MIPS dupio/dupsh broken on qemu-system

[theKidOfArcrania]

It seems like the dupio/dupsh templates are broken when you run the following shellcode in a MIPS machine (emulated using qemu-system. I used the setup from arm_now:

sc = asm(shellcraft.dupsh())

In case you need the MIPS kernel version I am using:

# uname -a
Linux buildroot 4.11.3 #1 SMP Sun Mar 4 03:29:34 UTC 2018 mips GNU/Linux

Error seems to traceback to this file. Seems like this code is looping through values 0-2 via a counter at register $t0.

However, seems like after one call to the syscall 0x40404 instruction, it seems like $t0 is set to 0. As a result, only dup($reg, 2) is called, ignoring fd's 0 and 1.

Not sure if it is standard that $t* registers are potentially volatile after a syscall in the MIPS linux kernel or just an edge case behavior for some older kernel version. See gef-gdb debug output below:

warning: GDB can't find the start of the function at 0x66666844.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────── registers ────
$zero: 0x0       
$at  : 0x1       
$v0  : 0xfdf     
$v1  : 0xa       
$a0  : 0x7       
$a1  : 0x2       
$a2  : 0x1       
$a3  : 0x0       
$t0  : 0x2       
$t1  : 0x7640    
$t2  : 0x1       
$t3  : 0x804ac738
$t4  : 0x5ad0    
$t5  : 0x77f22e20  →  <dl_main+7432> lw s5, -32692(gp)
$t6  : 0x0       
$t7  : 0x00419140  →  0x00000000
$s0  : 0x0       
$s1  : 0x00400dd8  →  0x3c1c0002 ("<"?)
$s2  : 0x0       
$s3  : 0x4b0000  
$s4  : 0x0       
$s5  : 0x77fd15b8
$s6  : 0x4e24dc  
$s7  : 0x1       
$t8  : 0x4b0000  
$t9  : 0xfffffffd
$k0  : 0x0       
$k1  : 0x0       
$s8  : 0x41414141 ("AAAA"?)
$pc  : 0x66666844  →  0x0101010c
$sp  : 0x66666830  →  0x2419fffd
$hi  : 0x100     
$lo  : 0x38      
$fir : 0x739300  
$ra  : 0x66666830  →  0x2419fffd
$gp  : 0x00419140  →  0x00000000
───────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x66666830│+0x0000: 0x2419fffd	 ← $sp, $ra
0x66666834│+0x0004: 0x03204027
0x66666838│+0x0008: 0xafa8fffc
0x6666683c│+0x000c: 0x8fa5fffc
0x66666840│+0x0010: 0x34020fdf
0x66666844│+0x0014: 0x0101010c	 ← $pc
0x66666848│+0x0018: 0x1d00fffb
0x6666684c│+0x001c: 0x2108ffff
────────────────────────────────────────────────────────────────────────────────── code:mips:MIPS32 ────
   0x66666838                  sw     t0, -4(sp)
   0x6666683c                  lw     a1, -4(sp)
   0x66666840                  li     v0, 0xfdf
 → 0x66666844                  syscall 0x40404
   0x66666848                  bgtz   t0, 0x66666838
   0x6666684c                  addi   t0, t0, -1
   0x66666850                  lui    t1, 0x2f2f
   0x66666854                  ori    t1, t1, 0x6269
   0x66666858                  sw     t1, -12(sp)
─────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "mipstake", stopped, reason: SINGLE STEP
───────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x66666844 → syscall 0x40404
────────────────────────────────────────────────────────────────────────────────────────────────────────
0x66666844 in ?? ()
gef➤  
warning: GDB can't find the start of the function at 0x66666848.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────── registers ────
$zero: 0x0       
$at  : 0x1       
$v0  : 0x2       
$v1  : 0xa       
$a0  : 0x7       
$a1  : 0x2       
$a2  : 0x1       
$a3  : 0x0       
$t0  : 0x0       
$t1  : 0x8fad2300
$t2  : 0x8fa72d48
$t3  : 0x1       
$t4  : 0x0       
$t5  : 0xffffffff
$t6  : 0x0       
$t7  : 0x5000d   
$s0  : 0x0       
$s1  : 0x00400dd8  →  0x3c1c0002 ("<"?)
$s2  : 0x0       
$s3  : 0x4b0000  
$s4  : 0x0       
$s5  : 0x77fd15b8
$s6  : 0x4e24dc  
$s7  : 0x1       
$t8  : 0x2108ffff
$t9  : 0xfffffffd
$k0  : 0x0       
$k1  : 0x0       
$s8  : 0x41414141 ("AAAA"?)
$pc  : 0x66666848  →  0x1d00fffb
$sp  : 0x66666830  →  0x2419fffd
$hi  : 0x100     
$lo  : 0x38      
$fir : 0x739300  
$ra  : 0x66666830  →  0x2419fffd
$gp  : 0x00419140  →  0x00000000
───────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x66666830│+0x0000: 0x2419fffd	 ← $sp, $ra
0x66666834│+0x0004: 0x03204027
0x66666838│+0x0008: 0xafa8fffc
0x6666683c│+0x000c: 0x8fa5fffc
0x66666840│+0x0010: 0x34020fdf
0x66666844│+0x0014: 0x0101010c
0x66666848│+0x0018: 0x1d00fffb	 ← $pc
0x6666684c│+0x001c: 0x2108ffff
────────────────────────────────────────────────────────────────────────────────── code:mips:MIPS32 ────
   0x6666683c                  lw     a1, -4(sp)
   0x66666840                  li     v0, 0xfdf
   0x66666844                  syscall 0x40404
 → 0x66666848                  bgtz   t0, 0x66666838	NOT taken [Reason: !(t0 > 0)]
   0x6666684c                  addi   t0, t0, -1
   0x66666850                  lui    t1, 0x2f2f
   0x66666854                  ori    t1, t1, 0x6269
   0x66666858                  sw     t1, -12(sp)
   0x6666685c                  lui    t1, 0x6e2f
─────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "mipstake", stopped, reason: SINGLE STEP
───────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x66666848 → bgtz t0, 0x66666838
────────────────────────────────────────────────────────────────────────────────────────────────────────
0x66666848 in ?? ()

[zachriggle]

If you fix this, be sure to add tests so it doesn’t break in the future

[Arusekk]

Closed in #1776