ql_syscall_shmat is a dummy implementation and sometimes returns address 0 #1331
Comments
Thanks for reporting this.

Good point. I'll implement an incrementing key value instead of just using the address.

@SRSG, I added the fix.
I'd like to try it soon. By the way, when I debug with IDA Pro, I find that shmat (maybe in uclibc) requires the return address to be greater than 0XFFFC0001 or it will be replaced by 0. It is quite strange. But I didn't debug it carefully, so it's only for reference.

I didn't find any reference to this number in the man pages; if you can point me to it, that would be great.
I re-implemented

But I'd like to appreciate it that your changes about that number I mentioned and

It seems like the address Do you think it should have behaved differently? If so, can you point to a specific flow there you think should happen?
I am sorry that I was wrong, which may have caused you a misunderstanding. I want to say that the second arg of shmat that is When ptr is not 0 (last ipc or shmat, and it is
For my program, this p.s. In the last changes it cannot work about that number
I understood that, and mentioned that the address was already taken so the segment couldn't be attached there. In this case (not being able to attach to the specified address) it should return -1. If the common practice is that the program allocates the memory before calling As for the last thing you mentioned, sorry but I didn't understand what you meant there.

The full log? Do you mean the output of just running this program, or the output when run with debug verbosity, or a file written out somewhere?
Attaching a text file containing Qiling log output, set to default verbosity.
Like below:
Yes, but this is only part of the log, which is pasted directly and not as a text file.

I'm not sure. These are all it pasted. I just code like this:
Can you show me how to make it? Maybe the code to get the full log you want. Then I'll upload the file.
You may pipe both `python3 ./my_qiling_script.py 2>&1 | tee out.log` Then upload If you could include the following hook in your code before you run it, that would be helpful:

```python
from qiling import Qiling
from qiling.const import QL_INTERCEPT

# Runs on entry to the multiplexed ipc() syscall; call number 21 is SHMAT,
# so this logs whether the requested attach address (ptr) is still free.
def __onenter_ipc(ql: Qiling, call: int, first: int, second: int, third: int, ptr: int, fifth: int):
    if call == 21:
        ql.log.info(f'about to call shmat: ptr ({ptr:#010x}) is {"" if ql.mem.is_available(ptr, ql.arch.pointersize) else "not "}available')

# Register the hook so it fires before Qiling's own ipc handler.
ql.os.set_syscall('ipc', __onenter_ipc, QL_INTERCEPT.ENTER)
```
out.log
OK, I think I've found the root cause: However, note that the I searched both man pages and the Linux kernel implementation, and did not see any reference to a read permission given by default on `shmid = shmget(key, size, IPC_CREAT | 0660);` If you know something different, then let me know. Otherwise, the existing Qiling implementation seems to be according to spec. For reference:
From
OK, I think I have understood what you found. I checked some references again and got that maybe the existing Qiling_shm is right indeed. But I think we need to determine if your first change (3 weeks ago because at that time
The older implementation followed the spec to some extent. I created a test program that uses
Yes, it's a service program in a certain firmware for mips32. I think your viewpoint is reasonable. However, I didn't see anything about it yet in my reverse engineering process. It's sad that I cannot figure it out either.
Let me know if you want to investigate it further by providing more use cases and code examples, or close the issue. |
Is your feature request related to a problem? Please describe.
When I simulated the Tenda /bin/webs program, I found that while qiling has successfully implemented shmget, shmat was just a dummy implementation. This has been written as a comment at line 246, https://github.com/qilingframework/qiling/blob/master/qiling/os/posix/syscall/mman.py.
During the simulation process, at first I got an error "syscall ql_syscall_ipc number = 0x1015(4117) not implemented". Before long I wrote my_syscall_ipc (code as below, and only part of the real syscall_ipc) to solve it.
This syscall_ipc will call another 2 syscalls, shmget and shmat. Then a new error occurred: shmat returned address 0, which cannot be used. The possibly erroneous part of qiling_syscall_shmat is as below:
When the second argument shmaddr is 0, ql.mem.map_anywhere will return address 0.
Describe the solution you'd like
Generally, most programs might check the return value like
`if(ret) report error; else right step`
. So does qiling plan to correctly implement shmat or check why it returns 0?
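The thread turns on two behaviours of shmat(2) that an emulator has to get right: when shmaddr is 0 the kernel picks the attach address itself, and that address is never 0; when a non-zero shmaddr is requested but that range is already mapped (the situation described in the comments above), the call must fail with -1/EINVAL instead of handing back an address the program cannot use. The following standalone Python model is an added example and not Qiling's code: MemoryMap is a stand-in for ql.mem (its is_available and map_anywhere mirror the calls named in this thread), and the base address 0x7f000000, the page-sized SHMLBA and the in-memory shm table are assumptions chosen for the demonstration.

```python
# Added example (not Qiling's own code): a minimal model of shmat(2) attach
# semantics, showing that a successful attach never yields address 0 and that
# an unavailable requested address must produce an error, not a bogus pointer.
from dataclasses import dataclass, field
from typing import Dict, Tuple

PAGE = 0x1000
SHMLBA = PAGE          # assumption: page-sized attach alignment, as on most targets
SHM_RND = 0o20000      # round shmaddr down to a SHMLBA boundary (value from <sys/shm.h>)
EINVAL = 22


@dataclass
class MemoryMap:
    """Stand-in for the emulator memory map (ql.mem in Qiling)."""
    base: int = 0x7f000000   # assumption: pool for anonymous mappings; never 0
    regions: Dict[int, Tuple[int, str]] = field(default_factory=dict)  # start -> (size, label)

    def is_available(self, addr: int, size: int) -> bool:
        # Address 0 is treated as reserved so it can never be handed out as a
        # valid mapping; otherwise require no overlap with existing regions.
        return addr != 0 and all(
            addr + size <= start or start + sz <= addr
            for start, (sz, _) in self.regions.items()
        )

    def map(self, addr: int, size: int, label: str) -> None:
        if not self.is_available(addr, size):
            raise ValueError(f"{addr:#x} already mapped")
        self.regions[addr] = (size, label)

    def map_anywhere(self, size: int, label: str) -> int:
        """Map `size` bytes at the first free page-aligned address at or above base."""
        addr = self.base
        while not self.is_available(addr, size):
            addr += PAGE
        self.map(addr, size, label)
        return addr


@dataclass
class ShmTable:
    """Segments created by shmget (shmid -> size) and current attachments."""
    segments: Dict[int, int] = field(default_factory=dict)
    attached: Dict[int, int] = field(default_factory=dict)   # addr -> shmid


def shm_attach(mem: MemoryMap, shm: ShmTable, shmid: int, shmaddr: int, shmflg: int) -> int:
    """shmat(2)-like attach: returns the attach address, or -errno on failure.

    A successful return is always non-zero; a caller comparing the result
    against 0 or -1 can therefore tell success from failure.
    """
    if shmid not in shm.segments:
        return -EINVAL
    size = shm.segments[shmid]

    if shmaddr == 0:
        # Kernel chooses the address: draw from the non-zero mapping pool.
        addr = mem.map_anywhere(size, f"shm:{shmid}")
    else:
        if shmaddr % SHMLBA:
            if not (shmflg & SHM_RND):
                return -EINVAL          # unaligned and rounding not requested
            shmaddr -= shmaddr % SHMLBA
        if not mem.is_available(shmaddr, size):
            return -EINVAL              # requested range already in use
        mem.map(shmaddr, size, f"shm:{shmid}")
        addr = shmaddr

    shm.attached[addr] = shmid
    return addr


if __name__ == "__main__":
    mem, shm = MemoryMap(), ShmTable()
    shm.segments[5] = 0x2000                      # constructed: one 8 KiB segment
    first = shm_attach(mem, shm, 5, 0, 0)
    print(f"attach with shmaddr=0 -> {first:#x}")
    print(f"re-attach at same addr -> {shm_attach(mem, shm, 5, first, 0)}")
```

Run as a script it prints the chosen address for a shmaddr of 0 and then the -22 (EINVAL) result for a second attach at the same, now occupied, address; the same checks apply to an emulator's syscall handler, which would translate the negative errno into the (void *) -1 return the guest expects.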