When I reread the thread I see Brian was doing some testing/fuzzing,
that's why he found that out.
I managed to get my old router running. It's BCM5354 (BCM3302 v2.9) running on
Linux 2.4.35.
I used the following code (gnu as compiled, but replaced the nop after the branch
with the branch instruction).
I don't know how Brian got to his state.
I should've mentioned though I was using a custom binary (shellcode) that
triggered this behavior. This code was not generated by a compiler.
However, I wanted to point out that a user can crash the qemu host by
running custom code from userspace.
Unfortunately
I found the exact same bug. Tested on several hosts and qemu releases.
The newest one I tested was on FreeBSD 12.1 host and qemu-4.1.1_1 built
from ports.
Instructions:
4000d0:   0320f809    jalr t9
4000d4:   45454545    0x45454545    # bc1any4t $fcc1,0x800101f8
I was