[Bug 257193] bad pointer to kernel copyin() causes it to loop forever

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 14 Jul 2021 20:22:12 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257193

            Bug ID: 257193
           Summary: bad pointer to kernel copyin() causes it to loop
                    forever
           Product: Base System
           Version: CURRENT
          Hardware: riscv
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: riscv
          Assignee: riscv@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

The RISC-V kernel copyin() routine loops forever if the user passes a
pointer with the high bit set. I'm using qemu 5.2.0 to run this image:

https://download.freebsd.org/ftp/snapshots/VM-IMAGES/14.0-CURRENT/riscv64/Latest/FreeBSD-14.0-CURRENT-riscv-riscv64.raw.xz

I compile and run this program:

  #include <fcntl.h>
  #include <stdint.h>

  int main(void)
  {
    /* User pointer with the high bit set, outside the user address range. */
    fcntl(1, F_GETLK, (struct flock *)(uintptr_t)0x800000c000000000);
    return 0;
  }

The kernel fcntl calls copyin(), which never returns. I'm guessing that
copyin's bgt in copyinout.S should be a bgtu:

ENTRY(copyin)
    beqz    a2, copyin_end  /* If len == 0 then skip loop */
    add a3, a0, a2
    li  a4, VM_MAXUSER_ADDRESS
    bgt  a3, a4, copyio_fault_nopcb
    ...
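The range check above, modelled in C as an added example (not code from the bug report or from the FreeBSD sources): `bgt` compares as signed 64-bit values, so an end address with the high bit set reads as negative and passes the check, while an unsigned compare (the `bgtu` suggested in the report) rejects it. The VM_MAXUSER_ADDRESS value is assumed for illustration, and the unsigned variant also rejects a start+length that wraps past zero.

```c
/* Added example: signed vs. unsigned user-address range check.
 * VM_MAXUSER_ADDRESS below is an assumed value for illustration only;
 * the real one lives in the RISC-V vmparam.h. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define VM_MAXUSER_ADDRESS 0x0000004000000000ULL  /* assumed */

/* Mirrors `add a3,a0,a2; li a4,VM_MAXUSER_ADDRESS; bgt a3,a4,fault`.
 * bgt is a signed compare. Returns true when the check would fault. */
static bool range_check_signed(uint64_t uaddr, size_t len)
{
    int64_t end = (int64_t)(uaddr + len);
    return end > (int64_t)VM_MAXUSER_ADDRESS;
}

/* Same check with bgtu semantics (unsigned compare), plus a wrap-around
 * test so that uaddr + len overflowing past zero is rejected too. */
static bool range_check_unsigned(uint64_t uaddr, size_t len)
{
    uint64_t end = uaddr + len;
    if (end < uaddr)            /* wrapped around 2^64 */
        return true;
    return end > VM_MAXUSER_ADDRESS;
}

int main(void)
{
    uint64_t bad = 0x800000c000000000ULL;  /* pointer from the report */
    uint64_t good = 0x1000;                /* ordinary user address */

    /* The signed check lets the bad pointer through; the unsigned one faults. */
    printf("signed check faults on bad ptr:    %d\n", range_check_signed(bad, 32));
    printf("unsigned check faults on bad ptr:  %d\n", range_check_unsigned(bad, 32));
    printf("unsigned check faults on good ptr: %d\n", range_check_unsigned(good, 32));
    return 0;
}
```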
