Description of problem:

A program compiled on an x86 environment that is moved to an
AMD x86_64 (Opteron) system can cause an kernel seg fault. This
happens in cases when the program attempts to dump core. The
problem is in file fs/binfmt_elf.c in which array element
notes[3] is not filled and yet is referenced. This array is placed
on the stack. Should a zero be at that location on the stack a
seg fault will occur. When you get the seg fault is happens
all the time. If you recompile the kernel you may no longer
hit this - though garbage data on the stack will still be used.

Version-Release number of selected component (if applicable):

2.4.21-1.1931.2.393.entsmp

How reproducible:

Always

Steps to Reproduce:
1. On an x86 system compile the test program like so:
   gcc self_test.c -o self_test -lpthread
2. Copy the executable to an Opteron box and execute like so:
   ulimit -c unlimited
   LD_ASSUME_KERNEL=2.4.1 self_test 1
  
Actual results:
System may take a seg fault and generate an Oops message, depending
on how data lands on stack.

Expected results:
Test program should core dump

Additional info:

The problem is in file "fs/binfmt_elf.c".
The following line of code in procedure "elf_core_dump" may pass
an uninitialized value:
    sz += notesize(&notes[i]);

This was analyzed examining a stack dump and observing the following
instruction as the first instruction of strlen:
    cmpb   $0x0,(%rdi)

This was executed with %rdi as null. The failure may cause a seg
fault or may simply use a garbage value - this is entirely dependent
on stack contents as "notes[]" is on the stack in this routine.

Here is an excerpt of the current code followed by a re-write which
fixes the problem and is simpler code as well. (The actual code in
file is much longer. I removed all but the incorrect code to
illustrate error.)
----- bad code ---------------------------
static int elf_core_dump(long signr, struct pt_regs * regs, struct 
file * file)
{
	...
	int numnote = 5;
	struct memelfnote notes[5];

	fill_note(&notes[0], "CORE", NT_PRSTATUS, sizeof(prstatus), 
&prstatus);
	fill_note(&notes[1], "CORE", NT_PRPSINFO, sizeof(psinfo), 
&psinfo);
	fill_note(&notes[2], "CORE", NT_TASKSTRUCT, sizeof(*current), 
current);

#ifndef __x86_64__
  	/* Try to dump the FPU. */
	if ((prstatus.pr_fpvalid = elf_core_copy_task_fpregs(current, 
&fpu))) {
		fill_note(&notes[3], "CORE", NT_PRFPREG, sizeof(fpu), 
&fpu);
	} else {
		--numnote;
 	}
#else
	numnote --;
#endif 	
#ifdef ELF_CORE_COPY_XFPREGS
	if (elf_core_copy_task_xfpregs(current, &xfpu)) {
		fill_note(&notes[4], "LINUX", NT_PRXFPREG, sizeof
(xfpu), xfpu);
	} else {
		--numnote;
	}
#else
	numnote --;
#endif

	for(i = 0; i < numnote; i++)
		sz += notesize(&notes[i]);
------------------------------------------
The problem is with the two ifdef sections. On the AMD x86_64 the 
first ifdef
will be skipped. This leaves notes[3] uninitialized. But the second 
ifdef is
not skipped, thus notes[4] is filled in and the value of "numnote" is 
4.
This means that the for loop will call "notesize(&notes[3])" 
resulting in
notesize calling strlen on an element of a structure that was never
initialized. If the stack contained zero we get a seg fault, otherwise
garbage data is used. The fix follows. It has the advantage of making 
the
code simpler.
----- fixed code -------------------------
	int numnote = 0;
	struct memelfnote notes[5];

	fill_note(&notes[numnotes++], "CORE", NT_PRSTATUS, sizeof
(prstatus), 
&prstatus);
	fill_note(&notes[numnotes++], "CORE", NT_PRPSINFO, sizeof
(psinfo), 
&psinfo);
	fill_note(&notes[numnotes++], "CORE", NT_TASKSTRUCT, sizeof
(*current), 
current);

#ifndef __x86_64__
  	/* Try to dump the FPU. */
	if ((prstatus.pr_fpvalid = elf_core_copy_task_fpregs(current, 
&fpu))) {
		fill_note(&notes[numnotes++], "CORE", NT_PRFPREG, 
sizeof(fpu), 
&fpu);
	}
#endif 	
#ifdef ELF_CORE_COPY_XFPREGS
	if (elf_core_copy_task_xfpregs(current, &xfpu)) {
		fill_note(&notes[numnotes++], "LINUX", NT_PRXFPREG, 
sizeof
(xfpu), &xfpu);
	}
#endif
------------------------------------------