigaction(SIGILL,0xfffeec38,0xfffeecc4) = 0
113 fstat64(1,0xfffee8d8) = 0
113 ioctl(1,21505,-71588,-71532,652480,640808) = 0
113 fstat64(0,0xfffee7c0) = 0
113 ioctl(0,21505,-71868,-71812,652480,641152) = 0
113 write(1,0xa5548,6)input: = 6
113 read(0,0xa6550,4096)flag{
= 6
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x00010a68} ---
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x0001182c} ---
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Illegal instruction (core dumped)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904210/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread* [Bug 1904210] Re: Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler)
2020-11-13 14:42 [Bug 1904210] [NEW] Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler) Wang Zhongwei
@ 2020-11-17 14:39 ` Peter Maydell
2020-11-17 16:08 ` Peter Maydell
2021-05-09 14:10 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2020-11-17 14:39 UTC (permalink / raw)
To: qemu-devel
This binary doesn't execute on a real Arm CPU (it takes a SIGTRAP when
it executes the first 'udf 1' insn), so I suspect it's never been tested
on anything except QEMU and it happened to rely on incorrect older
signal handling emulation in previous QEMU versions.
As far as I can see the binary executes an illegal insn ("udf 1"), which
causes a SIGILL on QEMU; execution continues inside the SIGILL handler
and the binary then executes another "udf 1". Since the SIGILL signal is
still blocked we can't invoke the handler again and so this time around
it's fatal.
If you still think QEMU has a bug in here, please provide more details
of exactly what the guest program does and where QEMU diverges from real
Arm Linux kernel behaviour.
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904210
Title:
Crashed with 'uncaught target signal SIGILL' while program has
registered by signal(SIGILL, handler)
Status in QEMU:
New
Bug description:
This binary is an CTF reverse challenge binary, it registers signal
handler via 'signal(SIGILL, 0x1193D);' while 0x1193D is the SIGILL
handler.
Please see the attachment, the file 'repair' is the binary i mentioned
above, the file 'qemu-arm' is an old version qemu at 2.5.0, and it
seems an official release (not modified).
Which means, it could be a bug in recent release.
You need to input 'flag{' to the stdin to let the binary execute the
illegal instruction at 0x10A68.
In 2.5.0 version the -strace logs:
116 uname(0xf6ffed40) = 0
116 brk(NULL) = 0x0009f000
116 brk(0x0009fd00) = 0x0009fd00
116 readlink("/proc/self/exe",0xf6ffde78,4096) = 21
116 brk(0x000c0d00) = 0x000c0d00
116 brk(0x000c1000) = 0x000c1000
116 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
116 rt_sigaction(SIGILL,0xf6ffec48,0xf6ffecd4) = 0
116 fstat64(1,0xf6ffe8e8) = 0
116 ioctl(1,21505,-151000980,-151000924,652480,640808) = 0
116 fstat64(0,0xf6ffe7d0) = 0
116 ioctl(0,21505,-151001260,-151001204,652480,641152) = 0
116 write(1,0xa5548,6)input: = 6
116 read(0,0xa6550,4096)flag{
= 6
116 write(1,0xa5548,7)wrong!
= 7
116 _llseek(0,4294967295,4294967295,0xf6ffee18,SEEK_CUR) = -1 errno=29 (Illegal seek)
116 exit_group(0)
In 2.11.1, it shows:
113 uname(0xfffeed30) = 0
113 brk(NULL) = 0x0009f000
113 brk(0x0009fd00) = 0x0009fd00
113 readlink("/proc/self/exe",0xfffede68,4096) = 21
113 brk(0x000c0d00) = 0x000c0d00
113 brk(0x000c1000) = 0x000c1000
113 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
113 rt_sigaction(SIGILL,0xfffeec38,0xfffeecc4) = 0
113 fstat64(1,0xfffee8d8) = 0
113 ioctl(1,21505,-71588,-71532,652480,640808) = 0
113 fstat64(0,0xfffee7c0) = 0
113 ioctl(0,21505,-71868,-71812,652480,641152) = 0
113 write(1,0xa5548,6)input: = 6
113 read(0,0xa6550,4096)flag{
= 6
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x00010a68} ---
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x0001182c} ---
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Illegal instruction (core dumped)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904210/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread* [Bug 1904210] Re: Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler)
2020-11-13 14:42 [Bug 1904210] [NEW] Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler) Wang Zhongwei
2020-11-17 14:39 ` [Bug 1904210] " Peter Maydell
@ 2020-11-17 16:08 ` Peter Maydell
2021-05-09 14:10 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2020-11-17 16:08 UTC (permalink / raw)
To: qemu-devel
This patch makes QEMU's linux-user emulation follow the real kernel's handling of "udf 1" (and the other magic-treat-like-breakpoint insns) and deliver a SIGTRAP:
https://patchew.org/QEMU/20201117155634.6924-1-peter.maydell@linaro.org/
Your binary still won't run even with that patch, but it doesn't run on
real hardware either, so I think that the remaining issues are bugs in
your binary, not in QEMU.
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904210
Title:
Crashed with 'uncaught target signal SIGILL' while program has
registered by signal(SIGILL, handler)
Status in QEMU:
New
Bug description:
This binary is an CTF reverse challenge binary, it registers signal
handler via 'signal(SIGILL, 0x1193D);' while 0x1193D is the SIGILL
handler.
Please see the attachment, the file 'repair' is the binary i mentioned
above, the file 'qemu-arm' is an old version qemu at 2.5.0, and it
seems an official release (not modified).
Which means, it could be a bug in recent release.
You need to input 'flag{' to the stdin to let the binary execute the
illegal instruction at 0x10A68.
In 2.5.0 version the -strace logs:
116 uname(0xf6ffed40) = 0
116 brk(NULL) = 0x0009f000
116 brk(0x0009fd00) = 0x0009fd00
116 readlink("/proc/self/exe",0xf6ffde78,4096) = 21
116 brk(0x000c0d00) = 0x000c0d00
116 brk(0x000c1000) = 0x000c1000
116 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
116 rt_sigaction(SIGILL,0xf6ffec48,0xf6ffecd4) = 0
116 fstat64(1,0xf6ffe8e8) = 0
116 ioctl(1,21505,-151000980,-151000924,652480,640808) = 0
116 fstat64(0,0xf6ffe7d0) = 0
116 ioctl(0,21505,-151001260,-151001204,652480,641152) = 0
116 write(1,0xa5548,6)input: = 6
116 read(0,0xa6550,4096)flag{
= 6
116 write(1,0xa5548,7)wrong!
= 7
116 _llseek(0,4294967295,4294967295,0xf6ffee18,SEEK_CUR) = -1 errno=29 (Illegal seek)
116 exit_group(0)
In 2.11.1, it shows:
113 uname(0xfffeed30) = 0
113 brk(NULL) = 0x0009f000
113 brk(0x0009fd00) = 0x0009fd00
113 readlink("/proc/self/exe",0xfffede68,4096) = 21
113 brk(0x000c0d00) = 0x000c0d00
113 brk(0x000c1000) = 0x000c1000
113 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
113 rt_sigaction(SIGILL,0xfffeec38,0xfffeecc4) = 0
113 fstat64(1,0xfffee8d8) = 0
113 ioctl(1,21505,-71588,-71532,652480,640808) = 0
113 fstat64(0,0xfffee7c0) = 0
113 ioctl(0,21505,-71868,-71812,652480,641152) = 0
113 write(1,0xa5548,6)input: = 6
113 read(0,0xa6550,4096)flag{
= 6
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x00010a68} ---
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x0001182c} ---
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Illegal instruction (core dumped)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904210/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread* [Bug 1904210] Re: Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler)
2020-11-13 14:42 [Bug 1904210] [NEW] Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler) Wang Zhongwei
2020-11-17 14:39 ` [Bug 1904210] " Peter Maydell
2020-11-17 16:08 ` Peter Maydell
@ 2021-05-09 14:10 ` Thomas Huth
2 siblings, 0 replies; 4+ messages in thread
From: Thomas Huth @ 2021-05-09 14:10 UTC (permalink / raw)
To: qemu-devel
Peter's patch had been included here:
https://gitlab.com/qemu-project/qemu/-/commit/acebed948c4f2f3be89
... so I'm closing this issue now. If you still think that there is anything left to do here, please open a new ticket in our new bug tracker here: https://gitlab.com/qemu-project/qemu/-/issues
** Changed in: qemu
Status: New => Fix Released
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1904210
Title:
Crashed with 'uncaught target signal SIGILL' while program has
registered by signal(SIGILL, handler)
Status in QEMU:
Fix Released
Bug description:
This binary is an CTF reverse challenge binary, it registers signal
handler via 'signal(SIGILL, 0x1193D);' while 0x1193D is the SIGILL
handler.
Please see the attachment, the file 'repair' is the binary i mentioned
above, the file 'qemu-arm' is an old version qemu at 2.5.0, and it
seems an official release (not modified).
Which means, it could be a bug in recent release.
You need to input 'flag{' to the stdin to let the binary execute the
illegal instruction at 0x10A68.
In 2.5.0 version the -strace logs:
116 uname(0xf6ffed40) = 0
116 brk(NULL) = 0x0009f000
116 brk(0x0009fd00) = 0x0009fd00
116 readlink("/proc/self/exe",0xf6ffde78,4096) = 21
116 brk(0x000c0d00) = 0x000c0d00
116 brk(0x000c1000) = 0x000c1000
116 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
116 rt_sigaction(SIGILL,0xf6ffec48,0xf6ffecd4) = 0
116 fstat64(1,0xf6ffe8e8) = 0
116 ioctl(1,21505,-151000980,-151000924,652480,640808) = 0
116 fstat64(0,0xf6ffe7d0) = 0
116 ioctl(0,21505,-151001260,-151001204,652480,641152) = 0
116 write(1,0xa5548,6)input: = 6
116 read(0,0xa6550,4096)flag{
= 6
116 write(1,0xa5548,7)wrong!
= 7
116 _llseek(0,4294967295,4294967295,0xf6ffee18,SEEK_CUR) = -1 errno=29 (Illegal seek)
116 exit_group(0)
In 2.11.1, it shows:
113 uname(0xfffeed30) = 0
113 brk(NULL) = 0x0009f000
113 brk(0x0009fd00) = 0x0009fd00
113 readlink("/proc/self/exe",0xfffede68,4096) = 21
113 brk(0x000c0d00) = 0x000c0d00
113 brk(0x000c1000) = 0x000c1000
113 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
113 rt_sigaction(SIGILL,0xfffeec38,0xfffeecc4) = 0
113 fstat64(1,0xfffee8d8) = 0
113 ioctl(1,21505,-71588,-71532,652480,640808) = 0
113 fstat64(0,0xfffee7c0) = 0
113 ioctl(0,21505,-71868,-71812,652480,641152) = 0
113 write(1,0xa5548,6)input: = 6
113 read(0,0xa6550,4096)flag{
= 6
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x00010a68} ---
--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x0001182c} ---
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Illegal instruction (core dumped)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1904210/+subscriptions
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-05-09 14:21 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-13 14:42 [Bug 1904210] [NEW] Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler) Wang Zhongwei
2020-11-17 14:39 ` [Bug 1904210] " Peter Maydell
2020-11-17 16:08 ` Peter Maydell
2021-05-09 14:10 ` Thomas Huth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).