* Bug in copy_user
@ 2002-06-04 18:08 Gleb O. Raiko
From: Gleb O. Raiko @ 2002-06-04 18:08 UTC (permalink / raw)
To: linux-mips, linux-mips
There is a bug in __copy_user (arch/mips*/lib/memcpy.S). Tested for 2.4.18
kernels, but versions 2.2, 2.4, and 2.5 for both mips and mips64 seem
to have a similar bug.
For kernel 2.4.18 and mips
__copy_user returns wrong value if len = 4...7 and dst isn't accessible.
Other versions behave almost the same, just borders differ.
For example,
read(0,NULL,len), len=4...7
getsockopt/ioctl(fd, *GET*, NULL, sizeof(int))
return success. Fortunately, they don't write to address 0.
The following patch seems to be OK for 2.4.18:
less_than_4units:
/*
* rem = len % NBYTES
*/
beq rem, len, copy_bytes
nop
1:
EXC( LOAD t0, 0(src), l_exc)
ADD src, src, NBYTES
SUB len, len, NBYTES
-EXC( STORE t0, 0(dst), s_exc)
+EXC( STORE t0, 0(dst), s_exc_p1u)
bne rem, len, 1b
ADD dst, dst, NBYTES
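Review bot: The changed STORE in loop 1: needs a comment saying why it takes a different fixup from the other stores, because the reason is only visible from instruction order. The store comes after `SUB len, len, NBYTES`, so when it faults, len no longer counts the unit that was loaded but never written; if s_exc reports len as it stands, the uncopied count is short by NBYTES, and for len equal to NBYTES it is 0. Assuming s_exc_p1u adds one unit back, as its name suggests, a one-line note on the STORE stating that would keep a later reordering of the SUB from silently reintroducing the wrong count. The message says mips64 and the other kernel versions differ only in the borders, so the equivalent stores there want the same check, and the patch as posted has no file header or @@ line, so it cannot be applied directly.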
Any comments?
Regards,
Gleb.