authorjake <jake@FreeBSD.org>2002-04-20 16:23:52 +0000
committerjake <jake@FreeBSD.org>2002-04-20 16:23:52 +0000
commit69657315370005307a6b70440e55dbd184b3c6db (patch)
treec7c5a952f3aaf8263fdaddba26a847e96794c90d /sys/sparc64
parent91e565fab5e3b33750c4b0bda0d6f184a89774b6 (diff)
Check the alignment of the stack pointer before copying in windows from the
user stack in response to a failed window fill, allowing the process to be killed if it's wrong. This caused user programs which misalign their stack pointer to get stuck in an infinite loop at the kernel-userland boundary, which is mostly harmless. The same thing causes a fatal RED state exception on OpenBSD and probably NetBSD.
Inspired by: art@openbsd.org
Diffstat (limited to 'sys/sparc64')
-rw-r--r--sys/sparc64/sparc64/rwindow.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/sparc64/sparc64/rwindow.c b/sys/sparc64/sparc64/rwindow.c
index 2a29a23..0c5e5a6 100644
--- a/sys/sparc64/sparc64/rwindow.c
+++ b/sys/sparc64/sparc64/rwindow.c
@@ -60,6 +60,8 @@ rwindow_load(struct thread *td, struct trapframe *tf, int n)
for (i = 0; i < n; i++) {
CTR1(KTR_TRAP, "rwindow_load: usp=%#lx", usp);
usp += SPOFF;
+ if ((error = (usp & 0x7)) != 0)
+ break;
error = copyin((void *)usp, &rw, sizeof rw);
usp = rw.rw_in[6];
}
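Review bot: The result of `copyin()` is not checked before `usp = rw.rw_in[6];`, so a failed copy lets the loop carry on with whatever `rw` held before, and a later successful iteration overwrites `error`. The added alignment test stops at the first failure and the copy should too: put `if (error != 0)` and `break;` between the `copyin()` call and the `usp` update, as the copyout path in the rwindow_save hunk already does. Each next window address comes from user memory, so the walk should stop the moment one step cannot be validated. rwindow_load begins and ends outside this hunk, so the declaration of `rw` and the way `error` is returned are not visible here.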
@@ -91,6 +93,8 @@ rwindow_save(struct thread *td)
usp = *ausp;
CTR1(KTR_TRAP, "rwindow_save: usp=%#lx", usp);
usp += SPOFF;
+ if ((error = (usp & 0x7)) != 0)
+ break;
error = copyout(rw, (void *)usp, sizeof *rw);
if (error)
break;
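Review bot: `error = (usp & 0x7)` stores the low address bits (1 to 7) in `error`, where they read as errno values unrelated to the failure; the same line is added in the rwindow_load hunk. This is harmless if callers only test for non-zero, but that is not visible here, so an explicit code is clearer: test `(usp & 0x7) != 0` and set `error = EFAULT;` before the `break;`. A short comment such as `/* user %sp must be 8-byte aligned; fail here instead of retrying the window trap forever */` would record why the check exists. The loop in rwindow_save starts and ends outside the hunk.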