> Had a quick look at this.
> A _possible_ reason for the problem is;
> vi) access_ok() returns true as you're not running on an old
> i386, so only the address limit is checked.
> This doesn't seem to be a strong enough check. It is
> possible there is not enough distance between the top
> of stack and the hard stack size limit (ulimit) for a
> full frame.
i dont think this is true. The page-cache corruption is puzzling, but
access_ok() should be enough. If we get a page fault in setup_frame() we
simply refuse to make that page present and return a -EFAULT to
__put_user, without making that write. The process will proceed (it's
slightly ugly that we try all writes in setup_frame(), but it's safe), and
will try to send another signal afterwards, infinitly, looping between
setup_page() and do_signal in the return path, without ever executing
user-space again. The process can still be killed and interrupted.
-- mingo
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/