ARM: Incorrect prefetch abort handling can cause a spin instead of SIGSEGV
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Linux | New | Undecided | Unassigned | |
| linux-fsl-imx51 (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
http://
"ARM: 5728/1: Proper prefetch abort handling on ARMv6 and ARMv7
Currently, on ARMv6 and ARMv7, if an application tries to execute code (or garbage) on a non-executable page it hangs. It is caused by incorrect prefetch abort handling. Now every prefetch abort is processed as a translation fault."
I believe the patch was merged in 2.6.32, so it is _probably_ already applied in the dove tree (but it might be worth checking)
[update: This bug does *not* affect the dove tree— confirmed]
This patch doesn't appear critical; it just affects cases where processes are already crashing by trying to execute in invalid address space. I'm not aware of any real problems in lucid caused by this at present.
Test case:
/* Assumption: the target address of the original test case was cut off on
   this page; a static data array stands in for a non-executable page. */
static char garbage[64];
int main(void)
{
    ((void (*)(void))garbage)();
    return 0;
}
Desired result is SIGSEGV.
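To tell the two outcomes this report contrasts apart (SIGSEGV delivered to the process versus a process that never returns from the faulting jump), the following harness runs a test function in a forked child and classifies how the child ended. This is an added example, not part of the bug report or the kernel patch; it assumes a Linux/POSIX system (fork, waitpid, kill, nanosleep), and the data page it jumps to is a constructed stand-in for any non-executable mapping.

```c
/* Added example: classify a child as "got SIGSEGV" or "hung".
   Assumes Linux/POSIX. Not part of the bug report. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum outcome { OUT_SIGSEGV = 0, OUT_HUNG = 1, OUT_OTHER = 2 };

static const char *outcome_name(enum outcome o)
{
    switch (o) {
    case OUT_SIGSEGV: return "SIGSEGV (desired result)";
    case OUT_HUNG:    return "hung past timeout (bug symptom)";
    default:          return "other exit";
    }
}

/* Sleep for 100 ms between waitpid polls. */
static void short_sleep(void)
{
    struct timespec ts = { 0, 100 * 1000 * 1000 };
    nanosleep(&ts, NULL);
}

/* Run fn() in a forked child and report how the child ended. A child still
   alive after timeout_sec is sent SIGKILL and reported as hung. The final
   waitpid is non-blocking on purpose: on an affected kernel the stuck child
   is unkillable (spinning in kernel mode), so a blocking wait would hang
   the harness too. */
static enum outcome run_and_classify(void (*fn)(void), unsigned timeout_sec)
{
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return OUT_OTHER;
    }
    if (pid == 0) {
        fn();
        _exit(0);
    }
    for (unsigned polls = 0; polls < timeout_sec * 10; polls++) {
        int status;
        if (waitpid(pid, &status, WNOHANG) == pid) {
            if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)
                return OUT_SIGSEGV;
            return OUT_OTHER;
        }
        short_sleep();
    }
    kill(pid, SIGKILL);
    for (int tries = 0; tries < 10; tries++) {
        if (waitpid(pid, NULL, WNOHANG) == pid)
            break;
        short_sleep();
    }
    return OUT_HUNG;
}

/* Constructed target: a data page, never mapped executable. */
static char garbage_page[64];

static void jump_to_data(void)
{
    ((void (*)(void))(uintptr_t)garbage_page)();
}

/* Reference children used to check the harness itself. */
static void child_segv(void) { raise(SIGSEGV); }
static void child_spin(void) { volatile int keep = 1; while (keep) ; }

int main(void)
{
    printf("raise(SIGSEGV): %s\n", outcome_name(run_and_classify(child_segv, 2)));
    printf("busy spin:      %s\n", outcome_name(run_and_classify(child_spin, 2)));
    printf("jump to data:   %s\n", outcome_name(run_and_classify(jump_to_data, 5)));
    return 0;
}
```

The first two lines of output only check that the harness classifies a known SIGSEGV and a known spin correctly; the third line is the actual test. On a fixed kernel it reports SIGSEGV; on an affected ARMv6/v7 kernel it reports "hung", and the child will remain as an unkillable process, which is exactly the symptom described above.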
From alkml:
Jamie Lokier [jamie at shareable.org] wrote:
[...]
The above patch addresses ARMv6/v7 with NX mappings - and probably only those > TASK_SIZE; NX mappings < TASK_SIZE should have been caught by the PROT_EXEC check already in fault.c.
If I'm right, the NX one is more serious if you can trip a kernel bug into doing this, because it'll result in an unkillable process, stuck in kernel mode and spinning. But only if you trip a kernel bug.
So it looks like it could be worth pulling this patch in but SRU is probably good enough— this only becomes a problem if there is already a kernel bug somewhere involving a jump to a random address.