[#5202] strnlen_user and strlen_user don't check whether they have a good or bad pointer before accesses happen.
Submitted By: Robin Getz
Open Date: 2009-06-03 20:30:37
Close Date: 2009-06-03 20:49:16
Priority: Medium
Assignee: Robin Getz
Status: Closed
Fixed In Release: N/A
Found In Release: N/A
Release: trunk
Category: Kernel Functions
Board: N/A
Processor: ALL
Silicon Revision: all
Is this bug repeatable?: Yes
Resolution: Fixed
Uboot version or rev.: trunk
Toolchain version or rev.: trunk
App binary format: N/A
Summary: strnlen_user and strlen_user don't check whether they have a good or bad pointer before accesses happen.
Details:
Making a bad userspace call to:
execlp(progname, progname, "-d", "0", "-q", "-p", 1, tests, NULL);
causes the kernel to crash:
NULL pointer access
Kernel OOPS in progress
Deferred Exception context
CURRENT PROCESS:
COMM=traps_test PID=235
CPU = 0
TEXT = 0x002c0040-0x002c86a0 DATA = 0x002c86c0-0x002cb610
BSS = 0x002cb610-0x002cb8f0 USER-STACK = 0x002ccf70
return address: [0x0009f452]; contents of:
0x0009f430: 9d48 2006 6c08 9941 4308 0c00 1807 4348
0x0009f440: 5002 3210 9910 4828 17f6 3040 0010 0000
0x0009f450: 3208 [9948] 0c00 180a 0000 3251 6c0a 9950
0x0009f460: 0c00 17fd 440a 3042 0010 6802 2ffd 0000
ADSP-BF537 Rev:3 500(MHz CCLK) 125(MHz SCLK) (mpu off)
SEQUENCER STATUS: Not tainted
SEQSTAT: 00062027 IPEND: 8030 SYSCFG: 0006
EXCAUSE : 0x27
interrupts disabled
physical IVG5 asserted : <0xffa00bb0> { _evt_ivhw + 0x0 }
physical IVG15 asserted : <0xffa00e94> { _evt_system_call + 0x0 }
logical irq 6 mapped : <0xffa00374> { _timer_interrupt + 0x0 }
logical irq 10 mapped : <0x000ec984> { _bfin_rtc_interrupt + 0x0 }
logical irq 12 mapped : <0x00109bec> { _rx_handler + 0x0 }
logical irq 13 mapped : <0x00109b90> { _tx_handler + 0x0 }
logical irq 18 mapped : <0x000b1e9c> { _bfin_serial_dma_rx_int + 0x0 }
logical irq 19 mapped : <0x000b1b68> { _bfin_serial_dma_tx_int + 0x0 }
logical irq 24 mapped : <0x000bbedc> { _bfin_mac_interrupt + 0x0 }
logical irq 45 mapped : <0x001099fc> { _err_handler + 0x0 }
RETE: <0x00000000> /* Maybe null pointer? */
RETN: <0x03e0fe88> /* kernel dynamic memory */
RETX: <0x00000480> /* Maybe fixed code section */
RETS: <0x00045176> { _copy_strings + 0x36 }
PC : <0x0009f452> { _strlen + 0x2 }
DCPLB_FAULT_ADDR: <0x00000001> /* Maybe null pointer? */
ICPLB_FAULT_ADDR: <0x0009f452> { _strlen + 0x2 }
PROCESSOR STATE:
R0 : 00000001 R1 : 00000005 R2 : 00000002 R3 : 002dd018
R4 : 00000fad R5 : 00000001 R6 : 0001ffab R7 : 00000000
P0 : 002defad P1 : 00000001 P2 : 001cf8cc P3 : 00000002
P4 : 002dd014 P5 : 00000005 FP : 002ccd80 SP : 03e0fdac
LB0: ffa03140 LT0: ffa0313e LC0: 00000000
LB1: 00048118 LT1: 00048110 LC1: 00000ff6
B0 : 00000000 L0 : 00000000 M0 : 00000000 I0 : 00000001
B1 : 00000000 L1 : 00000000 M1 : 00000000 I1 : 002ccfc0
B2 : 00000000 L2 : 00000000 M2 : 00000000 I2 : 00000000
B3 : 00000000 L3 : 00000000 M3 : 00000000 I3 : 00000000
A0.w: 00000000 A0.x: 00000000 A1.w: 00000000 A1.x: 00000000
USP : 002ccce0 ASTAT: 02003004
Hardware Trace:
0 Target : <0x00004d18> { _trap_c + 0x0 }
Source : <0xffa0060a> { _exception_to_level5 + 0x9e } CALL pcrel
1 Target : <0xffa0056c> { _exception_to_level5 + 0x0 }
Source : <0xffa00458> { _bfin_return_from_exception + 0x18 } RTX
2 Target : <0xffa00440> { _bfin_return_from_exception + 0x0 }
Source : <0xffa004c2> { _ex_trap_c + 0x46 } JUMP.S
3 Target : <0xffa0047c> { _ex_trap_c + 0x0 }
Source : <0xffa006d6> { _trap + 0x5a } JUMP (P4)
4 Target : <0xffa0067c> { _trap + 0x0 }
Source : <0x0009f450> { _strlen + 0x0 } 0x3208
5 Target : <0x0009f450> { _strlen + 0x0 }
Source : <0x00045172> { _copy_strings + 0x32 } CALL pcrel
6 Target : <0x00045168> { _copy_strings + 0x28 }
Source : <0xffa00236> { __access_ok + 0xde } RTS
7 Target : <0xffa00232> { __access_ok + 0xda }
Source : <0xffa0019a> { __access_ok + 0x42 } IF !CC JUMP
8 Target : <0xffa00158> { __access_ok + 0x0 }
Source : <0x00045164> { _copy_strings + 0x24 } CALL pcrel
9 Target : <0x00045160> { _copy_strings + 0x20 }
Source : <0x0004519c> { _copy_strings + 0x5c } IF CC JUMP
10 Target : <0x0004519a> { _copy_strings + 0x5a }
Source : <0x0004523e> { _copy_strings + 0xfe } JUMP.S
11 Target : <0x00045238> { _copy_strings + 0xf8 }
Source : <0xffa03142> { _memcpy + 0x5a } RTS
12 Target : <0xffa0313a> { _memcpy + 0x52 }
Source : <0xffa03104> { _memcpy + 0x1c } IF !CC JUMP
13 Target : <0xffa030e8> { _memcpy + 0x0 }
Source : <0x00045234> { _copy_strings + 0xf4 } CALL pcrel
14 Target : <0x00045226> { _copy_strings + 0xe6 }
Source : <0x00045218> { _copy_strings + 0xd8 } IF !CC JUMP
15 Target : <0x00045216> { _copy_strings + 0xd6 }
Source : <0xffa00236> { __access_ok + 0xde } RTS
because we don't do access_ok checks in strnlen_user and strlen_user.
-Robin
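A model of the missing check, added here as an example and not the Blackfin kernel's own code: a strnlen_user-style routine that validates the user pointer against a user segment before scanning, walked over the argv from the report above so the bad entry is rejected instead of faulting. The user segment layout, the 4096-byte bound and every name prefixed `model_` are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed "user segment", the only range this model treats as user memory.
 * A real kernel takes it from the task's memory map (nommu) or page tables. */
static char user_mem[32] = "-d\0" "0\0" "-q\0" "-p\0";

/* Model of access_ok(): [p, p+n) must lie inside the user segment. */
static int model_access_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_mem, hi = lo + sizeof user_mem;
    return a >= lo && a < hi && n <= hi - a;   /* ordered so it cannot wrap */
}

/* Checked strnlen_user() model, kernel return convention: length including the
 * NUL, 0 for an inaccessible pointer, > n when no NUL appears within n bytes. */
long model_strnlen_user(const char *src, long n)
{
    if (n <= 0 || !model_access_ok(src, 1))
        return 0;               /* the report's code skipped this and faulted */
    size_t avail = (uintptr_t)user_mem + sizeof user_mem - (uintptr_t)src;
    size_t lim = (size_t)n < avail ? (size_t)n : avail;   /* stay in segment */
    size_t len = strnlen(src, lim);
    if (len < lim)
        return (long)len + 1;                  /* terminated: count the NUL */
    return lim < (size_t)n ? 0 : n + 1;        /* ran off segment, or too long */
}

/* The argv from the report as copy_strings() sees it: four valid strings, then
 * the integer 1 passed where a pointer belongs. */
const char *const sample_argv[] = {
    user_mem, user_mem + 3, user_mem + 5, user_mem + 8, (const char *)1, NULL
};

/* Walk argv like copy_strings(): return the index of the first entry the length
 * check rejects, or -1 when every entry up to NULL is accessible. */
int model_first_bad_arg(const char *const argv[])
{
    for (int i = 0; argv[i]; i++)
        if (model_strnlen_user(argv[i], 4096) == 0)   /* 4096: assumed bound */
            return i;
    return -1;
}

int main(void)
{
    printf("first rejected argv index: %d\n", model_first_bad_arg(sample_argv));
    return 0;
}
```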
Follow-ups
--- Robin Getz 2009-06-03 20:49:16
Fixed on branch (2009) and trunk.