Bug 1493304
| Summary: | SIGSEGV in qemu-arm | | |
|---|---|---|---|
| Product: | Fedora | Reporter: | John Reiser <jreiser> |
| Component: | qemu | Assignee: | Fedora Virtualization Maintainers <virt-maint> |
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 27 | CC: | amit, berrange, cfergeau, crobinso, dwmw2, itamar, pbonzini, rjones, virt-maint |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-09-20 22:34:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
John Reiser
2017-09-19 21:10:26 UTC
Created attachment 1328167: "./foo" 32-bit ARM executable
Runs natively on 32-bit ARM Fedora 27 (see strace at end of Description), gets SIGSEGV under qemu-arm on x86_64.
The ARM instructions in the vicinity of the SIGSEGV during emulation by qemu-arm:

=====
0xf703704c: ldr r2,mflg_here    // pc+856
            orr r2,r2,r3        @ modify the instruction =>
            str r2,mflg_here    // pc+848   the faulting instruction
[[snip about 848 bytes]]
0xf70373ac: mflg_here:          // The next instruction is re-written once.
            orr r3,r3,#0        @ flags |= MAP_{PRIVATE|ANON}  [QNX vs Linux]
=====

The modified instruction at 0xf70373ac is covered by the mmap2(0xf7000000,228092,PROT_EXEC|PROT_READ|PROT_WRITE, ...) because 0x373ac is 226220, which is less than 228092, so the address has PROT_WRITE access. The word at 0xf70373ac was written (by storing 4 consecutive bytes individually) exactly once before, may have been read afterwards, but never has been executed or otherwise written, and at 848 bytes ahead of pc is outside the range of any prefetch for instruction caching. Therefore the access should be allowed, and an actual 32-bit armv7hl ARM processor does allow it.

Thanks for the report. Is this a regression, or is it your first time trying qemu for this? If it isn't a regression, I suggest taking this to qemu-devel; it can probably get straightened out quickly.

This is the first time. Inquiry sent to qemu-devel.

Distilled from [qemu-devel]: qemu-arm wants 0xf7000000 and above for itself, and doesn't always protect it enough. There may be a workaround using something like "-R 0xfffe0000", but it is easier just to avoid 0xf7000000 and above. Note also that qemu-arm on a program which is ET_DYN (-fpie) puts the stack below the code (which is just below 0xf7000000).
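The access pattern the report describes (a word inside an RWX mapping, stored byte by byte and read back, far from the executing code), as an added host-side harness that is not part of the bug report or of qemu: it maps a region with the report's size and offset (the base address is passed only as a hint), performs the four byte stores and the word read-back, and converts a SIGSEGV into a return value so the same source can be compared natively and under an emulator. The function names and the stored sample word are assumptions of this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
/* The report's arithmetic: does the 4-byte word at `addr` lie inside the
 * mapping [base, base+len)?  (0xf70373ac - 0xf7000000 = 0x373ac = 226220 < 228092) */
int word_in_mapping(uintptr_t base, size_t len, uintptr_t addr)
{
    return addr >= base && addr + 4 <= base + len;
}

static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Map `len` bytes RWX near `hint` (a hint only, not MAP_FIXED), store `word` at
 * byte offset `off` with four single-byte stores, then read it back as a word.
 * Returns 0 if the word reads back intact, 1 if it does not, -1 if the store or
 * load raised SIGSEGV (the failure the report describes), -2 on bad arguments. */
int probe_rwx_store(uintptr_t hint, size_t len, size_t off, uint32_t word)
{
    if (off % 4 != 0 || off + 4 > len) return -2;
    uint8_t *p = mmap((void *)hint, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -2;
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int rc = -1;                    /* stays -1 if on_segv jumps back here */
    if (sigsetjmp(fault_env, 1) == 0) {
        for (int i = 0; i < 4; i++)          /* little-endian byte order, as on ARM and x86 */
            p[off + i] = (uint8_t)(word >> (8 * i));
        uint32_t back;
        memcpy(&back, p + off, sizeof back); /* the word-sized read-back */
        rc = (back == word) ? 0 : 1;
    }
    sigaction(SIGSEGV, &old, NULL);          /* restore the previous handler */
    munmap(p, len);
    return rc;
}

int main(void)
{   /* size and offset from the report; the stored word is a constructed sample value */
    return probe_rwx_store(0xf7000000u, 228092, 0x373ac, 0xdeadbeefu) != 0;
}
```

Run natively the exit status is 0; a -1 result (exit status 1) under an emulator reproduces the fault the report describes without needing the original ./foo binary.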