Source-Changes-HG archive


[src/trunk]: src/sys/arch/m68k/m68k Plug kernel stack leaks in reenter_syscal...



details:   https://anonhg.NetBSD.org/src/rev/987b276ca381
branches:  trunk
changeset: 980984:987b276ca381
user:      tsutsui <tsutsui%NetBSD.org@localhost>
date:      Tue Feb 23 16:54:17 2021 +0000

description:
Plug kernel stack leaks in reenter_syscall() for setcontext(2).

This fixes long standing kernel crashes (MMU fault, address error,
and silent freeze by a double bus fault etc. seen for ~10 years)
caused by kernel stack overflow, especially on x68k and sun3 running
Xorg based servers.  See PR/55990 for more details.

"This change seems perfectly reasonable" from thorpej@ and
jklos@ also reported this also solved a freeze of his mac68k system
with 10 megabytes of memory.

Should be pulled up to netbsd-9 and netbsd-8.

diffstat:

 sys/arch/m68k/m68k/reenter_syscall.s |  15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

diffs (29 lines):

diff -r 5fe1f4a6215b -r 987b276ca381 sys/arch/m68k/m68k/reenter_syscall.s
--- a/sys/arch/m68k/m68k/reenter_syscall.s      Tue Feb 23 16:47:04 2021 +0000
+++ b/sys/arch/m68k/m68k/reenter_syscall.s      Tue Feb 23 16:54:17 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: reenter_syscall.s,v 1.6 2021/02/21 07:23:41 tsutsui Exp $      */
+/*     $NetBSD: reenter_syscall.s,v 1.7 2021/02/23 16:54:17 tsutsui Exp $      */
 
 /*
  * Written by ITOH Yasufumi.
@@ -51,6 +51,19 @@
 #endif
        moveal  FR_SP(%sp),%a0          | grab and restore
        movel   %a0,%usp                |   user SP
+       movw    FR_ADJ(%sp),%d0         | need to adjust stack?
+       jne     .Ladjstk                | yes, go to it
        moveml  (%sp)+,#0x7FFF          | restore user registers
        addql   #8,%sp                  | pop SP and stack adjust
        jra     _ASM_LABEL(rei)         | rte
+.Ladjstk:
+       lea     FR_HW(%sp),%a1          | pointer to HW frame
+       addql   #8,%a1                  | source pointer
+       movl    %a1,%a0                 | source
+       addw    %d0,%a0                 |  + hole size = dest pointer
+       movl    -(%a1),-(%a0)           | copy
+       movl    -(%a1),-(%a0)           |  8 bytes
+       movl    %a0,FR_SP(%sp)          | new SSP
+       moveml  (%sp)+,#0x7FFF          | restore user register
+       movl    (%sp),%sp               | and do real RTE
+       jra     _ASM_LABEL(rei)         | rte
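Review bot: the `.Ladjstk` path relies on an undocumented invariant that deserves a comment next to `movw FR_ADJ(%sp),%d0 | need to adjust stack?`: `addw %d0,%a0` sign-extends the 16-bit FR_ADJ word into the address add, so the code only does the right thing when FR_ADJ is the non-negative size of the hole left above the 8-byte hardware frame (SR, PC, format/vector), and the two `movl -(%a1),-(%a0)` copies assume that exactly those 8 bytes are all that must be preserved. Stating both assumptions in the comment, and noting that the non-adjusted path's `addql #8,%sp` is replaced here by loading the relocated SSP back from FR_SP via `movl (%sp),%sp`, would make the fast path and the adjust path easier to check against each other. If this sequence mirrors the stack-adjust handling in the regular exception-return code, a comment saying so would help keep the two in step should the frame layout change. Minor: `| restore user register` on the second moveml should read `registers`, matching the comment on the unchanged moveml above.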


