Re: + elf-loader-crash-while-zero-filling-bss.patch added to -mmtree

From: Daniel Jacobowitz
Date: Wed Feb 13 2008 - 10:06:56 EST


On Wed, Feb 13, 2008 at 12:15:06AM -0800, akpm@xxxxxxxxxxxxxxxxxxxx wrote:
> Subject: Elf loader crash while zero-filling .bss
> From: "Abel Bernabeu" <abelbg@xxxxxxxxx>
>
> I've finally found a solution for the crash in load_binary_elf I
> reported last week:
>
> http://lkml.org/lkml/2008/1/30/171
>
> The attached patch solves my problem.
>
> set_brk(start, end) allocs just page aligned regions (by "collapsing" both
> extremes to the start of the page in which they lay)... That means than
> even if both pointers are not equal there are still some chances that
> set_brk has allocated no space at all because ELF_PAGEALIGN(elf_bss) ==
> ELF_PAGEALIGN(elf_brk).
>
> So the condition was not correct.

This patch is wrong.

ELF_PAGEALIGN rounds up to the end of the page, not down to the start
of the page. If elf_bss is in the middle of a page, set_brk allocates
any additional pages after the one already allocated. elf_bss is the
start of the area that needs to be zero initialized, elf_brk is its
end. So if elf_bss != elf_brk then there's garbage mapped in BSS
from the file and if you don't clear it some of your zero-initialized
variables won't be zero initialized at all.

In the linked message, set_brk is passed elf_bss so its actual
arguments are set_brk (0xa3801, 0x000a4ec8). It should map one
page. 0xa3801 should be an already mapped page, and clear_user should
succeed in clearing it.

--
Daniel Jacobowitz
CodeSourcery
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/