1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
id = 1722
title = "qemu-mipsn32: Illegal Instruction at `exts` instruction"
state = "closed"
created_at = "2023-06-23T00:26:09.313Z"
closed_at = "2024-08-20T06:50:14.350Z"
labels = ["target: mips"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/1722"
host-os = "Ubuntu 20.04.1"
host-arch = "x86_64"
qemu-version = "8.0.50"
guest-os = "- OS/kernel version:"
guest-arch = "N32 MIPS64"
description = """Run with the command above, I got this error:
```
qemu-mipsn32 run
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Illegal instruction (core dumped)
```
I then tried to debug the program with qemu option `-g 1234` and know that
```
$ gdb-multiarch run
...
pwndbg> target remote 0:1234
...
pwndbg> c
Continuing.
Program received signal SIGILL, Illegal instruction.
0x3f7d2434 in ?? () from /lib32/ld.so.1
warning: GDB can't find the start of the function at 0x3f7d2434.
x/10i
pwndbg> x/10i $pc
=> 0x3f7d2434:\t0x7047f03a
0x3f7d2438:\tlui\ta3,0x7000
0x3f7d243c:\tori\ta3,a3,0x5e
0x3f7d2440:\tb\t0x3f7d241c
0x3f7d2444:\tsubu\tv0,a3,v0
0x3f7d2448:\tsltiu\ta7,a3,-3
0x3f7d244c:\tbnezl\ta7,0x3f7d246c
0x3f7d2450:\tsubu\ta3,a4,v0
0x3f7d2454:\taddiu\ta3,a3,1
0x3f7d2458:\tli\tv0,-4
```
So I know the problem is in libc32/ld.so.1. When I dissasemble that file and look at offset 0x4434, it's an `exts` instruction as below:
```
$ file /lib32/ld.so.1
/lib32/ld-2.15.so: ELF 32-bit MSB shared object, MIPS, N32 MIPS64 rel2 version 1 (SYSV), dynamically linked, stripped
$ ./mips64-n32--glibc--stable-2022.08-1/bin/mips64-buildroot-linux-gnu-objdump -d /lib32/ld.so.1 | less
...
4434: 7047f03a exts a3,v0,0x0,0x1e
4438: 3c077000 lui a3,0x7000
443c: 34e7005e ori a3,a3,0x5e
4440: 1000fff6 b 441c <GLIBC_2.0@@GLIBC_2.0+0x441c>
4444: 00e21023 subu v0,a3,v0
4448: 2cebfffd sltiu a7,a3,-3
444c: 55600007 bnezl a7,446c <GLIBC_2.0@@GLIBC_2.0+0x446c>
4450: 01023823 subu a3,a4,v0
4454: 24e70001 addiu a3,a3,1
4458: 2402fffc li v0,-4
```"""
reproduce = """1. Download toolchain of mips64-n32 on toolchains.bootlin.com [here](https://toolchains.bootlin.com/releases_mips64-n32.html)
2. Write this c code to file `run.c`:
```c
#include <stdio.h>
int main(){
\tputs("hello world");
\twhile (1);
}
```
3. Compile file run.c with downloaded toolchain:
```
mips64-n32--glibc--stable-2022.08-1/bin/mips64-buildroot-linux-gnu-gcc run.c -o run
```
> Step 1, 2 and 3 can be skip if you download the attached `run` file.
4. Download the attached ld
5. Make new dir at `/lib32` and move the file ld to `/lib32`
6. Run command `qemu-mipsn32 run`"""
additional = """[ld-2.15.so](/uploads/95f4da26e42d43d39aa2350670134bb5/ld-2.15.so)
[run](/uploads/01be57442009a75cf2f59cbcf53474f4/run)"""
|