On Mon, 11 Dec 2006 01:16:47 +0900 (JST), Atsushi Nemoto <firstname.lastname@example.org>
> If we passed an invalid _and_ unaligned source address to
> copy_from_user(), the fault handling code miscalculates a length of
> uncopied bytes and returns a value greater than original length. This
> also causes an negative buffer overflow and overwrites some bytes just
> before the destination kernel buffer.
> This can happen "src_unaligned" case in memcpy.S. If the first load
> from source buffer was a LDFIRST/LDREST (L[WD][RL]) instruction, it
> raise an exception and the THREAD_BUADDR will be an aligned address so
> it will _smaller_ than its real target address.
Sorry, this is wrong! Please ignore this patch.
In this case THREAD_BUADDR should be an _unaligned_ address. On QEMU
THREAD_BUADDR was an _aligned_ address so it might be a QEMU bug ...