On Fri, Sep 13, 2013 at 3:03 AM, Wolfram Gloger <wm...@dent.med.uni-muenchen.de> wrote:
> "H. Peter Anvin" <h...@zytor.com> writes:
>
>> Actually, the sanest would be:
>>
>> if (fp < (unsigned long)stack ||
>> fp >= (unsigned long)stack+(THREAD_SIZE-16))
>>
>> ... wouldn't it (since we are accessing an 8-byte datum at offset +8?
>
> Ok, splitting hairs maybe, what about this V2 of the patch?
>
> fp is under userspace control. stack-8 cannot underflow, otherwise we'd
> have much more serious problems in kernel space.
>
> Hence, for dereferencing fp+8:
>
> The case fp == stack-8 is valid.
> As is the case fp == stack+(THREAD_SIZE-16).
> Everything outside is invalid.
>
> About the worst-case implications: Like I said I have not reproduced it
> and cannot really comment on that.
+kees@, linux-kernel@
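The bounds arithmetic argued over above, as an added example that is not code from the thread or from the kernel: a general check that the width-byte read at fp+off lies entirely inside the stack page, placed beside the two candidate tests quoted in the thread so the boundary cases can be compared. THREAD_SIZE and the stack address are constructed values, and as in the thread the stack page is assumed not to sit at the very top or bottom of the address space.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's THREAD_SIZE (assumption: 16 KiB). */
#define THREAD_SIZE 16384UL

/*
 * Does the 'width'-byte read at fp + off lie entirely inside the region
 * [stack, stack + THREAD_SIZE)?  fp is attacker-controlled, so the check
 * must not wrap: refuse any fp/off/width whose sum would overflow, then
 * compare the first and last byte touched against the region.
 */
static bool access_in_stack(unsigned long fp, unsigned long stack,
                            unsigned long off, unsigned long width)
{
    unsigned long first, last;

    if (width == 0 || off > ULONG_MAX - fp)
        return false;
    first = fp + off;
    if (width - 1 > ULONG_MAX - first)
        return false;
    last = first + width - 1;               /* last byte touched */
    /* last - stack cannot wrap once first >= stack holds */
    return first >= stack && last - stack < THREAD_SIZE;
}

/* H. Peter Anvin's variant from the thread, as a predicate. */
static bool hpa_check(unsigned long fp, unsigned long stack)
{
    return !(fp < stack || fp >= stack + (THREAD_SIZE - 16));
}

/* The V2 bounds Wolfram derives for an 8-byte read at fp+8. */
static bool v2_check(unsigned long fp, unsigned long stack)
{
    return !(fp < stack - 8 || fp > stack + (THREAD_SIZE - 16));
}

int main(void)
{
    unsigned long stack = 0x10000UL;        /* constructed page address */
    unsigned long fps[] = { stack - 16, stack - 8, stack,
                            stack + THREAD_SIZE - 16, stack + THREAD_SIZE - 8 };
    for (unsigned i = 0; i < 5; i++)
        printf("fp=stack%+ld general=%d hpa=%d v2=%d\n", (long)(fps[i] - stack),
               access_in_stack(fps[i], stack, 8, 8),
               hpa_check(fps[i], stack), v2_check(fps[i], stack));
    return 0;
}
```

Both boundary values Wolfram names are accepted by the general check and by V2, while the quoted earlier variant rejects them; everything outside those bounds is rejected by all three.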