Subject: port-arm32/7838: copyoutstr go boom.
To: None <>
From: Bill Sommerfeld <>
List: netbsd-bugs
Date: 06/23/1999 07:36:48
>Number:         7838
>Category:       port-arm32
>Synopsis:       copyoutstr go boom.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    port-arm32-maintainer (NetBSD/arm32 Portmaster)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 23 07:35:00 1999
>Originator:     Bill Sommerfeld
>Release:        19990620


	The enclosed test program crashes a shark.

[u]vm_fault(0xf010af58, f40000000, 3, 0) -> 1
Unhandled trap (frame = 0xf3727d80)
Data abort: 'Translation fault(section)' status=005 address=f4000050
Stopped in bar at	_copyoutstr+0x8c:	str	r6, [r4, #0x0050]



I *think* this is actually a copyinstr (the assembly code for both
shares the same tail) call because $r1 (the "destination" pointer in
the copy) points into kernel space.

r4 contains 0xf4000000; it should contain the contents of curpcb,
which at the time is 0xf3726000

Also noticed at the same time: copyoutstr doesn't do the COW
emulation which is done by copyout in bcopyinout.S, which seems.. poor.


compile and run the following:

#include <string.h>
#include <stdlib.h>
#include <sys/param.h>
#include <unistd.h>
#include <stdio.h>

#define CHECK_LEN       (NCARGS+3)
static  char    **array = NULL;
main(argc, argv, envp)
        int argc;
        char *argv[];
        char *envp[];
        int i;
        array = (char **)malloc(CHECK_LEN * sizeof(char *));
        for (i = 0; i < (CHECK_LEN - 1); i++)
                array[i] = "/bin/sh";
        array[CHECK_LEN - 1] = NULL;
        execve("/bin/sh", array, envp);


??? don't know arm assembly that well