Bug 490938

Summary: [x86_64]: copy_user_c can zero more data than needed
Product: Red Hat Enterprise Linux 5 Reporter: Konstantin Khorenko <khorenko>
Component: kernelAssignee: Vitaly Mayatskikh <vmayatsk>
Status: CLOSED ERRATA QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium Docs Contact:
Priority: low    
Version: 5.3CC: anton, dhoward, dzickus, hdong, jpirko, qcai, vmayatsk
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-02 09:02:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 568305, 568307    

Description Konstantin Khorenko 2009-03-18 16:09:34 UTC 
Konstantin Khlebnikov from OpenVZ linux kernel team found that the code in x86_64 copy_user_c still contains an error after linux-2.6-x86_64-copy_user_c-assembler-can-leave-garbage-in-rsi.patch (bug# 456682, but i don't have permissions to see it).

The problem description:
copy_user_c:
...
    330         shrl $3,%ecx
    331         andl $7,%edx
    332 .Lc1:   rep
    333         movsq
    334         movl %edx,%ecx
    335 .Lc2:   rep
    336         movsb
    337         ret
    338
    339 .Lc1e:  movq %rcx,%rsi
    340 .Lc3:   rep
    341         stosq
    342 .Lc2ec: movl %edx,%ecx
    343 .Lc4:   rep
    344         stosb
    345 .Lc3e:  leaq (%rdx,%rsi,8),%rax
    346         ret
    347         /* %rsi contains source address - clear it */
    348 .Lc2e:  xorq %rsi,%rsi
    349         jmp .Lc2ec
...

* assume we want to write 7 bytes
* line 330: ecx == 0
* line 331: edx == 7
* assume we failed to copy in line 336 but NOT at the beginning of the writing, but failed to write, say, only the last byte. Then we jump to 348, having ecx == 1, edx == 7, rdi and rsi point to _6th_ byte from the beginning of the input/output buffers.
* 348, 349 -> 342
* 342: ecx == 7 now!
* 343, 344: we zero 7! bytes starting from the current rdi position, i.e. out of the buffer prepared for writing here => probable data corruption.

Suggested patch to fix this issue:
--- a/arch/x86_64/lib/copy_user.S       2009-03-18 17:55:38.000000000 +0300
+++ b/arch/x86_64/lib/copy_user.S       2009-03-18 17:58:09.000000000 +0300
@@ -339,14 +339,15 @@ copy_user_generic_c:
 .Lc1e: movq %rcx,%rsi
 .Lc3:  rep
        stosq
-.Lc2ec:        movl %edx,%ecx
+       movl %edx,%ecx
 .Lc4:  rep
        stosb
 .Lc3e: leaq (%rdx,%rsi,8),%rax
        ret
        /* %rsi contains source address - clear it */
 .Lc2e:  xorq %rsi,%rsi
-       jmp .Lc2ec
+       movl %ecx,%edx
+       jmp .Lc4
        CFI_ENDPROC
 END(copy_user_generic_c)

Please, fix the bug.
Comment 1 Konstantin Khorenko 2009-03-20 09:03:22 UTC 
just a reference: the same thing for RHEL4 kernel: bug# 491284
Comment 6 RHEL Program Management 2009-04-07 20:28:51 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 Don Zickus 2009-04-27 16:00:19 UTC 
in kernel-2.6.18-141.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team
has sent specific instructions indicating when to do so.  However feel free
to provide a comment indicating that this fix has been verified.
Comment 11 errata-xmlrpc 2009-09-02 09:02:58 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1243.html