Qemu Hosting Mte Enabled Kernel Does Not Raise Fault

Where does QEMU map the kernel pages of a guest OS?

QEMU doesn't specifically map the guest OS kernel itself. It just provides emulated RAM to the virtual machine (and this emulated RAM is created by doing a normal anonymous mmap in qemu_anon_ram_alloc() -- it could equally well do it by calling malloc()). Guest binaries may be loaded into the RAM either by QEMU (the various hw/core/loader.c functions do this) or by the guest itself loading it off emulated disk.

For an x86 guest, typically QEMU only loads the guest BIOS rom image into the guest memory. The guest BIOS then loads the actual guest kernel into memory (either from emulated disk, or via the "fw_cfg" QEMU-specific device that the guest can use to access files from outside the emulation), and QEMU doesn't know or care where it happens to have put it.
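As an added illustration of the point made in the answer above (this is example code written for this page, not QEMU's own code), the following C program models guest RAM the way the answer describes it: an ordinary anonymous mmap on the host, into which a loader copies an image at a guest physical address. The names guest_ram_alloc, gpa_to_host and guest_ram_load are hypothetical stand-ins for qemu_anon_ram_alloc() and the hw/core/loader.c helpers, and the 16 MiB RAM size, base address and image bytes are constructed. The security-relevant detail it shows is the bounds check in gpa_to_host: a guest physical address is only an offset into host memory, so any guest-controlled address must be range-checked (without overflowing gpa + len) before it becomes a host pointer.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical model of a QEMU RAM block (not a QEMU struct). */
typedef struct {
    uint8_t *host;      /* host virtual base of the anonymous mapping */
    uint64_t size;      /* bytes of emulated RAM */
    uint64_t gpa_base;  /* guest physical address the mapping starts at */
} guest_ram_t;

/* Mirrors the idea of qemu_anon_ram_alloc(): a plain anonymous mmap.
 * Nothing about the guest kernel is known here. Returns 0 or -1. */
int guest_ram_alloc(guest_ram_t *ram, uint64_t gpa_base, uint64_t size) {
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    ram->host = p;
    ram->size = size;
    ram->gpa_base = gpa_base;
    return 0;
}

void guest_ram_free(guest_ram_t *ram) {
    if (ram->host) munmap(ram->host, ram->size);
    ram->host = NULL;
}

/* Translate the guest physical range [gpa, gpa+len) to a host pointer.
 * Returns NULL if any byte lies outside the mapping. The second test is
 * written as len > size - off so that gpa + len cannot wrap around. */
uint8_t *gpa_to_host(const guest_ram_t *ram, uint64_t gpa, uint64_t len) {
    if (gpa < ram->gpa_base) return NULL;
    uint64_t off = gpa - ram->gpa_base;
    if (off > ram->size || len > ram->size - off) return NULL;
    return ram->host + off;
}

/* What a loader conceptually does: copy an image into guest RAM at a guest
 * physical address. Returns bytes copied, or -1 if it does not fit. */
int64_t guest_ram_load(guest_ram_t *ram, uint64_t gpa,
                       const void *image, uint64_t len) {
    uint8_t *dst = gpa_to_host(ram, gpa, len);
    if (!dst) return -1;
    memcpy(dst, image, len);
    return (int64_t)len;
}

/* Demonstration on a constructed 16 MiB guest RAM based at GPA 0x40000000.
 * Returns 0 when the in-range load succeeds and the out-of-range one is
 * rejected. */
int demo(void) {
    guest_ram_t ram;
    const uint64_t base = 0x40000000ULL;
    const uint64_t size = 16u << 20;
    if (guest_ram_alloc(&ram, base, size) != 0) return -1;

    static const uint8_t image[] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
    int64_t n   = guest_ram_load(&ram, base + 0x80000, image, sizeof image);
    int64_t bad = guest_ram_load(&ram, base + size - 2, image, sizeof image);
    uint8_t *p  = gpa_to_host(&ram, base + 0x80000, sizeof image);
    int ok = (n == 4) && (bad == -1) && p && memcmp(p, image, 4) == 0;

    guest_ram_free(&ram);
    return ok ? 0 : -2;
}

int main(void) {
    int rc = demo();
    printf("%s\n", rc == 0 ? "ok" : "fail");
    return rc;
}
```

Compile with `cc -o ram_demo ram_demo.c` and run; it prints `ok`. The out-of-range load at the last two bytes of the mapping is rejected rather than writing past the host buffer, which is exactly the class of check a device model or loader needs whenever an address originates from the guest.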

Address space identifiers using qemu for i386 linux kernel

In the first case, using qemu-linux-user to perform user mode emulation of a single program, the task is quite easy because the memory is linear and there is no virtual memory involved in the emulator. The second case of whole system emulation is a lot more complex, because you basically have to parse the addresses out of the kernel structures.

If you can get the virtual addresses directly out of QEmu, your job is a bit easier; then you just need to identify the process and everything else functions just like in the single-process case. You might be able to get the PID by faking a system call to get_pid().

Otherwise, this all seems quite a bit similar to debugging a system from a physical memory dump. There are some tools for this task. They are probably too slow to run for every instruction, though, but you can look for hints there.
