135848 – syscall() behaviour wrong when called using _syscall6 macro

Bug 135848 - syscall() behaviour wrong when called using _syscall6 macro

Summary: syscall() behaviour wrong when called using _syscall6 macro

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	glibc
Sub Component:
Version:	2
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Jakub Jelinek
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-10-15 12:06 UTC by Jonas Maebe
Modified:	2007-11-30 22:10 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2004-10-16 07:30:43 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Test case to reproduce crash (765 bytes, text/plain) 2004-10-15 12:07 UTC, Jonas Maebe	no flags	Details
View All

Description Jonas Maebe 2004-10-15 12:06:22 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, 
like Gecko) Safari/125.9

Description of problem:
This is the compiled code for syscall() in glibc:

0x0060e510 <syscall+0>: push   %edi
0x0060e511 <syscall+1>: push   %esi
0x0060e512 <syscall+2>: push   %ebx
0x0060e513 <syscall+3>: mov    0x24(%esp),%edi
0x0060e517 <syscall+7>: mov    0x20(%esp),%esi
0x0060e51b <syscall+11>:        mov    0x1c(%esp),%edx
0x0060e51f <syscall+15>:        mov    0x18(%esp),%ecx
0x0060e523 <syscall+19>:        mov    0x14(%esp),%ebx
0x0060e527 <syscall+23>:        mov    0x10(%esp),%eax
0x0060e52b <syscall+27>:        call   *%gs:0x10
0x0060e532 <syscall+34>:        pop    %ebx
0x0060e533 <syscall+35>:        pop    %esi
0x0060e534 <syscall+36>:        pop    %edi
0x0060e535 <syscall+37>:        cmp    $0xfffff001,%eax
0x0060e53a <syscall+42>:        jae    0x60e53d <syscall+45>
0x0060e53c <syscall+44>:        ret    
0x0060e53d <syscall+45>:        call   0x648ed6 <__i686.get_pc_thunk.cx>
0x0060e542 <syscall+50>:        add    $0x5faba,%ecx
0x0060e548 <syscall+56>:        mov    0xffffff3c(%ecx),%ecx
0x0060e54e <syscall+62>:        xor    %edx,%edx
0x0060e550 <syscall+64>:        sub    %eax,%edx
0x0060e552 <syscall+66>:        mov    %edx,%gs:0x0(%ecx)
0x0060e556 <syscall+70>:        or     $0xffffffff,%eax
0x0060e559 <syscall+73>:        jmp    0x60e53c <syscall+44>


The _syscall6() macro (in /usr/include/linux/unistd.h passes 6 parameters however. The 
last of these parameters should be loaded in %ebp before doing the syscall. Currently, this 
results in a bogus value to be passed as sixth parameter (the current value of ebp).

Version-Release number of selected component (if applicable):
glibc-2.3.3-27

How reproducible:
Always

Steps to Reproduce:
1. Compile and run the supplied demo program
    

Actual Results:  Bus error

Expected Results:  No error

Additional info:

The program works perfectly if "my_mmap" is replaced with glibc's mmap, because that 
one does not use the _syscall6() macro internally to call mmap2. You can use strace to 
verify that a bogus value is passed as 6th parameter to the mmap2 syscall with my 
version.

Comment 1 Jonas Maebe 2004-10-15 12:07:38 UTC

Created attachment 105272 [details]
Test case to reproduce crash

Comment 2 Jakub Jelinek 2004-10-16 07:30:43 UTC

FYI glibc doesn't use linux/unistd.h _syscall* macros, but its own.
Although all the 6 argument syscalls in glibc are currently covered
by saner glibc interfaces, I have changed this upstream and the change
will make it into the next rawhide glibc build.
http://sources.redhat.com/ml/libc-hacker/2004-10/msg00020.html

Comment 3 Jonas Maebe 2004-10-16 18:41:54 UTC

Thanks!

Note You need to log in before you can comment on or make changes to this bug.