Bug 134831 - SEGV on return from signal handler with vDSO disabled
Summary: SEGV on return from signal handler with vDSO disabled
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 2
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Dave Jones
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-10-06 15:55 UTC by Christian Ehrhardt
Modified: 2015-01-04 22:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-04-16 06:09:05 UTC
Type: ---
Embargoed:


Description Christian Ehrhardt 2004-10-06 15:55:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.1) Gecko/20020921 Netscape/7.0

Description of problem:
A signal handler which doesn't provide its own sa_restorer
will return to address 0x00000440 if vDSO is disabled (the default
for this kernel version). This doesn't trigger with programs that
use libc because libc works around the bug by setting sa_restorer.

The problem is the following code from arch/i386/kernel/signal.c:455

  restorer = current->mm->context.vdso + (long)&__kernel_rt_sigreturn;

together with the way current->mm->context.vdso is set in
arch/i386/kernel/sysenter.c (map_vsyscall):

  if (unlikely(!vdso_enabled)) {
          current->mm->context.vdso = NULL;
          return;
  }
  addr = do_mmap(NULL, 0, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, 0);
  current->mm->context.vdso = (void *)addr;

The former is done without regard to the value of vdso_enabled but
it only works for the case where vdso_enabled is true.
&__kernel_rt_sigreturn is 0x440 which explains the location of the
segfault.

This doesn't affect the vanilla 2.6.8.1 kernel.


Version-Release number of selected component (if applicable):
kernel-2.6.8-1.521

How reproducible:
Always

Steps to Reproduce:
1. Set a user space handler for some signal, make sure that libc
   doesn't add an sa_restorer behind your back
2. Send the signal to the program.

Actual Results:  The program segfaults right before return to kernel space

Expected Results:  No segfault.

Additional info:
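
Added example, not part of the report or of the kernel tree: a C program that follows the two reproduction steps above (install a handler through the raw rt_sigaction syscall so libc cannot add an sa_restorer, then send the signal to itself), but supplies its own sa_restorer the way libc does, so the return path never depends on __kernel_rt_sigreturn in the vDSO. The trampoline is the same two instructions glibc uses (rt_sigreturn is syscall 15 on x86_64 and 173 on i386); the names my_restorer, install_handler, restorer_registered and deliver_and_return are constructed for this example. Reading the action back from the kernel confirms which restorer will be used on return.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SA_RESTORER
#define SA_RESTORER 0x04000000u   /* x86 value from the kernel's asm/signal.h */
#endif

/* The sigaction layout rt_sigaction(2) expects. It is not glibc's struct
 * sigaction: sa_restorer sits before sa_mask, and the mask is the fixed
 * 8-byte kernel sigset_t on both i386 and x86_64. */
struct kernel_sigaction {
    void (*handler)(int, void *, void *);
    unsigned long flags;
    void (*restorer)(void);
    unsigned char mask[8];
};

/* Our own return trampoline. The kernel stores its address as the handler's
 * return address, so "ret" from the handler lands here and we invoke
 * rt_sigreturn ourselves instead of relying on __kernel_rt_sigreturn in the
 * vDSO. This is exactly the workaround libc applies by setting sa_restorer. */
#if defined(__x86_64__)
__asm__(".text\n"
        ".globl my_restorer\n"
        ".type my_restorer,@function\n"
        "my_restorer:\n"
        "    mov $15, %eax\n"      /* __NR_rt_sigreturn on x86_64 */
        "    syscall\n");
#define HAVE_OWN_RESTORER 1
#elif defined(__i386__)
__asm__(".text\n"
        ".globl my_restorer\n"
        ".type my_restorer,@function\n"
        "my_restorer:\n"
        "    movl $173, %eax\n"    /* __NR_rt_sigreturn on i386 */
        "    int $0x80\n");
#define HAVE_OWN_RESTORER 1
#else
#define HAVE_OWN_RESTORER 0       /* other architectures: fall back to the kernel's restorer */
#endif
extern void my_restorer(void);

static volatile sig_atomic_t delivered;

/* SA_SIGINFO handler signature; we only record which signal arrived. */
static void handler(int sig, void *info, void *uctx) {
    (void)info;
    (void)uctx;
    delivered = sig;
}

/* Step 1 of the report: install the handler via the raw syscall so libc
 * cannot add an sa_restorer behind our back. SA_SIGINFO forces the rt frame,
 * which is the setup_rt_frame() path quoted in the description. Returns 0 on
 * success, -1 on failure. */
int install_handler(int sig) {
    struct kernel_sigaction ksa;
    memset(&ksa, 0, sizeof ksa);
    ksa.handler = handler;
    ksa.flags = SA_SIGINFO;
#if HAVE_OWN_RESTORER
    ksa.flags |= SA_RESTORER;
    ksa.restorer = my_restorer;
#endif
    return (int)syscall(SYS_rt_sigaction, sig, &ksa, (void *)0, sizeof ksa.mask);
}

/* Read the installed action back and report whether the kernel will return
 * through our restorer: 1 = yes, 0 = no, -1 = not applicable on this arch. */
int restorer_registered(int sig) {
    struct kernel_sigaction old;
    memset(&old, 0, sizeof old);
    if (syscall(SYS_rt_sigaction, sig, (void *)0, &old, sizeof old.mask) != 0)
        return 0;
#if HAVE_OWN_RESTORER
    return (old.flags & SA_RESTORER) != 0 && old.restorer == my_restorer;
#else
    return -1;
#endif
}

/* Step 2 of the report: send the signal to ourselves. Returns 1 only if the
 * handler ran and control came back here, i.e. the restorer path completed
 * instead of faulting. */
int deliver_and_return(int sig) {
    delivered = 0;
    if (install_handler(sig) != 0)
        return 0;
    kill(getpid(), sig);   /* single-threaded: handled before kill() returns */
    return delivered == sig;
}

int main(void) {
    int ok = deliver_and_return(SIGUSR1);
    printf("restorer registered: %d, handler returned cleanly: %d\n",
           restorer_registered(SIGUSR1), ok);
    return ok ? 0 : 1;
}
```

Dropping the SA_RESTORER flag and leaving restorer NULL in install_handler gives the exact configuration the report describes: the kernel then falls back to context.vdso + &__kernel_rt_sigreturn, which on the affected kernel is 0x440 when the vDSO is disabled.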

Comment 1 Roland McGrath 2004-10-27 06:58:12 UTC
The traditional stack trampoline can only work if the program has executable
stack, which I'm not sure you can tell just from thread state bits easy to check
in the signal code.  OTOH, if SA_RESTORER is not set and you have no vsyscall
page, then you are SOL if the signal stack isn't executable, so might as well
assume it is and crash there.

Comment 2 Dave Jones 2005-04-16 06:09:05 UTC
Fedora Core 2 has now reached end of life, and no further updates will be
provided by Red Hat.  The Fedora legacy project will be producing further kernel
updates for security problems only.

If this bug has not been fixed in the latest Fedora Core 2 update kernel, please
try to reproduce it under Fedora Core 3, and reopen if necessary, changing the
product version accordingly.

Thank you.