From: Ziqiao Kong <ziqiaokong@gmail.com>
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, ehabkost@redhat.com, rth@twiddle.net
Subject: Bug: fstenv is wrongly implemented
Date: Fri, 2 Apr 2021 16:29:38 +0800 [thread overview]
Message-ID: <CAM0BWNCTD_oe3BgKQUqG41fgFqGCXVh1gaiMqJpvXbR4Fh5vHg@mail.gmail.com> (raw)
Hello everyone,
I am an active maintainer of Unicorn engine
(https://github.com/unicorn-engine). During my development, I found
that the fstenv implementation in qemu upstream is incorrect.
Below is the code snippet from target/i386/tcg/fpu_helper.c
(https://github.com/qemu/qemu/blob/266469947161aa10b1d36843580d369d5aa38589/target/i386/tcg/fpu_helper.c#L2393).
> cpu_stl_data_ra(env, ptr, env->fpuc, retaddr);
> cpu_stl_data_ra(env, ptr + 4, fpus, retaddr);
> cpu_stl_data_ra(env, ptr + 8, fptag, retaddr);
> cpu_stl_data_ra(env, ptr + 12, 0, retaddr); /* fpip */
> cpu_stl_data_ra(env, ptr + 16, 0, retaddr); /* fpcs */
> cpu_stl_data_ra(env, ptr + 20, 0, retaddr); /* fpoo */
> cpu_stl_data_ra(env, ptr + 24, 0, retaddr); /* fpos */
The value of fpip is wrongly set to 0, which should be env->fpip at
least I think. In real-world usage, the fstenv is often used to obtain
the current eip value from the FIP field in shellcode.
According to git blame, this bug is introduced about 13 years ago:
https://github.com/qemu/qemu/blame/633decd71119a4293e5e53e6059026c517a8bef0/target-i386/fpu_helper.c#L997.
We also had a patch for this bug:
https://github.com/unicorn-engine/unicorn/commit/59b09a71bfc6fd8b95357944f6be9aa54f424421
which you may refer to. I can also help draft a patch if necessary.
I'm pretty new to qemu-devel mail list and sorry for any violation of
your convention. Thanks in advance!
Ziqiao
next reply other threads:[~2021-04-02 8:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-02 8:29 Ziqiao Kong [this message]
2021-04-02 8:45 ` Bug: fstenv is wrongly implemented Paolo Bonzini
2021-04-02 8:56 ` Ziqiao Kong
2021-04-02 9:01 ` Paolo Bonzini
2021-04-02 10:48 ` Peter Maydell
2021-04-06 13:16 ` Ziqiao Kong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAM0BWNCTD_oe3BgKQUqG41fgFqGCXVh1gaiMqJpvXbR4Fh5vHg@mail.gmail.com \
--to=ziqiaokong@gmail.com \
--cc=ehabkost@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).