[#5202] strnlen_user and strlen_user don't check whether the pointer is good or bad before accesses happen.

Document created by Aaronwu Employee on Sep 3, 2013

Submitted By: Robin Getz
Open Date: 2009-06-03 20:30:37
Close Date: 2009-06-03 20:49:16
Priority: Medium
Assignee: Robin Getz
Status: Closed
Fixed In Release: N/A
Found In Release: N/A
Release: trunk
Category: Kernel Functions
Board: N/A
Processor: ALL
Silicon Revision: all
Is this bug repeatable?: Yes
Resolution: Fixed
Uboot version or rev.: trunk
Toolchain version or rev.: trunk
App binary format: N/A

Summary: strnlen_user and strlen_user don't check whether the pointer is good or bad before accesses happen.

Details:

Making a bad userspace call to:

execlp(progname, progname, "-d", "0", "-q", "-p", 1, tests, NULL);

causes the kernel to crash:


NULL pointer access
Kernel OOPS in progress
Deferred Exception context
CURRENT PROCESS:
COMM=traps_test PID=235
CPU = 0
TEXT = 0x002c0040-0x002c86a0        DATA = 0x002c86c0-0x002cb610
BSS = 0x002cb610-0x002cb8f0  USER-STACK = 0x002ccf70

return address: [0x0009f452]; contents of:
0x0009f430:  9d48  2006  6c08  9941  4308  0c00  1807  4348
0x0009f440:  5002  3210  9910  4828  17f6  3040  0010  0000
0x0009f450:  3208 [9948] 0c00  180a  0000  3251  6c0a  9950
0x0009f460:  0c00  17fd  440a  3042  0010  6802  2ffd  0000

ADSP-BF537 Rev:3 500(MHz CCLK) 125(MHz SCLK) (mpu off)

SEQUENCER STATUS:               Not tainted
SEQSTAT: 00062027  IPEND: 8030  SYSCFG: 0006
  EXCAUSE   : 0x27
  interrupts disabled
  physical IVG5 asserted : <0xffa00bb0> { _evt_ivhw + 0x0 }
  physical IVG15 asserted : <0xffa00e94> { _evt_system_call + 0x0 }
  logical irq   6 mapped  : <0xffa00374> { _timer_interrupt + 0x0 }
  logical irq  10 mapped  : <0x000ec984> { _bfin_rtc_interrupt + 0x0 }
  logical irq  12 mapped  : <0x00109bec> { _rx_handler + 0x0 }
  logical irq  13 mapped  : <0x00109b90> { _tx_handler + 0x0 }
  logical irq  18 mapped  : <0x000b1e9c> { _bfin_serial_dma_rx_int + 0x0 }
  logical irq  19 mapped  : <0x000b1b68> { _bfin_serial_dma_tx_int + 0x0 }
  logical irq  24 mapped  : <0x000bbedc> { _bfin_mac_interrupt + 0x0 }
  logical irq  45 mapped  : <0x001099fc> { _err_handler + 0x0 }
RETE: <0x00000000> /* Maybe null pointer? */
RETN: <0x03e0fe88> /* kernel dynamic memory */
RETX: <0x00000480> /* Maybe fixed code section */
RETS: <0x00045176> { _copy_strings + 0x36 }
PC  : <0x0009f452> { _strlen + 0x2 }
DCPLB_FAULT_ADDR: <0x00000001> /* Maybe null pointer? */
ICPLB_FAULT_ADDR: <0x0009f452> { _strlen + 0x2 }

PROCESSOR STATE:
R0 : 00000001    R1 : 00000005    R2 : 00000002    R3 : 002dd018
R4 : 00000fad    R5 : 00000001    R6 : 0001ffab    R7 : 00000000
P0 : 002defad    P1 : 00000001    P2 : 001cf8cc    P3 : 00000002
P4 : 002dd014    P5 : 00000005    FP : 002ccd80    SP : 03e0fdac
LB0: ffa03140    LT0: ffa0313e    LC0: 00000000
LB1: 00048118    LT1: 00048110    LC1: 00000ff6
B0 : 00000000    L0 : 00000000    M0 : 00000000    I0 : 00000001
B1 : 00000000    L1 : 00000000    M1 : 00000000    I1 : 002ccfc0
B2 : 00000000    L2 : 00000000    M2 : 00000000    I2 : 00000000
B3 : 00000000    L3 : 00000000    M3 : 00000000    I3 : 00000000
A0.w: 00000000   A0.x: 00000000   A1.w: 00000000   A1.x: 00000000
USP : 002ccce0  ASTAT: 02003004

Hardware Trace:
   0 Target : <0x00004d18> { _trap_c + 0x0 }
     Source : <0xffa0060a> { _exception_to_level5 + 0x9e } CALL pcrel
   1 Target : <0xffa0056c> { _exception_to_level5 + 0x0 }
     Source : <0xffa00458> { _bfin_return_from_exception + 0x18 } RTX
   2 Target : <0xffa00440> { _bfin_return_from_exception + 0x0 }
     Source : <0xffa004c2> { _ex_trap_c + 0x46 } JUMP.S
   3 Target : <0xffa0047c> { _ex_trap_c + 0x0 }
     Source : <0xffa006d6> { _trap + 0x5a } JUMP (P4)
   4 Target : <0xffa0067c> { _trap + 0x0 }
     Source : <0x0009f450> { _strlen + 0x0 } 0x3208
   5 Target : <0x0009f450> { _strlen + 0x0 }
     Source : <0x00045172> { _copy_strings + 0x32 } CALL pcrel
   6 Target : <0x00045168> { _copy_strings + 0x28 }
     Source : <0xffa00236> { __access_ok + 0xde } RTS
   7 Target : <0xffa00232> { __access_ok + 0xda }
     Source : <0xffa0019a> { __access_ok + 0x42 } IF !CC JUMP
   8 Target : <0xffa00158> { __access_ok + 0x0 }
     Source : <0x00045164> { _copy_strings + 0x24 } CALL pcrel
   9 Target : <0x00045160> { _copy_strings + 0x20 }
     Source : <0x0004519c> { _copy_strings + 0x5c } IF CC JUMP
  10 Target : <0x0004519a> { _copy_strings + 0x5a }
     Source : <0x0004523e> { _copy_strings + 0xfe } JUMP.S
  11 Target : <0x00045238> { _copy_strings + 0xf8 }
     Source : <0xffa03142> { _memcpy + 0x5a } RTS
  12 Target : <0xffa0313a> { _memcpy + 0x52 }
     Source : <0xffa03104> { _memcpy + 0x1c } IF !CC JUMP
  13 Target : <0xffa030e8> { _memcpy + 0x0 }
     Source : <0x00045234> { _copy_strings + 0xf4 } CALL pcrel
  14 Target : <0x00045226> { _copy_strings + 0xe6 }
     Source : <0x00045218> { _copy_strings + 0xd8 } IF !CC JUMP
  15 Target : <0x00045216> { _copy_strings + 0xd6 }
     Source : <0xffa00236> { __access_ok + 0xde } RTS

because we don't do access_ok checks in strnlen_user and strlen_user.

 

-Robin
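As an added illustration (not code from the bug report or from the Blackfin kernel tree), the C model below reproduces the shape of the bug and of the fix against a constructed no-MMU address space: the unchecked scan reads through the bad argv pointer (the literal 1 from the execlp() call above) and takes a fault, while the version that runs an access_ok()-style range check first returns 0 so the exec path fails with -EFAULT instead of oopsing. USER_BASE, USER_SIZE, user_mem, load_user_byte, dcplb_fault and count_argv_strings are constructed names for the model, not kernel symbols.

```c
#include <stdint.h>
/* Constructed flat no-MMU address space (Blackfin-style): only the range
 * [USER_BASE, USER_BASE + USER_SIZE) holds user data; addresses are integers. */
#define USER_BASE 0x002c0000u      /* constructed, near the oops' TEXT range */
#define USER_SIZE 0x10000u
static uint8_t user_mem[USER_SIZE];
static int dcplb_fault;            /* stands in for the DCPLB fault / oops */

/* "Hardware" load: an unmapped address faults (unsigned wrap covers addr < USER_BASE). */
static uint8_t load_user_byte(uint32_t addr)
{
    if (addr - USER_BASE >= USER_SIZE) { dcplb_fault = 1; return 0; }
    return user_mem[addr - USER_BASE];
}

/* access_ok(): the whole range [addr, addr + size) must lie in user memory. */
static int access_ok(uint32_t addr, uint32_t size)
{
    return addr - USER_BASE < USER_SIZE && size <= USER_SIZE - (addr - USER_BASE);
}

/* Reported shape: no check, so the literal 1 in the execlp() argv is read and faults. */
static long strnlen_user_unchecked(uint32_t addr, long n)
{
    long len = 0;
    while (len < n && load_user_byte(addr + len) != 0) len++;
    return len < n ? len + 1 : n + 1;      /* length including the NUL */
}

/* Fixed shape: validate before touching memory; 0 is the "fault" result. */
static long strnlen_user_checked(uint32_t addr, long n)
{
    if (n <= 0 || !access_ok(addr, 1)) return 0;
    long room = (long)(USER_SIZE - (addr - USER_BASE)), len = 0;
    while (len < n && len < room && user_mem[addr - USER_BASE + len] != 0) len++;
    if (len == n) return n + 1;            /* no NUL within n: "too long" */
    return len == room ? 0 : len + 1;      /* ran off user memory: fault */
}

/* Mini copy_strings() (the exec path in the oops): a bad pointer now yields -EFAULT. */
static long count_argv_strings(const uint32_t *argv, int argc, long max)
{
    long total = 0;
    for (int i = 0; i < argc; i++) {
        long len = strnlen_user_checked(argv[i], max);
        if (len == 0) return -14;          /* -EFAULT instead of a kernel crash */
        total += len;
    }
    return total;
}
```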

 

Follow-ups

 

--- Robin Getz                                               2009-06-03 20:49:16

Fixed on branch (2009) and trunk.

 

 

 
