Re: + espfix-code-cleanup.patch added to -mm tree

From: Chuck Ebbert
Date: Fri Aug 11 2006 - 22:47:13 EST

In-Reply-To: <44CF474C.9070800@xxxxxxxx>

On Tue, 01 Aug 2006 16:21:32 +0400, Stas Sergeev wrote:

> >> - .quad 0x0000920000000000 /* 0xd0 - ESPFIX 16-bit SS */
> >> + .quad 0x00cf92000000ffff /* 0xd0 - ESPFIX SS */

> > Seems a bit dangerous to allow access to full 4GB through this. Can you
> > tighten the limit any? I suppose not, because the high bits in %esp
> > really could be anything. But it might be nice to try setting the limit
> > to regs->esp + THREAD_SIZE. Of course, this is not strictly necessary,
> > just an extra paranoid protection mechanism.

> Since, when calculating the base, I do &-THREAD_SIZE, I guess the minimal
> safe limit is regs->esp + THREAD_SIZE*2... Well, may just I not do that please? :)
> For what, btw? There are no such a things for __KERNEL_DS or anything, so
> I just don't see the necessity.

It's really not that hard to get the limit:

limit_in_bytes = new_esp | (THREAD_SIZE - 1)
limit_in_pages = limit_in_bytes >> 12

And this will catch any bad accesses that assume zero-based pointers:

kernel stack is at f7000000
user stack is at b7000000

SS base = 40000000
SS limit = b7001fff

All kernel pointers will be >c0000000 and will trap on access if they
try to use SS. And it will work with any user/kernel split.


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at