Re: select() call corrupts stack

Brian Gerst (bgerst@didntduck.org)
Wed, 27 Feb 2002 15:19:01 -0500


Artiom Morozov wrote:
>
> Hello,
>
> Here's a sample program. Try running it and open about 2k of
> connections to port 5222 (you'll need ulimit -n 10000 or like that). It
> will segfault. Simple asm like this
> __asm__(
> "pushl %eax \n\t"
> "movl 0(%ebp), %eax \n\t" /* load the saved caller %ebp from this frame */
> "cmp $65535, %eax \n\t"
> "ja 1f \n\t" /* local label, so the probe can be pasted after every call */
> "xor %eax, %eax \n\t"
> "movl %eax, 0(%eax) \n\t" /* deliberate write to address 0: SIGSEGV if [ebp] looks bogus */
> "1: \n\t"
> "popl %eax \n\t"
> );
> after each subroutine call will show you that after select() [ebp] has a
> weird value. While this is unlikely to be a security flaw, I think this
> is a bug.
>
> ps: it's okay for 1k of connections or so
> pps: kernel 2.4.17 on i686, gcc 3.0.3, glibc 2.2.3.
>

This is not a kernel problem. You are overflowing the size of the
fd_set structure in userspace, which has room for FD_SETSIZE file
descriptors. The kernel smashes the user stack because you told it you
had more descriptors than you gave it room for.

--

Brian Gerst
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
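As an added illustration of the bound Brian describes (example code written for this page, not from the thread or the reporter's main.cpp): the kernel copies back (nfds + 7) / 8 bytes per set, while the C library's fd_set is a fixed FD_SETSIZE-bit buffer, so a descriptor at or above FD_SETSIZE has to be rejected before FD_SET, or the program must switch to poll(). The function names are this example's own.

```c
/* Added example: bounds checks that keep select()/FD_SET inside fd_set.
 * On glibc, FD_SETSIZE is 1024 and sizeof(fd_set) is 128 bytes. */
#include <stdio.h>
#include <stddef.h>
#include <sys/select.h>

/* Bytes the kernel reads and writes for a set covering fds [0, nfds). */
size_t fd_set_bytes_needed(int nfds)
{
    return ((size_t)nfds + 7) / 8;
}

/* Bytes written past the end of a fd_set for this nfds (0 when it fits).
 * With ~2k connections nfds is about 2050, i.e. 257 bytes into a 128-byte
 * buffer: that is the stack smash seen in the original report. */
size_t fd_set_overflow_bytes(int nfds)
{
    size_t need = fd_set_bytes_needed(nfds);
    return need > sizeof(fd_set) ? need - sizeof(fd_set) : 0;
}

/* Does a select() call with this nfds stay within the fixed-size fd_set? */
int nfds_fits_fd_set(int nfds)
{
    return nfds >= 0 && nfds <= FD_SETSIZE;
}

/* Bounds-checked FD_SET: 0 on success, -1 if the fd would land outside the
 * set. Without this check FD_SET writes beyond the structure, and passing
 * such an nfds to select() lets the kernel do the same on copy-back. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

int main(void)
{
    int nfds = 2050; /* constructed: roughly the reporter's 2k-connection case */
    printf("FD_SETSIZE=%d sizeof(fd_set)=%zu\n", FD_SETSIZE, sizeof(fd_set));
    printf("nfds=%d needs %zu bytes, overflows by %zu, fits=%d\n", nfds,
           fd_set_bytes_needed(nfds), fd_set_overflow_bytes(nfds),
           nfds_fits_fd_set(nfds));
    return 0;
}
```

Descriptor numbers above FD_SETSIZE are easy to reach once ulimit -n is raised, so a server that keeps select() should refuse or close such descriptors rather than set them; poll() has no such fixed bound.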