Check the alignment of the stack pointer before copying in windows from the

user stack in response to a failed window fill, allowing the process to be killed if its wrong. This caused user programs which misalign their stack pointer to get stuck in an infinite loop at the kernel-userland boundary, which is mostly harmless. The same thing causes a fatal RED state exception on OpenBSD and probably NetBSD. Inspired by: art@openbsd.org
svn path=/head/; revision=95134
2024-09-20 00:33:57 +00:00 · 2002-04-20 16:23:52 +00:00 · 2002-04-20 16:23:52 +00:00 · d1fef1792c · 2020-12-20 02:59:44 +00:00
parent bb52b4f3fc
commit d1fef1792c
1 changed files with 4 additions and 0 deletions
--- a/sys/sparc64/sparc64/rwindow.c
+++ b/sys/sparc64/sparc64/rwindow.c
@ -60,6 +60,8 @@ rwindow_load(struct thread *td, struct trapframe *tf, int n)
 	for (i = 0; i < n; i++) {
 		CTR1(KTR_TRAP, "rwindow_load: usp=%#lx", usp);
 		usp += SPOFF;
+		if ((error = (usp & 0x7)) != 0)
+			break;
 		error = copyin((void *)usp, &rw, sizeof rw);
 		usp = rw.rw_in[6];
 	}
@ -91,6 +93,8 @@ rwindow_save(struct thread *td)
 		usp = *ausp;
 		CTR1(KTR_TRAP, "rwindow_save: usp=%#lx", usp);
 		usp += SPOFF;
+		if ((error = (usp & 0x7)) != 0)
+			break;
 		error = copyout(rw, (void *)usp, sizeof *rw);
 		if (error)
 			break;