Re: + espfix-code-cleanup.patch added to -mm tree

From: Zachary Amsden
Date: Wed Aug 02 2006 - 14:28:02 EST

Stas Sergeev wrote:

Zachary Amsden wrote:
You need to get a #GP or #NP on the faulting iret. Several ways to do that -
I do that much simpler - I provoke a SIGSEGV and in a signal handler
I put the wrong value to scp->cs or scp->ss, and that makes iret to fault.

Ok, that's a new trick ;)

iret faults, but doesn't pop the user return frame.
But does it push the kernel frame after it or not?
If not - I don't understand how we go to a fixup.
If yes - I don't understand how the user's frame gets
accessed later, as it is above the kernel's frame.

Yes. The iret faults, the fault pushes a new kernel frame - and the fault handler's iret returns, removing the kernel frame. So the kernel frame is gone by the time the fixup runs.

safe limit is regs->esp + THREAD_SIZE*2... Well, may just I not do that please? :)
For what, btw? There are no such a things for __KERNEL_DS or anything, so
I just don't see the necessity.
It helps track down any bugs that could leak through otherwise and corrupt random memory.
I think regs->esp + THREAD_SIZE*2 is already very permissive,
and I'd like to avoid messing with granularity. So unless you
really insist, I'll better not do that. :)

It's really hard to catch bugs that could otherwise happen when a non-zero based stack gets used (for example, C code which uses %ebp with -fomit-frame-pointer). Setting the limit to THREAD_SIZE should guarantee that the non-zero based stack never is used to access anything but the stack and current thread.


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at