[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Bug: fstenv is wrongly implemented
|
From: |
Ziqiao Kong |
|
Subject: |
Bug: fstenv is wrongly implemented |
|
Date: |
Fri, 2 Apr 2021 16:29:38 +0800 |
Hello everyone,
I am an active maintainer of Unicorn engine
(https://github.com/unicorn-engine). During my development, I found
that the fstenv implementation in qemu upstream is incorrect.
Below is the code snippet from target/i386/tcg/fpu_helper.c
(https://github.com/qemu/qemu/blob/266469947161aa10b1d36843580d369d5aa38589/target/i386/tcg/fpu_helper.c#L2393).
> cpu_stl_data_ra(env, ptr, env->fpuc, retaddr);
> cpu_stl_data_ra(env, ptr + 4, fpus, retaddr);
> cpu_stl_data_ra(env, ptr + 8, fptag, retaddr);
> cpu_stl_data_ra(env, ptr + 12, 0, retaddr); /* fpip */
> cpu_stl_data_ra(env, ptr + 16, 0, retaddr); /* fpcs */
> cpu_stl_data_ra(env, ptr + 20, 0, retaddr); /* fpoo */
> cpu_stl_data_ra(env, ptr + 24, 0, retaddr); /* fpos */
The value of fpip is wrongly set to 0, which should be env->fpip at
least I think. In real-world usage, the fstenv is often used to obtain
the current eip value from the FIP field in shellcode.
According to git blame, this bug is introduced about 13 years ago:
https://github.com/qemu/qemu/blame/633decd71119a4293e5e53e6059026c517a8bef0/target-i386/fpu_helper.c#L997.
We also had a patch for this bug:
https://github.com/unicorn-engine/unicorn/commit/59b09a71bfc6fd8b95357944f6be9aa54f424421
which you may refer to. I can also help draft a patch if necessary.
I'm pretty new to qemu-devel mail list and sorry for any violation of
your convention. Thanks in advance!
Ziqiao
- Bug: fstenv is wrongly implemented,
Ziqiao Kong <=