The patch titled
     i386: let usermode execute the "enter" instruction
has been removed from the -mm tree.  Its filename is
     i386-let-usermode-execute-the-enter.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------
Subject: i386: let usermode execute the "enter" instruction
From: Chuck Ebbert <76306.1226@xxxxxxxxxxxxxx>

The i386 page fault handler does not allow enough slack when checking for
userspace access below the current stack pointer.  This prevents use of the
enter instruction by user code.  Fix this by allowing enough slack for
"enter $65535,$31" to execute.

Problem reported by Tomasz Malesinski <tmal@xxxxxxxxxxxx>

Tested using this program, based on the original from Tomasz:

	.file	"ovflow.S"
	.version	"01.01"
gcc2_compiled.:
.section	.rodata
.LC0:
	.string	"asdf\n"
.text
	.align 4
.globl main
	.type	 main,@function
main:
nest_level=0
	.rept 30
	enter $0,$nest_level
	nest_level=nest_level+1
	.endr
	enter $65535,$30
	enter $65535,$31
	addl $-12,%esp
	pushl $.LC0
	call printf
	addl $16,%esp
.L2:
	.rept 32
	leave
	.endr
	ret
.Lfe1:
	.size	 main,.Lfe1-main
	.ident	"GCC: (GNU) 2.95.4 20011002 (Debian prerelease)"

Signed-off-by: Chuck Ebbert <76306.1226@xxxxxxxxxxxxxx>
Cc: Andi Kleen <ak@xxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 arch/i386/mm/fault.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff -puN arch/i386/mm/fault.c~i386-let-usermode-execute-the-enter arch/i386/mm/fault.c
--- a/arch/i386/mm/fault.c~i386-let-usermode-execute-the-enter
+++ a/arch/i386/mm/fault.c
@@ -380,12 +380,12 @@ fastcall void __kprobes do_page_fault(st goto bad_area; if (error_code & 4) { /* - * accessing the stack below %esp is always a bug. - * The "+ 32" is there due to some instructions (like - * pusha) doing post-decrement on the stack and that - * doesn't show up until later.. + * Accessing the stack below %esp is always a bug. + * The large cushion allows instructions like enter + * and pusha to work. ("enter $65535,$31" pushes + * 32 pointers and then decrements %esp by 65535.) */ - if (address + 32 < regs->esp) + if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp) goto bad_area; } if (expand_stack(vma, address)) _ Patches currently in -mm which might be from 76306.1226@xxxxxxxxxxxxxx are origin.patch i386-print-stack-size-in-oops-messages.patch i386-use-c-code-for-current_thread_info.patch binfmt_elf-fix-checks-for-bad-address.patch binfmt_elf-fix-checks-for-bad-address-fix.patch - To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
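Review bot: the new test `if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)` hides its reasoning in two magic numbers, and the comment beside it says "decrements %esp by 65535" while the code adds 65536; a named constant for the maximum ENTER footprint (imm16 at most 65535 plus up to 32 pushed pointers) would make the intent and the deliberate one-byte rounding explicit. The comment should also say outright that widening the tolerated below-%esp window from 32 bytes to 64 KiB plus 128 bytes does not loosen enforcement, because `expand_stack(vma, address)` on the following line still bounds stack growth by the VMA and the stack rlimit; this test is only an early heuristic for catching wild user-mode pointers, which is why a generous cushion is acceptable here.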
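The cushion arithmetic from the hunk, as an added example that is not part of the patch or of the kernel: it models the old and new checks together with the stack footprint of `enter imm16,imm8` (Intel SDM push semantics, assumed here; names such as `enter_frame_rejected` and the sample `%esp` value are mine), and shows the `enter $65535,$31` case from the test program crossing the old 32-byte limit but fitting inside the new one.

```c
/* Added example, not kernel code: models the below-%esp sanity check in
 * i386 do_page_fault() before and after the patch, and the stack footprint
 * of ENTER imm16,imm8 that the new cushion is sized for (32-bit i386,
 * sizeof(unsigned long) == 4). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define I386_LONG 4u /* sizeof(unsigned long) on i386 */

/* Bytes below the starting %esp that ENTER imm16,level claims: push %ebp,
 * then level-1 copied frame pointers, then the new frame pointer, then
 * %esp -= imm16 (Intel SDM semantics; level is the low 5 bits of imm8). */
static uint32_t enter_bytes_below_esp(uint16_t imm16, uint8_t level)
{
    level &= 0x1f;
    uint32_t pushes = (level == 0) ? 1u : (uint32_t)level + 1u;
    return pushes * I386_LONG + imm16;
}

/* Pre-patch test: `if (address + 32 < regs->esp) goto bad_area;` */
static bool old_check_rejects(uint32_t address, uint32_t esp)
{
    return address + 32u < esp;
}

/* Post-patch test, as in the hunk above. */
static bool new_check_rejects(uint32_t address, uint32_t esp)
{
    return address + 65536u + 32u * I386_LONG < esp;
}

/* Is a user-mode fault at the bottom of the frame ENTER imm16,level builds
 * sent to bad_area (SIGSEGV)? */
static bool enter_frame_rejected(uint32_t esp, uint16_t imm16, uint8_t level, bool patched)
{
    uint32_t address = esp - enter_bytes_below_esp(imm16, level);
    return patched ? new_check_rejects(address, esp)
                   : old_check_rejects(address, esp);
}

int main(void)
{
    const uint32_t esp = 0xbffff000u; /* constructed user %esp */
    printf("enter $65535,$31 reaches %u bytes below %%esp; rejected "
           "before patch: %d, after patch: %d\n",
           enter_bytes_below_esp(65535, 31),
           enter_frame_rejected(esp, 65535, 31, false),
           enter_frame_rejected(esp, 65535, 31, true));
    return 0;
}
```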