[Lguest] [PATCH] Fix out-by-one error in traps.c

Rusty Russell rusty at rustcorp.com.au
Fri Aug 31 16:03:58 EST 2007


On Thu, 2007-08-30 at 21:44 -0700, Linus Torvalds wrote:
> 
> On Fri, 31 Aug 2007, Rusty Russell wrote:
> >
> > We don't care if ebp is on the stack, we care about ebp + 4.  Without
> > this, lguest (with CONFIG_DEBUG_LOCKDEP) can touch a page unmapped by
> > CONFIG_DEBUG_PAGEALLOC.
> 
> Hmm.. This *really* cannot happen with a normal kernel - it implies that 
> the stack has crossed into an invalid page. 

AFAICT, a corrupt stack could lead us to touch a page which isn't
mapped.  If we assume the stack isn't corrupt, we don't have to do the
valid_stack_ptr() check at all...

> Why is that allowed with lguest? What kind of code could validly *ever* 
> come in here and cause problems?

head.S pushes a "$0" on the stack to stop the unwinder, lguest doesn't.

Here's the lguest fix, but I still think the real fix posted previously
is more important.

Cheers,
Rusty.
===
lguest doesn't terminate stack, upsets unwinder

Copy head.S, which puts a 0 on the stack to terminate ebp-chasing
backtrace code.

Signed-off-by: Rusty Russell <rusty at rustcorp.com.au>

diff -r 926e5cc964fd drivers/lguest/lguest_asm.S
--- a/drivers/lguest/lguest_asm.S	Fri Aug 31 08:02:08 2007 +1000
+++ b/drivers/lguest/lguest_asm.S	Fri Aug 31 16:01:25 2007 +1000
@@ -19,6 +19,8 @@
  	movl $(init_thread_union+THREAD_SIZE),%esp
 	movl %esi, %eax
 	addl $__PAGE_OFFSET, %eax
+	/* Fake value to stop backtraces with CONFIG_FRAME_POINTER */
+	pushl $0
 	jmp lguest_init
 
 /*G:055 We create a macro which puts the assembler code between lgstart_ and
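Review bot: the `pushl $0` is correctly placed after `movl $(init_thread_union+THREAD_SIZE),%esp` and before `jmp lguest_init`, so the 0 becomes the topmost word of the initial thread stack, which is where the ebp-chasing walker will look for a terminating saved %ebp; if this prologue is ever reordered, the push must stay after the move into %esp, or it lands on whatever stack was in use before. The comment names only CONFIG_FRAME_POINTER; one more clause saying that the 0 is the saved-%ebp terminator the backtrace code stops on, mirroring the same push in head.S, would tell a later reader why the two entry paths need to stay in sync.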
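As an added illustration of the two points made in this thread (the walker reads the word at ebp + 4, so that is the address that needs validating, and the frame chain needs a 0 terminator such as head.S pushes), here is a constructed C model of a frame-pointer backtrace over a small simulated stack. It is example code written for this page, not kernel code and not part of the patch; the stack size, slot layout, frame offsets and the names `valid_slot`, `walk_frames`, `build_stack` and `demo` are all assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a thread stack: STACK_WORDS 32-bit words, where
 * slot 0 stands in for the thread_info at the base and the highest slot
 * is where the initial %esp pointed. A frame's saved %ebp sits at [ebp]
 * and its return address at [ebp + 1] (ebp + 4 bytes on a real i386). */
#define STACK_WORDS 16

/* Model of a valid_stack_ptr()-style check: the slot lies strictly above
 * the thread_info and strictly below the end of the stack. */
static int valid_slot(size_t slot)
{
	return slot > 0 && slot < STACK_WORDS;
}

struct walk {
	int frames;   /* return addresses the walker reported */
	int faulted;  /* 1 if it would have read a word outside the stack */
};

/* Walk the %ebp chain. With check_ret_slot == 0 only [ebp] is validated
 * although both [ebp] and [ebp + 1] are read, the out-by-one the thread
 * describes; with check_ret_slot == 1 the highest slot about to be read,
 * [ebp + 1], is validated, so the walk stops cleanly at the stack end. */
static struct walk walk_frames(const uint32_t *stack, size_t ebp,
			       int check_ret_slot)
{
	struct walk w = { 0, 0 };

	while (valid_slot(check_ret_slot ? ebp + 1 : ebp)) {
		uint32_t new_ebp;

		/* The read the unfixed check lets through: on a real kernel
		 * with CONFIG_DEBUG_PAGEALLOC this is the touch of an
		 * unmapped page. */
		if (!valid_slot(ebp + 1)) {
			w.faulted = 1;
			break;
		}
		w.frames++;             /* stack[ebp + 1] is the return address */
		new_ebp = stack[ebp];
		/* A saved %ebp of 0 (the terminator head.S pushes) or one that
		 * does not move up the stack ends the chain. */
		if (new_ebp <= ebp)
			break;
		ebp = new_ebp;
	}
	return w;
}

/* Build three linked frames at slots 4, 8 and 12 (constructed data).
 * With `terminated` the outermost frame's saved %ebp is 0, as after the
 * pushl $0; without it, the saved %ebp points at the top slot, which
 * holds whatever was left there. */
static void build_stack(uint32_t *stack, int terminated)
{
	size_t i;
	for (i = 0; i < STACK_WORDS; i++)
		stack[i] = 0xdeadbeef;      /* constructed leftover garbage */
	stack[4] = 8;   stack[5] = 0x1111;  /* innermost frame */
	stack[8] = 12;  stack[9] = 0x2222;
	stack[12] = terminated ? 0 : STACK_WORDS - 1;
	stack[13] = 0x3333;
}

/* Run one combination of terminator / check and return what happened. */
struct walk demo(int terminated, int check_ret_slot)
{
	uint32_t stack[STACK_WORDS];
	build_stack(stack, terminated);
	return walk_frames(stack, 4, check_ret_slot);
}

int main(void)
{
	int t, c;
	for (t = 0; t < 2; t++)
		for (c = 0; c < 2; c++) {
			struct walk w = demo(t, c);
			printf("terminated=%d check_ebp_plus_4=%d -> frames=%d faulted=%d\n",
			       t, c, w.frames, w.faulted);
		}
	return 0;
}
```

Only the unterminated stack walked with the ebp-only check faults: the last saved %ebp points at the top slot, that slot passes the check, and the walker then reads one word past the end. Either fix on its own avoids the fault (the terminator ends the chain early; the ebp + 4 check refuses the last frame), which is why the thread treats the traps.c change as the more important one.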