Re: A question about PROT_NONE on ARM and ARM26

From: Jamie Lokier
Date: Wed Jun 30 2004 - 21:01:49 EST


Ian Molton wrote:
> > "ge" is a signed comparison, and unsigned is needed here, unless I
> > missed something subtle. So "bge" and "ldrge" should be "bhi" and "ldrhi".
>
> technically, I think you're right here.
>
> in practice, the arm26 address space is too small (64MB) for this to
> ever cause a problem.

No -- there is still a bug.

The bug is that userspace can pass an address like 0x90000000 to the
kernel. This is possible even on arm26.

If you follow the logic in getuser.S, it won't branch to
__get_user_bad, and it won't execute _either_ of the "ldrlst" or
"ldrge" instructions.

So it'll end up returning the value that happens to be in r1 and/or
r2, and using that for the syscall, instead of the syscall returning
-EFAULT as it should.

In rare cases, that's a security information leakage. Usually it's
just rubbish.

-- Jamie
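As an added example (not code from the thread, nor from the kernel's getuser.S): a simplified C model of the signed-versus-unsigned comparison problem Jamie describes, with the two-branch shape as a sketch only. USER_LIMIT (64MB, from the thread), the simulated memory contents and the stale register value are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define USER_LIMIT 0x04000000u  /* assumed 64MB user space, per the thread */
#define EFAULT 14

/* Constructed stand-in for reading user memory; only meaningful below USER_LIMIT. */
static uint32_t simulated_user_load(uint32_t addr)
{
    return addr * 2654435761u;
}

/* Model of the flawed sequence: an unsigned "ls"-style test guards the load,
 * a signed "ge"-style test selects the fault path. *reg stands in for r1/r2
 * and keeps its stale contents when neither condition holds. */
static int get_user_signed_check(uint32_t addr, uint32_t *reg)
{
    if (addr < USER_LIMIT)                          /* ldrls: unsigned */
        *reg = simulated_user_load(addr);
    else if ((int32_t)addr >= (int32_t)USER_LIMIT)  /* bge: signed */
        return -EFAULT;
    /* 0x80000000..0xffffffff is negative as int32_t: falls through as "ok" */
    return 0;
}

/* Corrected model: one unsigned comparison ("hi"/"hs"), nothing falls through. */
static int get_user_unsigned_check(uint32_t addr, uint32_t *reg)
{
    if (addr >= USER_LIMIT)
        return -EFAULT;
    *reg = simulated_user_load(addr);
    return 0;
}

/* Returns 1 if fn reports success yet leaves the stale register untouched. */
static int leaks_stale_register(int (*fn)(uint32_t, uint32_t *), uint32_t addr)
{
    uint32_t reg = 0xDEADBEEFu;  /* constructed "leftover kernel value" */
    return fn(addr, &reg) == 0 && reg == 0xDEADBEEFu;
}

int main(void)
{
    uint32_t probes[] = { 0x00001000u, 0x05000000u, 0x90000000u };
    for (unsigned i = 0; i < 3; i++)
        printf("addr 0x%08x: signed-check leak=%d unsigned-check leak=%d\n",
               probes[i], leaks_stale_register(get_user_signed_check, probes[i]),
               leaks_stale_register(get_user_unsigned_check, probes[i]));
    return 0;
}
```

The 0x05000000 probe shows both variants faulting correctly; only the top-bit-set address slips past the signed check and returns the stale register.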