[uClinux-dev] FW: [PATCH] binfmt_flat.c

Peter Griffin pgriffin at mpc-data.co.uk
Wed Jun 11 06:57:32 EDT 2008


Hi everyone,

I think I've found a bug in the uClinux bin flat loader.

Essentially what happens is that in a vfork/exec scenario the parent is
suspended until the child either does an exec or _exit system call.

However, in the binflat loader the parent gets informed that the exec has
taken place, when in fact it can still potentially fail.

This bug showed up on my system by continually running a shell until
RAM is exhausted. When this happens the parent is informed by the
flush_old_exec function that the exec call has taken place and is put on
the run queue; however, the memory allocation then fails, and both parent
and child return into the same address space, stomping all over the
stack.

The fix is to send a signal killing the child if any of the memory
allocations fail. I've tested this on my system and this fixes this
behaviour.

Best regards,

Peter.


--- binfmt_flat.c.vanilla       2008-06-11 11:57:34.000000000 +0100

+++ binfmt_flat.c       2008-06-11 12:00:06.000000000 +0100

@@ -538,6 +538,7 @@

                                textpos = (unsigned long) -ENOMEM;

                        printk("Unable to mmap process text, errno
%d\n", (int)-textpos);

                        ret = textpos;

+                     send_sig(SIGKILL, current, 0);

                        goto err;

                }

 

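Review bot: the new `send_sig(SIGKILL, current, 0);` in front of `goto err` has no comment saying why a failed text mmap must be fatal rather than just an error return; a one-line comment stating that flush_old_exec() has already run at this point (the old image is gone and the vfork parent has been released, as the cover note explains) would stop the next reader from removing it as an overreaction. Separately, the patch as quoted has been mangled by the mailer: the `printk("Unable to mmap process text, errno %d\n", ...)` line is wrapped onto two lines and the leading tabs have become spaces, so it will not apply with patch(1); please resend it as a plain-text attachment or inline from a text-only mail client.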
@@ -562,6 +563,7 @@

                                        (int)-realdatastart);

                        do_munmap(current->mm, textpos, text_len);

                        ret = realdatastart;

+                     send_sig(SIGKILL, current, 0);

                        goto err;

                }

                datapos = realdatastart + MAX_SHARED_LIBS *
sizeof(unsigned long);
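Review bot: this is the second of three places that add the identical `send_sig(SIGKILL, current, 0);` right before `goto err`. If every path that reaches the `err:` label runs after flush_old_exec(), a single `send_sig()` at the label replaces all three and cannot be forgotten on a future error path; if some earlier failures (before the point of no return) also jump to `err`, then the per-site calls are the right choice, but say so in a comment, because that distinction is what makes killing the task correct. Also, the `do_munmap(current->mm, textpos, text_len);` just above only matters if the task survives; once it is SIGKILLed the whole mm is torn down at exit, so note whether the explicit unmap is still wanted.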

@@ -613,6 +615,7 @@

                        printk("Unable to allocate RAM for process
text/data, errno %d\n",

                                        (int)-textpos);

                        ret = textpos;

+                     send_sig(SIGKILL, current, 0);

                        goto err;

                }
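Review bot: with this hunk three allocation failures now kill the task, but the cover note says "if any of the memory allocations fail" without stating whether the remaining failure paths after these points in load_flat_file (anything later in the function that also jumps to `err`, which these hunks do not show) were audited; any such path left without the SIGKILL still lets the vfork parent and child return into the shared address space. Please list the audited paths in the description and extend the fix to any that exist. Note also that this hunk header claims 6 context lines but only 5 are visible, so a context line was lost in transit, another reason to resend the patch as plain text.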

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.uclinux.org/pipermail/uclinux-dev/attachments/20080611/2cd0038f/attachment.html
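The vfork()/exec contract that the report above relies on, shown from user space as an added example (this is not code from the uClinux tree, from binfmt_flat.c, or from the original post): a vfork() child runs in the parent's address space and the parent stays suspended until the child calls execve() or _exit(), so on a failed execve() the child must _exit() rather than return. It assumes a Linux/glibc host with /bin/sh, and that the path /nonexistent/example/binary does not exist. The kernel bug in the report is what happens when the kernel side of this contract is broken; the program only shows the user-visible half and cannot reproduce the kernel bug.

```c
/* Added example (not from the uClinux tree or the original post): the
 * user-space side of the vfork()/exec contract that the kernel fix above
 * depends on. Assumes a Linux/glibc host with /bin/sh, and that the path
 * /nonexistent/example/binary does not exist. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Written by the child, read by the parent. That works only because a
 * vfork() child runs in the parent's address space; volatile keeps the
 * compiler from caching the value across the vfork() call. */
static volatile int child_exec_errno;

/*
 * Run argv[0] via vfork()+execve() and wait for it.
 * Returns the child's exit status (0..255); 127 means execve() failed
 * in the child (its errno is then available via last_child_exec_errno());
 * -1 means vfork()/waitpid() failed or the child died from a signal.
 */
int run_via_vfork(char *const argv[])
{
    int status;
    pid_t pid;

    child_exec_errno = 0;
    pid = vfork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: the parent is suspended and we share its stack, so only
         * execve() or _exit() are allowed here. Returning would unwind the
         * parent's frames, which is the corruption the kernel bug causes. */
        execve(argv[0], argv, environ);
        child_exec_errno = errno;   /* lands in the parent's memory */
        _exit(127);
    }

    /* Parent: resumes only after the child has exec'd or _exit()ed. */
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int last_child_exec_errno(void)
{
    return child_exec_errno;
}

/* A successful exec: the exit status comes from the new image. */
int demo_exec_ok(void)
{
    char *const argv[] = { "/bin/sh", "-c", "exit 3", NULL };
    return run_via_vfork(argv);
}

/* A failed exec: the child must _exit(), and its errno reaches the parent. */
int demo_exec_missing(void)
{
    /* Path assumed not to exist on the host. */
    char *const argv[] = { "/nonexistent/example/binary", NULL };
    return run_via_vfork(argv);
}

int main(void)
{
    int ok = demo_exec_ok();
    int missing = demo_exec_missing();
    int err = last_child_exec_errno();

    printf("sh -c 'exit 3' -> status %d\n", ok);
    printf("missing binary -> status %d, child errno %d (%s)\n",
           missing, err, strerror(err));
    return 0;
}
```

Build with `cc -Wall vfork_demo.c -o vfork_demo`; the errno hand-off through a plain global is the same shared-address-space property that makes the kernel bug destructive when the child does return.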

