Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!ccicpg!goshen
From: goshen@ccicpg.UUCP (Shmuel Goshen)
Newsgroups: comp.bugs.4bsd
Subject: Re: exec (really vinifod) can scribble random kernel data
Message-ID: <1497@ccicpg.UUCP>
Date: Tue, 28-Jul-87 03:21:49 EDT
Article-I.D.: ccicpg.1497
Posted: Tue Jul 28 03:21:49 1987
Date-Received: Wed, 29-Jul-87 04:36:52 EDT
References: <24281@sun.uucp>
Reply-To: goshen@ccicpg.UUCP (Shmuel Goshen)
Organization: CCI CPG, Irvine CA
Lines: 33

In article <24281@sun.uucp> shannon@sun.uucp (Bill Shannon) writes:
>Description:
>	vinifod (in vm_subr.c) is called with a pointer to pte's.  vinifod
>	calls bmap, which can sleep.  While the process is sleeping in bmap,
>	it can be swapped out.  When it is swapped back in, the pte's can
>	be allocated at a different kernel virtual address.  vinifod will
>	then use the old pte address and scribble on random kernel data.
>Fix:
>	In kern_exec.c, change line 453 to
>
>		u.u_procp->p_flag |= pagi | SKEEP;
>
>	After line 469 (after the call to vinifod) add:
>
>		u.u_procp->p_flag &= ~SKEEP;

The same fix should be made in vm_pt.c around line 120.  Set SKEEP before
the call to vinifod and reset it after the call.  The modified text will
look like:

	if (xp->x_flag & XLOAD) {
		p->p_flag |= SKEEP;
		vinifod((struct fpte *)tptopte(p, 0), PG_FTEXT, xp->x_iptr,
		    (daddr_t)1, xp->x_size);
		p->p_flag &= ~SKEEP;
-- 
Shmuel Goshen				(714) 951-8053
Computer Consoles Inc.			(714) 458-7282
Irvine, CA.
{allegra!hplabs!felix,seismo!rlgvax}!ccicpg!goshen
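The race in the thread above, as an added example that is not code from the post or from the 4.3BSD kernel: a user-space model in which a pte pointer is taken before a call that can sleep, the swapper moves the process's pte block while it sleeps, and the stale pointer is then written through. The struct and function names (struct proc, struct fpte, vinifod, bmap, SKEEP, the kvm slot array) are assumptions that loosely mirror the kernel names the thread mentions; the swapper model (one swap-out/in opportunity per exec, the freed block immediately reused by unrelated data) is constructed to make the scribble visible. Running run_exec(0, ...) reproduces the bug; run_exec(1, ...) pins the process with SKEEP around the vinifod call, as both fixes in the thread do.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a model of the vinifod race, not 4.3BSD code.  Names are
 * assumptions chosen to mirror the thread's vocabulary. */

#define SKEEP 0x0001u       /* modelled on the p_flag bit that keeps a process in core */
#define NPTE  4
#define NSLOT 2

struct fpte { unsigned pg_fod; unsigned pg_blkno; };   /* simplified fill-on-demand pte */

struct proc {
    unsigned     p_flag;
    struct fpte *p_ptes;     /* current kernel virtual address of this process's ptes */
    int          p_slot;
    int          p_swapped;  /* model: the swapper gets one chance per exec */
};

/* Toy kernel virtual memory: NSLOT blocks, each big enough for one pte array. */
static struct fpte    kvm[NSLOT][NPTE];
static int            kvm_busy[NSLOT];
static int            foreign_slot = -1;          /* block reused by unrelated kernel data */
static const unsigned OTHER_MAGIC  = 0xDEADBEEFu; /* constructed "random kernel data" */

static int kvm_alloc(void)
{
    int i;
    for (i = 0; i < NSLOT; i++)
        if (!kvm_busy[i]) { kvm_busy[i] = 1; memset(kvm[i], 0, sizeof kvm[i]); return i; }
    return -1;
}

/* Swapper: unless the process is pinned with SKEEP, its pte block is given up,
 * unrelated kernel data takes that block over, and the ptes come back at a
 * different kernel virtual address when the process is swapped in. */
static void swap_out_and_in(struct proc *p)
{
    int j;
    if ((p->p_flag & SKEEP) || p->p_swapped)
        return;
    p->p_swapped = 1;
    foreign_slot = p->p_slot;
    for (j = 0; j < NPTE; j++) {              /* another allocation now owns this block */
        kvm[foreign_slot][j].pg_fod   = OTHER_MAGIC;
        kvm[foreign_slot][j].pg_blkno = OTHER_MAGIC;
    }
    p->p_slot = kvm_alloc();
    p->p_ptes = kvm[p->p_slot];
}

/* bmap: maps a file block to a disk block.  It can sleep on I/O, and while this
 * process sleeps the swapper may run. */
static unsigned bmap(struct proc *p, unsigned lbn)
{
    swap_out_and_in(p);
    return 1000u + lbn;
}

/* vinifod as the thread describes it: a pte pointer is passed in, bmap is called
 * (and may sleep), then the pointer is written through without re-checking. */
static void vinifod(struct proc *p, struct fpte *pte, unsigned bn, unsigned count)
{
    unsigned i;
    for (i = 0; i < count; i++) {
        pte[i].pg_blkno = bmap(p, bn + i);
        pte[i].pg_fod   = 1;
    }
}

/* One exec-time fill.  pin=0 calls vinifod as before the fix; pin=1 sets SKEEP
 * around the call as the fix does.  Returns how many of the process's live ptes
 * hold the expected block numbers; *scribbled receives how many entries of the
 * unrelated kernel data were overwritten through the stale pointer. */
int run_exec(int pin, int *scribbled)
{
    struct proc  p;
    struct fpte *pte;
    int i, live = 0;

    memset(kvm, 0, sizeof kvm);
    memset(kvm_busy, 0, sizeof kvm_busy);
    foreign_slot = -1;
    memset(&p, 0, sizeof p);
    p.p_slot = kvm_alloc();
    p.p_ptes = kvm[p.p_slot];

    pte = p.p_ptes;                 /* pointer taken before the sleep, as kern_exec.c does */
    if (pin) p.p_flag |= SKEEP;
    vinifod(&p, pte, 1, NPTE);
    if (pin) p.p_flag &= ~SKEEP;

    for (i = 0; i < NPTE; i++)
        if (p.p_ptes[i].pg_fod == 1 && p.p_ptes[i].pg_blkno == 1000u + 1 + (unsigned)i)
            live++;

    *scribbled = 0;
    if (foreign_slot >= 0)
        for (i = 0; i < NPTE; i++)
            if (kvm[foreign_slot][i].pg_fod   != OTHER_MAGIC ||
                kvm[foreign_slot][i].pg_blkno != OTHER_MAGIC)
                (*scribbled)++;
    return live;
}

int live_unpinned(void)      { int s; return run_exec(0, &s); }
int scribbled_unpinned(void) { int s; run_exec(0, &s); return s; }
int live_pinned(void)        { int s; return run_exec(1, &s); }
int scribbled_pinned(void)   { int s; run_exec(1, &s); return s; }

int main(void)
{
    printf("without SKEEP: %d live ptes filled, %d foreign entries scribbled\n",
           live_unpinned(), scribbled_unpinned());
    printf("with SKEEP:    %d live ptes filled, %d foreign entries scribbled\n",
           live_pinned(), scribbled_pinned());
    return 0;
}
```

The point the model makes is the one both fixes rely on: SKEEP does not make the stale pointer valid, it stops the swapper from moving the block while the pointer is held, so every write lands in the process's own ptes and none in whatever reused the old address.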