[patch 2.6.17-rc4] i386: let usermode execute the "enter" instruction

From: Chuck Ebbert
Date: Wed May 17 2006 - 22:03:05 EST

The i386 page fault handler does not allow enough slack when
checking for userspace access below the current stack pointer.
This prevents use of the enter instruction by user code. Fix
this by allowing enough slack for "enter $65535,$31" to execute.

Problem reported by Tomasz Malesinski <tmal@xxxxxxxxxxxx>

Signed-off-by: Chuck Ebbert <76306.1226@xxxxxxxxxxxxxx>


Tested using this program, based on the original from Tomasz:

.file "ovflow.S"
.version "01.01"
.section .rodata
.string "asdf\n"
.align 4
.globl main
.type main,@function
.rept 30
enter $0,$nest_level
enter $65535,$30
enter $65535,$31
addl $-12,%esp
pushl $.LC0
call printf
addl $16,%esp
.rept 32
.size main,.Lfe1-main
.ident "GCC: (GNU) 2.95.4 20011002 (Debian prerelease)"

--- 2.6.17-rc4-32.orig/arch/i386/mm/fault.c
+++ 2.6.17-rc4-32/arch/i386/mm/fault.c
@@ -380,12 +380,12 @@ fastcall void __kprobes do_page_fault(st
goto bad_area;
if (error_code & 4) {
- * accessing the stack below %esp is always a bug.
- * The "+ 32" is there due to some instructions (like
- * pusha) doing post-decrement on the stack and that
- * doesn't show up until later..
+ * Accessing the stack below %esp is always a bug.
+ * The large cushion allows instructions like enter
+ * and pusha to work. ("enter $65535,$31" pushes
+ * 32 pointers and then decrements %esp by 65535.)
- if (address + 32 < regs->esp)
+ if (address + 65536 + 32 * sizeof(unsigned long) < regs->esp)
goto bad_area;
if (expand_stack(vma, address))
"The x86 isn't all that complex -- it just doesn't make a lot of sense."
-- Mike Johnson
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/