Bug 112974 - (IT_19685) [patch] ptrace() doesn't reset page protection after write
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Version: 2.1
Platform: All Linux
Priority: medium  Severity: medium
Assigned To: Don Howard
QA Contact: Brian Brock
Blocks: 132992

Reported: 2004-01-06 16:56 EST by Don Howard
Modified: 2007-11-30 17:06 EST
Doc Type: Bug Fix
Last Closed: 2005-05-26 14:55:36 EDT

Attachments
Reset pte permissions after ptrace() write operations. (1.37 KB, patch)
2004-01-06 16:58 EST, Don Howard
Description Don Howard 2004-01-06 16:56:12 EST
Compiled with gcc 3.2 with the -g flag.

//fred.c
#include <stdio.h>
#include <string.h>     /* declares strcpy(); the original listing relied on an implicit declaration */

int main(int argc, char *argv[]) {
        char *name = "Sam";     /* points at a string literal, which lives in a read-only page */

        char * s = name;
        strcpy(name,"Tim");     /* store into the read-only page: expected to segfault */
        s[0] = 'P';
        printf("%s\n",name);
        return 0;
}

It seg faults at strcpy while running normally, but runs fine when I step
through it. It is expected to seg fault.

----
gcc 3.2
gdb 5.2-2

***RUNNING FROM SHELL****
[limt@mholden ~/projects]$ gcc3 -g fred.c
[limt@mholden ~/projects]$ ./a.out
Segmentation fault

***RUNNING IN GDB*****
[limt@mholden ~/projects]$ gdb ./a.out
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) break main
Breakpoint 1 at 0x804845d: file fred.c, line 4.
(gdb) run
Starting program: /home/limt/projects/a.out

Breakpoint 1, main (argc=1, argv=0xbffff654) at fred.c:4
4               char *name = "Sam";
(gdb) c
Continuing.
Pim

Program exited normally.
(gdb)

----------
Action by: dhoward
This appears to be a kernel ptrace() issue.  The kernel changes page protection when a breakpoint is set via ptrace(), but does not appear to reset the protection.
Comment 1 Don Howard 2004-01-06 16:58:23 EST
Created attachment 96794
Reset pte permissions after ptrace() write operations.
Comment 2 Don Howard 2004-01-09 17:33:11 EST
This corner case is also present in taroon, but pte manipulation  
has been moved out of ptrace(), which makes fixing it more tricky. 
Comment 3 Roland McGrath 2004-02-04 19:12:32 EST
FYI, a fix for this is on queue in 2.6 development, maybe for 2.6.3 or
later.  I have not looked into backporting that to RHEL3 or RHEL2.1.
Comment 4 Don Howard 2004-03-12 16:10:34 EST
Roland, do you have any specific objection to the pensacola patch 
that I posted? 
Comment 10 Don Howard 2005-02-14 16:59:04 EST
I've backported Roland's work from 2.6 to taroon (maybe_mkwrite() for
pte's), and have it working.

I'm having trouble with the backport for pensacola though - I see
machine freezes when updating the pte in handle_pte_fault().

After doing it both ways, I believe that my original patch is safe and
I've verified (again) that it does fix the reported problem.
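The following is an added regression check for the behaviour discussed in the description and in Comment 10; it is not code from this bug report, from the attached patch, or from the RHEL kernel. It assumes a Linux host on which a process may ptrace its own forked child (PTRACE_TRACEME). A tracer writes one word into a read-only page of the child with PTRACE_POKEDATA, which is what a debugger does when it sets a breakpoint or patches memory, and then lets the child attempt an ordinary store to the same page. On a kernel that leaves the page protection as it was (the maybe_mkwrite() behaviour Comment 10 backports), the child still dies with SIGSEGV, exactly as fred.c does outside the debugger; on a kernel with the bug reported here, the child's store succeeds and it exits normally. All names, the padded rodata_target array and the exit code 77 are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed read-only data: placed in .rodata like the "Sam" literal in
 * fred.c, padded so that one whole machine word can be peeked and poked. */
static const char rodata_target[sizeof(long) * 2] = "Sam";

/* Child body shared by both checks: an ordinary store into the read-only
 * page. The volatile pointer keeps the compiler from optimising it away. */
static void child_write_to_rodata(void)
{
    volatile char *p = (volatile char *)(uintptr_t)rodata_target;
    p[0] = 'P';
    _exit(0);               /* only reached if the store did NOT fault */
}

/* Baseline without a debugger: a store to .rodata must raise SIGSEGV.
 * Returns 1 if the child was killed by SIGSEGV, 0 otherwise. */
int literal_write_faults(void)
{
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) child_write_to_rodata();
    int st;
    if (waitpid(pid, &st, 0) != pid) return 0;
    return WIFSIGNALED(st) && WTERMSIG(st) == SIGSEGV;
}

/* The ptrace case. Returns 1 if the child still faults after the tracer's
 * write (page protection preserved), 0 if the child's store succeeded (the
 * bug from this report), and -1 if ptrace cannot be used in this environment. */
int ptrace_write_keeps_page_readonly(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(77);  /* 77: constructed "no ptrace" code */
        raise(SIGSTOP);                 /* let the tracer patch memory first */
        child_write_to_rodata();
    }
    int st;
    if (waitpid(pid, &st, 0) != pid) return -1;
    if (WIFEXITED(st) && WEXITSTATUS(st) == 77) return -1;
    if (!WIFSTOPPED(st)) return -1;

    /* Read one word from the child's read-only page, change its first byte
     * and write it back through ptrace, as gdb would. */
    void *addr = (void *)(uintptr_t)rodata_target;
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, addr, NULL);
    if (word == -1 && errno != 0) { kill(pid, SIGKILL); waitpid(pid, &st, 0); return -1; }
    unsigned char bytes[sizeof(long)];
    memcpy(bytes, &word, sizeof word);  /* bytes[0] is the byte at the lowest address */
    bytes[0] = 'T';
    memcpy(&word, bytes, sizeof word);
    if (ptrace(PTRACE_POKEDATA, pid, addr, (void *)word) < 0) {
        kill(pid, SIGKILL); waitpid(pid, &st, 0); return -1;
    }

    /* Resume the child and forward any signal it stops on; it either exits
     * normally (page left writable) or is killed by the forwarded SIGSEGV. */
    int sig = 0;
    for (;;) {
        if (ptrace(PTRACE_CONT, pid, NULL, (void *)(intptr_t)sig) < 0) return -1;
        if (waitpid(pid, &st, 0) != pid) return -1;
        if (WIFEXITED(st)) return 0;
        if (WIFSIGNALED(st)) return WTERMSIG(st) == SIGSEGV ? 1 : -1;
        sig = WIFSTOPPED(st) ? WSTOPSIG(st) : 0;
    }
}

int main(void)
{
    printf("plain store to .rodata faults:      %s\n",
           literal_write_faults() ? "yes" : "NO");
    int r = ptrace_write_keeps_page_readonly();
    printf("page still read-only after ptrace:  %s\n",
           r == 1 ? "yes" : r == 0 ? "NO (bug present)" : "ptrace unavailable");
    return 0;
}
```

On a kernel with the fix, the tracer's write is satisfied by copy-on-write into a private page whose PTE stays write-protected because the mapping lacks VM_WRITE, so the child's own store still faults; the check reports 1. A result of 0 is the condition this bug describes: the debugger's write left the page writable and the program behaves differently under the debugger than outside it.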
Comment 14 Don Howard 2005-06-09 17:30:05 EDT
After internal review, this patch has been deemed to be high-risk and the impact
of the bug is not great enough to warrant fixing at this point in 2.1.
