tech-kern: Re: kcopy() audit

Subject: Re: kcopy() audit
To: None <tech-kern@netbsd.org>
From: Charles M. Hannum <root@ihack.net>
List: tech-kern
Date: 11/26/1998 16:10:47
Here are untested patches for i386, sparc, sparc64.

There were a couple of other bogons:
1) The sparc version didn't even clear pcb_onfault in one case.
2) The sparc and sparc64 versions returned -1 rather that EFAULT
   (though nothing actually cares about this).

-----8<-----snip-----8<-----snip-----8<-----snip-----8<-----snip-----8<-----
Index: i386/i386/locore.s
===================================================================
RCS file: /cvsroot/src/sys/arch/i386/i386/locore.s,v
retrieving revision 1.202
diff -c -2 -r1.202 locore.s
*** locore.s	1998/10/01 04:37:15	1.202
--- locore.s	1998/11/26 21:08:29
***************
*** 1031,1036 ****
  	pushl	%esi
  	pushl	%edi
- 
  	movl	_curpcb,%eax	# load curpcb into eax and set on-fault
  	movl	$_copy_fault, PCB_ONFAULT(%eax)
  
--- 1031,1036 ----
  	pushl	%esi
  	pushl	%edi
  	movl	_curpcb,%eax	# load curpcb into eax and set on-fault
+ 	pushl	PCB_ONFAULT(%eax)
  	movl	$_copy_fault, PCB_ONFAULT(%eax)
  
***************
*** 1051,1059 ****
  	movsb
  
! 	xorl	%eax,%eax
  	popl	%edi
  	popl	%esi
! 	movl    _curpcb,%edx
! 	movl    %eax,PCB_ONFAULT(%edx)
  	ret
  
--- 1051,1059 ----
  	movsb
  
! 	movl    _curpcb,%edx
! 	popl    PCB_ONFAULT(%edx)
  	popl	%edi
  	popl	%esi
! 	xorl	%eax,%eax
  	ret
  
***************
*** 1073,1083 ****
  	rep
  	movsl
  
! 	xorl	%eax,%eax
  	popl	%edi
  	popl	%esi
! 	movl    _curpcb,%edx
! 	movl    %eax,PCB_ONFAULT(%edx)
! 	cld
  	ret
  #endif
--- 1073,1083 ----
  	rep
  	movsl
+ 	cld
  
! 	movl    _curpcb,%edx
! 	popl    PCB_ONFAULT(%edx)
  	popl	%edi
  	popl	%esi
! 	xorl	%eax,%eax
  	ret
  #endif
***************
*** 1097,1100 ****
--- 1097,1101 ----
  	pushl	%esi
  	pushl	%edi
+ 	pushl	$0
  	
  	movl	12(%esp),%esi
***************
*** 1183,1191 ****
  	rep
  	movsb
- 	xorl	%eax,%eax
  
  	popl	%edi
  	popl	%esi
! 	movl	%eax,PCB_ONFAULT(%edx)
  	ret
  
--- 1184,1192 ----
  	rep
  	movsb
  
+ 	popl	PCB_ONFAULT(%edx)
  	popl	%edi
  	popl	%esi
! 	xorl	%eax,%eax
  	ret
  
***************
*** 1198,1201 ****
--- 1199,1203 ----
  	pushl	%edi
  	movl	_curpcb,%eax
+ 	pushl	$0
  	movl	$_copy_fault,PCB_ONFAULT(%eax)
  	
***************
*** 1225,1241 ****
  	rep
  	movsb
- 	xorl	%eax,%eax
  
  	popl	%edi
  	popl	%esi
! 	movl	_curpcb,%edx
! 	movl	%eax,PCB_ONFAULT(%edx)
  	ret
  
  ENTRY(copy_fault)
  	popl	%edi
  	popl	%esi
- 	movl	_curpcb,%edx
- 	movl	$0,PCB_ONFAULT(%edx)
  	movl	$EFAULT,%eax
  	ret
--- 1227,1243 ----
  	rep
  	movsb
  
+ 	movl	_curpcb,%edx
+ 	popl	PCB_ONFAULT(%edx)
  	popl	%edi
  	popl	%esi
! 	xorl	%eax,%eax
  	ret
  
  ENTRY(copy_fault)
+ 	movl	_curpcb,%edx
+ 	popl	PCB_ONFAULT(%edx)
  	popl	%edi
  	popl	%esi
  	movl	$EFAULT,%eax
  	ret
Index: sparc/sparc/locore.s
===================================================================
RCS file: /cvsroot/src/sys/arch/sparc/sparc/locore.s,v
retrieving revision 1.105
diff -c -2 -r1.105 locore.s
*** locore.s	1998/10/24 08:04:07	1.105
--- locore.s	1998/11/26 21:08:30
***************
*** 5590,5593 ****
--- 5590,5594 ----
  	ld	[%o5 + %lo(_cpcb)], %o5
  	set	Lkcerr, %o3
+ 	ld	%o6, [%o5 + PCB_ONFAULT]! save fault handler
  	st	%o3, [%o5 + PCB_ONFAULT]
  
***************
*** 5611,5615 ****
  	inc	%o1
  1:
! 	st	%g0, [%o5 + PCB_ONFAULT]! clear onfault
  	retl
  	mov	0, %o0		! delay slot: return success
--- 5612,5616 ----
  	inc	%o1
  1:
! 	st	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
  	mov	0, %o0		! delay slot: return success
***************
*** 5643,5647 ****
  	bnz	0b		!	} while (--len != 0);
  	stb	%o4, [%o1 - 1]
! 	st	%g0, [%o5 + PCB_ONFAULT]! clear onfault
  	retl
  	mov	0, %o0		! delay slot: return success
--- 5644,5648 ----
  	bnz	0b		!	} while (--len != 0);
  	stb	%o4, [%o1 - 1]
! 	st	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
  	mov	0, %o0		! delay slot: return success
***************
*** 5747,5751 ****
  	ldsb	[%o0 + 2], %o4	! dst[2] = src[2];
  	stb	%o4, [%o1 + 2]
! 	st	%g0, [%o5 + PCB_ONFAULT]! clear onfault
  	retl
  	mov	0, %o0		! delay slot: return success
--- 5748,5752 ----
  	ldsb	[%o0 + 2], %o4	! dst[2] = src[2];
  	stb	%o4, [%o1 + 2]
! 	st	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
  	mov	0, %o0		! delay slot: return success
***************
*** 5758,5762 ****
  
  Lkcopy_done:
! 	st	%g0, [%o5 + PCB_ONFAULT]! clear onfault
  	retl
  	mov	0, %o0		! delay slot: return success
--- 5759,5763 ----
  
  Lkcopy_done:
! 	st	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
  	mov	0, %o0		! delay slot: return success
***************
*** 5764,5773 ****
  1:
  	stb	%o4,[%o1]
! 	mov	0, %o0		! delay slot: return success
  	retl
  Lkcerr:
! 	st	%g0, [%o5 + PCB_ONFAULT]! clear onfault
! 	retl				! and return error indicator
! 	mov	-1, %o0
  
  /*
--- 5765,5776 ----
  1:
  	stb	%o4,[%o1]
! 	st	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
+ 	mov	0, %o0		! delay slot: return success
+ 
  Lkcerr:
! 	st	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
! 	retl		
! 	mov	EFAULT, %o0	! delay slot: return error indicator
  
  /*
Index: sparc64/sparc64/locore.s
===================================================================
RCS file: /cvsroot/src/sys/arch/sparc64/sparc64/locore.s,v
retrieving revision 1.22
diff -c -2 -r1.22 locore.s
*** locore.s	1998/10/08 02:31:40	1.22
--- locore.s	1998/11/26 21:08:31
***************
*** 8038,8041 ****
--- 8038,8042 ----
  	LDPTR	[%o5 + %lo(_C_LABEL(cpcb))], %o5
  	set	Lkcerr, %o3
+ 	LDPTR	%o6, [%o5 + PCB_ONFAULT]! save fault handler
  	STPTR	%o3, [%o5 + PCB_ONFAULT]
  	cmp	%o2, BCOPY_SMALL
***************
*** 8058,8062 ****
  	 inc	%o1
  1:
! 	STPTR	%g0, [%o5 + PCB_ONFAULT]
  	retl
  	 clr	%o0
--- 8059,8063 ----
  	 inc	%o1
  1:
! 	STPTR	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
  	 clr	%o0
***************
*** 8091,8097 ****
  	 stb	%o4, [%o1 - 1]
  	membar	#Sync		! Make sure all traps are taken
! 	clr	%o0
  	retl
! 	 STPTR	%g0, [%o5 + PCB_ONFAULT]
  	NOTREACHED
  
--- 8092,8098 ----
  	 stb	%o4, [%o1 - 1]
  	membar	#Sync		! Make sure all traps are taken
! 	STPTR	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
! 	 clr	%o0
  	NOTREACHED
  
***************
*** 8192,8198 ****
  	stb	%o4, [%o1 + 2]
  	membar	#Sync		! Make sure all traps are taken
! 	clr	%o0
  	retl
! 	 STPTR	%g0, [%o5 + PCB_ONFAULT]
  	NOTREACHED
  
--- 8193,8199 ----
  	stb	%o4, [%o1 + 2]
  	membar	#Sync		! Make sure all traps are taken
! 	STPTR	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
! 	 clr	%o0
  	NOTREACHED
  
***************
*** 8203,8217 ****
  
  Lkcopy_done:
- 	clr	%o0
  	membar	#Sync		! Make sure all traps are taken
  	retl
! 	 STPTR	%g0, [%o5 + PCB_ONFAULT]! clear onfault
  
  1:
  	stb	%o4,[%o1]
- 	clr	%o0
  	membar	#Sync		! Make sure all traps are taken
  	retl
! 	 STPTR	%g0, [%o5 + PCB_ONFAULT]! clear onfault
  	
  Lkcerr:
--- 8204,8220 ----
  
  Lkcopy_done:
  	membar	#Sync		! Make sure all traps are taken
+ 	STPTR	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
! 	 clr	%o0
! 	NOTREACHED
  
  1:
  	stb	%o4,[%o1]
  	membar	#Sync		! Make sure all traps are taken
+ 	STPTR	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl
! 	 clr	%o0
! 	NOTREACHED
  	
  Lkcerr:
***************
*** 8233,8239 ****
  3:
  #endif
! 	STPTR	%g0, [%o5 + PCB_ONFAULT]! clear onfault
  	retl				! and return error indicator
! 	 mov	-1, %o0
  
  #if 0
--- 8236,8243 ----
  3:
  #endif
! 	STPTR	%o6, [%o5 + PCB_ONFAULT]! restore fault handler
  	retl				! and return error indicator
! 	 mov	EFAULT, %o0
! 	NOTREACHED
  
  #if 0
-----8<-----snip-----8<-----snip-----8<-----snip-----8<-----snip-----8<-----