* Re: convert_fxsr_from_user
2003-04-09 0:13 convert_fxsr_from_user Dave Jones
@ 2003-04-08 23:51 ` Andrew Morton
2003-04-09 1:10 ` convert_fxsr_from_user Dave Jones
0 siblings, 1 reply; 3+ messages in thread
From: Andrew Morton @ 2003-04-08 23:51 UTC (permalink / raw)
To: Dave Jones; +Cc: linux-kernel
Dave Jones <davej@codemonkey.org.uk> wrote:
>
> Andrew,
> A while back you optimised this routine to not do lots of memory
> copies. I've noticed it does no checking on the validity of the
> addresses it dereferences from userspace.
It never has performed those checks. The check is in the caller,
arch/i386/kernel/signal.c:restore_i387.
Bless you for merging Jon's uaccess.h documentation patch.
My __get_user()'s are arse-about.
diff -puN arch/i386/kernel/i387.c~convert_fxsr_from_user-get_user-fixes arch/i386/kernel/i387.c
--- 25/arch/i386/kernel/i387.c~convert_fxsr_from_user-get_user-fixes Tue Apr 8 16:47:08 2003
+++ 25-akpm/arch/i386/kernel/i387.c Tue Apr 8 16:48:13 2003
@@ -275,9 +275,9 @@ static int convert_fxsr_from_user( struc
unsigned long *t = (unsigned long *)to;
unsigned long *f = (unsigned long *)from;
- if (__get_user(*f, t) ||
- __get_user(*(f + 1), t + 1) ||
- __get_user(from->exponent, &to->exponent))
+ if (__get_user(*t, f) ||
+ __get_user(*(t + 1), f + 1) ||
+ __get_user(to->exponent, &from->exponent))
return 1;
}
return 0;
_
^ permalink raw reply [flat|nested] 3+ messages in thread
* convert_fxsr_from_user
@ 2003-04-09 0:13 Dave Jones
2003-04-08 23:51 ` convert_fxsr_from_user Andrew Morton
0 siblings, 1 reply; 3+ messages in thread
From: Dave Jones @ 2003-04-09 0:13 UTC (permalink / raw)
To: akpm; +Cc: Linux Kernel
Andrew,
A while back you optimised this routine to not do lots of memory
copies. I've noticed it does no checking on the validity of the
addresses it dereferences from userspace.
Looks like we need to...
Dave
Unable to handle kernel paging request at virtual address 08048514
printing eip:
c0114490
*pde = 05ad8067
*pte = 0586a025
Oops: 0003 [#1]
CPU: 0
EIP: 0060:[<c0114490>] Not tainted
EFLAGS: 00010246
EIP is at convert_fxsr_from_user+0xe0/0x150
eax: e9000000 ebx: 08048514 ecx: c5be1d40 edx: 00000000
esi: c56d4000 edi: 00000000 ebp: c56d5f1c esp: c56d5ee4
ds: 007b es: 007b ss: 0068
Process a.out (pid: 638, threadinfo=c56d4000 task=c5be1980)
Stack: c56d5ef0 080484f8 0000001c 83e58955 51e808ec e8000001 000001ac 0007cbe8
00c3c900 90f435ff c6165d70 c5be1980 c5be1d20 080484f8 c56d5f3c c0114711
c5be1d20 080484f8 00000200 080484f8 00000000 00000000 c56d5f54 c01147a0
Call Trace:
[<c0114711>] restore_i387_fxsave+0x81/0x90
[<c01147a0>] restore_i387+0x80/0x90
[<c01092b8>] restore_sigcontext+0x128/0x140
[<c010972c>] sys_rt_sigreturn+0x1bc/0x2e0
[<c016ba65>] sys_write+0x45/0x60
[<c010a457>] syscall_call+0x7/0xb
Code: 89 03 85 d2 75 2e 8b 41 04 89 43 04 85 d2 75 24 66 8b 41 08
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: convert_fxsr_from_user
2003-04-08 23:51 ` convert_fxsr_from_user Andrew Morton
@ 2003-04-09 1:10 ` Dave Jones
0 siblings, 0 replies; 3+ messages in thread
From: Dave Jones @ 2003-04-09 1:10 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-kernel
On Tue, Apr 08, 2003 at 04:51:13PM -0700, Andrew Morton wrote:
> It never has performed those checks. The check is in the caller,
> arch/i386/kernel/signal.c:restore_i387.
Ah, mixing my __'s up.
> Bless you for merging Jon's uaccess.h documentation patch.
> My __get_user()'s are arse-about.
Yup, that's the bugger. Fixes the problem here.
Dave
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2003-04-09 0:59 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-04-09 0:13 convert_fxsr_from_user Dave Jones
2003-04-08 23:51 ` convert_fxsr_from_user Andrew Morton
2003-04-09 1:10 ` convert_fxsr_from_user Dave Jones
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox