Message-ID: <335ad4871879ca38a650196a26e6f200@gmx.de>
From: cinap_lenrek@gmx.de
To: 9fans@9fans.net
Date: Sat, 1 Aug 2009 23:37:49 +0200
Subject: Re: [9fans] Kernel crash bug

maybe the kernel should use something like this to validate pointers to
null-terminated strings? (this assumes that validaddr for a byte will
also be valid for the whole page)

void
validstraddr(char *p)
{
	char *x;

	for(;;){
		validaddr((ulong)p, 1, 0);
		x = (char*)(((ulong)p & ~(BY2PG-1))+BY2PG);
		for(; p < x; p++){
			if(*p == 0)
				return;
		}
	}
}

-- 
cinap

----- Original message -----

Date: Sat, 1 Aug 2009 17:01:26 -0400 (EDT)
From: Elizabeth Jones
To: 9fans@9fans.net
Subject: [9fans] Kernel crash bug
List-Id: Fans of the OS Plan 9 from Bell Labs <9fans.9fans.net>

There exist crash bugs in some of the system call handlers to do with
string validation; sometimes, only the first byte of an argument string
is validated. The following program reliably causes a kernel panic for me:

#include <u.h>
#include <libc.h>

#define SEGBASE (char*)0x40000000
#define SEGSIZE 4096

int
main()
{
	segattach(0, "shared", SEGBASE, SEGSIZE);
	*(char*)(SEGBASE + SEGSIZE - 1) = 'a';
	exec((char*)SEGBASE + SEGSIZE - 1, nil);
	return 0;
}

-- 
Elly
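The first-byte-only check Elly describes and the page-stepping check cinap proposes, modelled in user space as an added example (not code from either message). The toy address space, the validaddr() stand-in and the function names are constructed for this demonstration; page 3 is deliberately left unmapped so the unterminated-string case can be exercised.

```c
/* Added example, not code from the thread: a user-space model of the
 * first-byte-only string check the crash report describes, beside the
 * page-stepping check cinap proposes.  Everything here is constructed. */
#include <stdint.h>
#include <string.h>

#define BY2PG 4096                              /* bytes per page (Plan 9) */
#define NPG   4
static unsigned char mem[NPG * BY2PG];          /* constructed user memory */
static const int mapped[NPG] = {1, 1, 1, 0};    /* page 3 is unmapped */

/* Model of validaddr(addr, len, write): 1 if [addr, addr+len) is mapped.
 * The real kernel raises error() rather than returning. */
static int validaddr(uintptr_t addr, uintptr_t len, int write)
{
    for (uintptr_t a = addr; a < addr + len; a++)
        if (a >= sizeof mem || !mapped[a / BY2PG])
            return 0;
    return len > 0;
}

/* Buggy shape from the report: only the first byte of the string is
 * checked, so an unterminated string at the end of a mapping passes. */
static int validstr_firstbyte(uintptr_t p)
{
    return validaddr(p, 1, 0);
}

/* cinap's validstraddr(): validate one byte of each page, scan that page
 * for the NUL, then step to the next page.  Returns the string length, or
 * -1 when the string runs off mapped memory before a NUL is found. */
static long validstr_pagewise(uintptr_t p)
{
    uintptr_t start = p, x;
    for (;;) {
        if (!validaddr(p, 1, 0))
            return -1;
        x = (p & ~(uintptr_t)(BY2PG - 1)) + BY2PG;  /* end of p's page */
        for (; p < x; p++)
            if (mem[p] == 0)
                return (long)(p - start);
    }
}

/* Copy s into mem at addr; nul=0 leaves it unterminated (the crash case). */
static void place(uintptr_t addr, const char *s, int nul)
{
    memcpy(mem + addr, s, strlen(s) + nul);
}
```

With a terminated string the two checks agree; with a single unterminated byte in the last byte of the last mapped page, the first-byte check accepts it while the page-wise check reports -1 instead of reading into the unmapped page.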