sh: __copy_user function can corrupt the stack in case of exception
The __copy_user function can corrupt the stack in the case of a non-trivial length of data, and either of the first two move instructions cause an exception. This is because the fixup for these two instructions is mapped to the no_pop case, but these instructions execute after the stack is pushed. This change creates an explicit NO_POP exception mapping macro, and uses it for the two instructions executed in the trivial case where no stack pushes occur. More information at ST Linux bugzilla: https://bugzilla.stlinux.com/show_bug.cgi?id=4824 Signed-off-by: Dylan Reid <dylan_reid@bose.com> Signed-off-by: Stuart Menefy <stuart.menefy@st.com> Signed-off-by: Paul Mundt <lethal@linux-sh.org>
This commit is contained in:
parent
2cd0ebc83d
commit
5d52013cbb
1 changed files with 8 additions and 3 deletions
|
@ -80,6 +80,11 @@ ENTRY(copy_page)
|
||||||
.section __ex_table, "a"; \
|
.section __ex_table, "a"; \
|
||||||
.long 9999b, 6000f ; \
|
.long 9999b, 6000f ; \
|
||||||
.previous
|
.previous
|
||||||
|
#define EX_NO_POP(...) \
|
||||||
|
9999: __VA_ARGS__ ; \
|
||||||
|
.section __ex_table, "a"; \
|
||||||
|
.long 9999b, 6005f ; \
|
||||||
|
.previous
|
||||||
ENTRY(__copy_user)
|
ENTRY(__copy_user)
|
||||||
! Check if small number of bytes
|
! Check if small number of bytes
|
||||||
mov #11,r0
|
mov #11,r0
|
||||||
|
@ -139,9 +144,9 @@ EX( mov.b r1,@r4 )
|
||||||
bt 1f
|
bt 1f
|
||||||
|
|
||||||
2:
|
2:
|
||||||
EX( mov.b @r5+,r0 )
|
EX_NO_POP( mov.b @r5+,r0 )
|
||||||
dt r6
|
dt r6
|
||||||
EX( mov.b r0,@r4 )
|
EX_NO_POP( mov.b r0,@r4 )
|
||||||
bf/s 2b
|
bf/s 2b
|
||||||
add #1,r4
|
add #1,r4
|
||||||
|
|
||||||
|
@ -150,7 +155,7 @@ EX( mov.b r0,@r4 )
|
||||||
|
|
||||||
# Exception handler:
|
# Exception handler:
|
||||||
.section .fixup, "ax"
|
.section .fixup, "ax"
|
||||||
6000:
|
6005:
|
||||||
mov.l 8000f,r1
|
mov.l 8000f,r1
|
||||||
mov r3,r0
|
mov r3,r0
|
||||||
jmp @r1
|
jmp @r1
|
||||||
|
|
Loading…
Reference in a new issue