2006-08-12 02:33:08

by Chuck Ebbert

Subject: Re: + espfix-code-cleanup.patch added to -mm tree

In-Reply-To: <[email protected]>

On Tue, 01 Aug 2006 16:21:32 +0400, Stas Sergeev wrote:

> >> - .quad 0x0000920000000000 /* 0xd0 - ESPFIX 16-bit SS */
> >> + .quad 0x00cf92000000ffff /* 0xd0 - ESPFIX SS */
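Review bot: the replacement template on the `+` line carries limit 0xfffff with the 0xc flags nibble (G=1, 4 KiB granularity, 32-bit), so the ESPFIX SS spans the full 4 GiB and is only as safe as the runtime base fixup. Since the tightened byte limit is a one-line computation on the same value used for the base (new_esp | (THREAD_SIZE - 1), then >> 12 for the descriptor field), consider writing the limit field together with the base when the entry is patched at runtime, so a kernel pointer used through SS faults instead of silently addressing memory beyond the current stack.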

> > Seems a bit dangerous to allow access to full 4GB through this. Can you
> > tighten the limit any? I suppose not, because the high bits in %esp
> > really could be anything. But it might be nice to try setting the limit
> > to regs->esp + THREAD_SIZE. Of course, this is not strictly necessary,
> > just an extra paranoid protection mechanism.

> Since, when calculating the base, I do &-THREAD_SIZE, I guess the minimal
> safe limit is regs->esp + THREAD_SIZE*2... Well, may I just not do that, please? :)
> For what, btw? There are no such things for __KERNEL_DS or anything, so
> I just don't see the necessity.

It's really not that hard to get the limit:

limit_in_bytes = new_esp | (THREAD_SIZE - 1)
limit_in_pages = limit_in_bytes >> 12

And this will catch any bad accesses that assume zero-based pointers:

kernel stack is at f7000000
user stack is at b7000000

SS base = 40000000
SS limit = b7001fff

All kernel pointers will be >c0000000 and will trap on access if they
try to use SS. And it will work with any user/kernel split.

--
Chuck
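An added example (not from the thread) that carries the limit calculation above through to a descriptor in the .quad layout of the espfix GDT entries quoted earlier, and checks the worked values; THREAD_SIZE = 8192 and the 0xb7000000 / 0x40000000 stack and base values are assumed from the mail's example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed: 8 KiB kernel stacks, as on i386 at the time of this thread. */
#define THREAD_SIZE 8192u

/* Limit covering the whole THREAD_SIZE-aligned region that holds new_esp. */
uint32_t espfix_limit_bytes(uint32_t new_esp, uint32_t thread_size)
{
    return new_esp | (thread_size - 1);
}

/* The same limit in 4 KiB pages, as stored in a G=1 descriptor. */
uint32_t espfix_limit_pages(uint32_t new_esp, uint32_t thread_size)
{
    return espfix_limit_bytes(new_esp, thread_size) >> 12;
}

/* Build a present, writable, DPL0, 32-bit data segment (access byte 0x92,
 * flags 0xc = G=1 and D/B=1) in the .quad bit layout used by the GDT. */
uint64_t espfix_ss_descriptor(uint32_t base, uint32_t limit_pages)
{
    uint64_t d = 0;
    d |= (uint64_t)(limit_pages & 0xffff);             /* limit[15:0]  */
    d |= (uint64_t)(base & 0xffffff) << 16;            /* base[23:0]   */
    d |= (uint64_t)0x92 << 40;                         /* access byte  */
    d |= (uint64_t)((limit_pages >> 16) & 0xf) << 48;  /* limit[19:16] */
    d |= (uint64_t)0xc << 52;                          /* G=1, D/B=1   */
    d |= (uint64_t)(base >> 24) << 56;                 /* base[31:24]  */
    return d;
}

/* Decode the effective byte limit back out of a G=1 descriptor. */
uint32_t descriptor_limit_bytes(uint64_t d)
{
    uint32_t pages = (uint32_t)(d & 0xffff) | ((uint32_t)((d >> 48) & 0xf) << 16);
    return (pages << 12) | 0xfff;
}

/* Would a len-byte access at this SS offset pass the CPU's limit check?
 * Offsets >= 0xc0000000 (kernel pointers) fail against limit 0xb7001fff. */
bool ss_access_ok(uint32_t limit_bytes, uint32_t offset, uint32_t len)
{
    return len != 0 && offset <= limit_bytes && len - 1 <= limit_bytes - offset;
}
```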


2006-08-12 10:36:46

by Stas Sergeev

Subject: Re: + espfix-code-cleanup.patch added to -mm tree

Hello.

Chuck Ebbert wrote:
> It's really not that hard to get the limit:
> limit_in_bytes = new_esp | (THREAD_SIZE - 1)
> limit_in_pages = limit_in_bytes >> 12
I was worrying about corner cases. The new_esp can
be just about anything. It can be < THREAD_SIZE, in which
case the limit_in_pages will be 0. Or, I believe, it
can even be a negative value, which will turn into
a value larger than the old_esp.
But after calculating a few examples, I have almost
convinced myself that your technique will work in all
such cases. So I'll try that as soon as the new -mm's
will boot for me again.