From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <196af8bd0e69366a85af7d6280e82d80@gmx.de>
To: 9fans@9fans.net
Date: Sun, 2 Aug 2009 01:15:55 +0200
From: cinap_lenrek@gmx.de
Subject: Re: [9fans] Kernel crash bug
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="upas-hdjhgpyngmqkyuwswcwwxuyvnb"
Topicbox-Message-UUID: 3515e77c-ead5-11e9-9d60-3106f5b1d025

yes:

	if((ulong)name < KZERO){
		validaddr((ulong)name, 1, 0);
		if(!dup)
			print("warning: validname called from %lux with user pointer", pc);
		p = name;
		t = BY2PG-((ulong)p&(BY2PG-1));
		while((ename=vmemchr(p, 0, t)) == nil){
->			p += t;
			t = BY2PG;
		}
	}else

when moving p to the start of the next page, it is not checked that this
address is valid, as vmemchr() assumes the start address to be already
checked, and it will crash when vmemchr() touches it on the next round.

vmemchr() will successively check pages if pointer to pointer + len spans
page boundaries anyway, so the while is not really needed:

	name = aname;
	if((ulong)name < KZERO){
		validaddr((ulong)name, 1, 0);
		if(!dup)
			print("warning: validname called from %lux with user pointer", pc);
		ename = vmemchr(name, 0, (1<<16));
	}else

--
cinap

[attached message, Content-Type: message/rfc822]

Date: Sat, 1 Aug 2009 18:47:48 -0400 (EDT)
From: Elizabeth Jones
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] Kernel crash bug
References: <335ad4871879ca38a650196a26e6f200@gmx.de>
Reply-To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
List-Id: Fans of the OS Plan 9 from Bell Labs <9fans.9fans.net>
Sender: 9fans-bounces@9fans.net
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Sat, 1 Aug 2009, Russ Cox wrote:

> calling vmemchr assumes that the memory isn't being changed
> by some other proc mapping the same page. if you find the
> NUL in one pass and then call strcpy or strlen on the pointer
> later, the other proc might have pulled the NUL in the interim.

With you so far.

> there is a function in the kernel called validnamedup
> that both validates a string argument and at the same time
> makes an in-kernel-memory copy. it's the easiest safe
> way to handle strings passed to the kernel. namec uses
> it and luckily almost every string pointer passed to the kernel
> ends up being interpreted by namec. exec is an exception.

sysstat() uses namec in what I believe is considered to be the correct
fashion:

	validaddr(arg[0], 1, 0);
	c = namec((char*)arg[0], Aaccess, 0, 0);

namec() then calls validnamedup() which calls validname0(), which appears
to do the right thing. However, the following reliably crashes the kernel:

	#include <u.h>
	#include <libc.h>

	#define SEGBASE (char*)0x40000000
	#define SEGSIZE 4096

	int
	main(void)
	{
		uchar buf[128];

		/* attach one page of shared memory at SEGBASE */
		segattach(0, "shared", SEGBASE, SEGSIZE);
		/* unterminated name in the last byte of that page */
		*(char*)(SEGBASE + SEGSIZE - 1) = 'a';
		/* the kernel walks past the page end looking for the NUL */
		stat((char*)SEGBASE + SEGSIZE - 1, buf, sizeof(buf));
		return 0;
	}

This suggests to me that something more unpleasant is afoot. Perhaps
validname0() is incorrect in some way?

> when i was working on 9vx, i rewrote exec to remove
> crashes like this one as well as a handful of other bugs.
> the code is at
> http://code.swtch.com/vx32/src/tip/src/9vx/a/sysproc.c#cl-220
> and could easily be dropped back into plan 9.
>
> russ

--
Elly
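The page-walk defect cinap describes above, and the single-call replacement he proposes, modelled in user-space C. This is an added example, not Plan 9 kernel code and not code posted by anyone in the thread: `validaddr()` and `vmemchr()` are re-implementations that follow the kernel logic as quoted, but "addresses" are offsets into a constructed memory array, `validaddr()` returns an error code instead of calling error(), and touching an unmapped page yields a `Fault` result instead of crashing. `pagemapped()`, `setup()`, `validname_buggy()` and `validname_fixed()` are hypothetical helpers for the demonstration.

```c
/*
 * User-space model of the validname()/vmemchr() page walk from this thread.
 * Added example, not Plan 9 kernel code: "addresses" are offsets into a fake
 * memory array, and touching an unmapped page yields Fault instead of a crash.
 */
#include <stdio.h>
#include <string.h>

#define BY2PG	4096			/* page size, as in the kernel */
#define NPAGES	4
#define MEMSIZE	(NPAGES * BY2PG)
#define PGBASE(a)	((a) & ~(unsigned long)(BY2PG-1))

enum { Ok = 0, Nil = -1, Einval = -2, Fault = -3 };

static unsigned char mem[MEMSIZE];
static int mapped[NPAGES];		/* 1 if the page is attached (constructed) */

static int pagemapped(unsigned long a)
{
	return a < MEMSIZE && mapped[a / BY2PG];
}

/* validaddr(): every page in [a, a+n) must be mapped; an error, not a crash */
static int validaddr(unsigned long a, unsigned long n)
{
	unsigned long p;
	for(p = PGBASE(a); p < a + n; p += BY2PG)
		if(!pagemapped(p))
			return Einval;
	return Ok;
}

/*
 * vmemchr() as the kernel does it: the caller is trusted to have validated
 * the first page; further pages are validated only where the range crosses
 * into them.  Returns the offset of c, Nil if absent, Einval on a failed
 * validaddr, or Fault if an unchecked page turned out to be unmapped.
 */
static long vmemchr(unsigned long a, int c, unsigned long n)
{
	unsigned long m;
	unsigned char *t;
	while(PGBASE(a) != PGBASE(a + n - 1)){
		m = BY2PG - (a & (BY2PG-1));	/* bytes left in this page */
		if(!pagemapped(a))
			return Fault;		/* memchr() on unmapped memory */
		if((t = memchr(mem + a, c, m)) != NULL)
			return t - mem;
		a += m;
		n -= m;
		if(validaddr(a, 1) != Ok)
			return Einval;
	}
	if(!pagemapped(a))
		return Fault;
	t = memchr(mem + a, c, n);
	return t == NULL ? Nil : t - mem;
}

/* The loop quoted from validname0(): p is moved to the next page unchecked. */
static int validname_buggy(unsigned long name)
{
	unsigned long p, t;
	long ename;
	if(validaddr(name, 1) != Ok)
		return Einval;
	p = name;
	t = BY2PG - (p & (BY2PG-1));
	while((ename = vmemchr(p, 0, t)) == Nil){
		p += t;				/* next page: never validated */
		t = BY2PG;
	}
	return ename < 0 ? ename : Ok;
}

/* cinap's replacement: one bounded call, so vmemchr validates each crossing. */
static int validname_fixed(unsigned long name)
{
	long ename;
	if(validaddr(name, 1) != Ok)
		return Einval;
	ename = vmemchr(name, 0, 1<<16);
	return ename < 0 ? Einval : Ok;	/* Nil here means "name too long" */
}

/* Constructed layout: first `pages` pages mapped, n bytes of s at offset at. */
static unsigned long setup(int pages, unsigned long at, const char *s, size_t n)
{
	int i;
	memset(mem, 'x', sizeof mem);		/* no stray NULs */
	for(i = 0; i < NPAGES; i++)
		mapped[i] = i < pages;
	memcpy(mem + at, s, n);
	return at;
}

int main(void)
{
	unsigned long a;
	/* Elly's repro: one mapped page, 'a' in its last byte, page 1 unmapped */
	a = setup(1, BY2PG - 1, "a", 1);
	printf("edge: buggy=%d fixed=%d\n", validname_buggy(a), validname_fixed(a));
	/* a name that crosses into a mapped second page: both walks succeed */
	a = setup(2, BY2PG - 2, "abc", 4);
	printf("cross: buggy=%d fixed=%d\n", validname_buggy(a), validname_fixed(a));
	return 0;
}
```

With the repro layout, `validname_buggy()` returns `Fault` (the kernel touched the unmapped page) while `validname_fixed()` returns `Einval` (the crossing was validated and refused). The second layout shows the old loop is only wrong when the next page is unmapped, which is why ordinary names never exposed it.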