On Fri, 31 Aug 2007, Rusty Russell wrote:

quoted text
> On Thu, 2007-08-30 at 21:44 -0700, Linus Torvalds wrote:
> > 
> > Hmm.. This *really* cannot happen with a normal kernel - it implies that 
> > the stack has crossed into an invalid page. 
> 
> AFAICT, a corrupt stack could lead us to touch a page which isn't
> mapped.  If we assume the stack isn't corrupt, we don't have to do the
> valid_stack_ptr() check at all...

Fair enough. That said, you seem to see this even without a corrupt stack.

quoted text
> > Why is that allowed with lguest? What kind of code could validly *ever* 
> > come in here and cause problems?
> 
> head.S pushes a "__PLACEHOLDER__1_" on the stack to stop the unwinder, lguest doesn't.

The unwinder should stop when it sees an invalid frame pointer, and even 
without the push 0 I'd have expected it to be invalid.

But I suspect lguest triggers another thing: you actually make the stack 
start at the *very*top* of the stack area. Afaik, normal x86 does not. A 
normal x86 kernel will start off with a pt_regs[] setup, I think - ie the 
kernel stack is always set up so that it has the "return to user mode" 
information.

And *that* difference may be what triggers this for lguest, even though it 
can never trigger for a "real" kernel.

But your patch does improve the sanity checking of the frame pointer. That 
said, I think the following patch improves it more: does this also work 
for you? (Totally untested, but it looks like the RightThing(tm) to do)

		Linus

---
diff --git a/arch/i386/kernel/traps.c b/arch/i386/kernel/traps.c
index cfffe3d..b9998f3 100644
--- a/arch/i386/kernel/traps.c
+++ b/arch/i386/kernel/traps.c
@@ -100,10 +100,10 @@ asmlinkage void machine_check(void);
 int kstack_depth_to_print = 24;
 static unsigned int code_bytes = 64;
 
-static inline int valid_stack_ptr(struct thread_info *tinfo, void *p)
+static inline int valid_stack_ptr(struct thread_info *tinfo, void *p, unsigned size)
 {
 	return	p > (void *)tinfo &&
-		p < (void *)tinfo + THREAD_SIZE - 3;
+		p <= (void *)tinfo + THREAD_SIZE - size;
 }
 
 static inline unsigned long print_context_stack(struct thread_info *tinfo,
@@ -113,7 +113,7 @@ static inline unsigned long print_context_stack(struct thread_info *tinfo,
 	unsigned long addr;
 
 #ifdef	CONFIG_FRAME_POINTER
-	while (valid_stack_ptr(tinfo, (void *)ebp)) {
+	while (valid_stack_ptr(tinfo, (void *)ebp, 2*sizeof(unsigned long))) {
 		unsigned long new_ebp;
 		addr = *(unsigned long *)(ebp + 4);
 		ops->address(data, addr);
@@ -129,7 +129,7 @@ static inline unsigned long print_context_stack(struct thread_info *tinfo,
 		ebp = new_ebp;
 	}
 #else
-	while (valid_stack_ptr(tinfo, stack)) {
+	while (valid_stack_ptr(tinfo, stack, sizeof(*stack))) {
 		addr = *stack++;
 		if (__kernel_text_address(addr))
 			ops->address(data, addr);
-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/