QEMU

ARM semihosting SYS_GET_CMDLINE does not return arguments

Bug #673613 reported by Wolfgang Schildbach on 2010-11-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

I have downloaded version 0.13.0 of the code, configured with: './configure' '--prefix=/tmp/qemu-0.13.0' '--interp-prefix=/tmp/qemu-0.13.0/usr/local/gnemul/qemu-%M' '--target-list=arm-softmmu arm-linux-user armeb-linux-user'

and built using gcc version 4.3.2 (Debian 4.3.2-1.1). Execution environment is Debian, kernel 2.6.26-2-686.

I am running a barebone helloworld.c which echoes its commandline arguments, compiled with ADS1.2 from ARM. The arguments never get echoed back.

I have found the culprit in the source code, lines 3020 and 3022 of linux-user/main.c which free target_argv[]. However, loader_exec(), which is called a couple lines above, records the pointer to target_argv[]. So, when the data is accessed in arm-semi.c, it is actually trying to load from memory that has been free()d already.

This bug manifests itself for baremetal simulation, but I suspect it hits other platforms as well.

Revision history for this message

Peter Maydell (pmaydell) wrote on 2010-11-14:

I see this bug has been reported before, for instance here:
http://<email address hidden>/msg29250.html
and Laurent Desnogues noticed the problem while reviewing a patch in this area:
http://<email address hidden>/msg22251.html

The only code which looks at ts->info->host_argv is the code to handle SYS_GET_CMDLINE in the ARM semihosting support code arm-semi.c. My tentative suggestion is that we should instead make the semihosting support code read the argc/argv out of the userspace memory which loader_build_argptr has set up. (This is what linux-user/elfload.c does in fill_psinfo() as part of creating core dumps.)

Revision history for this message

Wolfgang Schildbach (wschi) wrote on 2010-11-17:

Download full text (4.5 KiB)

- if (!cmdline_buffer)
- /* FIXME - should this error code be -TARGET_EFAULT ? */
- return (uint32_t)-1;
+ char *arm_cmdline_buffer ;
+ const char *host_cmdline_buffer ;

- s = cmdline_buffer;
- while (*arg && len > 2) {
- int n = strlen(*arg);
+ int arm_cmdline_len = ARG(1) ;
+ int host_cmdline_len = ts->info->arg_end-ts->info->arg_start ;

- if (s != cmdline_buffer) {
- *(s++) = ' ';
- len--;
- }
- if (n >= len)
- n = len - 1;
- memcpy(s, *arg, n);
- s += n;
- len -= n;
- arg++;
- }
- /* Null terminate the string. */
- *s = 0;
- len = s - cmdline_buffer;
+ if (host_cmdline_len > arm_cmdline_len)
+ return (uint32_t)-1; /* command line too long */
+
+ /* lock the buffers on the ARM side */
+ arm_cmdline_buffer = (char*)lock_user(VERIFY_WRITE, ARG(0), host_cmdline_len, 0);
+ host_cmdline_buffer = (const char*)lock_user(PAGE_READ, ts->info->arg_start, host_cmdline_len, 0);

- /* Unlock the buffer on the ARM side. */
- unlock_user(cmdline_buffer, ARG(0), len);
+ if (arm_cmdline_buffer && host_cmdline_buffer)
+ {

- /* Adjust the commandline length argument. */
- SET_ARG(1, len);
+ /* the last argument is zero-terminated;
+ no need for additional termination */
+ memcpy(arm_cmdline_buffer, host_cmdline_buffer, host_cmdline_len);

- /* Return success if commandline fit into buffer. */
- return *arg ? -1 : 0;
+ /* separate arguments by white spaces */
+ for (i = 0; i < host_cmdline_len-1; i++) {
+ if (arm_cmdline_buffer[i] == 0) {
+ arm_cmdline_buffer[i] = ' ';
+ }
+ }
+
+ /* Adjust the commandline length argument. */
+ SET_ARG(1, host_cmdline_len);
+ }
+
+ /* Unlock the buffers on the ARM side. */
+ unlock_user(arm_cmdline_buffer, ARG(0), host_cmdline_len);
+ unlock_user((void*)host_cmdline_buffer, ts->info->arg_start, host_cmdline_len);
+
+ /* Return success if we could return a commandline. */
+ return (arm_cmdline_buffer && host_cmdline_buffer) ? 0 : -1;
}
#else
- return -1;
+ return -1;
#endif
case S...

diff --git a/arm-semi.c b/arm-semi.c
index 0687b03..53b40e4 100644
--- a/arm-semi.c
+++ b/arm-semi.c
@@ -373,45 +373,48 @@ uint32_t do_arm_semihosting(CPUState *env)
 #ifdef CONFIG_USER_ONLY
         /* Build a commandline from the original argv.  */
         {
-            char **arg = ts->info->host_argv;
-            int len = ARG(1);
-            /* lock the buffer on the ARM side */
-            char *cmdline_buffer = (char*)lock_user(VERIFY_WRITE, ARG(0), len, 0);
+            int i ;
 
-            if (!cmdline_buffer)
-                /* FIXME - should this error code be -TARGET_EFAULT ? */
-                return (uint32_t)-1;
+            char *arm_cmdline_buffer ;
+            const char *host_cmdline_buffer ;
 
-            s = cmdline_buffer;
-            while (*arg && len > 2) {
-                int n = strlen(*arg);
+            int arm_cmdline_len = ARG(1) ;
+            int host_cmdline_len = ts->info->arg_end-ts->info->arg_start ;
 
-                if (s != cmdline_buffer) {
-                    *(s++) = ' ';
-                    len--;
-                }
-                if (n >= len)
-                    n = len - 1;
-                memcpy(s, *arg, n);
-                s += n;
-                len -= n;
-                arg++;
-            }
-            /* Null terminate the string.  */
-            *s = 0;
-            len = s - cmdline_buffer;
+            if (host_cmdline_len > arm_cmdline_len)
+                return (uint32_t)-1; /* command line too long */
+
+            /* lock the buffers on the ARM side */
+            arm_cmdline_buffer = (char*)lock_user(VERIFY_WRITE, ARG(0), host_cmdline_len, 0);
+            host_cmdline_buffer = (const char*)lock_user(PAGE_READ, ts->info->arg_start, host_cmdline_len, 0);
 
-            /* Unlock the buffer on the ARM side.  */
-            unlock_user(cmdline_buffer, ARG(0), len);
+            if (arm_cmdline_buffer && host_cmdline_buffer)
+            {
 
-            /* Adjust the commandline length argument.  */
-            SET_ARG(1, len);
+                /* the last argument is zero-terminated;
+                   no need for additional termination */ 
+                memcpy(arm_cmdline_buffer, host_cmdline_buffer, host_cmdline_len);
 
-            /* Return success if commandline fit into buffer.  */
-            return *arg ? -1 : 0;
+                /* separate arguments by white spaces */
+                for (i = 0; i < host_cmdline_len-1; i++) {
+                    if (arm_cmdline_buffer[i] == 0) {
+                        arm_cmdline_buffer[i] = ' ';
+                    }
+                }
+
+                /* Adjust the commandline length argument.  */
+                SET_ARG(1, host_cmdline_len);
+            }
+
+            /* Unlock the buffers on the ARM side.  */
+            unlock_user(arm_cmdline_buffer, ARG(0), host_cmdline_len);
+            unlock_user((void*)host_cmdline_buffer, ts->info->arg_start, host_cmdline_len);
+			
+            /* Return success if we could return a commandline.  */
+            return (arm_cmdline_buffer && host_cmdline_buffer) ? 0 : -1;
         }
 #else
-      return -1;
+        return -1;
 #endif
     case SYS_HEAPINFO:
         {
diff --git a/bsd-user/bsdload.c b/bsd-user/bsdload.c
index 14a93bf..6d9bb6f 100644
--- a/bsd-user/bsdload.c
+++ b/bsd-user/bsdload.c
@@ -176,8 +176,6 @@ int loader_exec(const char * filename, char ** argv, char ** envp,
 
     retval = prepare_binprm(&bprm);
 
-    infop->host_argv = argv;
-
     if(retval>=0) {
         if (bprm.buf[0] == 0x7f
                 && bprm.buf[1] == 'E'
diff --git a/bsd-user/qemu.h b/bsd-user/qemu.h
index 9763616..e343894 100644
--- a/bsd-user/qemu.h
+++ b/bsd-user/qemu.h
@@ -50,7 +50,6 @@ struct image_info {
     abi_ulong entry;
     abi_ulong code_offset;
     abi_ulong data_offset;
-    char      **host_argv;
     int       personality;
 };
 
diff --git a/linux-user/linuxload.c b/linux-user/linuxload.c
index 9ee27c3..ac8c486 100644
--- a/linux-user/linuxload.c
+++ b/linux-user/linuxload.c
@@ -174,8 +174,6 @@ int loader_exec(const char * filename, char ** argv, char ** envp,
 
     retval = prepare_binprm(bprm);
 
-    infop->host_argv = argv;
-
     if(retval>=0) {
         if (bprm->buf[0] == 0x7f
                 && bprm->buf[1] == 'E'
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 708021e..8f0a81f 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -50,7 +50,6 @@ struct image_info {
         abi_ulong       saved_auxv;
         abi_ulong       arg_start;
         abi_ulong       arg_end;
-        char            **host_argv;
 	int		personality;
 };

Revision history for this message

Wolfgang Schildbach (wschi) wrote on 2010-11-17:

Hi Peter,

Is this what you had in mind?

Aurelien Jarno (aurel32) on 2011-01-08

Changed in qemu:
status:	New → Fix Committed

Aurelien Jarno (aurel32) on 2011-02-20

Changed in qemu:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.