From: Tommy Huang
Subject: [Qemu-devel] Modify TLB entry
Date: Sun, 5 Jul 2009 22:03:46 -0700
Hi All,

I was trying to redirect the instruction fetch to a different page. The way I used is to modify the TLB entry. The following is the code I extracted from the SecureQEMU project. The code is inside a function which is called by "gen_intermediate_code".

```c
/* cte[] maps a guest code page to a replacement page (pte1); note the
   assignment inside the condition is as in the extracted code */
if(pte1 = cte[env->eip >> TARGET_PAGE_BITS]) {
    /* make sure the current page (and the next one) have TLB entries */
    cpu_x86_handle_mmu_fault(env, env->eip, 0, 1, 1);
    cpu_x86_handle_mmu_fault(env, env->eip + TARGET_PAGE_SIZE, 0, 1, 1);

    //Poison TLB Cache (Current Page + next page if needed)
    index1 = (env->eip >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
    temp_addend1 = env->tlb_table[1][index1].addend;
    /* addend = host_page - guest_page, so fetches at eip land in pte1 */
    env->tlb_table[1][index1].addend = (pte1 - (env->eip & TARGET_PAGE_MASK));

    ret = gen_intermediate_code_internal(env, tb, search_pc);

    //Unpoison the TLB
    env->tlb_table[1][index1].addend = temp_addend1;
    if(pte2)
        env->tlb_table[1][index2].addend = temp_addend2;
    ...
}
```

In my case, it still fetches code from the original page instead of pte1. I am sure control flow really entered this if block. Poisoning the TLB seems not to be working for me. What is wrong here? I was wondering if the soft MMU is not turned on here, so it never uses the tlb_table.

btw, I use qemu 0.9.0, a pretty old version, for compatibility. Any hint or suggestion is appreciated. Thanks in advance.

Regards,
Tommy
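The following is an added, self-contained model of the softmmu TLB mechanism the post relies on; it is not QEMU's code and not from SecureQEMU. It keeps the shape of a CPUTLBEntry (a page tag plus an `addend` equal to host page minus guest page), fills entries the way a page walk would, and then redirects a code fetch by rewriting the addend exactly as the snippet above does. The part worth checking against the real tree: the fetch consults the table selected by the MMU index (on x86 softmmu, kernel versus user mode), so an addend written into `tlb_table[1]` only changes what a fetch sees while the guest runs at CPL 3. The page contents, addresses and the two-table layout below are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TARGET_PAGE_BITS 12
#define TARGET_PAGE_SIZE (1u << TARGET_PAGE_BITS)
#define TARGET_PAGE_MASK (~(TARGET_PAGE_SIZE - 1))
#define CPU_TLB_SIZE     256
#define NB_MMU_MODES     2          /* 0 = kernel, 1 = user (x86 softmmu layout) */

typedef uint32_t target_ulong;

/* Toy CPUTLBEntry: tag of the guest page valid for code fetch, plus the
   host-minus-guest offset used by the fast path. */
typedef struct {
    target_ulong addr_code;         /* guest page tag, or an invalid value */
    uintptr_t    addend;            /* host_page - guest_page */
} TLBEntry;

typedef struct {
    TLBEntry tlb_table[NB_MMU_MODES][CPU_TLB_SIZE];
    int      cpl;                   /* current privilege level of the guest */
} CPUState;

/* x86 picks the user table only when running at CPL 3. */
static int cpu_mmu_index(const CPUState *env) { return env->cpl == 3 ? 1 : 0; }

static unsigned tlb_index(target_ulong vaddr) {
    return (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
}

/* Fill one entry, the way a successful page walk would. */
static void tlb_set_page(CPUState *env, int mmu_idx, target_ulong vaddr,
                         const uint8_t *host_page) {
    TLBEntry *e = &env->tlb_table[mmu_idx][tlb_index(vaddr)];
    e->addr_code = vaddr & TARGET_PAGE_MASK;
    e->addend    = (uintptr_t)host_page - (vaddr & TARGET_PAGE_MASK);
}

/* Code fetch fast path: tag check, then host = addend + vaddr.
   Returns -1 on a miss (the real path would refill the entry). */
static int ldub_code(CPUState *env, target_ulong vaddr) {
    TLBEntry *e = &env->tlb_table[cpu_mmu_index(env)][tlb_index(vaddr)];
    if (e->addr_code != (vaddr & TARGET_PAGE_MASK))
        return -1;
    return *(const uint8_t *)(e->addend + vaddr);
}

/* The redirection from the post: rewrite the addend so the same guest
   address resolves into a different host page. Returns the old addend. */
static uintptr_t poison_tlb(CPUState *env, int mmu_idx, target_ulong vaddr,
                            const uint8_t *new_host_page) {
    TLBEntry *e = &env->tlb_table[mmu_idx][tlb_index(vaddr)];
    uintptr_t old = e->addend;
    e->addend = (uintptr_t)new_host_page - (vaddr & TARGET_PAGE_MASK);
    return old;
}

/* Run the poison / fetch / unpoison sequence with the guest at `cpl` while
   poisoning table `poison_idx`. Returns 1 if the fetch was redirected and
   correctly restored, 0 if the poisoned entry was never consulted. */
static int redirect_observed(int cpl, int poison_idx) {
    static uint8_t orig_page[TARGET_PAGE_SIZE], shadow_page[TARGET_PAGE_SIZE];
    memset(orig_page,   0x90, sizeof orig_page);    /* constructed: NOPs */
    memset(shadow_page, 0xCC, sizeof shadow_page);  /* constructed: INT3s */

    CPUState env;
    memset(&env, 0xff, sizeof env);                 /* every tag invalid */
    env.cpl = cpl;

    target_ulong eip = 0x00401010;                  /* constructed address */
    tlb_set_page(&env, 0, eip, orig_page);
    tlb_set_page(&env, 1, eip, orig_page);

    int before = ldub_code(&env, eip);
    uintptr_t saved = poison_tlb(&env, poison_idx, eip, shadow_page);
    int after = ldub_code(&env, eip);
    env.tlb_table[poison_idx][tlb_index(eip)].addend = saved;   /* unpoison */
    int restored = ldub_code(&env, eip);

    return before == 0x90 && restored == 0x90 && after == 0xCC;
}

int main(void) {
    printf("CPL3, poison user table:   %d\n", redirect_observed(3, 1));
    printf("CPL0, poison user table:   %d\n", redirect_observed(0, 1));
    printf("CPL0, poison kernel table: %d\n", redirect_observed(0, 0));
    return 0;
}
```

The model keeps the addend arithmetic in unsigned integers on purpose: `host - guest_page` wraps, and `addend + vaddr` wraps back to the host pointer, which is what makes the one-addition fast path work. Against a real tree, the equivalent check is to confirm which `mmu_idx` (or `is_user` in older versions) the code-fetch helper uses at the moment `gen_intermediate_code` runs, and to poison that table's entry.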