linux-user: make syscall emulation interruptible
The syscall emulation code previously wasn't interruptible via cpu_loop_exit(), as this construct relies on a longjmp target that is not live anymore in the syscall handling code. Consequently, longjmp() would operate on a (potentially overwritten) stale jump buffer. This patch adds an additional setjmp and the necessary handling around it to make longjmp() (and by proxy cpu_loop_exit()) safe to call even within a syscall context. Reviewed-by: Warner Losh <imp@bsdimp.com> Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Florian Hofhammer <florian.hofhammer@epfl.ch> Link: https://lore.kernel.org/qemu-devel/20260305-setpc-v5-v7-3-4c3adba52403@epfl.ch Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
This commit is contained in:
committed by
Pierrick Bouvier
parent
d16ffa4244
commit
9097087147
@@ -181,7 +181,7 @@ void cpu_loop(CPUARMState *env)
|
||||
0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->pc -= 4;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->xregs[0] = ret;
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -82,7 +82,7 @@ void cpu_loop(CPUAlphaState *env)
|
||||
env->pc -= 4;
|
||||
break;
|
||||
}
|
||||
if (sysret == -QEMU_ESIGRETURN) {
|
||||
if (sysret == -QEMU_ESIGRETURN || sysret == -QEMU_ESETPC) {
|
||||
break;
|
||||
}
|
||||
/* Syscall writes 0 to V0 to bypass error check, similar
|
||||
|
||||
@@ -399,7 +399,7 @@ void cpu_loop(CPUARMState *env)
|
||||
0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->regs[15] -= env->thumb ? 2 : 4;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->regs[0] = ret;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -56,7 +56,7 @@ void cpu_loop(CPUHexagonState *env)
|
||||
0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->gpr[HEX_REG_PC] -= 4;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->gpr[0] = ret;
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -124,6 +124,7 @@ void cpu_loop(CPUHPPAState *env)
|
||||
break;
|
||||
case -QEMU_ERESTARTSYS:
|
||||
case -QEMU_ESIGRETURN:
|
||||
case -QEMU_ESETPC:
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -181,7 +181,9 @@ static void emulate_vsyscall(CPUX86State *env)
|
||||
if (ret == -TARGET_EFAULT) {
|
||||
goto sigsegv;
|
||||
}
|
||||
env->regs[R_EAX] = ret;
|
||||
if (ret != -QEMU_ESETPC) {
|
||||
env->regs[R_EAX] = ret;
|
||||
}
|
||||
|
||||
/* Emulate a ret instruction to leave the vsyscall page. */
|
||||
env->eip = caller;
|
||||
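Review bot: The guard added around the R_EAX store does not cover the `env->eip = caller;` that follows it, so when do_syscall() returns -QEMU_ESETPC the PC a plugin has just installed is overwritten by the emulated ret — unless qemu_plugin_set_pc() writes somewhere other than env->eip, which nothing in the hunk shows. The smaller fix is an early exit in place of the guarded assignment: `if (ret == -QEMU_ESETPC) { return; }`. Whether the stack adjustment that the "emulate a ret instruction" comment implies should also be skipped after a diversion is a design choice, but it should be stated in that comment either way. emulate_vsyscall() begins before the hunk and its ret emulation continues past it.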
@@ -234,7 +236,7 @@ void cpu_loop(CPUX86State *env)
|
||||
0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->eip -= 2;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->regs[R_EAX] = ret;
|
||||
}
|
||||
break;
|
||||
@@ -253,7 +255,7 @@ void cpu_loop(CPUX86State *env)
|
||||
0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->eip -= 2;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->regs[R_EAX] = ret;
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -29,4 +29,12 @@
|
||||
*/
|
||||
#define QEMU_ESIGRETURN 513
|
||||
|
||||
/*
|
||||
* This is returned after a plugin has used the qemu_plugin_set_pc API, to
|
||||
* indicate that the plugin deliberately changed the PC and potentially
|
||||
* modified the register values. The main loop should not touch the guest
|
||||
* registers for this reason.
|
||||
*/
|
||||
#define QEMU_ESETPC 514
|
||||
|
||||
#endif /* SPECIAL_ERRNO_H */
|
||||
|
||||
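Review bot: The new comment says what the main loop must not do but not what every consumer of a do_syscall() result has to check, and since -QEMU_ESETPC is an in-band sentinel in the syscall return path that contract belongs in this header. I would add to the block: `Every caller of do_syscall() must test for -QEMU_ESETPC before storing the result in a guest register or emulating a return sequence; like the other values here it must never reach the guest.` The x86 vsyscall change in this same commit shows the gap: it guards the register store but not the PC update that follows it. The header's earlier definitions lie before the hunk.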
@@ -44,9 +44,10 @@ void cpu_loop(CPULoongArchState *env)
|
||||
env->pc -= 4;
|
||||
break;
|
||||
}
|
||||
if (ret == -QEMU_ESIGRETURN) {
|
||||
if (ret == -QEMU_ESIGRETURN || ret == -QEMU_ESETPC) {
|
||||
/*
|
||||
* Returning from a successful sigreturn syscall.
|
||||
* Returning from a successful sigreturn syscall or from
|
||||
* control flow diversion in a plugin callback.
|
||||
* Avoid clobbering register state.
|
||||
*/
|
||||
break;
|
||||
|
||||
@@ -66,7 +66,7 @@ void cpu_loop(CPUM68KState *env)
|
||||
0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->pc -= 2;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->dregs[0] = ret;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -54,7 +54,7 @@ void cpu_loop(CPUMBState *env)
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
/* Wind back to before the syscall. */
|
||||
env->pc -= 4;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->regs[3] = ret;
|
||||
}
|
||||
/* All syscall exits result in guest r14 being equal to the
|
||||
|
||||
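Review bot: The comment that begins on the hunk's last line announces that every syscall exit sets r14, and if that assignment follows unconditionally as the wording suggests it also runs for -QEMU_ESETPC, so this target still touches guest state after a plugin diversion despite the intent stated for the new errno. That is probably harmless because the same comment calls r14 a register the kernel may clobber, but a plugin that set r14 deliberately would lose the value. Either guard the r14 update the way the r3 store now is, or extend the comment with `This also applies after a plugin PC diversion (-QEMU_ESETPC): r14 is kernel-owned, so a plugin-set value is not preserved.` The r14 assignment itself lies outside the hunk.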
@@ -140,9 +140,12 @@ done_syscall:
|
||||
env->active_tc.PC -= 4;
|
||||
break;
|
||||
}
|
||||
if (ret == -QEMU_ESIGRETURN) {
|
||||
/* Returning from a successful sigreturn syscall.
|
||||
Avoid clobbering register state. */
|
||||
if (ret == -QEMU_ESIGRETURN || ret == -QEMU_ESETPC) {
|
||||
/*
|
||||
* Returning from a successful sigreturn syscall or from
|
||||
* control flow diversion in a plugin callback.
|
||||
* Avoid clobbering register state.
|
||||
*/
|
||||
break;
|
||||
}
|
||||
if ((abi_ulong)ret >= (abi_ulong)-1133) {
|
||||
|
||||
@@ -48,7 +48,7 @@ void cpu_loop(CPUOpenRISCState *env)
|
||||
cpu_get_gpr(env, 8), 0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->pc -= 4;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
cpu_set_gpr(env, 11, ret);
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -340,9 +340,13 @@ void cpu_loop(CPUPPCState *env)
|
||||
env->nip -= 4;
|
||||
break;
|
||||
}
|
||||
if (ret == (target_ulong)(-QEMU_ESIGRETURN)) {
|
||||
/* Returning from a successful sigreturn syscall.
|
||||
Avoid corrupting register state. */
|
||||
if (ret == (target_ulong)(-QEMU_ESIGRETURN) ||
|
||||
ret == (target_ulong)(-QEMU_ESETPC)) {
|
||||
/*
|
||||
* Returning from a successful sigreturn syscall or from
|
||||
* control flow diversion in a plugin callback.
|
||||
* Avoid corrupting register state.
|
||||
*/
|
||||
break;
|
||||
}
|
||||
if (ret > (target_ulong)(-515)) {
|
||||
|
||||
@@ -65,7 +65,7 @@ void cpu_loop(CPURISCVState *env)
|
||||
}
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->pc -= 4;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->gpr[xA0] = ret;
|
||||
}
|
||||
if (cs->singlestep_enabled) {
|
||||
|
||||
@@ -83,7 +83,7 @@ void cpu_loop(CPUS390XState *env)
|
||||
env->regs[6], env->regs[7], 0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->psw.addr -= env->int_svc_ilen;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->regs[2] = ret;
|
||||
}
|
||||
|
||||
|
||||
@@ -50,7 +50,7 @@ void cpu_loop(CPUSH4State *env)
|
||||
0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS) {
|
||||
env->pc -= 2;
|
||||
} else if (ret != -QEMU_ESIGRETURN) {
|
||||
} else if (ret != -QEMU_ESIGRETURN && ret != -QEMU_ESETPC) {
|
||||
env->gregs[0] = ret;
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -229,7 +229,9 @@ void cpu_loop (CPUSPARCState *env)
|
||||
env->regwptr[2], env->regwptr[3],
|
||||
env->regwptr[4], env->regwptr[5],
|
||||
0, 0);
|
||||
if (ret == -QEMU_ERESTARTSYS || ret == -QEMU_ESIGRETURN) {
|
||||
if (ret == -QEMU_ERESTARTSYS ||
|
||||
ret == -QEMU_ESIGRETURN ||
|
||||
ret == -QEMU_ESETPC) {
|
||||
break;
|
||||
}
|
||||
if ((abi_ulong)ret >= (abi_ulong)(-515)) {
|
||||
|
||||
@@ -43,6 +43,7 @@
|
||||
#include <linux/capability.h>
|
||||
#include <sched.h>
|
||||
#include <sys/timex.h>
|
||||
#include <setjmp.h>
|
||||
#include <sys/socket.h>
|
||||
#include <linux/sockios.h>
|
||||
#include <sys/un.h>
|
||||
@@ -600,6 +601,9 @@ const char *target_strerror(int err)
|
||||
if (err == QEMU_ESIGRETURN) {
|
||||
return "Successful exit from sigreturn";
|
||||
}
|
||||
if (err == QEMU_ESETPC) {
|
||||
return "Successfully redirected control flow";
|
||||
}
|
||||
|
||||
return strerror(target_to_host_errno(err));
|
||||
}
|
||||
@@ -14410,6 +14414,18 @@ abi_long do_syscall(CPUArchState *cpu_env, int num, abi_long arg1,
|
||||
return -QEMU_ESIGRETURN;
|
||||
}
|
||||
|
||||
/*
|
||||
* Set up a longjmp target here so that we can call cpu_loop_exit to
|
||||
* redirect control flow back to the main loop even from within
|
||||
* syscall-related plugin callbacks.
|
||||
* For other types of callbacks or longjmp call sites, the longjmp target
|
||||
* is set up in the cpu loop itself but in syscalls the target is not live
|
||||
* anymore.
|
||||
*/
|
||||
if (unlikely(sigsetjmp(cpu->jmp_env, 0) != 0)) {
|
||||
return -QEMU_ESETPC;
|
||||
}
|
||||
|
||||
record_syscall_start(cpu, num, arg1,
|
||||
arg2, arg3, arg4, arg5, arg6, arg7, arg8);
|
||||
|
||||
|
||||
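Review bot: The new sigsetjmp() arms cpu->jmp_env only for this activation of do_syscall(); after the function returns, the buffer names a dead frame until whatever re-arms it (presumably the next cpu_exec() entry) runs, so a cpu_loop_exit() issued from the target cpu_loop between the syscall return and that point would still land on stale stack — the hazard in the commit message is narrowed, not removed. The comment should say so, and it should also say why the longjmp branch returns at once: after siglongjmp() the function's automatic locals are indeterminate (C11 7.13.2.1), so nothing may be read before returning, e.g. `/* Armed only for the duration of this call. Locals are indeterminate here: return immediately. */`. The savemask of 0 means a plugin that calls cpu_loop_exit() from a callback with signals blocked leaves them blocked after the jump; if plugin callbacks always run with the normal mask that is fine, but it is worth stating. do_syscall() starts before and continues past the hunk.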
@@ -186,6 +186,7 @@ void cpu_loop(CPUXtensaState *env)
|
||||
break;
|
||||
|
||||
case -QEMU_ESIGRETURN:
|
||||
case -QEMU_ESETPC:
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
||||