linux/arch/i386/kernel
Alexander Nyberg f48d9663f1 [PATCH] x86 stack initialisation fix
The recent change fix-crash-in-entrys-restore_all.patch

 	childregs->esp = esp;

 	p->thread.esp = (unsigned long) childregs;
-	p->thread.esp0 = (unsigned long) (childregs+1);
+	p->thread.esp0 = (unsigned long) (childregs+1) - 8;

 	p->thread.eip = (unsigned long) ret_from_fork;

introduces an inconsistency between esp and esp0 before the task is run the
first time.  esp0 is no longer the actual start of the stack, but 8 bytes
off.

This shows itself clearly in a scenario when a ptracer that is set to also
ptrace eventual children traces program1 which then clones thread1.  Now
the ptracer wants to modify the registers of thread1.  The x86 ptrace
implementation bases it's knowledge about saved user-space registers upon
p->thread.esp0.  But this will be a few bytes off causing certain writes to
the kernel stack to overwrite a saved kernel function address making the
kernel when actually running thread1 jump out into user-space.  Very
spectacular.

The testcase I've used is:
/* start with strace -f ./a.out */
#include <pthread.h>
#include <stdio.h>

void *do_thread(void *p)
{
	for (;;);
}

int main()
{
	pthread_t one;
	pthread_create(&one, NULL, &do_thread, NULL);
	for (;;);
	return 0;
}

So, my solution is to instead of just adjusting esp0 that creates an
inconsitent state I adjust where the user-space registers are saved with -8
bytes.  This gives us the wanted extra bytes on the start of the stack and
esp0 is now correct.  This solves the issues I saw from the original
testcase from Mateusz Berezecki and has survived testing here.  I think
this should go into -mm a round or two first however as there might be some
cruft around depending on pt_regs lying on the start of the stack.  That
however would have broken with the first change too!

It's actually a 2-line diff but I had to move the comment of why the -8 bytes
are there a few lines up. Thanks to Zwane for helping me with this.

Signed-off-by: Alexander Nyberg <alexn@telia.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-05-05 16:36:30 -07:00
..
acpi [PATCH] x86: fix acpi compile without CONFIG_ACPI_BUS 2005-04-18 08:01:30 -07:00
cpu [PATCH] make lots of things static 2005-05-01 08:59:29 -07:00
timers [PATCH] i386: fix hpet for systems that don't support legacy replacement 2005-05-01 08:58:50 -07:00
apic.c [PATCH] check nmi watchdog is broken 2005-05-01 08:58:48 -07:00
apm.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
asm-offsets.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
bootflag.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
cpuid.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
dmi_scan.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
doublefault.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
early_printk.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
efi_stub.S Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
efi.c [PATCH] efi: eliminate bad section references 2005-04-16 15:25:53 -07:00
entry.S [PATCH] uml: fix syscall table by including $(SUBARCH)'s one, for i386 2005-05-01 08:58:55 -07:00
head.S [PATCH] clean up kernel messages 2005-05-01 08:59:02 -07:00
i386_ksyms.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
i387.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
i8259.c [PATCH] pm_message_t: more fixes in common and i386 2005-04-16 15:25:24 -07:00
init_task.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
io_apic.c [PATCH] check nmi watchdog is broken 2005-05-01 08:58:48 -07:00
ioport.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
irq.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
kprobes.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
ldt.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
Makefile [PATCH] x86 reboot: Add reboot fixup for gx1/cs5530a 2005-05-01 08:58:49 -07:00
mca.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
microcode.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
module.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
mpparse.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
msr.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
nmi.c [PATCH] check nmi watchdog is broken 2005-05-01 08:58:48 -07:00
numaq.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
pci-dma.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
process.c [PATCH] x86 stack initialisation fix 2005-05-05 16:36:30 -07:00
ptrace.c Merge with master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6.git 2005-05-03 08:14:09 +01:00
quirks.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
reboot_fixups.c [PATCH] x86 reboot: Add reboot fixup for gx1/cs5530a 2005-05-01 08:58:49 -07:00
reboot.c [PATCH] x86 reboot: Add reboot fixup for gx1/cs5530a 2005-05-01 08:58:49 -07:00
scx200.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
semaphore.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
setup.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
sigframe.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
signal.c [PATCH] i386: Use loaddebug macro consistently 2005-04-16 15:24:46 -07:00
smp.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
smpboot.c [PATCH] check nmi watchdog is broken 2005-05-01 08:58:48 -07:00
srat.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
summit.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
sys_i386.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
syscall_table.S [PATCH] uml: fix syscall table by including $(SUBARCH)'s one, for i386 2005-05-01 08:58:55 -07:00
sysenter.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
time_hpet.c [PATCH] i386: fix hpet for systems that don't support legacy replacement 2005-05-01 08:58:50 -07:00
time.c [PATCH] i386: fix hpet for systems that don't support legacy replacement 2005-05-01 08:58:50 -07:00
trampoline.S Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
traps.c [PATCH] x86: entry.S trap return fixes 2005-05-01 08:58:49 -07:00
vm86.c [PATCH] misc verify_area cleanups 2005-05-01 08:59:08 -07:00
vmlinux.lds.S Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
vsyscall-int80.S Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
vsyscall-note.S [PATCH] i386 vDSO: add PT_NOTE segment 2005-04-16 15:24:48 -07:00
vsyscall-sigreturn.S Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
vsyscall-sysenter.S Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
vsyscall.lds.S [PATCH] i386 vDSO: add PT_NOTE segment 2005-04-16 15:24:48 -07:00
vsyscall.S Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00