Open NudistBeaaach opened 1 year ago
This is most likely caused by a mismatch between the binary and the rootfs that is used to load it. You can try using '/' as rootfs and see if it works. Normally using your host system's root directory is not recommended, but this should be OK if you can trust the binary you are emulating and know it is harmless.
I set my '/' as the rootfs and now I get `CPU ISA is lower than required`, which I previously saw in another issue. I added this snippet to tackle the problem, but nope, same error: `CPU ISA is lower than required`.
```python
from qiling import Qiling
from qiling.const import QL_INTERCEPT

def null_rseq_impl(ql: Qiling, abi: int, length: int, flags: int, sig: int):
    # do nothing: replace the rseq syscall implementation with a no-op
    pass

ql.os.set_syscall('rseq', null_rseq_impl, QL_INTERCEPT.CALL)
```
I believe this one is caused by `arch_prctl` being used with `ARCH_CET_STATUS`. You can work around it by returning an error that will indicate that the feature is not supported:
```python
from qiling import Qiling
from qiling.const import QL_INTERCEPT

def __no_cet(ql: Qiling, code: int, addr: int, retval: int):
    # intercept arch_prctl syscall after it exits. if code was set to ARCH_CET_STATUS,
    # then return an error value. otherwise, return the value originally returned by
    # the syscall.
    #
    # note: if -1 doesn't work, maybe should use -22 (-EINVAL) instead
    return -1 if code == 0x3001 else retval

ql.os.set_syscall('arch_prctl', __no_cet, QL_INTERCEPT.EXIT)
```
I tried on a 2.35 libc, and the patch I found in previous issues and here: https://cloud.tencent.com/developer/article/2144036 worked well. I still get a warning for the prctl syscall, but it's running with no crash. But on newer libc the patches are not working, probably due to the hardcoded offsets, which are maybe not the same.

Btw, with this latest snippet of code I still get the warning `[!] prctl code 0x3001 not implemented`. I don't know if removing it is possible, but thanks anyway for your help and quick support.
The snippet above just patches the returned value, so you'll still be seeing the warning message. I guess we can fix that though; it should be a straightforward one.
Newer libc on Intel-based systems attempts to enable Intel CET, if it is supported. The problem with `prctl` is that it reports "OK" for everything (return value 0), even if it is not actually supported. Based on that, libc tries to use CET and fails because the default CPU emulated by Unicorn, under the hood, does not support it.

The long-term fix will be allowing users to select the emulated CPU (say, Icelake or equivalent) so the feature will be supported. The short-term fix is just to let libc know the feature is not supported, and that is what the snippet above does: it patches the returned value to a "not supported" value when the system is queried about CET.
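Two things in this thread can be checked before running the emulation at all: whether the loader named in the binary's PT_INTERP actually exists inside the chosen rootfs (the mismatch the first reply points at), and whether the binary carries the GNU property markings that make a CET-enabled glibc try to turn on IBT/SHSTK, or that pin it to an x86-64 ISA level the emulated CPU may not reach. The script below is an added example, not Qiling's code and not posted by anyone in the thread; it uses only the Python standard library, and the ELF image it inspects is constructed inline (a header, a PT_INTERP and a PT_NOTE segment, no code), so it runs offline. Point `inspect_elf64` at real bytes read from the binary or from the rootfs's libc to get the same report for them.

```python
"""Inspect an x86-64 ELF for its PT_INTERP loader and the GNU property notes
that glibc consults for CET (IBT/SHSTK) and for the x86-64 ISA level."""
import os
import struct
from typing import Dict, Optional

PT_INTERP = 3
PT_NOTE = 4
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_ISA_1_NEEDED = 0xC0008002   # required ISA level bits
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002  # CET bits (IBT, SHSTK)
X86_FEATURE_1_IBT = 1 << 0
X86_FEATURE_1_SHSTK = 1 << 1
ISA_LEVELS = {1 << 0: "x86-64", 1 << 1: "x86-64-v2", 1 << 2: "x86-64-v3", 1 << 3: "x86-64-v4"}


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def _properties(desc: bytes) -> Dict[int, int]:
    """Walk the property array of an NT_GNU_PROPERTY_TYPE_0 note (ELF64 pads entries to 8)."""
    props: Dict[int, int] = {}
    pos = 0
    while pos + 8 <= len(desc):
        pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
        pos += 8
        if pr_datasz == 4 and pos + 4 <= len(desc):
            props[pr_type] = struct.unpack_from("<I", desc, pos)[0]
        pos += _align(pr_datasz, 8)
    return props


def _gnu_properties(seg: bytes, p_align: int) -> Dict[int, int]:
    """Find the "GNU" property note inside a PT_NOTE segment; offsets are padded to p_align."""
    pad = 8 if p_align == 8 else 4
    props: Dict[int, int] = {}
    pos = 0
    while pos + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<III", seg, pos)
        pos += 12
        name = seg[pos:pos + namesz]
        pos = _align(pos + namesz, pad)
        desc = seg[pos:pos + descsz]
        pos = _align(pos + descsz, pad)
        if name == b"GNU\0" and ntype == NT_GNU_PROPERTY_TYPE_0:
            props.update(_properties(desc))
    return props


def inspect_elf64(data: bytes) -> dict:
    """Return the loader path, CET markings and required ISA levels of a little-endian ELF64."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    interp: Optional[str] = None
    props: Dict[int, int] = {}
    for i in range(e_phnum):
        p_type, _fl, p_off, _va, _pa, p_filesz, _msz, p_align = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        seg = data[p_off:p_off + p_filesz]
        if p_type == PT_INTERP:
            interp = seg.split(b"\0", 1)[0].decode()
        elif p_type == PT_NOTE:
            props.update(_gnu_properties(seg, p_align))
    feat = props.get(GNU_PROPERTY_X86_FEATURE_1_AND, 0)
    isa = props.get(GNU_PROPERTY_X86_ISA_1_NEEDED, 0)
    return {"interp": interp,
            "ibt": bool(feat & X86_FEATURE_1_IBT),
            "shstk": bool(feat & X86_FEATURE_1_SHSTK),
            "isa_needed": [name for bit, name in ISA_LEVELS.items() if isa & bit]}


def loader_in_rootfs(rootfs: str, interp: Optional[str]) -> Optional[str]:
    """Host path of the PT_INTERP loader inside rootfs, or None if the rootfs lacks it."""
    if interp is None:
        return None
    path = os.path.join(rootfs, interp.lstrip("/"))
    return path if os.path.exists(path) else None


def build_sample_elf(interp: bytes, feature_bits: int, isa_bits: int) -> bytes:
    """Constructed sample: a minimal ELF64 with one PT_INTERP and one PT_NOTE segment."""
    phnum, interp_data = 2, interp + b"\0"
    interp_off = 64 + phnum * 56
    note_off = _align(interp_off + len(interp_data), 8)
    desc = struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits) + b"\0" * 4
    desc += struct.pack("<III", GNU_PROPERTY_X86_ISA_1_NEEDED, 4, isa_bits) + b"\0" * 4
    note = struct.pack("<III", 4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, little-endian, SysV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)

    def phdr(p_type: int, off: int, size: int, align: int) -> bytes:
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, align)

    img = bytearray(ehdr + phdr(PT_INTERP, interp_off, len(interp_data), 1)
                    + phdr(PT_NOTE, note_off, len(note), 8))
    img += interp_data + b"\0" * (note_off - interp_off - len(interp_data)) + note
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_elf(b"/lib64/ld-linux-x86-64.so.2",
                              X86_FEATURE_1_IBT | X86_FEATURE_1_SHSTK, 1 << 1)
    info = inspect_elf64(sample)
    print(info)
    print("loader found in rootfs '/':", loader_in_rootfs("/", info["interp"]))
```

A binary whose report shows `ibt`/`shstk` set, loaded with a CET-enabled libc, is the case the `arch_prctl` hook above is for; a binary or libc that needs `x86-64-v2` or higher will not be satisfied by patching that return value, since the loader compares the marking against what the emulated CPU advertises, which is the CPU-selection fix the maintainer describes.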
Running Qiling on a simple binary is crashing; it throws something about the libc version and, in this case, a problem about an `Operation not permitted`, which is really weird.