134831 – SEGV on return from signal Handler with vDSO disabled

Bug 134831 - SEGV on return from signal Handler with vDSO disabled

Summary: SEGV on return from signal Handler with vDSO disabled

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	2
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Dave Jones
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-10-06 15:55 UTC by Christian Ehrhardt
Modified:	2015-01-04 22:10 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2005-04-16 06:09:05 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Christian Ehrhardt 2004-10-06 15:55:37 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.1)
Gecko/20020921 Netscape/7.0

Description of problem:
A signal handler which doesn't provide it's own sa_restorer
will return to Address 0x00000440 if vDSO is disabled (the default
for this kernel version). This doesn't trigger with programs that
use libc because libc works around the bug by setting sa_restorer.

The Problem is the following code from arch/i386/kernel/signal.c:455

  restorer = current->mm->context.vdso + (long)&__kernel_rt_sigreturn;

together with the way current->mm->context.vdso is set in
arch/i386/kernel/sysenter.c (map_vsyscall):

if (unlikely(!vdso_enabled)) {
        current->mm->context.vdso = NULL;
        return;
}
addr = do_mmap(NULL, 0, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, 0);
current->mm->context.vdso = (void *)addr;

The former is done without regrad to the value of vdso_enabled but
it only works for the case where vdso_enabled is true.
&__kernel_rt_sigreturn is 0x440 which explains the location of the
segfault.

This doesn't affect the vanilla 2.6.8.1 kernel.


Version-Release number of selected component (if applicable):
kernel-2.6.8-1.521

How reproducible:
Always

Steps to Reproduce:
1. Set a user space handler for some signal, make sure that libc
   doesn't add an sa_restorer behind your back
2. Send the signal to the program.
    

Actual Results:  The program segfaults right before return to kernel
space 

Expected Results:  No segfault.

Additional info:

Comment 1 Roland McGrath 2004-10-27 06:58:12 UTC

The traditional stack trampoline can only work if the program has executable
stack, which I'm not sure you can tell just from thread state bits easy to check
in the signal code.  OTOH, if SA_RESTORER is not set and you have no vsyscall
page, then you are SOL if the signal stack isn't executable, so might as well
assume it is and crash there.

Comment 2 Dave Jones 2005-04-16 06:09:05 UTC

Fedora Core 2 has now reached end of life, and no further updates will be
provided by Red Hat.  The Fedora legacy project will be producing further kernel
updates for security problems only.

If this bug has not been fixed in the latest Fedora Core 2 update kernel, please
try to reproduce it under Fedora Core 3, and reopen if necessary, changing the
product version accordingly.

Thank you.

Note You need to log in before you can comment on or make changes to this bug.