Re: [x86] Access off the bottom of stack causes a segfault?

From: Chris Lattner (sabre_at_nondot.org)
Date: 10/14/03

    Date:	Tue, 14 Oct 2003 13:49:04 -0500 (CDT)
    To: linux-kernel@vger.kernel.org

    On Tue, 14 Oct 2003, Chris Lattner wrote:
    > Generated code:
    > .intel_syntax
    > ...
    > main:
    > mov DWORD PTR [%ESP - 16004], %EBP # Save EBP to stack
    > mov %EBP, %ESP # Set up EBP
    > sub %ESP, 16004 # Finally adjust ESP
    > lea %EAX, DWORD PTR [%EBP - 16000] # Get the address of the array
    > ...
    > mov %EAX, 0 # Setup return value
    > mov %ESP, %EBP # restore ESP
    > mov %EBP, DWORD PTR [%ESP - 16004] # Restore EBP from stack
    > ret

    Ok, I found my own "answer": arch/i386/mm/fault.c:

                    /*
                     * accessing the stack below %esp is always a bug.
                     * The "+ 32" is there due to some instructions (like
                     * pusha) doing post-decrement on the stack and that
                     * doesn't show up until later..
                     */
                    if (address + 32 < regs->esp)
                            goto bad_area;

    Why exactly is accessing the stack below %esp always a bug?

    -Chris

    -- 
    http://llvm.cs.uiuc.edu/
    http://www.nondot.org/~sabre/Projects/
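A model of the fault.c check quoted above, replayed over the stack accesses in the posted prologue and epilogue; this is an added example, not kernel or LLVM code, and the "adjusted" ordering is an assumed contrast rather than a fix taken from this thread. It assumes each access page-faults, which is what happens when a fresh 16 KB frame reaches below the stack pages mapped so far.

```c
/* Added example, not kernel or LLVM code: the fault.c check quoted above,
 * replayed over the stack accesses in the posted prologue and epilogue.
 * Assumption: each access is treated as if it page-faulted (what happens
 * when a 16 KB frame reaches below the stack pages mapped so far); in the
 * real kernel the check runs only on such faults, in the VM_GROWSDOWN path. */
#include <stdint.h>
#include <stdbool.h>

/* The quoted rule: a faulting address more than 32 bytes below %esp is a
 * bug (goto bad_area, i.e. SIGSEGV).  The slack covers instructions such
 * as pusha whose %esp update is observed late. */
static bool stack_access_is_bad(uint32_t address, uint32_t esp)
{
    return address + 32 < esp;
}

/* One stack access: %esp (relative to the entry %esp) at the moment the
 * access executes, and the offset the instruction applies to that %esp. */
struct access { int32_t esp_delta; int32_t offset; };

/* Index of the first access the fault handler would reject, or -1. */
static int first_bad_access(const struct access *seq, int n, uint32_t esp0)
{
    for (int i = 0; i < n; i++) {
        uint32_t esp = esp0 + seq[i].esp_delta;
        if (stack_access_is_bad(esp + seq[i].offset, esp))
            return i;
    }
    return -1;
}

/* Accesses from the posted code, in execution order. */
static const struct access posted[] = {
    { 0,      -16004 },  /* mov [%esp - 16004], %ebp, before sub %esp */
    { -16004,  4 },      /* ordinary frame use after sub %esp, 16004 */
    { 0,      -16004 },  /* epilogue: mov %ebp, [%esp - 16004] once %esp = %ebp */
};

/* Contrast, an assumed ordering rather than one from the thread: move %esp
 * first and keep the saved %ebp inside the frame, so nothing is below %esp. */
static const struct access adjusted[] = {
    { -16004, 0 },       /* sub %esp, 16004 ; mov [%esp], %ebp */
    { -16004, 4 },
    { -16004, 0 },       /* mov %ebp, [%esp] before mov %esp, %ebp */
};

int posted_first_bad(uint32_t esp0)   { return first_bad_access(posted, 3, esp0); }
int adjusted_first_bad(uint32_t esp0) { return first_bad_access(adjusted, 3, esp0); }
```

The posted sequence is rejected at its very first access (the EBP save), while the adjusted ordering never touches memory below %esp and passes the check.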