From: <ch...@su...> - 2014-04-30 12:15:29
|
Hi! We have quite a lot of testcases that passes wrong pointer to syscalls to check that they return EFAULT and several ad-hoc ways to do this. I've looked at the code we have and at the kernel implementation in order to fix this mess. There are several ways that testcases use to generate bad addres: * (void*)-1 * get_high_address() * mmap(..., PROT_NONE, ...) I've looked how is the checking implemented in kernel and it boils down to various get_user/put_user variants of strncpy build on the top of the __get_user and __put_user functions. On x86 these functions do coarse check for overflow which should be triggered by the (void*)-1 parameter, then if the pointer is smaller than maximal possible userspace address and then proceeds with the memory access. If memory access creates a page fault the page fault handler executes fixup code which returns the EFAULT and if I understand this correctly this is the case for both get_high_address() and mmap(..., PROT_NONE, ...). Then there are other architectures that does things a little bit differently and I'm not even sure how because most of the functions are written in assembler. Now there are a few things I wonder about: * Is there an machine that has userspace memory mapped on (void*)-1 ? because that would make quite a lot of our testcases to fail * Is there a machine that has userspace address mapped on NULL ? I would consider this pretty evil thing to do, due to fact that most of the libraries returns NULL on failure and dereferencing these should really cause SegFault or EFAULT. -- Cyril Hrubis ch...@su... |