On Mon, 11 Dec 2006 01:16:47 +0900 (JST), Atsushi Nemoto <anemo@xxxxxxxxxxxxx> wrote:

> If we passed an invalid _and_ unaligned source address to
> copy_from_user(), the fault handling code miscalculates the length of
> uncopied bytes and returns a value greater than the original length. This
> also causes a negative buffer overflow and overwrites some bytes just
> before the destination kernel buffer.
>
> This can happen in the "src_unaligned" case in memcpy.S. If the first load
> from the source buffer was a LDFIRST/LDREST (L[WD][RL]) instruction, it
> raises an exception and the THREAD_BUADDR will be an aligned address, so
> it will be _smaller_ than its real target address.

Sorry, this is wrong! Please ignore this patch.

In this case THREAD_BUADDR should be an _unaligned_ address. On QEMU
THREAD_BUADDR was an _aligned_ address, so it might be a QEMU bug ...

---
Atsushi Nemoto