Re: [Qemu-devel] [PATCHv3 0/2] Preparing safe sigprocmask wrapper on qemu-user

Mon, 19 Nov 2012 11:02:40 -0800 

ping



On Sat, Oct 20, 2012 at 4:15 PM, Alex Barcelo <abarc...@ac.upc.edu> wrote:

> qemu-user needs SIGSEGV (at least) for some internal use. If the guest
> application masks it and does unsafe sigprocmask, then the application
> crashes. Problems happen in applications with self-modifying code (who
> also change the signal mask). Other guest applications may have related
> problems if they use the SIGSEGV.
>
> A way to be more safe is adding a wrapper for all sigprocmask calls from
> the guest. The wrapper proposed here is quite simple, but the code can
> be improved, here I try to ensure that the wrapper is set up properly.
>
> Changes in v3:
>  - Wrapping also sigreturn's sigprocmask calls (on signal.c)
>
> Here, a test case where qemu-user goes wrong:
>
> ////////////
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/mman.h>
> #include <malloc.h>
> #include <signal.h>
>
> unsigned char *testfun;
>
> int main ( void )
> {
>     unsigned int ra;
>     testfun=memalign(getpagesize(),1024);
>     // We block the SIGSEGV signal, used by qemu-user
>     sigset_t set;
>     sigemptyset(&set);
>     sigaddset(&set, 11);
>     sigprocmask(SIG_BLOCK, &set, NULL);
>     mprotect(testfun, 1024, PROT_READ|PROT_EXEC|PROT_WRITE);
>
>     //400687: b8 0d 00 00 00          mov    $0xd,%eax
>     //40068d: c3                      retq
>     testfun[ 0]=0xb8;
>     testfun[ 1]=0x0d;
>     testfun[ 2]=0x00;
>     testfun[ 3]=0x00;
>     testfun[ 4]=0x00;
>     testfun[ 5]=0xc3;
>     printf ( "0x%02X\n",
>              ((unsigned int (*)())testfun)() );
>
>     //400687: b8 20 00 00 00          mov    $0x20,%eax
>     //40068d: c3                      retq
>     // This self-modifying code will break because of the sigsegv signal
> block
>     testfun[ 1]=0x20;
>     printf ( "0x%02X\n",
>              ((unsigned int (*)())testfun)() );
> }
> ////////////
>
> On an i386 native host:
> 0x0D
> 0x20
>
> On a non-patched qemu-i386:
> 0x0D
> Segmentation fault
>
> Alex Barcelo (2):
>   signal: added a wrapper for sigprocmask function
>   signal: sigsegv protection on do_sigprocmask
>
>  linux-user/qemu.h    |    1 +
>  linux-user/signal.c  |   27 +++++++++++++++++++++++++++
>  linux-user/syscall.c |   14 +++++++-------
>  3 files changed, 35 insertions(+), 7 deletions(-)
>
> --
> 1.7.5.4
>
>

Reply via email to