
Commit 5d52013c authored by Stuart MENEFY's avatar Stuart MENEFY Committed by Paul Mundt

sh: __copy_user function can corrupt the stack in case of exception

The __copy_user function can corrupt the stack in the case of a
non-trivial length of data, and either of the first two move instructions
cause an exception. This is because the fixup for these two instructions
is mapped to the no_pop case, but these instructions execute after the
stack is pushed.

This change creates an explicit NO_POP exception mapping macro, and uses
it for the two instructions executed in the trivial case where no stack
pushes occur.

More information at ST Linux bugzilla:

	https://bugzilla.stlinux.com/show_bug.cgi?id=4824



Signed-off-by: Dylan Reid <dylan_reid@bose.com>
Signed-off-by: Stuart Menefy <stuart.menefy@st.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
parent 2cd0ebc8
+8 −3
@@ -80,6 +80,11 @@ ENTRY(copy_page)
	.section __ex_table, "a";	\
	.long 9999b, 6000f	;	\
	.previous
#define EX_NO_POP(...)			\
	9999: __VA_ARGS__ ;		\
	.section __ex_table, "a";	\
	.long 9999b, 6005f	;	\
	.previous
ENTRY(__copy_user)
	! Check if small number of bytes
	mov	#11,r0
@@ -139,9 +144,9 @@ EX( mov.b r1,@r4 )
	bt	1f

2:
EX(	mov.b	@r5+,r0		)
EX_NO_POP(	mov.b	@r5+,r0		)
	dt	r6
EX(	mov.b	r0,@r4		)
EX_NO_POP(	mov.b	r0,@r4		)
	bf/s	2b
	 add	#1,r4

@@ -150,7 +155,7 @@ EX( mov.b r0,@r4 )

# Exception handler:
.section .fixup, "ax"
6000:
6005:
	mov.l	8000f,r1
	mov	r3,r0
	jmp	@r1
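Review bot: The two fixup macros in the first hunk differ only in their target label (`6000f` vs `6005f`) and have no comment saying when each is safe to use, which is the mix-up this commit repairs. I would add above `EX_NO_POP` something like `/* EX_NO_POP: only for accesses made before anything is pushed on the stack; its fixup (6005) returns without popping. Use EX() once registers have been saved. */`. Because the third hunk changes the visible `6000:` to `6005:`, every existing `EX()` now resolves `6000f` to whichever `6000:` follows it outside these hunks, presumably the fixup that restores the saved registers. That is worth confirming by reading the whole file, since a fault on a caller-supplied pointer that lands in the wrong fixup leaves the kernel stack unbalanced. The body of `__copy_user` and the rest of the fixup code lie outside the hunks shown.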