From: Blaisorblade <blaisorblade@yahoo.it>
To: user-mode-linux-devel@lists.sourceforge.net
Cc: Jeff Dike <jdike@addtoit.com>,
Bodo Stroesser <bstroesser@fujitsu-siemens.com>,
Alexander Viro <viro@parcelfarce.linux.theplanet.co.uk>,
LKML <linux-kernel@vger.kernel.org>
Subject: CONFIG_REGPARM - prevent_tail_call doubts (context: SKAS3 bug in detail)
Date: Tue, 12 Jul 2005 00:18:50 +0200 [thread overview]
Message-ID: <200507120018.51436.blaisorblade@yahoo.it> (raw)
I just diagnosed (and announced) a big bug affecting the SKAS3 patch: namely,
syscall parameter values stored in registers may be corrupted for some
syscalls on return, when called through int 0x80, and when CONFIG_REGPARM is
enabled.
Ok, the diagnosys of the SKAS3 bug I just noticed is that simply, this
construct:
int do_foo(params...) {
}
asmlinkage int sys_foo(params...) {
return do_foo(a_new_param, params...);
}
does not work, because sys_foo() is optimized to reorder parameters on the
stack and to tail-call do_foo. The corrupted parameters on the stack will
then be restored (when calling with int $0x80) inside the userspace
registers. From entry.S, especially from this comment:
/* if something modifies registers it must also disable sysexit */
it's clear that when using SYSENTER registers are not restored (even verified
through sys_iopl() code, which touched EFLAGS).
I've used prevent_tail_call to fix this, and it works (verified with tests and
assembly inspection). I even think I've understood why it works... it's clear
why it disallows tail call, but I thought that GCC could create a normal call
reusing some space from the stack frame of sys_foo, to create the stack frame
of do_foo... it's just that it wouldn't improve speed.
This construct is used for four syscalls (sys_mmap2, old_mmap, sys_mprotect,
sys_modify_ldt) and I verified the bug for all sys_mmap2 and sys_mprotect,
and I'm sure about modify_ldt because the compiled code is identical to
sys_mprotect().
I initially noticed this with the errno-vs-NPTL fix I and Al Viro discussed
some time ago: it used indeed mmap2() and triggered the bug.
Luckily, strace reads the correct data (since syscall params are read before
the syscall is done) so I couldn't do anything else than understand something
bad was happening.
--
Inform me of my mistakes, so I can keep imitating Homer Simpson's "Doh!".
Paolo Giarrusso, aka Blaisorblade (Skype ID "PaoloGiarrusso", ICQ 215621894)
http://www.user-mode-linux.org/~blaisorblade
___________________________________
Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB
http://mail.yahoo.it
reply other threads:[~2005-07-11 22:15 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200507120018.51436.blaisorblade@yahoo.it \
--to=blaisorblade@yahoo.it \
--cc=bstroesser@fujitsu-siemens.com \
--cc=jdike@addtoit.com \
--cc=linux-kernel@vger.kernel.org \
--cc=user-mode-linux-devel@lists.sourceforge.net \
--cc=viro@parcelfarce.linux.theplanet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).