On Fri, 31 Oct 2014, Ren Qiaowei wrote:
> On 10/31/2014 06:38 AM, Dave Hansen wrote:
> > > @@ -316,6 +317,11 @@ dotraplinkage void do_bounds(struct pt_regs *regs, > > > long error_code) > > > break; > > > > > > case 1: /* Bound violation. */ > > > + do_mpx_bounds(regs, &info, xsave_buf); > > > + do_trap(X86_TRAP_BR, SIGSEGV, "bounds", regs, > > > + error_code, &info); > > > + break; > > > + > > > case 0: /* No exception caused by Intel MPX operations. */ > > > do_trap(X86_TRAP_BR, SIGSEGV, "bounds", regs, error_code, > > > NULL); > > > break;
> >
> > So, siginfo is stack-allocated here. do_mpx_bounds() can error out if
> > it sees an invalid bndregno. We still send the signal with the &info
> > whether or not we filled the 'info' in do_mpx_bounds().
> >
> > Can't this leak some kernel stack out in the 'info'?
>
> This should check the return value of do_mpx_bounds and should be fixed.

And how's that answering Dave's question about leaking stack information?

Thanks,

	tglx
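Review bot: in the `case 1:` branch the return value of do_mpx_bounds(regs, &info, xsave_buf) is discarded, yet `&info` is handed to do_trap() on the very next line; `info` is a stack-allocated siginfo, so whenever do_mpx_bounds() bails out early (on an invalid bndregno, as the thread notes) the fields it never wrote are stale kernel stack bytes that do_trap() then delivers to user space. Check the return value and, on failure, take the same do_trap(X86_TRAP_BR, SIGSEGV, "bounds", regs, error_code, NULL) path that `case 0:` already uses, so that only a fully initialised siginfo ever leaves the kernel; zero-initialising `info` at its declaration is a cheap additional safeguard but is not a substitute for the check.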
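The leak Dave describes, modelled as a stand-alone user-space program: a stack struct is only partially filled when the fill routine rejects its input, and the caller copies it out anyway. This is an added example, not code from the patch or from the kernel; bnd_info, bnd_fault, fill_bounds_info(), deliver_unchecked() and deliver_checked() are hypothetical names, STALE_BYTE is a constructed marker standing in for whatever a previous call left on the stack (real stale stack contents are nondeterministic; the marker makes the demo repeatable), and the fallback delivered on failure is this example's choice, not the patch's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_BND_REGS 4      /* MPX has four bound registers, BND0-BND3 */
#define SIG_SEGV     11
#define STALE_BYTE   0xA5   /* constructed stand-in for stale stack contents */

/* Hypothetical stand-in for the siginfo fields a bounds fault would report. */
struct bnd_info {
    uint32_t  signo;
    uint32_t  code;
    uintptr_t addr;     /* faulting address */
    uintptr_t lower;    /* violated bounds */
    uintptr_t upper;
};

/* Constructed description of a decoded fault: which bound register, what bounds. */
struct bnd_fault {
    int       bndregno;
    uintptr_t addr, lower, upper;
};

/*
 * Same shape as the do_mpx_bounds() call in the hunk: fill *info and return 0,
 * or return an error on an invalid bound-register number. On error *info is
 * NOT touched, which is what turns an unchecked call into an information leak.
 */
int fill_bounds_info(const struct bnd_fault *f, struct bnd_info *info)
{
    if (f->bndregno < 0 || f->bndregno >= NUM_BND_REGS)
        return -1;
    info->signo = SIG_SEGV;
    info->code  = 3;          /* SEGV_BNDERR */
    info->addr  = f->addr;
    info->lower = f->lower;
    info->upper = f->upper;
    return 0;
}

/* Number of bytes of 'out' that still carry the stale marker, i.e. were never written. */
size_t count_stale(const struct bnd_info *out)
{
    const unsigned char *p = (const unsigned char *)out;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *out; i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

/*
 * Vulnerable shape, as in the patch's case 1: the return value is ignored and
 * the struct is copied out regardless. Returns how many stale bytes reached the caller.
 */
size_t deliver_unchecked(const struct bnd_fault *f, struct bnd_info *out)
{
    struct bnd_info info;
    memset(&info, STALE_BYTE, sizeof info);  /* deterministic "stale stack" for the demo */
    fill_bounds_info(f, &info);              /* result discarded */
    memcpy(out, &info, sizeof info);         /* stand-in for copying siginfo to user space */
    return count_stale(out);
}

/*
 * Hardened shape: check the return value; on failure hand out a fully
 * specified fallback (a zeroed record carrying only the signal number, the
 * analogue of the hunk's NULL-info path) instead of stack contents.
 */
size_t deliver_checked(const struct bnd_fault *f, struct bnd_info *out)
{
    struct bnd_info info;
    memset(&info, STALE_BYTE, sizeof info);
    if (fill_bounds_info(f, &info) != 0) {
        memset(out, 0, sizeof *out);
        out->signo = SIG_SEGV;
        return count_stale(out);
    }
    memcpy(out, &info, sizeof info);
    return count_stale(out);
}

int main(void)
{
    struct bnd_fault bad  = { .bndregno = 7, .addr = 0x1000, .lower = 0x1000, .upper = 0x1fff };
    struct bnd_fault good = { .bndregno = 2, .addr = 0x1000, .lower = 0x1000, .upper = 0x1fff };
    struct bnd_info out;

    printf("unchecked, invalid bndregno: %zu stale bytes leaked\n", deliver_unchecked(&bad, &out));
    printf("checked,   invalid bndregno: %zu stale bytes leaked\n", deliver_checked(&bad, &out));
    printf("checked,   valid bndregno:   %zu stale bytes leaked\n", deliver_checked(&good, &out));
    return 0;
}
```

With an out-of-range bndregno the unchecked path copies out every byte of the never-written struct; the checked path leaks none. Padding bytes would leak the same way even on the success path if the struct had any (this layout has none), which is why zeroing the struct at declaration is worth doing in addition to, not instead of, checking the return value.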