提交 21528454 编写于 作者: C Chuck Ebbert 提交者: Linus Torvalds

[PATCH] i386: let usermode execute the "enter" instruction

The i386 page fault handler does not allow enough slack when checking for
userspace access below the current stack pointer.  This prevents use of the
enter instruction by user code.  Fix this by allowing enough slack for
"enter $65535,$31" to execute.

Problem reported by Tomasz Malesinski <tmal@mimuw.edu.pl>

Tested using this program, based on the original from Tomasz:

	.file	"ovflow.S"
	.version	"01.01"
gcc2_compiled.:
.section	.rodata
.LC0:
	.string	"asdf\n"
.text
	.align 4
.globl main
	.type	 main,@function
main:
nest_level=0
.rept 30
	enter $0,$nest_level
nest_level=nest_level+1
.endr
	enter $65535,$30
	enter $65535,$31
	addl $-12,%esp
	pushl $.LC0
	call printf
	addl $16,%esp
.L2:
.rept 32
	leave
.endr
	ret
.Lfe1:
	.size	 main,.Lfe1-main
	.ident	"GCC: (GNU) 2.95.4 20011002 (Debian prerelease)"
Signed-off-by: NChuck Ebbert <76306.1226@compuserve.com>
Cc: Andi Kleen <ak@muc.de>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
上级 1b61b910
......@@ -380,12 +380,12 @@ fastcall void __kprobes do_page_fault(struct pt_regs *regs,
goto bad_area;
if (error_code & 4) {
/*
* accessing the stack below %esp is always a bug.
* The "+ 32" is there due to some instructions (like
* pusha) doing post-decrement on the stack and that
* doesn't show up until later..
* Accessing the stack below %esp is always a bug.
* The large cushion allows instructions like enter
* and pusha to work. ("enter $65535,$31" pushes
* 32 pointers and then decrements %esp by 65535.)
*/
if (address + 32 < regs->esp)
if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
goto bad_area;
}
if (expand_stack(vma, address))
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册