maybe the kernel should use something like this to validate pointers to null terminated strings?
(this assumes that validaddr for a byte will also be valid for the whole page)

	/* validate a nul-terminated user string one page at a time */
	void
	validstraddr(char *p)
	{
		char *x;

		for(;;){
			validaddr((ulong)p, 1, 0);
			/* end of the page containing p */
			x = (char*)(((ulong)p & ~(BY2PG-1))+BY2PG);
			for(; p < x; p++){
				if(*p == 0)
					return;
			}
		}
	}

-- cinap
--- Begin Message ---

There exist crash bugs in some of the system call handlers to do with string validation; sometimes, only the first byte of an argument string is validated. The following program reliably causes a kernel panic for me:

	#include <u.h>
	#include <libc.h>

	#define SEGBASE (char*)0x40000000
	#define SEGSIZE 4096

	int
	main()
	{
		segattach(0, "shared", SEGBASE, SEGSIZE);
		/* last byte of the segment is 'a', with no terminator after it */
		*(char*)(SEGBASE + SEGSIZE - 1) = 'a';
		exec((char*)SEGBASE + SEGSIZE - 1, nil);
		return 0;
	}

-- Elly
--- End Message ---
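To make the difference between the two approaches concrete, here is an added user-space model of the problem (example code, not part of either message and not Plan 9 kernel code). It assumes a toy address space `mem[]` with a made-up page size `BY2PG` of 64 and a `mapped[]` table of attached pages; `validaddr()` and `peek()` are stand-ins for the kernel's `validaddr` and for a raw memory read, which in the real kernel would fault on an unmapped page. It runs both the first-byte-only check from Elly's report and cinap's page-by-page walk against the reported layout (a lone `'a'` in the last byte of the last mapped page) and against a control string that legitimately crosses into a mapped page.

```c
/*
 * Added example, not kernel code: a user-space model of page-granular
 * string validation. mem[] is a constructed toy address space; validaddr()
 * and peek() stand in for the kernel's validaddr and for a raw read.
 */
#include <stdio.h>
#include <string.h>
#include <setjmp.h>

#define BY2PG 64		/* toy page size (assumption) */
#define NPG   4			/* pages in the toy address space */

enum { OK = 0, REJECTED = 1, PANIC = 2 };

static unsigned char mem[NPG*BY2PG];	/* constructed memory */
static int mapped[NPG];			/* which pages are attached */
static jmp_buf errjmp;
static volatile int errcode;

static void
fail(int code)
{
	errcode = code;
	longjmp(errjmp, 1);
}

/* Stand-in for validaddr(addr, len, write): every page touched by
 * [a, a+len) must be mapped, otherwise the call is rejected cleanly. */
static void
validaddr(unsigned long a, unsigned long len, int write)
{
	unsigned long pg, last = (a + len - 1) / BY2PG;

	(void)write;
	for(pg = a / BY2PG; pg <= last; pg++)
		if(pg >= NPG || !mapped[pg])
			fail(REJECTED);
}

/* Raw read: in the kernel an unmapped page here is a fault, i.e. a panic. */
static unsigned char
peek(unsigned long a)
{
	if(a / BY2PG >= NPG || !mapped[a / BY2PG])
		fail(PANIC);
	return mem[a];
}

/* The buggy pattern from the report: validate only the first byte,
 * then scan for the terminator with no further checks. */
static void
validstr_firstbyte(unsigned long p)
{
	validaddr(p, 1, 0);
	while(peek(p) != 0)
		p++;
}

/* cinap's walk: validate one byte per page, scan to the end of that
 * page, and validate the next page only if no terminator was found. */
static void
validstraddr(unsigned long p)
{
	unsigned long x;

	for(;;){
		validaddr(p, 1, 0);
		x = (p & ~(unsigned long)(BY2PG-1)) + BY2PG;
		for(; p < x; p++)
			if(peek(p) == 0)
				return;
	}
}

/* Run a validator on address p; returns OK, REJECTED or PANIC. */
static int
run(void (*validate)(unsigned long), unsigned long p)
{
	if(setjmp(errjmp) != 0)
		return errcode;
	validate(p);
	return OK;
}

/* Elly's layout: page 0 mapped, page 1 not, 'a' in the last byte of page 0. */
static int
scenario_unterminated(void (*validate)(unsigned long))
{
	memset(mem, 0, sizeof mem);
	memset(mapped, 0, sizeof mapped);
	mapped[0] = 1;
	mem[BY2PG-1] = 'a';
	return run(validate, BY2PG-1);
}

/* Control: a string that legitimately crosses into a mapped second page. */
static int
scenario_crossing(void (*validate)(unsigned long))
{
	memset(mem, 0, sizeof mem);
	memset(mapped, 0, sizeof mapped);
	mapped[0] = mapped[1] = 1;
	memcpy(mem + BY2PG - 2, "abc", 4);	/* "ab" in page 0, "c\0" in page 1 */
	return run(validate, BY2PG-2);
}

int
main(void)
{
	printf("first-byte check, unterminated: %d (%d = panic)\n",
		scenario_unterminated(validstr_firstbyte), PANIC);
	printf("page walk, unterminated: %d (%d = rejected)\n",
		scenario_unterminated(validstraddr), REJECTED);
	printf("page walk, crossing: %d (%d = ok)\n",
		scenario_crossing(validstraddr), OK);
	return 0;
}
```

The first-byte check passes `validaddr` and then runs off the end of the mapped page while looking for the terminator, which is the panic in the report; the page walk hits `validaddr` again at the page boundary and returns an error instead. The walk relies on the same assumption cinap states: if one byte of a page is valid, the whole page is, so one check per page is enough.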