From: "Ollie Wild" <aaw@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>,
linux-kernel@vger.kernel.org,
parisc-linux@lists.parisc-linux.org, linux-mm@kvack.org,
linux-arch@vger.kernel.org, Ingo Molnar <mingo@elte.hu>,
Andi Kleen <ak@suse.de>
Subject: Re: [PATCH 4/4] mm: variable length argument support
Date: Tue, 5 Jun 2007 17:48:54 -0700 [thread overview]
Message-ID: <65dd6fd50706051748y2e7791c3q41722f0d7d536312@mail.gmail.com> (raw)
In-Reply-To: <20070605163925.bfc417ca.akpm@linux-foundation.org>
OK. It sounds like a healthy dose of comments is in order. I'll
clean things up and send out a new patch sometime tonight or tomorrow.
Additional comments inline below:
> > - len = strnlen_user((void __user *)p, PAGE_SIZE*MAX_ARG_PAGES);
> > - if (!len || len > PAGE_SIZE*MAX_ARG_PAGES)
> > + len = strnlen_user((void __user *)p, MAX_ARG_STRLEN);
> > + if (!len || len > MAX_ARG_STRLEN)
>
> strnlen_user() is a scary function. Please do remember that if the memory
> we just strlen'ed is writeable by any user thread then that thread can at
> any time invalidate the number which the kernel now holds.
At this point, we've already called setup_arg_pages(), so the user
memory is our own private copy. No other threads can access it.
> > - !(len = strnlen_user(compat_ptr(str), bprm->p))) {
> > + !(len = strnlen_user(compat_ptr(str), MAX_ARG_STRLEN))) {
> > ret = -EFAULT;
> > goto out;
> > }
> >
> > - if (bprm->p < len) {
> > + if (MAX_ARG_STRLEN < len) {
> > ret = -E2BIG;
> > goto out;
> > }
>
> Do we have an off-by-one here? Should it be <=?
No, strnlen_user() returns N+1 (where N==MAX_ARG_STRLEN) if the string
is too large.
> If not, then this code is relying upon the string's terminating \0 coming
> from userspace? If so, that's buggy: userspace can overwrite the \0 after
> we ran the strnlen_user(), perhaps, and confound the kernel?
If that's the case, then we will fail to copy the null terminator, and
the string will munge into the following string. Since we always
access this data via the various userspace access routines, we will
either return an error on a later operation, or the new process will
segfault shortly upon starting.
> > + vma_adjust(vma, new_start, old_end,
> > + vma->vm_pgoff - (-shift >> PAGE_SHIFT), NULL);
>
> hm, a right-shift of a negated unsigned value. That's pretty unusual. I
> hope you know what you're doing ;)
This is correct. In this case, shift is already populated with a
negative, wrapped unsigned value. The -shift is needed to make it
positive before the bitwise shift.
> > #define EXTRA_STACK_VM_PAGES 20 /* random */
> >
> > +/* Finalizes the stack vm_area_struct. The flags and permissions are updated,
> > + * the stack is optionally relocated, and some extra space is added.
> > + */
>
> That's better.
>
> But what extra space is added, and why?
We add EXTRA_STACK_VM_PAGES. To be honest, I think neither of us know
why this is done. It's just what the old code did, so we preserved
it.
Ollie
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2007-06-06 0:48 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-05 15:05 [PATCH 0/4] no MAX_ARG_PAGES Peter Zijlstra
2007-06-05 15:05 ` [PATCH 1/4] arch: personality independent stack top Peter Zijlstra
2007-06-05 15:05 ` [PATCH 2/4] audit: rework execve audit Peter Zijlstra
2007-06-05 23:39 ` Andrew Morton
2007-06-06 5:52 ` Peter Zijlstra
2007-06-05 15:05 ` [PATCH 3/4] mm: move_page_tables{,_up} Peter Zijlstra
2007-06-05 19:46 ` Christoph Lameter
2007-06-05 23:39 ` Andrew Morton
2007-06-06 19:06 ` Ollie Wild
2007-06-06 19:12 ` Peter Zijlstra
2007-06-06 19:50 ` Ollie Wild
2007-06-06 19:53 ` Peter Zijlstra
2007-06-05 15:05 ` [PATCH 4/4] mm: variable length argument support Peter Zijlstra, Ollie Wild
2007-06-05 23:39 ` Andrew Morton
2007-06-06 0:48 ` Ollie Wild [this message]
2007-06-06 6:02 ` Peter Zijlstra
2007-06-06 8:36 ` Andrew Morton
2007-06-06 8:44 ` Paul Mundt
2007-06-06 8:54 ` Peter Zijlstra
2007-06-06 9:06 ` Andrew Morton
2007-06-06 9:12 ` Peter Zijlstra
2007-06-06 14:40 ` [parisc-linux] " Grant Grundler
2007-06-06 9:34 ` Peter Zijlstra
2007-06-06 9:44 ` Paul Mundt
2007-06-06 9:47 ` Peter Zijlstra
2007-06-06 9:53 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=65dd6fd50706051748y2e7791c3q41722f0d7d536312@mail.gmail.com \
--to=aaw@google.com \
--cc=a.p.zijlstra@chello.nl \
--cc=ak@suse.de \
--cc=akpm@linux-foundation.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@elte.hu \
--cc=parisc-linux@lists.parisc-linux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox