
Hi~ I'm working on xv6 and I'm stuck on the validate test in usertests.c. There is asm code and I'm quite confused about what exactly is going on here. Could you explain that to me?

// Excerpt from usertests.c; it relies on the headers that file includes.
#include "types.h"
#include "stat.h"
#include "user.h"
#include "syscall.h"   // SYS_sleep
#include "traps.h"     // T_SYSCALL

int stdout = 1;        // usertests.c prints to fd 1 through this global

// try to crash the kernel by passing in a badly placed integer
void
validateint(int *p)
{
  int res;
  printf(stdout,"in validateint\n");
  // Operands: %0 = res (output in eax), %1 = SYS_sleep (input in eax),
  // %2 = T_SYSCALL (immediate), %3 = p (input in ecx).
  asm("mov %%esp, %%ebx\n\t"   // save the real user stack pointer in ebx
      "mov %3, %%esp\n\t"      // point esp at p: the kernel looks for the argument at p+4
      "int %2\n\t"             // int $T_SYSCALL with eax = SYS_sleep
      "mov %%ebx, %%esp" :     // restore the real stack pointer
      "=a" (res) :             // the system call's return value comes back in eax
      "a" (SYS_sleep), "n" (T_SYSCALL), "c" (p) :
      "ebx");                  // ebx is used as scratch, so declare it clobbered
  printf(stdout,"%d \n",res);
}

I found that res is increasing with p, but at some point res becomes 0 and then it becomes -1. The whole function gets stuck as long as res turns to -1. I have no idea what happened here.

Peter Cordes
  • Integer overflow? – Mad Physicist Mar 16 '21 at 20:14
  • @MadPhysicist That makes sense! So what does the OS do if there is an overflow in the kernel? – MusicalChicken Mar 16 '21 at 20:19
  • Judging by the comment, isn't this just a call to `SYS_sleep` that is meant to demonstrate that the kernel will (or will not) fault if its argument (`*p`) is an invalid pointer? The return value seems to confirm this (and that the kernel doesn't fault), but I don't understand what "as long as `res` turn to -1" means. – Margaret Bloom Mar 16 '21 at 20:20
  • What's the point of asking for `p` in ECX with a `"c"` constraint? What args does xv6's "sleep" system call take? Linux follows POSIX and has `sleep(unsigned int seconds)` as a library function on top of nanosleep, for example. (And where does xv6 want its args? On the user-space stack, pointed to by ESP? Or are EBX and ECX special, like they are for the Linux int 0x80 ABI?) – Peter Cordes Mar 17 '21 at 03:29

1 Answer


From https://github.com/mit-pdos/xv6-public/blob/eeb7b415dbcb12cc362d0783e41c3d1f44066b17/syscall.c#L10 it appears that system call arguments are passed on the stack. So the purpose of this code seems to be to invoke the system call with a possibly invalid stack, i.e. with the stack pointer containing some random address p.

I'd guess that the return value of 0 corresponds to when the stack is pointing to valid process memory, and -1 is returned when it is not.

Nate Eldredge
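The behaviour the answer describes, as an added host-side model that is not xv6 code and not part of the question or answer: it reproduces the checks of fetchint() and argint() from the syscall.c linked above (argument n is fetched from esp + 4 + 4*n and rejected unless all four bytes lie inside [0, proc->sz)), replaces the sleeping in sys_sleep() with a recorded tick count, and runs the call against a constructed three-page process image instead of real user memory. The struct proc here, ensure_proc, validateint_model, sleep_ticks, probe_fetch and count_rejected are names of this model, not of the kernel; the int planted at 0x1004 and the image size are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the parts of struct proc that the argument fetch uses.
 * The real kernel dereferences the user address directly; here the
 * image is a host byte array so the model runs anywhere. */
struct proc {
    uint32_t sz;        /* size of user memory: valid addresses are [0, sz) */
    uint8_t *mem;       /* backing store for those addresses (host only) */
    uint32_t tf_esp;    /* user %esp saved in the trap frame */
};

#define IMAGE_SIZE (3 * 4096)
static uint8_t image[IMAGE_SIZE];      /* constructed 3-page process image */
static struct proc fake;
static struct proc *curproc;
static int last_sleep_ticks = -1;

/* Build the fake process once and plant a "badly placed integer" at
 * 0x1004, where a syscall issued with %esp == 0x1000 looks for arg 0. */
static void ensure_proc(void)
{
    if (curproc)
        return;
    memset(image, 0, sizeof image);
    int planted = 42;
    memcpy(image + 0x1004, &planted, sizeof planted);
    fake.sz = IMAGE_SIZE;
    fake.mem = image;
    curproc = &fake;
}

/* Same test as xv6 fetchint(): the whole 4-byte read must lie in [0, sz).
 * The first condition covers addr + 4 wrapping past 2^32 (such an addr is
 * already >= sz); the second catches a read that starts inside the image
 * but straddles its end. Memory is only touched after both pass. */
int fetchint(uint32_t addr, int *ip)
{
    ensure_proc();
    if (addr >= curproc->sz || addr + 4 > curproc->sz)
        return -1;
    memcpy(ip, curproc->mem + addr, sizeof *ip);
    return 0;
}

/* Same layout as xv6 argint(): the user-side call pushed a return
 * address, so argument n sits at esp + 4 + 4*n. Note the addition is
 * done in 32 bits before fetchint() checks the result. */
int argint(int n, int *ip)
{
    ensure_proc();
    return fetchint(curproc->tf_esp + 4 + 4 * (uint32_t)n, ip);
}

/* Model of sys_sleep(): -1 if the argument cannot be fetched, otherwise
 * record the requested ticks instead of sleeping and return 0. */
int sys_sleep(void)
{
    int n;
    if (argint(0, &n) < 0)
        return -1;
    last_sleep_ticks = n;
    return 0;
}

/* What validateint(p) amounts to once %esp has been pointed at p. */
int validateint_model(uint32_t p)
{
    ensure_proc();
    curproc->tf_esp = p;
    return sys_sleep();
}

int sleep_ticks(void) { return last_sleep_ticks; }

/* Status of a raw fetchint() at addr, for probing the range check alone. */
int probe_fetch(uint32_t addr)
{
    int v;
    return fetchint(addr, &v);
}

/* The validatetest() loop: one probe per page from 0 up to hi.
 * Returns how many probes the model rejected with -1. */
int count_rejected(uint32_t hi, uint32_t step)
{
    int rejected = 0;
    for (uint32_t p = 0; p <= hi; p += step) {
        if (validateint_model(p) < 0)
            rejected++;
        if (p > UINT32_MAX - step)   /* guard the loop counter against wrap */
            break;
    }
    return rejected;
}

int main(void)
{
    uint32_t probes[] = { 0x1000, IMAGE_SIZE - 8, IMAGE_SIZE - 6, IMAGE_SIZE, 0xFFFFFFFCu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int r = validateint_model(probes[i]);
        printf("esp=0x%08x -> %d%s\n", (unsigned)probes[i], r,
               r == 0 ? " (argument read from esp+4)" : " (rejected by fetchint)");
    }
    printf("%d per-page probes rejected\n", count_rejected(1100 * 1024, 4096));
    return 0;
}
```

Two things the model makes visible. While p + 4 is inside the image the call succeeds with 0 and the "argument" is whatever int happens to sit there (42 at 0x1004, zeros elsewhere), so the process sleeps for an arbitrary number of ticks, which is the point of calling it a badly placed integer; once p + 4 reaches sz, or the four bytes straddle the end of the image, fetchint returns -1 before touching memory, and that -1 propagates out as the syscall's return value in eax. On the overflow question raised in the comments: with esp = 0xFFFFFFFC the 32-bit addition in argint wraps the argument address to 0, which is still inside the user image, so the kernel reads the process's own first bytes rather than anything outside its address space; the range check that matters is the one in fetchint, because it is applied to the address after the arithmetic.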