[quake3-bugzilla] [Bug 4282] New: Fix potential overlap of VM stack and bss sections

bugzilla-daemon at icculus.org bugzilla-daemon at icculus.org
Thu Sep 17 05:42:23 EDT 2009


http://bugzilla.icculus.org/show_bug.cgi?id=4282

           Summary: Fix potential overlap of VM stack and bss sections
           Product: ioquake3
           Version: SVN HEAD
          Platform: All
        OS/Version: All
            Status: RESOLVED
          Severity: normal
          Priority: P3
         Component: Platform
        AssignedTo: zakk at icculus.org
        ReportedBy: baggett.patrick at gmail.com
         QAContact: quake3-bugzilla at icculus.org
                CC: tim at ngus.net


Tim Angus <tim at ngus.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |tim at ngus.net
         Resolution|                            |FIXED

It is possible for the Q3VM stack and data segment to overlap, which is very
bad. Below is the write up that I made a long time ago and mentioned once on
the mailing list but never filed a bug for:

Consulting vm.c:VM_LoadQVM()

If you see the definition of the "dataMask", you'll see it is the next highest
power of two that is greater than the sum of data, lit, and bss segments. So,
if their sum was, say, 400 bytes, then the next highest power of two would
be 512, and the mask would be 0x1FF (decimal 511). Let's continue with this
example. The stack grows down, and is implicitly at the end of the image. This
means that the 

[data+lit+bss = 400][Extra space 112 bytes]

^------------------------------------------^ Whole allocation is 512 bytes.


Let's suppose the stack size was 256 bytes. This means:

                Stack size of 256 bytes
             v---------------------------v
[data+lit+bss = 400][Extra space 112 bytes]
^------------------^
             [ !!! ]

The area marked as [ !!! ] is the overlap of the two.

This can easily be fixed by changing the calculation of "dataLength" in vm.c
to:

dataLength = header.h->dataLength + header.h->litLength + header.h->bssLength +
STACK_SIZE;



This has not yet been a problem, but the closer the sum (header.h->dataLength +
header.h->litLength + header.h->bssLength) is to a power of two, the more
likely the error is to occur.
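To make the overlap arithmetic concrete, here is an added example (not ioquake3 code and not part of the report) that models the segment sizing described above, once with the original calculation and once with the proposed one, using the report's figures of 400 bytes of data+lit+bss and a 256-byte stack. The names round_up_pow2, vm_layout, layout_before and layout_after are illustrative; the real stack constant in ioquake3's vm_local.h is PROGRAM_STACK_SIZE (0x10000 bytes), which the example does not use, and the segment sizes are constructed for the demonstration.

```c
/*
 * Added example, not ioquake3 code: models the data-segment sizing in
 * VM_LoadQVM() as the report describes it, then checks whether a stack
 * placed at the top of the allocation (growing down) would overlap the
 * data+lit+bss segments. Names are illustrative; the 400-byte segment
 * total and 256-byte stack are the report's worked values, not real
 * QVM figures.
 */
#include <stdio.h>
#include <stddef.h>

/* Smallest power of two >= n, written like the rounding loop in vm.c. */
static size_t round_up_pow2(size_t n)
{
    size_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

typedef struct {
    size_t segments;     /* data + lit + bss */
    size_t alloc;        /* total image size, a power of two (dataMask + 1) */
    size_t mask;         /* dataMask */
    size_t stack_bottom; /* lowest address the stack may reach */
    int    overlap;      /* nonzero if the stack and the segments share bytes */
} vm_layout;

/* Shared tail: place the stack at the top of the image, growing down. */
static vm_layout finish(size_t segments, size_t alloc, size_t stack)
{
    vm_layout l;
    l.segments = segments;
    l.alloc = alloc;
    l.mask = alloc - 1;
    if (stack > alloc) {
        /* Stack larger than the whole image: the bottom would underflow. */
        l.stack_bottom = 0;
        l.overlap = 1;
    } else {
        l.stack_bottom = alloc - stack;
        l.overlap = l.stack_bottom < segments;
    }
    return l;
}

/* Before the fix: only the segments are rounded up; the stack is not
 * accounted for, so it may reach down into bss. */
vm_layout layout_before(size_t data, size_t lit, size_t bss, size_t stack)
{
    size_t segments = data + lit + bss;
    return finish(segments, round_up_pow2(segments), stack);
}

/* After the fix: the stack size is added before rounding, so the stack
 * always has its own room above the segments. */
vm_layout layout_after(size_t data, size_t lit, size_t bss, size_t stack)
{
    size_t segments = data + lit + bss;
    return finish(segments, round_up_pow2(segments + stack), stack);
}

static void show(const char *tag, vm_layout l)
{
    printf("%s: segments=%zu alloc=%zu mask=0x%zX stack_bottom=%zu overlap=%s\n",
           tag, l.segments, l.alloc, l.mask, l.stack_bottom,
           l.overlap ? "YES" : "no");
}

int main(void)
{
    /* The report's example: data+lit+bss = 400, stack = 256. */
    show("before", layout_before(200, 100, 100, 256));
    show("after ", layout_after(200, 100, 100, 256));
    return 0;
}
```

With the report's numbers the original calculation gives a 512-byte image whose stack bottom sits at offset 256, inside the 400 bytes of segments; adding the stack size before rounding gives a 1024-byte image with the stack bottom at 768, clear of the segments.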

--- Comment #1 from Patrick Baggett <baggett.patrick at gmail.com> 2009-09-15 04:19:37 EDT ---
*** Bug 4283 has been marked as a duplicate of this bug. ***

--- Comment #2 from Tim Angus <tim at ngus.net> 2009-09-17 05:42:21 EDT ---
Fixed in r1632.
