Re: [uClinux-dev] Bug in sys_mount (m68knommu)

Sun, 10 Jan 2010 23:07:46 -0800 


Hi Allon,

Allon Stern wrote:

The kernel is Linux 2.6.28.6
I had a report of a crash on mounting our UBIFS flash volume on our m68knommu (Coldfire 5282) platform; 
After tracing it down, I found this code in fs/namespace.c:

/*
 * Some copy_from_user() implementations do not return the exact number of
* bytes remaining to copy on a fault. But copy_mount_options() requires that. * Note that this function differs from copy_from_user() in that it will oops 
 * on bad values of `to', rather than returning a short copy.
 */
static long exact_copy_from_user(void *to, const void __user * from,
                 unsignedlong n)
{
    char *t = to;
    const char __user *f = from;
    char c;

    if (!access_ok(VERIFY_READ, from, n))
        return n;

    while (n) {
        if (__get_user(c, f)) {
            memset(t, 0, n);
            break;
        }
        *t++ = c;
        f++;
        n--;
    }
    return n;
}
The problem is that the from address, which is passed into the sys_mount syscall, is within a page of the top of memory (sometimes). Sys_mount calls copy_mount_options to copy parameters. That call doesn't specify a length to copy - it always copies a page worth of data. Since the source address is within a page of the top of memory, it causes a memory fault. 

On m68knommu, access_ok is a noop.
__get_user() *should* return -EFAULT on an error, but instead an exception is raised, I think. I was able to hack around this problem by changing the __get_user() line to: 

extern unsigned long _ramend;

        if ((f >= _ramend) || __get_user(c, f)) {
Which causes the code to only copy up to the end of memory without going over. 
Does this find point to an underlying problem in __get_user() on m68knommu?


I guess it sort of does. The comments around access_ok() in
arch/m68k/include/asm/uaccess_no.h hint at the problems.

Just checking if above end of ram in this specific case is good enough.
But in general it would need to check _within_ RAM and also within
any flash regions that could be mapped (XIP for example).

Regards
Greg


------------------------------------------------------------------------
Greg Ungerer  --  Principal Engineer        EMAIL:     g...@snapgear.com
SnapGear Group, McAfee                      PHONE:       +61 7 3435 2888
8 Gardner Close                             FAX:         +61 7 3217 5323
Milton, QLD, 4064, Australia                WEB: http://www.SnapGear.com
_______________________________________________
uClinux-dev mailing list
uClinux-dev@uclinux.org
http://mailman.uclinux.org/mailman/listinfo/uclinux-dev
This message was resent by uclinux-dev@uclinux.org
To unsubscribe see:
http://mailman.uclinux.org/mailman/options/uclinux-dev

Reply via email to