Bug 64147

Summary: kstat_read_proc() overflow
Product: [Retired] Red Hat Linux Reporter: Heather Conway <conway_heather>
Component: kernelAssignee: Arjan van de Ven <arjanv>
Status: CLOSED CURRENTRELEASE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: gary_lerhaupt, john_hull, matt_domsch, sct
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-02-13 18:17:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
vsnprintf-fix.patch
none
stat-fix.patch none

Description Heather Conway 2002-04-26 16:30:01 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
Whenever kstat_read_proc() in fs/proc/proc_misc.c is called,it's trashing the 
first 95 bytes in the the virtual
page which follows the page that is legitimately being written
to by kstat_read_proc().



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Comments in this file indicate that overflow off the end of the
page is a definite possibility and is handled gracefully.  I have
used the linux kdb in-kernel debugger from SGI to see the actual
corrupted pages.  The ASCII text written by kstat_read_proc() can
be seen overflowing from the virtual page before the corruption
over to the (in our case) first 95 bytes of the next page.  The
case I've debugged caused a panic in the kmem_cache subsystem because
the slab header of a buffer_header slab was corrupted.  I have also
seem the same text strings corrupting various files on our system.
This evidence combined with the high potential that the page being
corrupted is a data buffer leads me to believe that this bug could
easily cause data corruption.

RedHat added a call to print_tux_procinfo() to both the 2.4.9-31
and 2.4.3-12 versions of kstat_read_proc().  Despite the fact that
we have only seen this problem occur with the 2.4.9-31 kernel, it
has not been shown that the problem cannot/will not occur with the
2.4.3-12 kernel also.  We have commented out this call to print_tux_procinfo()
and not seen the problem again.	

Additional info:
Comment 1 Arjan van de Ven 2002-04-26 16:40:17 UTC 
Thanks for this debugging!

(oh and I assume you used the kdb kernel we ship.. at least I hope you didn't
have to go through all the trouble of getting that to work with our kernels
yourself ;
)
Comment 2 Ben LaHaise 2002-04-27 00:16:16 UTC 
The following two patches should fix the problem.
Comment 3 Ben LaHaise 2002-04-27 00:18:05 UTC 
Created attachment 55564 [details]
vsnprintf-fix.patch
Comment 4 Ben LaHaise 2002-04-27 00:20:43 UTC 
Created attachment 55565 [details]
stat-fix.patch
Comment 5 Matt Domsch 2002-07-18 19:13:35 UTC 
Both of the above patches are included in the first Pensacola errata kernel 
2.4.9-e.5.
Comment 6 Matt Domsch 2002-08-12 18:52:23 UTC 
This appears to still be an outstanding issue with the 2.4.9-34 errata kernel 
(latest released for 7.1/7.2), but is not a problem with Hampton or Milan.  
Please look to include this into the next 7.[12] errata kernel.
Comment 7 Arjan van de Ven 2002-08-12 18:57:04 UTC 
oh this will be fixed that way, sure
Comment 8 Matt Domsch 2003-02-13 18:17:31 UTC 
Milan kernel 2.4.18-14 and errata kernels released after that have this 
fixed.  Closing.