Diffstat (limited to 'results/classifier/118/debug/1904210')

-rw-r--r--  results/classifier/118/debug/1904210 | 101

1 file changed, 101 insertions, 0 deletions
diff --git a/results/classifier/118/debug/1904210 b/results/classifier/118/debug/1904210
new file mode 100644
index 000000000..68f13c216
--- /dev/null
+++ b/results/classifier/118/debug/1904210
@@ -0,0 +1,101 @@
+debug: 0.918
+graphic: 0.909
+register: 0.906
+semantic: 0.902
+TCG: 0.896
+device: 0.888
+arm: 0.885
+ppc: 0.885
+architecture: 0.884
+performance: 0.882
+permissions: 0.879
+mistranslation: 0.878
+assembly: 0.873
+vnc: 0.873
+risc-v: 0.853
+PID: 0.852
+hypervisor: 0.842
+x86: 0.842
+files: 0.841
+kernel: 0.840
+user-level: 0.839
+socket: 0.836
+KVM: 0.834
+peripherals: 0.832
+network: 0.830
+boot: 0.824
+VMM: 0.815
+i386: 0.659
+virtual: 0.614
+
+Crashed with 'uncaught target signal SIGILL' while program has registered by signal(SIGILL, handler)
+
+This binary is an CTF reverse challenge binary, it registers signal handler via 'signal(SIGILL, 0x1193D);' while 0x1193D is the SIGILL handler.
+
+Please see the attachment, the file 'repair' is the binary i mentioned above, the file 'qemu-arm' is an old version qemu at 2.5.0, and it seems an official release (not modified).
+
+Which means, it could be a bug in recent release.
+
+You need to input 'flag{' to the stdin to let the binary execute the illegal instruction at 0x10A68.
+
+In 2.5.0 version the -strace logs:
+116 uname(0xf6ffed40) = 0
+116 brk(NULL) = 0x0009f000
+116 brk(0x0009fd00) = 0x0009fd00
+116 readlink("/proc/self/exe",0xf6ffde78,4096) = 21
+116 brk(0x000c0d00) = 0x000c0d00
+116 brk(0x000c1000) = 0x000c1000
+116 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
+116 rt_sigaction(SIGILL,0xf6ffec48,0xf6ffecd4) = 0
+116 fstat64(1,0xf6ffe8e8) = 0
+116 ioctl(1,21505,-151000980,-151000924,652480,640808) = 0
+116 fstat64(0,0xf6ffe7d0) = 0
+116 ioctl(0,21505,-151001260,-151001204,652480,641152) = 0
+116 write(1,0xa5548,6)input: = 6
+116 read(0,0xa6550,4096)flag{
+ = 6
+116 write(1,0xa5548,7)wrong!
+ = 7
+116 _llseek(0,4294967295,4294967295,0xf6ffee18,SEEK_CUR) = -1 errno=29 (Illegal seek)
+116 exit_group(0)
+
+In 2.11.1, it shows:
+113 uname(0xfffeed30) = 0
+113 brk(NULL) = 0x0009f000
+113 brk(0x0009fd00) = 0x0009fd00
+113 readlink("/proc/self/exe",0xfffede68,4096) = 21
+113 brk(0x000c0d00) = 0x000c0d00
+113 brk(0x000c1000) = 0x000c1000
+113 access("/etc/ld.so.nohwcap",F_OK) = -1 errno=2 (No such file or directory)
+113 rt_sigaction(SIGILL,0xfffeec38,0xfffeecc4) = 0
+113 fstat64(1,0xfffee8d8) = 0
+113 ioctl(1,21505,-71588,-71532,652480,640808) = 0
+113 fstat64(0,0xfffee7c0) = 0
+113 ioctl(0,21505,-71868,-71812,652480,641152) = 0
+113 write(1,0xa5548,6)input: = 6
+113 read(0,0xa6550,4096)flag{
+ = 6
+--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x00010a68} ---
+--- SIGILL {si_signo=SIGILL, si_code=2, si_addr=0x0001182c} ---
+qemu: uncaught target signal 4 (Illegal instruction) - core dumped
+Illegal instruction (core dumped)
+
+
+
+This binary doesn't execute on a real Arm CPU (it takes a SIGTRAP when it executes the first 'udf 1' insn), so I suspect it's never been tested on anything except QEMU and it happened to rely on incorrect older signal handling emulation in previous QEMU versions.
+
+As far as I can see the binary executes an illegal insn ("udf 1"), which causes a SIGILL on QEMU; execution continues inside the SIGILL handler and the binary then executes another "udf 1". Since the SIGILL signal is still blocked we can't invoke the handler again and so this time around it's fatal.
+
+If you still think QEMU has a bug in here, please provide more details of exactly what the guest program does and where QEMU diverges from real Arm Linux kernel behaviour.
+
+
+This patch makes QEMU's linux-user emulation follow the real kernel's handling of "udf 1" (and the other magic-treat-like-breakpoint insns) and deliver a SIGTRAP:
+https://<email address hidden>/
+
+Your binary still won't run even with that patch, but it doesn't run on real hardware either, so I think that the remaining issues are bugs in your binary, not in QEMU.
+
+
+Peter's patch had been included here:
+https://gitlab.com/qemu-project/qemu/-/commit/acebed948c4f2f3be89
+... so I'm closing this issue now. If you still think that there is anything left to do here, please open a new ticket in our new bug tracker here: https://gitlab.com/qemu-project/qemu/-/issues
+
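Review bot: the score block at the top of this file (`debug: 0.918` down to `VMM: 0.815`) does not discriminate between labels: 27 of the 29 scores lie within about 0.10 of the top one, and only `i386: 0.659` and `virtual: 0.614` fall clearly lower, yet the file records no threshold, margin or selection rule, so a reader cannot tell from the file alone whether "debug" was chosen because it is the maximum or because it cleared some cutoff; consider adding the decision criterion (or the classifier version) next to the scores, and a marker separating the scores from the copied report text rather than relying on a blank line. Two smaller points in the same hunk: the line `https://<email address hidden>/` is a tracker redaction placeholder, not a resolvable URL, so the reference to Peter's patch is effectively lost here and is better recorded as "link redacted" than as a URL-shaped string; and the report text mixes two `-strace` transcripts whose first columns (`116`, `113`) are the emulated PIDs, which is worth a one-line note since the classifier has `PID: 0.852` as a label and the numbers are otherwise easy to mistake for line numbers.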