* Fixup in unaligned.c
@ 2001-10-29 13:35 tommy.christensen
2001-10-30 9:17 ` Ralf Baechle
From: tommy.christensen @ 2001-10-29 13:35 UTC (permalink / raw)
To: Ralf Baechle; +Cc: linux-mips
It seems we don't always handle bad user-mode pointers correctly.
If put_user is called with an unmapped AND unaligned address it
kills the current process instead of returning EFAULT.
The reason for this is that we do compute_return_epc() in do_ade()
before the exception table is searched, so we never get a match.
Below is a simple patch to fix it (attached as well).
The second part is not related, but it makes sense to only consult
the MF_FIXADE flag on exceptions originating from user-mode, right?
-Tommy
--- arch/mips/kernel/unaligned.c 2001/10/05 15:13:25 1.14
+++ arch/mips/kernel/unaligned.c 2001/10/29 12:39:56
@@ -353,12 +353,12 @@
fault:
/* Did we have an exception handler installed? */
- fixup = search_exception_table(regs->cp0_epc);
+ fixup = search_exception_table(pc);
if (fixup) {
long new_epc;
- new_epc = fixup_exception(dpf_reg, fixup, regs->cp0_epc);
+ new_epc = fixup_exception(dpf_reg, fixup, pc);
printk(KERN_DEBUG "%s: Forwarding exception at [<%lx>]
(%lx)\n",
- current->comm, regs->cp0_epc, new_epc);
+ current->comm, pc, new_epc);
regs->cp0_epc = new_epc;
return;
}
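Review bot: the switch from regs->cp0_epc to pc in the search_exception_table() and fixup_exception() calls is only correct if pc still holds the address of the faulting load/store rather than the already-advanced EPC; the second hunk shows pc being derived from cp0_epc (plus 4 in a branch delay slot) before compute_return_epc() runs, and then passed as the third argument to emulate_load_store_insn(), but the signature of the function containing this fault: label is not in the diff, so it should be confirmed that pc here is that parameter and not a local shadowing it. A one-line comment above the lookup, e.g. "/* cp0_epc has already been advanced by compute_return_epc(); use the faulting pc */", would document why cp0_epc cannot be used, since nothing in the hunk explains it and the original code looked reasonable at a glance.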
@@ -408,7 +408,7 @@
pc = regs->cp0_epc + ((regs->cp0_cause & CAUSEF_BD) ? 4 : 0);
if (compute_return_epc(regs))
return;
- if ((current->thread.mflags & MF_FIXADE) == 0)
+ if (user_mode(regs) && (current->thread.mflags & MF_FIXADE) == 0)
goto sigbus;
emulate_load_store_insn(regs, regs->cp0_badvaddr, pc);
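Review bot: adding user_mode(regs) in front of the MF_FIXADE test changes the kernel-mode behaviour, not just the user-mode one: a kernel-mode unaligned access is now always emulated regardless of the current process's flag, where before a process that had cleared MF_FIXADE could turn a kernel-mode unaligned access into a sigbus. That matches the stated intent (the flag is a per-process user preference and should not govern kernel faults), but the sigbus label's behaviour for a kernel-mode fault should be checked too, since with this change it is no longer reachable from here in kernel mode and any kernel-mode fixup now relies entirely on the exception-table path fixed in the first hunk. The description should also spell out this kernel-mode change rather than calling the second part "not related".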
(See attached file: unaligned.c.patch.gz)
* Re: Fixup in unaligned.c
@ 2001-10-30 9:17 ` Ralf Baechle
From: Ralf Baechle @ 2001-10-30 9:17 UTC (permalink / raw)
To: tommy.christensen; +Cc: linux-mips
On Mon, Oct 29, 2001 at 02:35:45PM +0100, tommy.christensen@eicon.com wrote:
> It seems we don't always handle bad user-mode pointers correctly.
> If put_user is called with an unmapped AND unaligned address it
> kills the current process instead of returning EFAULT.
>
> The reason for this is that we do compute_return_epc() in do_ade()
> before the exception table is searched, so we never get a match.
The misplaced branch emulation is a known problem in basically all of our
exception handlers that have to emulate branches in software. It also
affects ptrace; it is possible that a debugger already observes the new epc
after the branch has been executed but the instruction in the delay slot
wasn't due to some problem like a page fault.
> Below is a simple patch to fix it (attached as well).
> The second part is not related, but it makes sense to only consult
> the MF_FIXADE flag on exceptions originating from user-mode, right?
That's actually an evil one from which local DoS attacks can be constructed.
Ralf