Package: qemu-user-static
Version: 1:7.2+dfsg-7+deb12u2
Followup-For: Bug #1053101

Sharing some further in-depth debugging results. Everything seems to
point to the executables with ELF type 3 (Linux) not marked as PIE
suffering the same fate. The address that faults is always 0x400000 so
I'm hunting for that in glibc's ld.so since I suspect it is a hard-coded
default when not asking the kernel to suggest an address with 
mmap(NULL, ...) that ends up with an address that matches the host
process virtual addresses.

$ /usr/bin/qemu-aarch64-static \
    -d page,strace,cpu,exec,trace:guest_user_syscall,trace:target_mmap \
    sid-aarch64/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1 --verify \
    sid-aarch64/usr/bin/aarch64-linux-gnu-g++-13

host mmap_min_addr=0x10000
Locating guest address space @ 0x0
target_mmap start=0x0 len=0x2041360 prot=0x0 flags=0x4022 fd=-1 offset=0x0
page layout changed following mmap
start            end              size             prot
0000005500000000-0000005502042000 0000000002042000 ---
target_mmap start=0x5500000000 len=0x26000 prot=0x5 flags=0x12 fd=3 offset=0x0
...
Trace 0: 0x7f4f18029a00 [0000000001009331/00000055000066ac/00000001/00000000]
PC=00000055000066ac X00=0000000000400000 X01=0000000000504968
X02=0000000000504968 X03=0000000000000000 X04=000000006474e551
X05=0000000000001730 X06=0000005502841270 X07=0000000000000006
X08=0000000000006098 X09=0000000000000000 X10=0000000000000002
X11=0000000000000000 X12=00000000004fe8d0 X13=0000000000001000
X14=0000000000010000 X15=000000000000ffff X16=0000000000010000
X17=fffffffffffff000 X18=00000000004fe000 X19=0000000020000000
X20=0000000000000003 X21=0000000000000000 X22=0000005500041390
X23=0000005500041360 X24=0000005502840de0 X25=0000000000104968
X26=0000005502840de0 X27=000000550003f000 X28=00000055028412b0
X29=0000005502841010 X30=0000000000000000  SP=0000005502840db0
PSTATE=80000000 N--- EL0t  SVCR=00000000 --  BTYPE=0
Linking TBs 0x7f4f18029a00 index 0 -> 0x7f4f18029bc0
Trace 0: 0x7f4f18029bc0 [0000000001009331/00000055000066c0/00000001/00000000]
PC=00000055000066c0 X00=0000005502840e50 X01=0000000000504968
X02=0000000000504968 X03=0000000000000000 X04=000000006474e551
X05=0000000000001730 X06=0000005502841270 X07=0000000000000006
X08=0000000000006098 X09=0000000000000000 X10=0000000000000002
X11=0000000000000000 X12=00000000004fe8d0 X13=0000000000001000
X14=0000000000010000 X15=000000000000ffff X16=0000000000010000
X17=fffffffffffff000 X18=00000000004fe000 X19=0000000020000000
X20=0000000000000003 X21=0000000000000000 X22=0000005500041390
X23=0000005500041360 X24=0000005502840de0 X25=0000000000104968
X26=0000005502840de0 X27=000000550003f000 X28=00000055028412b0
X29=0000005502841010 X30=0000000000000000  SP=0000005502840db0
PSTATE=80000000 N--- EL0t  SVCR=00000000 --  BTYPE=0
Linking TBs 0x7f4f18029bc0 index 0 -> 0x7f4f18029d80
Trace 0: 0x7f4f18029d80 [0000000001009331/00000055000066cc/00000001/00000000]
PC=00000055000066cc X00=0000000000400000 X01=00000000004e5000
X02=0000000000504968 X03=0000000000000000 X04=000000006474e551
X05=0000000000001730 X06=0000005502841270 X07=0000000000000006
X08=0000000000006098 X09=0000000000000000 X10=0000000000000002
X11=0000000000000000 X12=00000000004fe8d0 X13=0000000000001000
X14=0000000000010000 X15=000000000000ffff X16=0000000000010000
X17=fffffffffffff000 X18=00000000004fe000 X19=0000000020000000
X20=0000000000000003 X21=0000000000000000 X22=0000005500041390
X23=0000005500041360 X24=0000005502840de0 X25=0000000000104968
X26=0000005502840de0 X27=000000550003f000 X28=00000055028412b0
X29=0000005502841010 X30=0000000000000000  SP=0000005502840db0
PSTATE=20000000 --C- EL0t  SVCR=00000000 --  BTYPE=0
Trace 0: 0x7f4f18029fc0 [0000000001009331/000000550001ab90/00000001/00000000]
PC=000000550001ab90 X00=0000000000400000 X01=00000000000e5000
X02=0000000000000005 X03=0000000000000812 X04=0000000000000003
X05=0000000000000000 X06=0000005502841270 X07=0000000000000006
X08=0000000000006098 X09=0000000000000000 X10=0000000000000002
X11=0000000000000000 X12=00000000004fe8d0 X13=0000000000001000
X14=0000000000010000 X15=000000000000ffff X16=0000000000010000
X17=fffffffffffff000 X18=00000000004fe000 X19=0000000020000000
X20=0000000000000003 X21=0000000000000000 X22=0000005500041390
X23=0000005500041360 X24=0000005502840de0 X25=0000000000104968
X26=0000005502840de0 X27=000000550003f000 X28=00000055028412b0
X29=0000005502841010 X30=00000055000066f4  SP=0000005502840db0
PSTATE=20000000 --C- EL0t  SVCR=00000000 --  BTYPE=0
Linking TBs 0x7f4f18029fc0 index 0 -> 0x7f4f1802a140
Trace 0: 0x7f4f1802a140 [0000000001009331/000000550001ab98/00000001/00000000]
PC=000000550001ab98 X00=0000000000400000 X01=00000000000e5000
X02=0000000000000005 X03=0000000000000812 X04=0000000000000003
X05=0000000000000000 X06=0000005502841270 X07=0000000000000006
X08=0000000000006098 X09=0000000000000000 X10=0000000000000002
X11=0000000000000000 X12=00000000004fe8d0 X13=0000000000001000
X14=0000000000010000 X15=000000000000ffff X16=0000000000010000
X17=fffffffffffff000 X18=00000000004fe000 X19=0000000020000000
X20=0000000000000003 X21=0000000000000000 X22=0000005500041390
X23=0000005500041360 X24=0000005502840de0 X25=0000000000104968
X26=0000005502840de0 X27=000000550003f000 X28=00000055028412b0
X29=0000005502841010 X30=00000055000066f4  SP=0000005502840db0
PSTATE=40000000 -Z-- EL0t  SVCR=00000000 --  BTYPE=0
guest_user_syscall cpu=0x1659e50 num=0x00000000000000de arg1=0x0000000000400000 arg2=0x00000000000e5000 arg3=0x0000000000000005 arg4=0x0000000000000812 arg5=0x0000000000000003 arg6=0x0000000000000000 arg7=0x0000000000000000 arg8=0x0000000000000000
1084043 mmap(0x0000000000400000,937984,PROT_EXEC|PROT_READ,MAP_PRIVATE|MAP_DENYWRITE|MAP_FIXED,3,0)target_mmap start=0x400000 len=0xe5000 prot=0x5 flags=0x812 fd=3 offset=0x0
Segmentation fault (core dumped)

Notice how the failing mmap address is 0x00400000 but the emulator
mapping is at 0x5500000000.

My suspicion here is that some kind of address translation should be
done in QEMU runtime code based on the permutations of PIE between host
and target.

I discounted ASLR being the cause via

$ cat /proc/sys/kernel/randomize_va_space
2
$ echo 0 | sudo dd of=/proc/sys/kernel/randomize_va_space
