[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bash's malloc does not work within qemu-user when compiled with PIE
|
From: |
Eduardo A . Bustamante López |
|
Subject: |
Re: Bash's malloc does not work within qemu-user when compiled with PIE enabled |
|
Date: |
Fri, 16 Feb 2018 10:59:21 -0600 |
|
User-agent: |
Mutt/1.9.3 (2018-01-21) |
> On 2/14/18 3:38 AM, Raphael Hertzog wrote:
[...]
> > Isn't it possible that sbrk() returns that pointer to you and you treat
> > it as being an error instead of a valid address?
The problem is in QEMU:
dualbus@ubuntu:~$ cat sbrk.c
#include <stdio.h>
#include <unistd.h>
int main() {
fprintf(stderr, "%ld\n", (long)sbrk(0));
fprintf(stderr, "%ld\n", (long)sbrk(4096));
return 0;
}
dualbus@ubuntu:~$ gcc -o sbrk sbrk.c
dualbus@ubuntu:~$ ./sbrk
94870340603904
94870340603904
dualbus@ubuntu:~$ qemu-x86_64 ./sbrk
warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5]
274880012288
-1
dualbus@ubuntu:~$ gcc -o sbrk sbrk.c -no-pie
dualbus@ubuntu:~$ qemu-x86_64 ./sbrk
warning: TCG doesn't support requested feature: CPUID.01H:ECX.vmx [bit 5]
6299648
6299648
i.e. the QEMU emulated `brk' system call returns -1 (ENOMEM) to a simple 4096
byte request. This causes bash's `pagealign()' function to fail, and thus the
error propagates into internal_malloc, and all the way up to xmalloc. See:
http://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c?h=devel#n765
I suspect the problem might be in the implementation of the `brk' system call in
QEMU, i.e. do_brk:
https://github.com/qemu/qemu/blob/master/linux-user/syscall.c#L1091