Bug 437712
Summary: | ptrace: PTRACE_SETREGS does not set RIP | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Jan Kratochvil <jan.kratochvil> |
Component: | kernel | Assignee: | Red Hat Kernel Manager <kernel-mgr> |
Status: | CLOSED NOTABUG | QA Contact: | Martin Jenner <mjenner> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 4.6 | CC: | kernel-mgr, roland |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-03-17 14:09:04 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Kratochvil
2008-03-16 22:13:42 UTC
If I'm reading that wdiff fragment correctly, the old rip value was 0x39d3f2e25d and you tried to set rip to 0x8786858483828180. Is that correct? User addresses on x86_64 cannot be above 0x7fffffffefff on recent kernels, or above 0x7fbfffffff of RHEL4 kernels. On most kernels, you can set any rip value you like via ptrace. For any invalid value (even the high ones that are permanently invalid), the thread will just get the normal signal when it resumes at the bad rip. On RHEL4, the fix for CAN-2005-1762 was kept conservative by making ptrace disallow setting an rip value that is too high to ever be a valid user address on that kernel. On upstream kernels, the issue was fixed a different way that was more invasive to deep kernel code, but did not affect the ptrace semantics in this way. If you try to set rip to the same value with PTRACE_POKEUSR, it will fail with -EIO. However, PTRACE_SETREGS just ignores all individual failures from setting bad values (e.g. also nonzero segment register values with either of the low two bits clear) and just sets what it can and returns success. So AFAICT, the issue is trying to set bogus values for rip. If the tests are constrained to permissible values, they should work OK on all kernels. Is that a sufficient workaround? (In reply to comment #3) > If I'm reading that wdiff fragment correctly, the old rip value was > 0x39d3f2e25d and you tried to set rip to 0x8786858483828180. Is that correct? Yes. > If you try to set rip to the same value with PTRACE_POKEUSR, it will fail with > -EIO. However, PTRACE_SETREGS just ignores all individual failures from > setting bad values Later I thought PTRACE_SETREGS should -EIO in such case but OK. > So AFAICT, the issue is trying to set bogus values for rip. If the tests are > constrained to permissible values, they should work OK on all kernels. > Is that a sufficient workaround? Yes, implemented for `user-regs-peekpoke'. Thanks for the explanation. |