* [patch] make exception handler in copy_user more robust
From: Chen, Kenneth W @ 2005-09-06 23:05 UTC
To: linux-ia64
The exception handler in copy_user always expects that a fault occurs only on
a user space address, and the fallback recovery code is written with that
very assumption in mind. Recent source code inspection revealed that
while it worked splendidly and to expectation under normal circumstances,
it broke down under an unexpected condition where some address calculation
might go outside the legal address range the original copy_user was
called for. This patch is to make the copy_user exception handler more robust
and to prevent potential memory corruption.
Signed-off-by: Ken Chen <kenneth.w.chen@intel.com>
--- linux-2.6.13/arch/ia64/lib/memcpy_mck.S.orig 2005-09-06 15:15:29.560795174 -0700
+++ linux-2.6.13/arch/ia64/lib/memcpy_mck.S 2005-09-06 15:21:46.798095240 -0700
@@ -625,8 +625,11 @@ EK(.ex_handler, (p17) st8 [dst1]=r39,8)
clrrrb
;;
alloc saved_pfs_stack=ar.pfs,3,3,3,0
+ cmp.lt p8,p0=A,r0
sub B = dst0, saved_in0 // how many byte copied so far
;;
+(p8) mov A = 0; // A shouldn't be negative, cap it
+ ;;
sub C = A, B
sub D = saved_in2, A
;;
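Review bot: the new `cmp.lt p8,p0=A,r0` / `(p8) mov A = 0` pair only bounds A from below, yet the unchanged context `sub D = saved_in2, A` two lines later still produces a negative D if the same bad address calculation pushes A above saved_in2; if A can stray outside the legal range in either direction, a symmetric cap next to this one (compare A against saved_in2 and clamp it to saved_in2) would close the other half. Minor: the context comment "how many byte copied so far" should read "bytes", and the changelog could say where A is derived from so the reason a negative value is reachable is on record.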
* Re: [patch] make exception handler in copy_user more robust
From: david mosberger @ 2005-09-07 1:10 UTC
To: linux-ia64
Since we no longer support GCC 2.x, could that code perhaps be
simplified by taking advantage of tags?
--david
On 9/6/05, Chen, Kenneth W <kenneth.w.chen@intel.com> wrote:
> The exception handler in copy_user always expects that a fault occurs only on
> a user space address, and the fallback recovery code is written with that
> very assumption in mind. Recent source code inspection revealed that
> while it worked splendidly and to expectation under normal circumstances,
> it broke down under an unexpected condition where some address calculation
> might go outside the legal address range the original copy_user was
> called for. This patch is to make the copy_user exception handler more robust
> and to prevent potential memory corruption.
>
>
> Signed-off-by: Ken Chen <kenneth.w.chen@intel.com>
>
>
> --- linux-2.6.13/arch/ia64/lib/memcpy_mck.S.orig 2005-09-06 15:15:29.560795174 -0700
> +++ linux-2.6.13/arch/ia64/lib/memcpy_mck.S 2005-09-06 15:21:46.798095240 -0700
> @@ -625,8 +625,11 @@ EK(.ex_handler, (p17) st8 [dst1]=r39,8)
> clrrrb
> ;;
> alloc saved_pfs_stack=ar.pfs,3,3,3,0
> + cmp.lt p8,p0=A,r0
> sub B = dst0, saved_in0 // how many byte copied so far
> ;;
> +(p8) mov A = 0; // A shouldn't be negative, cap it
> + ;;
> sub C = A, B
> sub D = saved_in2, A
> ;;
>
--
Mosberger Consulting LLC, voice/fax: 510-744-9372,
http://www.mosberger-consulting.com/
35706 Runckel Lane, Fremont, CA 94536
* RE: [patch] make exception handler in copy_user more robust
From: Chen, Kenneth W @ 2005-09-07 1:49 UTC
To: linux-ia64
david mosberger wrote on Tuesday, September 06, 2005 6:11 PM
> Since we no longer support GCC 2.x, could that code perhaps be
> simplified by taking advantage of tags?
Maybe, that would get rid of the guessing of where the fault address
is (which is the source of the current vulnerability under unusual
conditions). Lots of code in the exception handler is there to figure out
how far the software pipeline has progressed, and it tries to copy the
remaining bytes that are still in flight in the pipeline stages. This
won't change with or without tag support. When I wrote the code, I
tried to be precise and copy as many bytes as I can (even in the
exception handler). Maybe we don't need that kind of byte granularity
when a fault happens. Does anyone need precise partial copy_user,
meaning copy all the bytes up until the faulting address?
- Ken
* Re: [patch] make exception handler in copy_user more robust
From: david mosberger @ 2005-09-07 2:07 UTC
To: linux-ia64
On 9/6/05, Chen, Kenneth W <kenneth.w.chen@intel.com> wrote:
> Does anyone need precise partial copy_user,
> meaning copy all the bytes up until faulting address?
Yes, I'm pretty sure that's the case. I recall seeing problems with
mount option copying when copy_user doesn't give the exact number of
bytes that haven't been copied.
--david
* RE: [patch] make exception handler in copy_user more robust
From: Chen, Kenneth W @ 2005-09-07 2:11 UTC
To: linux-ia64
david mosberger wrote on Tuesday, September 06, 2005 7:08 PM
> On 9/6/05, Chen, Kenneth W <kenneth.w.chen@intel.com> wrote:
>
> > Does anyone need precise partial copy_user,
> > meaning copy all the bytes up until faulting address?
>
> Yes, I'm pretty sure that's the case. I recall seeing problems with
> mount option copying when copy_user doesn't give the exact number of
> bytes that haven't been copied.
OK, in that case, we won't be able to simplify too much code in the
exception handler. Good for me :-p
- Ken
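The following is an added C model, written for this page and not code from the kernel or from either poster, of two things the thread touches: the arithmetic visible in Ken's hunk (B = dst0 - saved_in0, C = A - B, D = saved_in2 - A, with the new clamp of A to zero) and the caller contract David raises, that the "bytes not copied" count handed back by copy_user must be exact. The meanings assigned to the asm names (saved_in2 as the requested length, A as the handler's estimate of how far the copy got, B/C/D as in the hunk) are assumptions, and the sample lengths are constructed; what the real handler does with the in-flight count is outside the hunk and outside this model.

```c
#include <stdio.h>

/*
 * Assumed meanings of the asm names in the hunk (assumptions, not stated on the page):
 *   saved_in2             total number of bytes the caller asked for
 *   B = dst0 - saved_in0  bytes the software pipeline has already stored
 *   A                     handler's estimate of how far the copy got before the fault
 *   C = A - B             bytes still in flight in the pipeline at the fault
 *   D = saved_in2 - A     bytes that could not be copied, reported back to the caller
 */
struct recovery {
    long in_flight;   /* C */
    long not_copied;  /* D */
};

/* Arithmetic before the patch: A is used as-is, whatever value it carries. */
struct recovery recover_unpatched(long total, long stored, long a)
{
    struct recovery r;
    r.in_flight  = a - stored;     /* sub C = A, B */
    r.not_copied = total - a;      /* sub D = saved_in2, A */
    return r;
}

/* Arithmetic after the patch: mirrors "cmp.lt p8,p0=A,r0" / "(p8) mov A = 0". */
struct recovery recover_patched(long total, long stored, long a)
{
    if (a < 0)
        a = 0;   /* "A shouldn't be negative, cap it" (the hunk's own comment) */
    return recover_unpatched(total, stored, a);
}

/*
 * The contract callers rely on: the count of bytes not copied must lie in
 * [0, total]. Outside that range "bytes copied" = total - D is meaningless,
 * and a fallback loop sized by D would step outside the caller's buffer.
 */
int not_copied_is_sane(long total, struct recovery r)
{
    return r.not_copied >= 0 && r.not_copied <= total;
}

/* What a caller (e.g. code copying mount options) derives from the return value. */
long bytes_copied(long total, long not_copied)
{
    return total - not_copied;
}

int main(void)
{
    long total = 4096, stored = 512;   /* constructed sample lengths */

    /* Normal case: the estimate lies between the bytes already stored and total. */
    struct recovery ok = recover_patched(total, stored, 1024);
    printf("normal:    in_flight=%ld not_copied=%ld sane=%d copied=%ld\n",
           ok.in_flight, ok.not_copied, not_copied_is_sane(total, ok),
           bytes_copied(total, ok.not_copied));

    /* A bad address calculation drives the estimate negative (constructed value). */
    struct recovery bad = recover_unpatched(total, stored, -64);
    printf("unpatched: in_flight=%ld not_copied=%ld sane=%d copied=%ld\n",
           bad.in_flight, bad.not_copied, not_copied_is_sane(total, bad),
           bytes_copied(total, bad.not_copied));

    /* Same input through the clamped path: D is back inside [0, total]. */
    struct recovery fixed = recover_patched(total, stored, -64);
    printf("patched:   in_flight=%ld not_copied=%ld sane=%d copied=%ld\n",
           fixed.in_flight, fixed.not_copied, not_copied_is_sane(total, fixed),
           bytes_copied(total, fixed.not_copied));
    return 0;
}
```

With the constructed inputs the unpatched path reports 4160 bytes not copied out of a 4096-byte request, so a caller computing the copied length gets -64; the clamp brings the report back to 4096 (nothing copied), which is a conservative but consistent answer. The model also makes the reviewer's upper-bound question concrete: an estimate larger than total would drive D negative in both paths, since the hunk only caps A at zero.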