First Last Prev Next    This bug is not in your last search results.
Bug 134831 - SEGV on return from signal Handler with vDSO disabled
SEGV on return from signal Handler with vDSO disabled
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
2
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Dave Jones
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-10-06 11:55 EDT by Christian Ehrhardt
Modified: 2015-01-04 17:10 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-16 02:09:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Christian Ehrhardt 2004-10-06 11:55:37 EDT 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.1)
Gecko/20020921 Netscape/7.0

Description of problem:
A signal handler which doesn't provide it's own sa_restorer
will return to Address 0x00000440 if vDSO is disabled (the default
for this kernel version). This doesn't trigger with programs that
use libc because libc works around the bug by setting sa_restorer.

The Problem is the following code from arch/i386/kernel/signal.c:455

  restorer = current->mm->context.vdso + (long)&__kernel_rt_sigreturn;

together with the way current->mm->context.vdso is set in
arch/i386/kernel/sysenter.c (map_vsyscall):

if (unlikely(!vdso_enabled)) {
        current->mm->context.vdso = NULL;
        return;
}
addr = do_mmap(NULL, 0, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, 0);
current->mm->context.vdso = (void *)addr;

The former is done without regrad to the value of vdso_enabled but
it only works for the case where vdso_enabled is true.
&__kernel_rt_sigreturn is 0x440 which explains the location of the
segfault.

This doesn't affect the vanilla 2.6.8.1 kernel.


Version-Release number of selected component (if applicable):
kernel-2.6.8-1.521

How reproducible:
Always

Steps to Reproduce:
1. Set a user space handler for some signal, make sure that libc
   doesn't add an sa_restorer behind your back
2. Send the signal to the program.
    

Actual Results:  The program segfaults right before return to kernel
space 

Expected Results:  No segfault.

Additional info:
Comment 1 Roland McGrath 2004-10-27 02:58:12 EDT 
The traditional stack trampoline can only work if the program has executable
stack, which I'm not sure you can tell just from thread state bits easy to check
in the signal code.  OTOH, if SA_RESTORER is not set and you have no vsyscall
page, then you are SOL if the signal stack isn't executable, so might as well
assume it is and crash there.
Comment 2 Dave Jones 2005-04-16 02:09:05 EDT 
Fedora Core 2 has now reached end of life, and no further updates will be
provided by Red Hat.  The Fedora legacy project will be producing further kernel
updates for security problems only.

If this bug has not been fixed in the latest Fedora Core 2 update kernel, please
try to reproduce it under Fedora Core 3, and reopen if necessary, changing the
product version accordingly.

Thank you.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.