sh: __copy_user function can corrupt the stack in case of exception
The __copy_user function can corrupt the stack when the length of data is non-trivial and either of the first two move instructions causes an exception. This is because the fixup for these two instructions is mapped to the no_pop case, but these instructions execute after the stack is pushed. This change creates an explicit NO_POP exception mapping macro, and uses it for the two instructions executed in the trivial case where no stack pushes occur. More information at ST Linux bugzilla: https://bugzilla.stlinux.com/show_bug.cgi?id=4824 Signed-off-by: Dylan Reid <dylan_reid@bose.com> Signed-off-by: Stuart Menefy <stuart.menefy@st.com> Signed-off-by: Paul Mundt <lethal@linux-sh.org>
parent
2cd0ebc83d
commit
5d52013cbb
@ -80,6 +80,11 @@ ENTRY(copy_page)
|
||||
.section __ex_table, "a"; \
|
||||
.long 9999b, 6000f ; \
|
||||
.previous
|
||||
#define EX_NO_POP(...) \
|
||||
9999: __VA_ARGS__ ; \
|
||||
.section __ex_table, "a"; \
|
||||
.long 9999b, 6005f ; \
|
||||
.previous
|
||||
ENTRY(__copy_user)
|
||||
! Check if small number of bytes
|
||||
mov #11,r0
|
||||
@ -139,9 +144,9 @@ EX( mov.b r1,@r4 )
|
||||
bt 1f
|
||||
|
||||
2:
|
||||
EX( mov.b @r5+,r0 )
|
||||
EX_NO_POP( mov.b @r5+,r0 )
|
||||
dt r6
|
||||
EX( mov.b r0,@r4 )
|
||||
EX_NO_POP( mov.b r0,@r4 )
|
||||
bf/s 2b
|
||||
add #1,r4
|
||||
|
||||
@ -150,7 +155,7 @@ EX( mov.b r0,@r4 )
|
||||
|
||||
# Exception handler:
|
||||
.section .fixup, "ax"
|
||||
6000:
|
||||
6005:
|
||||
mov.l 8000f,r1
|
||||
mov r3,r0
|
||||
jmp @r1
|
||||
|
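Review bot: The new `EX_NO_POP` macro in the first hunk has no comment saying when it must be used instead of `EX`, and that rule is exactly what this bug was about: the right macro depends on whether the access runs before or after the stack pushes. I would add above the define something like `/* EX_NO_POP: only for accesses made before anything is pushed; its fixup (6005) must not take the pop path */`, with a matching line on `EX`. The `6000f`/`6005f` references resolve by position in the source, and the `6000:` target that `EX` now reaches is not visible in these hunks, so the relabelled `6005:` handler also deserves a comment naming which accesses land there. Because faults in `__copy_user` are driven by caller-supplied addresses, a test that faults on both the load and the store for a short and a long length would confirm each fixup path restores the stack correctly. The handler body continues past `jmp @r1`, outside the last hunk.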