Bug 431183

Summary: utrace: PTRACE_POKEUSR_AREA corrupts ACR0
Product: Red Hat Enterprise Linux 5
Component: kernel
Version: 5.1
Hardware: s390x
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Keywords: Regression
Target Milestone: rc
Target Release: ---
Reporter: Jan Kratochvil <jan.kratochvil>
Assignee: Anton Arapov <anton>
QA Contact: Martin Jenner <mjenner>
CC: kernel-mgr, nobody, rlerch, roland
URL: http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-access.c?cvsroot=systemtap
Doc Type: Bug Fix
Doc Text: (s390)
Last Closed: 2009-01-20 19:42:03 UTC
Bug Blocks: 437932, 448732
Attachments: Fix. (flags: none)

Description Jan Kratochvil 2008-02-01 11:33:13 UTC
Description of problem:
Problem found by the GDB testsuite.

Version-Release number of selected component (if applicable):
kernel-2.6.18-75.el5.rm4.s390x (FAIL)
kernel-2.6.18-77.el5.s390x (FAIL)

kernel-2.6.18-53.el5.s390x (RHEL-5.1) surprisingly PASSes
kernel-2.6.9-67.0.1.EL.s390x (RHEL-4.6) PASSes

How reproducible:
Always.

Steps to Reproduce:
1. http://sourceware.org/systemtap/wiki/utrace/tests
2. Testcase there:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-access.c?cvsroot=systemtap

Actual results:
user-area-access: user-area-access.c:134: main: Assertion `memcmp (&u.user, &u2.user, sizeof u.byte) == 0' failed.
Aborted

Expected results:
<nothing>, rc=0

Additional info:
there is an s390x (only s390x) regression:
        kernel-2.6.18-53.el5.s390x
->
        kernel-2.6.18-75.el5.rm4.s390x

Reproducer so far on RHEL-5.1 with only the kernel upgraded:
wget http://porkchop.devel.redhat.com/brewroot/packages/gdb/6.5/37.el5/src/gdb-6.5-37.el5.src.rpm
rpmbuild -bc /usr/src/redhat/SPECS/gdb.spec
cd /usr/src/redhat/BUILD/gdb-6.5/build-s390x-redhat-linux-gnu/gdb/testsuite
runtest gdb.base/call-ar-st.exp
../gdb -nx -ex 'file gdb.base/call-ar-st' -ex 'b 1209' -ex 'r' -ex 'print print_double_array(double_array)' -ex 'print print_char_array(char_array)'
-> inferior SEGV

Testsuite regression against RHEL-5.1:
 (gdb) print print_char_array(char_array)
 array_c :
 =========

-Z
-aZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZ
-aZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZaZ
-aZaZaZaZaZaZaZaZaZa

-$2 = void
-(gdb) PASS: gdb.base/call-ar-st.exp: print print_char_array(char_array)
+Program received signal SIGSEGV, Segmentation fault.
+vfprintf@@GLIBC_2.4 () from /lib64/libc.so.6
+The program being debugged was signaled while in a function called from GDB.
+GDB remains in the frame where the signal was received.
+To change this behavior use "set unwindonsignal on"
+Evaluation of the expression containing the function (print_char_array) will be abandoned.
+(gdb) FAIL: gdb.base/call-ar-st.exp: print print_char_array(char_array) (pattern 3)

QA: Covered by the testcase `user-area-access' of `/kernel/syscalls/ptrace'.

Comment 1 RHEL Program Management 2008-02-01 11:38:54 UTC
This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being proposed as a blocker for this release.  

Please resolve ASAP.

Comment 2 Jan Kratochvil 2008-02-03 22:33:49 UTC
Created attachment 293842 [details]
Fix.

I hope this is an obvious fix, but surely the testsuites need to be rerun with it.
It is a regression from:
  linux-2.6-utrace-s390-regs-fixes.patch

Comment 3 Jan Kratochvil 2008-02-03 22:36:15 UTC
There still remains a regression since RHEL-4 for:
  biarch-tests/user-area-access
as currently the utrace kernels always zero, on 32-bit s390, the 4-byte aligned/unused area in between:
struct user_regs_struct {
...
    long unsigned int orig_gpr2;
<- HERE are 4 aligned bytes
    s390_fp_regs fp_regs;
...
};
I would rather fix the testcase - or do you rather fix the kernel to be
completely backward compatible?


Comment 4 Roland McGrath 2008-03-16 23:26:27 UTC
It looks to me like the RHEL-4 kernel is actually returning a word of nearby
kernel memory, not anything sane.  It is a bug and maybe even a security/safety
issue that lets you write that word with POKEUSR.  It should be an error or
ignored to try to write that word.  It should probably read back as zero rather
than garbage/internal information leak.  If anyone cared, you could file a RHEL4
bug for that.  So, fix the test case not to expect this to work.

I applied the other fix to upstream utrace, and we'll call this bug just about
that issue and not the padding word thing.  
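
Comments 3 and 4 turn on a padding word that the test's whole-struct memcmp compares but no member of struct user_regs_struct owns. The C below is an added illustration, not code from the ptrace-tests suite, GDB or the kernel: it uses a constructed stand-in for the layout quoted in Comment 3 (field sizes chosen so the hole appears on an ordinary 64-bit build, not copied from s390 headers), builds a byte mask from offsetof/sizeof of the leaf members, locates the hole, and shows that memcmp over sizeof the struct rejects a read-back copy whose padding the kernel zeroed while a member-wise compare accepts it, which is the shape of test-case fix Comment 4 asks for.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the 32-bit s390 layout quoted in Comment 3.
 * A 4-byte orig_gpr2 followed by an 8-byte-aligned fp_regs leaves a
 * 4-byte hole that no member name covers; fp_regs has a second hole
 * between its 4-byte fpc and the double array. */
struct mimic_fp_regs {
    unsigned int fpc;
    double fprs[16];
};

struct mimic_user_regs {
    unsigned int orig_gpr2;
    /* 4 bytes of compiler padding sit here ("<- HERE" in Comment 3) */
    struct mimic_fp_regs fp_regs;
};

struct byte_range { size_t off; size_t len; };

/* Byte range occupied by one (possibly nested) member of a type. */
#define MEMBER_RANGE(type, m) { offsetof(type, m), sizeof(((type *)0)->m) }

/* Leaf members only, so padding inside fp_regs is not masked as data. */
static const struct byte_range defined_members[] = {
    MEMBER_RANGE(struct mimic_user_regs, orig_gpr2),
    MEMBER_RANGE(struct mimic_user_regs, fp_regs.fpc),
    MEMBER_RANGE(struct mimic_user_regs, fp_regs.fprs),
};

/* Set mask[i] = 1 for every byte a declared member covers; return the
 * number of bytes left unmarked, i.e. the padding the compiler inserted. */
size_t mark_defined_bytes(unsigned char *mask, size_t size)
{
    size_t i, padding = 0;
    memset(mask, 0, size);
    for (i = 0; i < sizeof defined_members / sizeof defined_members[0]; i++)
        memset(mask + defined_members[i].off, 1, defined_members[i].len);
    for (i = 0; i < size; i++)
        if (!mask[i])
            padding++;
    return padding;
}

size_t count_padding_bytes(void)
{
    unsigned char mask[sizeof(struct mimic_user_regs)];
    return mark_defined_bytes(mask, sizeof mask);
}

/* Offset of the first padding byte, or the struct size if there is none. */
size_t first_padding_offset(void)
{
    unsigned char mask[sizeof(struct mimic_user_regs)];
    size_t i;
    mark_defined_bytes(mask, sizeof mask);
    for (i = 0; i < sizeof mask; i++)
        if (!mask[i])
            return i;
    return sizeof mask;
}

/* Member-wise comparison: bytes no member covers are ignored, unlike memcmp. */
int regs_equal_ignoring_padding(const struct mimic_user_regs *a,
                                const struct mimic_user_regs *b)
{
    unsigned char mask[sizeof *a];
    const unsigned char *pa = (const unsigned char *)a;
    const unsigned char *pb = (const unsigned char *)b;
    size_t i;
    mark_defined_bytes(mask, sizeof mask);
    for (i = 0; i < sizeof mask; i++)
        if (mask[i] && pa[i] != pb[i])
            return 0;
    return 1;
}

/* Model the round trip the test performs: 'written' is the area handed to
 * the kernel with every byte set, 'read_back' is what comes back when the
 * kernel reports the 4-byte padding word as zero (Comment 3's behaviour). */
static void build_round_trip(struct mimic_user_regs *written,
                             struct mimic_user_regs *read_back)
{
    size_t hole = first_padding_offset();
    memset(written, 0xAA, sizeof *written);   /* constructed fill pattern */
    written->orig_gpr2 = 42;
    written->fp_regs.fpc = 7;
    memcpy(read_back, written, sizeof *read_back);
    if (hole + 4 <= sizeof *read_back)
        memset((unsigned char *)read_back + hole, 0, 4);
}

/* 1: memcmp over sizeof the struct flags the zeroed padding as a mismatch. */
int demo_memcmp_sees_padding(void)
{
    struct mimic_user_regs w, r;
    build_round_trip(&w, &r);
    return memcmp(&w, &r, sizeof w) != 0;
}

/* 1: the member-wise compare accepts the same pair. */
int demo_masked_compare_accepts(void)
{
    struct mimic_user_regs w, r;
    build_round_trip(&w, &r);
    return regs_equal_ignoring_padding(&w, &r);
}
```

The mask is built from leaf members on purpose: masking fp_regs as a single range would silently treat its internal hole as data, which is the same mistake in miniature.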

Comment 7 Anton Arapov 2008-07-30 12:41:30 UTC
Regression was introduced by the patch in 2.6.18-60.el5 built on Fri Dec 14 2007:
- [utrace] s390 regs fixes (Roland McGrath ) [325451]


Comment 9 Don Zickus 2008-08-13 16:06:47 UTC
in kernel-2.6.18-104.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 12 Ryan Lerch 2008-10-15 00:55:35 UTC
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
(s390)

Comment 14 errata-xmlrpc 2009-01-20 19:42:03 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-0225.html