There is a bug in __copy_user (arch/mips*/lib/memcpy.S). Tested for 2.4.18
kernels, but versions 2.2, 2.4, and 2.5 for both mips and mips64 seem
to have a similar bug.
For kernel 2.4.18 and mips
__copy_user returns the wrong value if len = 4...7 and dst isn't accessible.
Other versions behave almost the same, just borders differ.
For example,
read(0,NULL,len), len=4...7
getsockopt/ioctl(fd, *GET*, NULL, sizeof(int))
returns success. Fortunately, they don't write to address 0.
The following patch seems to be OK for 2.4.18:
less_than_4units:
/*
* rem = len % NBYTES
*/
beq rem, len, copy_bytes
nop
1:
EXC( LOAD t0, 0(src), l_exc)
ADD src, src, NBYTES
SUB len, len, NBYTES
-EXC( STORE t0, 0(dst), s_exc)
+EXC( STORE t0, 0(dst), s_exc_p1u)
bne rem, len, 1b
ADD dst, dst, NBYTES
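Review bot: switching the STORE's fault handler from s_exc to s_exc_p1u fixes the returned remaining-byte count for this one store, but the same handler choice should be checked on the other STORE sites in this routine (for instance the copy_bytes path this block branches to) and in the mips64 copy of memcpy.S, since the report says the other versions show the same bug with different borders; the patch also assumes an s_exc_p1u handler already exists in this file, which is worth stating, and it would apply more easily as a unified diff with @@ headers and the file path.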
Any comments?
Regards,
Gleb.
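A user-space regression probe for the symptom described above, as an added example (not part of Gleb's report or of the kernel source): it calls read() and an int-returning ioctl (FIONREAD, assumed available on a pipe) with a NULL destination for the lengths the report names, and reports whether the kernel rejects them with EFAULT instead of reporting success.

```c
/* Added example: probe whether the kernel rejects an inaccessible
 * destination buffer for short copy lengths. A correct __copy_user makes
 * read()/ioctl() fail with EFAULT; the bug described in the report made
 * them return success instead. Assumes a Linux/BSD-style kernel with pipes. */
#include <errno.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* 1 = read() into a NULL buffer of `len` bytes was rejected with EFAULT,
 * 0 = the call reported success (the reported symptom), -1 = setup error. */
int read_null_dst_rejected(size_t len)
{
    int fds[2];
    const char src[8] = "ABCDEFGH";       /* constructed data so the read has bytes to copy */
    char *volatile dst = NULL;            /* volatile keeps the compiler from folding the NULL */
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], src, sizeof src) != (ssize_t)sizeof src) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    errno = 0;
    ssize_t n = read(fds[0], dst, len);   /* must fault, never copy to address 0 */
    int saved = errno;
    close(fds[0]); close(fds[1]);
    return (n < 0 && saved == EFAULT) ? 1 : 0;
}

/* Same check for an ioctl *GET* that stores sizeof(int) through a NULL pointer. */
int ioctl_null_dst_rejected(void)
{
    int fds[2];
    int *volatile dst = NULL;
    if (pipe(fds) != 0)
        return -1;
    errno = 0;
    int r = ioctl(fds[0], FIONREAD, dst);
    int saved = errno;
    close(fds[0]); close(fds[1]);
    return (r < 0 && saved == EFAULT) ? 1 : 0;
}

int main(void)
{
    for (size_t len = 1; len <= 8; len++)   /* covers the 4...7 range from the report */
        printf("read(fd, NULL, %zu): %s\n", len,
               read_null_dst_rejected(len) == 1 ? "EFAULT (ok)" : "NOT rejected");
    printf("ioctl(fd, FIONREAD, NULL): %s\n",
           ioctl_null_dst_rejected() == 1 ? "EFAULT (ok)" : "NOT rejected");
    return 0;
}
```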