Bug 147666

Summary: Memory corruption when reading /proc/kcore
Product: Red Hat Enterprise Linux 2.1
Reporter: Martin Wilck <martin.wilck>
Component: kernel
Assignee: Don Howard <dhoward>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 2.1
CC: dhoward, peterm, riel, shillman
Hardware: All
OS: Linux
URL: http://marc.theaimsgroup.com/?t=110739734900006&r=1&w=2
Fixed In Version: RHSA-2007-0013
Doc Type: Bug Fix
Last Closed: 2007-01-17 10:14:02 UTC

Description Martin Wilck 2005-02-10 08:59:15 UTC
Description of problem:
Possible memory corruption when /proc/kcore is read


Version-Release number of selected component (if applicable):
2.4.9-e.57


How reproducible:
dd if=/proc/kcore of=/tmp/kcore bs=4k count=10
(if necessary, repeat a few times)

Steps to Reproduce:
see above
  
Actual results:
Various; usually the machine freezes after some /proc/kcore reads.

Expected results:
No problems, /proc/kcore is correctly read.

Additional info:
The problem is that the size of the kcore header is calculated incorrectly if
there are lots of VMAs. The reason is that the size of the data fields in the
ELF notes is not accounted for in get_kcore_size() (fs/proc/kcore.c).


RH's Ernie Petrides has posted a patch for this to LKML.
http://marc.theaimsgroup.com/?t=110739734900006&r=1&w=2

It was accepted by Marcelo into 2.4 mainline.
http://linux.bkbits.net:8080/linux-2.4/cset@42024081gb19vludDwvjkxZjV0NvPg?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/kcore.c

In 2.6 the problem has been fixed for 1.5 years.
ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.5/2.5.69/2.5.69-mm9/broken-out/proc-kcore-rework.patch

BUG 141394 contains references to this problem for RHEL3.

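The sizing error described above is easy to reproduce in a user-space model. The following is an added illustration, not code from the kernel or from the reporter: it lays out ELF notes the way an ELF core header does (a 12-byte Elf32_Nhdr, then the name and the descriptor data, each padded to 4 bytes), and compares a correct per-note size against a "buggy" variant that forgets the descriptor data field. The note name "CORE", the 24-byte descriptor, the 4096-byte page size and the function names are assumptions chosen for the example; the point is that the two estimates agree for a handful of notes but diverge by whole pages once there are many, which is exactly the "lots of VMAs" condition the report names. Any writer that allocates the header from the short estimate and then fills it from the real layout overruns its buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of ELF-note sizing for a kcore-style header.
 * Not kernel code; all names and constants here are assumptions. */

#define ELF_NHDR_SIZE 12          /* Elf32_Nhdr: n_namesz, n_descsz, n_type */
#define PAGE_SIZE_ASSUMED 4096    /* assumed page size for header rounding */
#define MAX_NOTES 4096

/* ELF note name and descriptor fields are padded to 4-byte boundaries. */
static size_t note_align(size_t n)
{
    return (n + 3) & ~(size_t)3;
}

/* One per-VMA note: a NUL-terminated name plus a descriptor payload. */
struct kcore_note {
    const char *name;   /* n_namesz counts the terminating NUL */
    size_t descsz;      /* size of the descriptor data field */
};

/* Correct on-disk size of one note: header + padded name + padded data. */
size_t note_size(const struct kcore_note *n)
{
    size_t namesz = strlen(n->name) + 1;
    return ELF_NHDR_SIZE + note_align(namesz) + note_align(n->descsz);
}

/* Buggy model: header and name counted, descriptor data field forgotten. */
size_t note_size_buggy(const struct kcore_note *n)
{
    size_t namesz = strlen(n->name) + 1;
    return ELF_NHDR_SIZE + note_align(namesz);
}

/* Sum all notes, then round up to whole pages as a header region would be. */
size_t header_size(const struct kcore_note *notes, size_t count,
                   size_t (*sizer)(const struct kcore_note *))
{
    size_t total = 0;
    for (size_t i = 0; i < count; i++)
        total += sizer(&notes[i]);
    return (total + PAGE_SIZE_ASSUMED - 1) / PAGE_SIZE_ASSUMED * PAGE_SIZE_ASSUMED;
}

/* Bytes by which the buggy header estimate falls short for nvmas notes.
 * Each note uses the assumed name "CORE" and a 24-byte descriptor. */
size_t kcore_header_shortfall(size_t nvmas)
{
    static struct kcore_note notes[MAX_NOTES];
    if (nvmas > MAX_NOTES)
        nvmas = MAX_NOTES;
    for (size_t i = 0; i < nvmas; i++) {
        notes[i].name = "CORE";
        notes[i].descsz = 24;
    }
    size_t good = header_size(notes, nvmas, note_size);
    size_t bad  = header_size(notes, nvmas, note_size_buggy);
    return good > bad ? good - bad : 0;
}

int main(void)
{
    size_t counts[] = { 1, 50, 200, 1000 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++)
        printf("%4zu VMAs: buggy header estimate short by %zu bytes\n",
               counts[i], kcore_header_shortfall(counts[i]));
    return 0;
}
```

With one note both estimates round up to a single page and nothing goes wrong, which is why a lightly loaded machine reads /proc/kcore cleanly; at a few hundred notes the correct layout needs three pages while the buggy estimate still asks for one, and the header writer runs 8 KiB past the buffer it was given.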
Comment 1 Martin Wilck 2005-02-10 09:05:53 UTC
According to Ernie, this was accepted into the RHEL-U3 patch set.
The patch is pretty small and can hardly break stuff, so it'd be nice to see it
in AS2.1 ASAP, too.


Comment 2 Suzanne Hillman 2005-02-10 20:55:55 UTC
As of February 7th, all new requests must go through Issue Tracker. If you have
further questions or need more information, please go through your partner manager.

Comment 4 Ernie Petrides 2005-02-25 23:57:53 UTC
Jim, please note that bug 141394 has been deemed to be caused by some other
problem, which is yet unsolved.  The RHEL3 bugs resolved by the /proc/kcore
fix are 132838, 133905, 134988, and 136317.

Comment 8 Don Howard 2006-10-20 00:04:13 UTC
I've picked this issue up.  There seems to be another bug in /proc/kcore on 2.1:
I can consistently crash the machine by repeatedly reading the kcore.  The crash
appears to be due to an unmapped region in the vmlist:

crash>  p vmlist
vmlist = $7 = (struct vm_struct *) 0xc14f1a00
crash> list -s vm_struct vm_struct.next 0xc14f1a00 | less  
     . . . 
ced68ca0
struct vm_struct {
  flags = 2,
  addr = 0xd08c3000,
  size = 20480,
  next = 0xcde37240
}
cde37240
struct vm_struct {
  flags = 2,
  addr = 0xd08c8000,
  size = 8192,
  next = 0xc14f1900
}
c14f1900
struct vm_struct {
  flags = 2,
  addr = 0xd08cf000,
  size = 36864,
  next = 0xc14f12c0
}
...


crash> kmem 0xd08c3000
d08c3000 (m) (autofs module)

VM_STRUCT     ADDRESS RANGE       SIZE
ced68ca0   d08c3000 - d08c8000   20480

  PAGE    PHYSICAL   MAPPING    INDEX CNT FLAGS
c13cea1c   e553000         0         0  1
crash> kmem 0xd08cf000
d08cf000 (m) (3c59x module)

VM_STRUCT     ADDRESS RANGE       SIZE
c14f1900   d08cf000 - d08d8000   36864

  PAGE    PHYSICAL   MAPPING    INDEX CNT FLAGS
c13e15bc   e9bb000         0         0  1
crash> kmem 0xd08c8000
d08c8000: address not found


Is it kosher for there to be unmapped regions in the vmlist?
It would seem not.


Comment 9 Don Howard 2006-11-09 21:03:14 UTC
See BZ 213567 for more regarding comment #8.

Comment 12 Mike Gahagan 2006-12-19 20:00:00 UTC
I couldn't recreate the crash with e.70, however I have verified that the fix is
in as part of linux-2.4.26-updates.patch and that patch is being applied in e.71.

Comment 14 Red Hat Bugzilla 2007-01-17 10:14:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0013.html