Bug 151847

Summary: Bad return address on signal stack breaks klibc
Product: [Fedora] Fedora
Component: kernel
Version: 3
Hardware: i386
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: medium
Reporter: H. Peter Anvin <hpa>
Assignee: Dave Jones <davej>
QA Contact: Brian Brock <bbrock>
CC: pfrields, wtogami
Fixed In Version: kernel-2.6.12-1.1372_FC3
Doc Type: Bug Fix
Last Closed: 2005-10-03 00:36:43 UTC

Description H. Peter Anvin 2005-03-22 21:01:14 UTC

Description of problem:
I received a bug report from a user that Fedora kernels break klibc. The reason, it turns out, is that the topmost dword on the stack, which is supposed to point to a return handler (in the vsyscall page on stock kernels), is nonsensical.

This is a dump of the top of the stack from one instance:

0xbffff178:     0x00000420      0x00000002      0x00000000      0x00000000
0xbffff188:     0x0000007b      0x0000007b      0x00000000      0x080480a0
0xbffff198:     0x10000000      0xbffff454      0x00006639      0x00000000
0xbffff1a8:     0xbffff468      0xfffffdfe      0x00000001      0x00000000
0xbffff1b8:     0x0804836f      0x00000073      0x00200206      0xbffff454
0xbffff1c8:     0x0000007b      0x00000000      0x00000000      0x00000000
0xbffff1d8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff1e8:     0x00000000      0x00000000      0x00000000      0x00000000

0x00000420 is clearly not a return address.

The code that generates this address is modified in Fedora versus the stock kernel:

-       restorer = &__kernel_sigreturn;
+       restorer = current->mm->context.vdso + (long)&__kernel_sigreturn;
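Review bot: the replacement has no handling for a process with no vDSO mapped, and the symptoms in this report fit that case: the reporter says enabling vdso makes the test pass, and the topmost stack value 0x00000420 in the dump is consistent with an empty base plus a small offset being pushed as the return address. Suggest keeping the original `restorer = &__kernel_sigreturn;` form (or another trampoline that is actually mapped) as a fallback when context.vdso is unset, and a comment stating whether `__kernel_sigreturn` is an absolute address or an offset into the vDSO image, since the two-line change silently assumes the latter.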

This apparently doesn't produce a valid image.

I have gotten one report that turning vdso on makes it work; I can't verify it because if I enable vdso my system crashes hard.
Version-Release number of selected component (if applicable):
kernel-2.6.10-1.770_FC3smp

How reproducible:
Always

Steps to Reproduce:
1. Download klibc-1.0.4
2. Run klibc/tests/getint
3. Observe core dump. Setting a gdb breakpoint on the signal handler reveals corrupt return address as shown above.

Actual Results:  Core dump

Expected Results:  Test completion

Additional info:
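
As an added example (not code from the report or from klibc), the check the reporter made by hand in gdb, automated: a handler reads its own return address, which is the restorer the kernel pushed on the signal stack, and the program verifies that it lies inside an executable mapping listed in /proc/self/maps; on the broken kernel it would instead see a bare value like 0x00000420. It assumes Linux with /proc mounted, and all function names are this example's own.

```c
/* Added example, not code from the report or from klibc: install a handler,
 * raise SIGUSR1, and check that the return address the kernel placed on the
 * signal stack (the restorer) lies in an executable mapping of the process. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static volatile uintptr_t g_restorer;  /* return address seen by the handler */

/* The handler's return address is whatever the kernel pushed as the restorer. */
static void probe_handler(int sig) {
    (void)sig;
    g_restorer = (uintptr_t)__builtin_return_address(0);
}

/* 1 if addr lies in an executable mapping of this process, 0 if not, -1 on error. */
int addr_is_executable(uintptr_t addr) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], perms[5];
    unsigned long lo, hi;
    int found = 0;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (addr >= lo && addr < hi) { found = (perms[2] == 'x'); break; }
    }
    fclose(f);
    return found;
}

/* 1 if the restorer is a plausible return address (as on a stock kernel),
 * 0 if it is nonsensical like the 0x00000420 in the report, -1 on error. */
int check_signal_restorer(void) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, &old) != 0) return -1;
    g_restorer = 0;
    raise(SIGUSR1);
    sigaction(SIGUSR1, &old, NULL);
    return g_restorer ? addr_is_executable(g_restorer) : 0;
}

int main(void) {
    int rc = check_signal_restorer();
    printf("restorer 0x%lx valid=%d\n", (unsigned long)g_restorer, rc);
    return rc == 1 ? 0 : 1;
}
```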

Comment 1 Dave Jones 2005-07-15 18:09:35 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem. Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.

Comment 2 Dave Jones 2005-10-03 00:36:43 UTC
This bug has been automatically closed as part of a mass update.
It had been in NEEDINFO state since July 2005.
If this bug still exists in current errata kernels, please reopen this bug.

There are a large number of inactive bugs in the database, and this is the only
way to purge them.

Thank you.

Comment 3 H. Peter Anvin 2005-10-03 21:28:26 UTC
I just verified proper operation on 2.6.12-1.1447_FC4smp, so this can definitely
be put to rest.