From: Elizabeth Jones <elly1@andrew.cmu.edu>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] Kernel crash bug
Date: Sat, 1 Aug 2009 18:47:48 -0400 [thread overview]
Message-ID: <Pine.LNX.4.64-044.0908011839420.12216@unix10.andrew.cmu.edu> (raw)
In-Reply-To: <dd6fe68a0908011508u64d7a7cbobc4c60fcd48d0769@mail.gmail.com>
On Sat, 1 Aug 2009, Russ Cox wrote:
> calling vmemchr assumes that the memory isn't being changed
> by some other proc mapping the same page. if you find the
> NUL in one pass and then call strcpy or strlen on the pointer
> later, the other proc might have pulled the NUL in the interim.
With you so far.
> there is a function in the kernel called validnamedup
> that both validates a string argument and at the same time
> makes an in-kernel-memory copy. it's the easiest safe
> way to handle strings passed to the kernel. namec uses
> it and luckily almost every string pointer passed to the kernel
> ends up being interpreted by namec. exec is an exception.
sysstat() uses namec in what I believe is considered to be the correct
fashion:
959 validaddr(arg[0], 1, 0);
960 c = namec((char*)arg[0], Aaccess, 0, 0);
namec() then calls validanamedup() which calls validname0(), which appears
to do the right thing. However, the following reliably crashes the kernel:
1 #include <u.h>
2 #include <libc.h>
3
4 #define SEGBASE (char*)0x40000000
5 #define SEGSIZE 4096
6
7 int main() {
8 uchar buf[128];
9 segattach(0, "shared", SEGBASE, SEGSIZE);
10 *(char*)(SEGBASE + SEGSIZE - 1) = 'a';
11 stat((char*)SEGBASE + SEGSIZE - 1, buf, sizeof(buf));
12 return 0;
13 }
This suggests to me that something more unpleasant is afoot. Perhaps
validname0() is incorrect in some way?
> when i was working on 9vx, i rewrote exec to remove
> crashes like this one as well as a handful of other bugs.
> the code is at
> http://code.swtch.com/vx32/src/tip/src/9vx/a/sysproc.c#cl-220
> and could easily be dropped back into plan 9.
>
> russ
-- Elly
next prev parent reply other threads:[~2009-08-01 22:47 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-01 21:01 Elizabeth Jones
2009-08-01 21:37 ` cinap_lenrek
2009-08-01 22:01 ` Charles Forsyth
2009-08-01 22:08 ` Russ Cox
2009-08-01 22:47 ` Elizabeth Jones [this message]
2009-08-01 23:09 ` Russ Cox
2009-08-01 23:15 ` cinap_lenrek
2009-08-02 1:38 ` erik quanstrom
2009-08-02 2:13 ` erik quanstrom
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.64-044.0908011839420.12216@unix10.andrew.cmu.edu \
--to=elly1@andrew.cmu.edu \
--cc=9fans@9fans.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).