From: "Alex Züpke" <azu@sysgo.de>
To: user-mode-linux-devel@lists.sourceforge.net
Subject: Re: [uml-devel] bad panic "Kernel stack overflow" - demo exploit
Date: Thu, 01 Jul 2004 19:57:38 +0200
Message-ID: <40E45092.7050106@sysgo.de>
In-Reply-To: <200406302144.32539.blaisorblade_spam@yahoo.it>
> uml-linux-2.6.7-paolo/arch/um/kernel/trap_kern.c | 2 +-
> 1 files changed, 1 insertion(+), 1 deletion(-)
>
> diff -puN arch/um/kernel/trap_kern.c~check_is_user_before_panic
> arch/um/kernel/trap_kern.c
> --- uml-linux-2.6.7/arch/um/kernel/trap_kern.c~check_is_user_before_panic
> 2004-06-30 21:27:59.640300880 +0200
> +++ uml-linux-2.6.7-paolo/arch/um/kernel/trap_kern.c 2004-06-30
> 21:28:04.043631472 +0200
> @@ -54,7 +54,7 @@ int handle_page_fault(unsigned long addr
> if(is_write && !(vma->vm_flags & VM_WRITE))
> goto out;
> page = address & PAGE_MASK;
> - if(page == (unsigned long) current_thread + PAGE_SIZE)
> + if(page == (unsigned long) current_thread + PAGE_SIZE && !is_user)
> panic("Kernel stack overflow");
> pgd = pgd_offset(mm, page);
> pmd = pmd_offset(pgd, page);
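Review bot: adding `&& !is_user` to the panic condition does not remove the user-reachable panic, because this same path is entered with is_user = 0 when the kernel accesses user memory on a process's behalf (the copy_from/to_user path via skas/uaccess.c::maybe_map()), so a user-supplied address that equals current_thread + PAGE_SIZE still reaches panic("Kernel stack overflow"). The deeper problem is where the check sits: it runs after the vma lookup and the `vm_flags & VM_WRITE` test, i.e. it compares a user-VMA fault address against a kernel stack page, and a user address that merely happens to equal that value is not a kernel stack overflow, only a denial of service trigger. Suggest either moving the kernel-stack check ahead of the user-VMA handling so it only considers kernel-space faults, or dropping it if its original purpose (which Jeff may remember) no longer applies, rather than narrowing the comparison with another flag.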
>
>
Hi Paolo,
checking !is_user might not help, because
skas/uaccess.c::maybe_map() calls handle_page_fault with is_user = 0
when doing copy_from/to_user stuff ...
Maybe Jeff remembers the intention of this panic,
because the whole
    if(page == (unsigned long) current + PAGE_SIZE)
        panic("Kernel stack overflow");
does not make any sense to me when checking user VMAs.
On Linux 2.4.xx with 8k stacks, current+PAGE_SIZE is the upper
page of the kernel stack, is always valid in kernel address space,
and has nothing to do with the userspace VMAs.
-Alex