bug-bash

Re: Bash's malloc does not work within qemu-user when compiled with PIE


From: Eduardo A . Bustamante López
Subject: Re: Bash's malloc does not work within qemu-user when compiled with PIE enabled
Date: Fri, 16 Feb 2018 10:59:21 -0600
User-agent: Mutt/1.9.3 (2018-01-21)

> On 2/14/18 3:38 AM, Raphael Hertzog wrote:
[...]
> > Isn't it possible that sbrk() returns that pointer to you and you treat
> > it as being an error instead of a valid address?

The problem is in QEMU:

    address@hidden:~$ cat sbrk.c 
    #include <stdio.h>
    #include <unistd.h>
    int main() {
        fprintf(stderr, "%ld\n", (long)sbrk(0));
        fprintf(stderr, "%ld\n", (long)sbrk(4096));
        return 0;
    }

    address@hidden:~$ gcc -o sbrk sbrk.c

    address@hidden:~$ ./sbrk 
    94870340603904
    94870340603904

    address@hidden:~$ qemu-x86_64 ./sbrk 
    warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5]
    274880012288
    -1

    address@hidden:~$ gcc -o sbrk sbrk.c -no-pie

    address@hidden:~$ qemu-x86_64 ./sbrk 
    warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5]
    6299648
    6299648


i.e. the QEMU emulated `brk' system call returns -1 (ENOMEM) to a simple 4096
byte request. This causes bash's `pagealign()' function to fail, and thus the
error propagates into internal_malloc, and all the way up to xmalloc. See:

  http://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c?h=devel#n765


I suspect the problem might be in the implementation of the `brk' system call in
QEMU, i.e. do_brk:

  https://github.com/qemu/qemu/blob/master/linux-user/syscall.c#L1091
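The failure mode described in this message is an `sbrk()` call returning `(void *)-1` for a modest, page-sized request. The program below is an added illustration, not code from bash or from the thread: it shows the page-alignment step that a `pagealign()`-style allocator performs on the program break, checks the `sbrk()` result against `(void *)-1` rather than treating any large address as an error, and, when the break cannot be grown, falls back to an anonymous `mmap()` so the caller still receives page-aligned memory. The helper `get_pages()`, the `page_source` enum and `is_page_aligned()` are hypothetical names chosen for this example; the environment-dependent part is which path is taken, which is reported back through the `src` argument.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Which backing store the request ended up on (hypothetical, for this example). */
enum page_source { SRC_NONE = 0, SRC_SBRK = 1, SRC_MMAP = 2 };

static long page_size(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    return pagesz > 0 ? pagesz : 4096;   /* assumption: 4096 if sysconf fails */
}

static int is_page_aligned(const void *p)
{
    return ((uintptr_t)p & ((uintptr_t)page_size() - 1)) == 0;
}

/* Grab `nbytes` (rounded up to whole pages) of page-aligned memory.
 * First try the program break, the way a pagealign()-style allocator does;
 * if the break cannot be moved (sbrk returns (void *)-1, as the message
 * reports under qemu-user with a PIE binary), fall back to mmap().
 * `*src` says which path succeeded and `*err` carries errno from the
 * failed sbrk, if any. Returns NULL only if both paths fail. */
static void *get_pages(size_t nbytes, enum page_source *src, int *err)
{
    size_t pagesz = (size_t)page_size();
    size_t rounded = (nbytes + pagesz - 1) & ~(pagesz - 1);

    *src = SRC_NONE;
    *err = 0;
    errno = 0;

    char *cur = sbrk(0);
    /* The only error value is (void *)-1; any other address, however large,
     * is a valid break and must not be mistaken for a failure. */
    if (cur != (char *)-1) {
        uintptr_t misalign = (uintptr_t)cur & (pagesz - 1);
        intptr_t adjust = misalign ? (intptr_t)(pagesz - misalign) : 0;
        /* Pad the break up to the next page boundary, then take the request;
         * sbrk() returns the old break, which is now page aligned. */
        if (adjust == 0 || sbrk(adjust) != (void *)-1) {
            void *p = sbrk((intptr_t)rounded);
            if (p != (void *)-1) {
                *src = SRC_SBRK;
                return p;
            }
        }
    }
    *err = errno;   /* ENOMEM is what the message reports from QEMU's brk emulation */

    /* Fallback independent of the program break: anonymous private mapping,
     * which the kernel (and qemu-user) hands back page aligned. */
    void *m = mmap(NULL, rounded, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return NULL;
    *src = SRC_MMAP;
    return m;
}

int main(void)
{
    enum page_source src;
    int err;
    void *p = get_pages(4096, &src, &err);
    if (p == NULL) {
        fprintf(stderr, "both sbrk and mmap failed (errno %d)\n", err);
        return 1;
    }
    memset(p, 0xAB, 4096);   /* prove the memory is writable */
    fprintf(stderr, "got %p via %s (sbrk errno %d), aligned=%d\n",
            p, src == SRC_SBRK ? "sbrk" : "mmap", err, is_page_aligned(p));
    return 0;
}
```

Run natively, the output shows the sbrk path; under the emulator described in the message the same binary would report the mmap path with the errno that `brk` emulation produced, which is the quickest way to confirm whether the fault lies with the allocator's error check or with the emulated system call.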


