From 4316052bbe0c4e38cbaf4286b6273826b52a3cd3 Mon Sep 17 00:00:00 2001 From: David van Moolenbroek Date: Thu, 27 Feb 2014 18:30:45 +0100 Subject: [PATCH] Kernel: fix register corruption on signal delivery This fixes problems with test79 and other programs. Change-Id: I14de097a3b01114ec5dbd687ab5be9290ad13fc7 --- kernel/system/do_sigsend.c | 51 ++++++++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 18 deletions(-) diff --git a/kernel/system/do_sigsend.c b/kernel/system/do_sigsend.c index ea1573413..e43554d65 100644 --- a/kernel/system/do_sigsend.c +++ b/kernel/system/do_sigsend.c @@ -24,6 +24,9 @@ int do_sigsend(struct proc * caller, message * m_ptr) register struct proc *rp; struct sigframe_sigcontext fr, *frp; int proc_nr, r; +#if defined(__i386__) + reg_t new_fp; +#endif if (!isokendpt(m_ptr->m_sigcalls.endpt, &proc_nr)) return EINVAL; if (iskerneln(proc_nr)) return EPERM; @@ -35,6 +38,10 @@ int do_sigsend(struct proc * caller, message * m_ptr) (vir_bytes)&smsg, (phys_bytes) sizeof(struct sigmsg))) != OK) return r; + /* WARNING: the following code may be run more than once even for a single + * signal delivery. Do not change registers here. See the comment below. + */ + /* Compute the user stack pointer where sigframe will start. */ smsg.sm_stkptr = arch_get_sp(rp); frp = (struct sigframe_sigcontext *) smsg.sm_stkptr - 1; @@ -62,7 +69,7 @@ int do_sigsend(struct proc * caller, message * m_ptr) fr.sf_sc.sc_ss = rp->p_reg.ss; fr.sf_fp = rp->p_reg.fp; fr.sf_signum = smsg.sm_signo; - rp->p_reg.fp = (reg_t) &frp->sf_fp; + new_fp = (reg_t) &frp->sf_fp; fr.sf_scpcopy = fr.sf_scp; fr.sf_ra_sigreturn = smsg.sm_sigreturn; fr.sf_ra= rp->p_reg.pc; @@ -74,11 +81,11 @@ int do_sigsend(struct proc * caller, message * m_ptr) return EINVAL; } - if (proc_used_fpu(rp)) { - /* save the FPU context before saving it to the sig context */ - save_fpu(rp); - memcpy(&fr.sf_sc.sc_fpu_state, rp->p_seg.fpu_state, FPU_XFP_SIZE); - } + if (proc_used_fpu(rp)) { + /* save the FPU context before saving it to the sig context */ + save_fpu(rp); + memcpy(&fr.sf_sc.sc_fpu_state, rp->p_seg.fpu_state, FPU_XFP_SIZE); + } #endif #if defined(__arm__) @@ -108,10 +115,28 @@ int do_sigsend(struct proc * caller, message * m_ptr) fr.sf_sc.sc_magic = SC_MAGIC; /* Initialize the sigframe structure. */ - fpu_sigcontext(rp, &fr, &fr.sf_sc); -#if defined(__arm__) + /* Copy the sigframe structure to the user's stack. */ + if ((r = data_copy_vmcheck(caller, KERNEL, (vir_bytes)&fr, + m_ptr->m_sigcalls.endpt, (vir_bytes)frp, + (vir_bytes)sizeof(struct sigframe_sigcontext))) != OK) + return r; + + /* WARNING: up to the statement above, the code may run multiple times, since + * copying out the frame/context may fail with VMSUSPEND the first time. For + * that reason, changes to process registers *MUST* be deferred until after + * this last copy -- otherwise, these changes will be made several times, + * possibly leading to corrupted process state. + */ + + /* Reset user registers to execute the signal handler. */ + rp->p_reg.sp = (reg_t) frp; + rp->p_reg.pc = (reg_t) smsg.sm_sighandler; + +#if defined(__i386__) + rp->p_reg.fp = new_fp; +#elif defined(__arm__) /* use the ARM link register to set the return address from the signal * handler */ @@ -125,16 +150,6 @@ int do_sigsend(struct proc * caller, message * m_ptr) rp->p_misc_flags |= MF_CONTEXT_SET; #endif - /* Copy the sigframe structure to the user's stack. */ - if ((r = data_copy_vmcheck(caller, KERNEL, (vir_bytes)&fr, - m_ptr->m_sigcalls.endpt, (vir_bytes)frp, - (vir_bytes)sizeof(struct sigframe_sigcontext))) != OK) - return r; - - /* Reset user registers to execute the signal handler. */ - rp->p_reg.sp = (reg_t) frp; - rp->p_reg.pc = (reg_t) smsg.sm_sighandler; - /* Signal handler should get clean FPU. */ rp->p_misc_flags &= ~MF_FPU_INITIALIZED;