[patch 2.6.17-rc4] i386: let usermode execute the "enter" instruction

The i386 page fault handler does not allow enough slack when
checking for userspace access below the current stack pointer.
This prevents use of the enter instruction by user code.  Fix
this by allowing enough slack for "enter $65535,$31" to execute.

Problem reported by Tomasz Malesinski <[email protected]>

Signed-off-by: Chuck Ebbert <[email protected]>

---

Tested using this program, based on the original from Tomasz:

	.file	"ovflow.S"
	.version	"01.01"
gcc2_compiled.:
.section	.rodata
.LC0:
	.string	"asdf\n"
.text
	.align 4
.globl main
	.type	 main,@function
main:
nest_level=0
.rept 30
	enter $0,$nest_level
nest_level=nest_level+1
.endr
	enter $65535,$30
	enter $65535,$31
	addl $-12,%esp
	pushl $.LC0
	call printf
	addl $16,%esp
.L2:
.rept 32
	leave
.endr
	ret
.Lfe1:
	.size	 main,.Lfe1-main
	.ident	"GCC: (GNU) 2.95.4 20011002 (Debian prerelease)"


--- 2.6.17-rc4-32.orig/arch/i386/mm/fault.c
+++ 2.6.17-rc4-32/arch/i386/mm/fault.c
@@ -380,12 +380,12 @@ fastcall void __kprobes do_page_fault(st
 		goto bad_area;
 	if (error_code & 4) {
 		/*
-		 * accessing the stack below %esp is always a bug.
-		 * The "+ 32" is there due to some instructions (like
-		 * pusha) doing post-decrement on the stack and that
-		 * doesn't show up until later..
+		 * Accessing the stack below %esp is always a bug.
+		 * The large cushion allows instructions like enter
+		 * and pusha to work.  ("enter $65535,$31" pushes
+		 * 32 pointers and then decrements %esp by 65535.)
 		 */
-		if (address + 32 < regs->esp)
+		if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
 			goto bad_area;
 	}
 	if (expand_stack(vma, address))
-- 
Chuck
"The x86 isn't all that complex -- it just doesn't make a lot of sense."
                                                        -- Mike Johnson
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Prev by Date: Re: Regression seen for patch "sched:dont decrease idle sleep avg"
• Next by Date: Re: support for sata7 Streaming Feature Set?
• Previous by thread: USB keyboard driver buggy, repeats keys
• Next by thread: Re: [patch] Ignore MCFG if the mmconfig area isn't reserved in the e820 table.
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]