qemu-mipsn32: Illegal Instruction at `exts` instruction

Host environment

  • Operating system: Ubuntu 20.04.1
  • OS/kernel version: 5.15.0-67-generic
  • Architecture: x86_64
  • QEMU flavor: qemu-mipsn32
  • QEMU version: 8.0.50
  • QEMU command line:
    qemu-mipsn32 run

Emulated/Virtualized environment

  • Operating system:
  • OS/kernel version:
  • Architecture: N32 MIPS64

Description of problem

Running with the command above, I got this error:

qemu-mipsn32 run
qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Illegal instruction (core dumped)

I then tried to debug the program with the QEMU option -g 1234 and found that:

$ gdb-multiarch run
...

pwndbg> target remote 0:1234
...

pwndbg> c
Continuing.

Program received signal SIGILL, Illegal instruction.
0x3f7d2434 in ?? () from /lib32/ld.so.1
warning: GDB can't find the start of the function at 0x3f7d2434.
x/10i

pwndbg> x/10i $pc
=> 0x3f7d2434:	0x7047f03a
   0x3f7d2438:	lui	a3,0x7000
   0x3f7d243c:	ori	a3,a3,0x5e
   0x3f7d2440:	b	0x3f7d241c
   0x3f7d2444:	subu	v0,a3,v0
   0x3f7d2448:	sltiu	a7,a3,-3
   0x3f7d244c:	bnezl	a7,0x3f7d246c
   0x3f7d2450:	subu	a3,a4,v0
   0x3f7d2454:	addiu	a3,a3,1
   0x3f7d2458:	li	v0,-4

So I know the problem is in /lib32/ld.so.1. When I disassemble that file and look at offset 0x4434, it is an exts instruction, as below:

$ file /lib32/ld.so.1
/lib32/ld-2.15.so: ELF 32-bit MSB shared object, MIPS, N32 MIPS64 rel2 version 1 (SYSV), dynamically linked, stripped

$ ./mips64-n32--glibc--stable-2022.08-1/bin/mips64-buildroot-linux-gnu-objdump -d /lib32/ld.so.1 | less
    ...
    4434:       7047f03a        exts    a3,v0,0x0,0x1e
    4438:       3c077000        lui     a3,0x7000
    443c:       34e7005e        ori     a3,a3,0x5e
    4440:       1000fff6        b       441c <GLIBC_2.0@@GLIBC_2.0+0x441c>
    4444:       00e21023        subu    v0,a3,v0
    4448:       2cebfffd        sltiu   a7,a3,-3
    444c:       55600007        bnezl   a7,446c <GLIBC_2.0@@GLIBC_2.0+0x446c>
    4450:       01023823        subu    a3,a4,v0
    4454:       24e70001        addiu   a3,a3,1
    4458:       2402fffc        li      v0,-4
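As an added example (not part of the report), this Python decodes the raw word GDB showed at $pc into its MIPS instruction fields so the faulting word can be checked against what objdump prints. The field layout is the standard MIPS R-type/I-type split and the register names are the n32 ABI names objdump uses; only the three encodings quoted above are recognised.

```python
# Decode the 32-bit MIPS word that QEMU raised SIGILL on and compare it with
# the objdump listing of /lib32/ld.so.1 quoted in the report.
# n32 ABI register names, as printed by objdump ($8-$11 are a4-a7).
REGS = ["zero", "at", "v0", "v1", "a0", "a1", "a2", "a3",
        "a4", "a5", "a6", "a7", "t0", "t1", "t2", "t3",
        "s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7",
        "t8", "t9", "k0", "k1", "gp", "sp", "fp", "ra"]

OPCODE_SPECIAL2 = 0x1c   # major opcode of the faulting word 0x7047f03a
OPCODE_ORI = 0x0d
OPCODE_LUI = 0x0f
FUNCT_EXTS = 0x3a        # function code objdump names "exts"

def fields(word):
    """Split a big-endian MIPS instruction word into its encoding fields."""
    return {
        "opcode": (word >> 26) & 0x3f,
        "rs": (word >> 21) & 0x1f,
        "rt": (word >> 16) & 0x1f,
        "rd": (word >> 11) & 0x1f,
        "sa": (word >> 6) & 0x1f,
        "funct": word & 0x3f,
        "imm": word & 0xffff,
    }

def decode(word):
    """Render the few encodings seen in the report in objdump's syntax."""
    f = fields(word)
    if f["opcode"] == OPCODE_LUI:
        return "lui %s,0x%x" % (REGS[f["rt"]], f["imm"])
    if f["opcode"] == OPCODE_ORI:
        return "ori %s,%s,0x%x" % (REGS[f["rt"]], REGS[f["rs"]], f["imm"])
    if f["opcode"] == OPCODE_SPECIAL2 and f["funct"] == FUNCT_EXTS:
        # objdump prints "exts rt,rs,pos,lenm1": pos is the sa field,
        # lenm1 the rd field.
        return "exts %s,%s,0x%x,0x%x" % (REGS[f["rt"]], REGS[f["rs"]],
                                         f["sa"], f["rd"])
    return "unknown opcode 0x%02x funct 0x%02x" % (f["opcode"], f["funct"])

def sigill_word_matches_objdump(word_at_pc, objdump_word):
    """True when the word GDB read at $pc is the one objdump disassembled."""
    return word_at_pc == objdump_word and decode(word_at_pc).startswith("exts")

if __name__ == "__main__":
    # Words taken from the GDB session and objdump output in the report.
    for w in (0x7047f03a, 0x3c077000, 0x34e7005e):
        print("0x%08x  %s" % (w, decode(w)))
    print(sigill_word_matches_objdump(0x7047f03a, 0x7047f03a))
```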

Steps to reproduce

  1. Download the mips64-n32 toolchain from toolchains.bootlin.com here
  2. Write this C code to the file run.c:
#include <stdio.h>

int main(){
	puts("hello world");
	while (1);
}
  3. Compile run.c with the downloaded toolchain:
mips64-n32--glibc--stable-2022.08-1/bin/mips64-buildroot-linux-gnu-gcc run.c -o run

Steps 1, 2 and 3 can be skipped if you download the attached run file.

  4. Download the attached ld
  5. Make a new directory /lib32 and move the file ld to /lib32
  6. Run the command qemu-mipsn32 run

Additional information

ld-2.15.so

run

Edited by Johnathan Huu Tri