Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!ccicpg!goshen
From: goshen@ccicpg.UUCP (Shmuel Goshen)
Newsgroups: comp.bugs.4bsd
Subject: Re: exec (really vinifod) can scribble random kernel data
Message-ID: <1497@ccicpg.UUCP>
Date: Tue, 28-Jul-87 03:21:49 EDT
Article-I.D.: ccicpg.1497
Posted: Tue Jul 28 03:21:49 1987
Date-Received: Wed, 29-Jul-87 04:36:52 EDT
References: <24281@sun.uucp>
Reply-To: goshen@ccicpg.UUCP (Shmuel Goshen)
Organization: CCI CPG, Irvine CA
Lines: 33

In article <24281@sun.uucp> shannon@sun.uucp (Bill Shannon) writes:
>Description:
>	vinifod (in vm_subr.c) is called with a pointer to pte's.  vinifod
>	calls bmap, which can sleep.  While the process is sleeping in bmap,
>	it can be swapped out.  When it is swapped back in, the pte's can
>	be allocated at a different kernel virtual address.  vinifod will
>	then use the old pte address and scribble on random kernel data.

>Fix:
>	In kern_exec.c, change line 453 to
>
>		u.u_procp->p_flag |= pagi | SKEEP;
>
>	After line 469 (after the call to vinifod) add:
>
>		u.u_procp->p_flag &= ~SKEEP;


The same fix should be made in vm_pt.c around line 120.
Set SKEEP before the call to vinifod and reset it after the
call. The modified text will look like:

	if (xp->x_flag & XLOAD) {
		p->p_flag |= SKEEP;
		vinifod((struct fpte *)tptopte(p, 0), PG_FTEXT, xp->x_iptr,
		    (daddr_t)1, xp->x_size);
		p->p_flag &= ~SKEEP;

-- 

Shmuel Goshen				(714) 951-8053	
Computer Consoles Inc.			(714) 458-7282
Irvine, CA.		  {allegra!hplabs!felix,seismo!rlgvax}!ccicpg!goshen
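As an added illustration, not part of the article or of 4.3BSD, here is a constructed user-space model of the hazard and of the SKEEP fix: `load_text(0)` replays the unpinned path (pte pointer captured, bmap sleeps, swapper relocates the pte's, stale pointer scribbles on the freed page) and `load_text(1)` applies the fix. SKEEP, vinifod and bmap are the article's names; the two-slot arena, the block numbers and `load_text` are assumptions of the model.

```c
#include <stddef.h>
#include <string.h>
/* Toy stand-ins (constructed, not 4.3BSD code); names follow the article. */
#define SKEEP 0x01                      /* "don't swap me out" */
#define NPTE  4
struct proc { int p_flag; unsigned *p_pte; };
static unsigned kvm[2][NPTE];           /* two possible kernel virtual addresses */
static unsigned *freed_page;            /* pte page handed back by the swapper */

/* Swapper: unless SKEEP is set, swap out and back in at a new address. */
static void swapper(struct proc *p)
{
    if ((p->p_flag & SKEEP) || p->p_pte != kvm[0])
        return;                         /* pinned, or already relocated once */
    memcpy(kvm[1], kvm[0], sizeof kvm[0]);
    freed_page = kvm[0];                /* old page now holds other kernel data */
    memset(freed_page, 0, sizeof kvm[0]);
    p->p_pte = kvm[1];
}
/* bmap: can sleep; while the process sleeps the swapper may run. */
static unsigned bmap(struct proc *p, unsigned lbn)
{
    swapper(p);
    return 1000 + lbn;                  /* made-up disk block number */
}
/* vinifod: fills in the pte's it was handed, one bmap call per page. */
static void vinifod(struct proc *p, unsigned *pte, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        pte[i] = bmap(p, i);            /* writes through the original pointer */
}
/* Exec path. Returns 0 if all is well; bit 0 = live pte's left unfilled,
 * bit 1 = the freed page was scribbled on through the stale pointer. */
int load_text(int use_skeep)
{
    struct proc p = { 0, kvm[0] };
    int bad = 0;
    memset(kvm, 0, sizeof kvm);
    freed_page = NULL;
    if (use_skeep)
        p.p_flag |= SKEEP;              /* the fix: pin before vinifod ... */
    vinifod(&p, p.p_pte, NPTE);         /* pointer captured before the sleep */
    p.p_flag &= ~SKEEP;                 /* ... and unpin after it */
    for (unsigned i = 0; i < NPTE; i++)
        if (p.p_pte[i] != 1000 + i)
            bad |= 1;
    if (freed_page != NULL && freed_page[0] != 0)
        bad |= 2;
    return bad;
}
```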