
Re: [Qemu-devel] bug report : kqemu and self-writing code


From: Fabrice Bellard
Subject: Re: [Qemu-devel] bug report : kqemu and self-writing code
Date: Tue, 02 May 2006 23:04:41 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

To clarify the current behaviour of kqemu and QEMU with self-writing code, the following table can be useful:

Supported feature   QEMU                    kqemu
----------------------------------------------------
CS.limit             no                     yes
NX bit               yes (x86_64 only)      no

So you can understand now why in some cases QEMU or kqemu does not seem to give what you expect. Fixing both issues is of course possible but it is not my priority yet.

Fabrice.

G Portokalidis wrote:
I had a similar problem, but only when not using kqemu.

When using a stack overflow exploit, the shellcode provided only
executes when using kqemu. I can attribute this to either the
shellcode being in a different location (maybe someone can clarify
this, is qemu using a different memory layout e.g. stack is located in
a different virtual address), or qemu does not translate the shellcode
located in the stack and instead causes a memory fault (again I have
no idea why this should be the case).

When using kqemu the shellcode executes normally.
I did not have any time to investigate the reasons, but I have a hunch
it is probably the translation.
If anyone knows what the problem is, I would be glad to write a patch.


On 02/05/06, Kevin F. Quinn <address@hidden> wrote:

Looks like SELinux to me.  Even - you should raise it with whoever
writes your policy.

On Mon, 01 May 2006 23:29:54 +0200
Fabrice Bellard <address@hidden> wrote:

> Are you sure that the bug is really in kqemu ? It is possible that
> your guest kernel implements a security system which prevents self
> modifying code using segment limits which QEMU does not check (but
> kqemu checks them !).
>
> Regards,
>
> Fabrice.
>
> Even Rouault wrote:
> > Guest OS : Linux 2.6.15-1.2054_FC5 i686 (Fedora Core 5 i386)
> > Host OS: Linux 2.6.12-10-amd64-k8 #1 x86_64 (Ubuntu 5.10 amd64)
> > QEMU Version : today CVS compiled with kqemu support
> > KQEMU : 1.3.0pre6
> > Binary used : qemu-system-x86-64 (so kqemu user-mode is used)
> >
> > I'm running the simple C code attached. With kqemu user-mode, this
> > fails (sigsegv) with the following warning in dmesg:
> >
> > audit(1146505373.813:12): avc:  denied { execheap } for pid=1860
> > comm="selfmodifying scontext=user_u:system_r:unconfined_t:s0
> > tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> > Erreur de segmentation
> >
> > Without kqemu enabled, it runs fine.
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > #define _XOPEN_SOURCE 600
> > #include <sys/mman.h>
> > #include <unistd.h>
> > #include <stdlib.h>
> > #include <stdio.h>
> >
> > int main(int argc, char** argv)
> > {
> >   int pagesize = getpagesize();
> >   unsigned char* addr = NULL;
> >   /* page-aligned heap buffer, then made RWX: this is the "execheap" case */
> >   if (posix_memalign((void**)&addr, pagesize, pagesize) != 0) {
> >     perror("posix_memalign");
> >     return 1;
> >   }
> >   if (mprotect(addr, pagesize, PROT_WRITE | PROT_READ | PROT_EXEC) != 0) {
> >     perror("mprotect");
> >     return 1;
> >   }
> >   /* mov    0x4(%esp),%eax */
> >   addr[0] = 0x8b; addr[1] = 0x44; addr[2] = 0x24; addr[3] = 0x04;
> >   /* add    $0x1,%eax */
> >   addr[4] = 0x83; addr[5] = 0xc0; addr[6] = 0x01;
> >   /* ret */
> >   addr[7] = 0xc3;
> >
> >   /* the call into heap memory is what the SELinux execheap rule denies */
> >   printf("10+1=%d\n", ((int (*)(int))addr)(10));
> >   free(addr);
> >   return 0;
> > }
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Qemu-devel mailing list
> > address@hidden
> > http://lists.nongnu.org/mailman/listinfo/qemu-devel
>
>
>


--
Kevin F. Quinn





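Added example, not code from the thread: the same "add one" stub that Even's test program writes, rebuilt W^X style in an anonymous mapping (RW first, then RX) with every syscall result checked, so a policy refusal such as the SELinux execheap/execmem denial discussed above is reported instead of ending in a segfault. The x86_64 byte sequence, the function name and the error codes are assumptions of this example, not from the page.

```c
/* Added example: W^X variant of the posted self-modifying test. The code
 * lives in an anonymous mmap, never on the malloc heap, and the page is
 * never writable and executable at the same time. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns in+1 computed by the generated code (call with in >= 0), or a
 * negative code: -1 = not an x86 build, -2 = mmap/mprotect refused. */
int jit_add_one(int in)
{
#if defined(__i386__)
    /* mov 0x4(%esp),%eax ; add $0x1,%eax ; ret  (cdecl: arg on the stack) */
    static const unsigned char code[] = {0x8b,0x44,0x24,0x04,0x83,0xc0,0x01,0xc3};
#elif defined(__x86_64__)
    /* lea 0x1(%rdi),%eax ; ret  (SysV ABI: first int arg in %edi; assumed) */
    static const unsigned char code[] = {0x8d,0x47,0x01,0xc3};
#else
    static const unsigned char code[1] = {0};  /* unused: unsupported arch */
    return -1;
#endif
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    /* Step 1: writable but not executable. */
    void *p = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        perror("mmap");
        return -2;
    }
    memcpy(p, code, sizeof code);
    /* Step 2: drop write, add execute. A W^X kernel, exec-shield or an
     * SELinux execmem rule may refuse this; report it, do not crash. */
    if (mprotect(p, pagesize, PROT_READ | PROT_EXEC) != 0) {
        perror("mprotect");
        munmap(p, pagesize);
        return -2;
    }
    int result = ((int (*)(int))p)(in);
    munmap(p, pagesize);
    return result;
}

int main(void)
{
    int r = jit_add_one(10);
    printf(r < 0 ? "generated code not run (code %d)\n" : "10+1=%d\n", r);
    return r < 0;
}
```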