Re: signal delivery, was Re: reliable reproducer

On Wed, Apr 26, 2023 at 09:10:50PM +1200, Michael Schmitz wrote:
> On 26.04.2023 at 16:42, Finn Thain wrote:
> > If the long format frame was corrupted while on the user stack, the
> > partially completed MOVEM won't be resumed correctly. That's why I was
> > concerned about a bug in sys_sigreturn.
> 
> Yes, it turns out I hadn't read mangle_kernel_stack() carefully enough. I
> thought the exception frame had remained on the kernel stack to be restored,
> but I'd missed that it is actually being restored from the user stack copy
> to the kernel stack.

Isn't that a security hole? If we restore the exception frame from
user memory, doesn't that allow a malicious program to affect the
internal state of the CPU just by handling a signal?

	Brad Boyer
	flar@xxxxxxxxxxxxx
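The concern raised above is that whatever the kernel copies back from the user-stack frame becomes CPU state. As an added illustration (not code from this thread and not the Linux m68k implementation), the following C model shows the kind of check a sigreturn path wants before rebuilding its exception frame from a user-supplied copy: the frame format is restricted to a whitelist, the status register and PC are validated, and only the condition-code byte of SR is taken from user memory while the kernel keeps its own high byte. The struct layouts, field names, function names and the set of accepted frame formats are assumptions of this example; the SR bit positions are the architectural m68k ones.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the frame a signal handler's return path
 * reads back from the user stack. Field names and layout are assumptions of
 * this example, not the Linux m68k sigcontext definitions. */
struct user_frame {
    uint16_t sr;         /* status register image supplied by user space */
    uint32_t pc;         /* return program counter */
    uint16_t formatvec;  /* frame format in the high nibble, vector offset below */
};

/* Kernel-side frame the restore writes into (also a constructed model). */
struct kernel_frame {
    uint16_t sr;
    uint32_t pc;
    uint16_t formatvec;
};

/* m68k status register layout (architectural): the supervisor bit and the
 * interrupt priority mask live in the high byte; the condition codes (CCR)
 * occupy the low byte. */
#define SR_SUPERVISOR  0x2000u
#define SR_IPL_MASK    0x0700u
#define SR_CCR_MASK    0x00FFu

/* Frame formats this model agrees to rebuild from a user copy: the four-word
 * (0) and six-word (2) frames. Longer fault-recovery frames carry
 * mid-instruction CPU state (the long frame with a partially completed MOVEM
 * discussed in the thread is one), so they are refused rather than trusted.
 * Which formats to accept is a policy assumption of this example. */
static int format_allowed(unsigned fmt)
{
    return fmt == 0 || fmt == 2;
}

/* Returns 0 if the user-supplied frame is safe to copy back, -1 otherwise. */
int validate_user_frame(const struct user_frame *u)
{
    unsigned fmt = u->formatvec >> 12;

    if (!format_allowed(fmt))
        return -1;            /* unexpected or CPU-internal frame type */
    if (u->sr & SR_SUPERVISOR)
        return -1;            /* would return to user code in supervisor mode */
    if (u->sr & SR_IPL_MASK)
        return -1;            /* would leave interrupts masked after return */
    if (u->pc & 1u)
        return -1;            /* odd PC is an illegal instruction address */
    return 0;
}

/* Only the condition-code byte comes from user space; the high byte of SR is
 * kept from the kernel's own copy so privilege and interrupt state cannot be
 * changed through the signal frame. */
uint16_t sanitize_sr(uint16_t kernel_sr, uint16_t user_sr)
{
    return (uint16_t)((kernel_sr & ~SR_CCR_MASK) | (user_sr & SR_CCR_MASK));
}

/* Restore helper: validate first, then copy with SR merged rather than taken
 * verbatim. Returns 0 on success, -1 if the frame was rejected; on rejection
 * the kernel frame is left untouched. */
int restore_frame(struct kernel_frame *k, const struct user_frame *u)
{
    if (validate_user_frame(u) != 0)
        return -1;
    k->sr = sanitize_sr(k->sr, u->sr);
    k->pc = u->pc;
    k->formatvec = u->formatvec;
    return 0;
}

/* Convenience wrapper so the checks can be exercised with plain values. */
int check_frame(uint16_t sr, uint32_t pc, uint16_t formatvec)
{
    struct user_frame u = { sr, pc, formatvec };
    return validate_user_frame(&u);
}

int main(void)
{
    struct kernel_frame k = { 0x0000, 0, 0 };
    /* Constructed sample frames: a plain format-0 frame with the Z flag set,
     * and one that tries to set the supervisor bit and claim a long frame. */
    struct user_frame good = { 0x0004, 0x00001000u, 0x0000 };
    struct user_frame bad  = { 0x2004, 0x00001000u, 0xB000 };

    printf("good frame: %s\n", restore_frame(&k, &good) == 0 ? "restored" : "rejected");
    printf("bad frame:  %s\n", restore_frame(&k, &bad) == 0 ? "restored" : "rejected");
    return 0;
}
```

The format whitelist and the SR merge are the two checks that decide what a user program can change by editing the frame before sigreturn: the condition codes, the PC and the vector are its own business, the frame type and the privileged half of SR are not.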
