Bug 135848 - syscall() behaviour wrong when called using _syscall6 macro
Summary: syscall() behaviour wrong when called using _syscall6 macro
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 2
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2004-10-15 12:06 UTC by Jonas Maebe
Modified: 2007-11-30 22:10 UTC (History)
0 users

Clone Of:
Last Closed: 2004-10-16 07:30:43 UTC

Attachments (Terms of Use)
Test case to reproduce crash (765 bytes, text/plain)
2004-10-15 12:07 UTC, Jonas Maebe
no flags Details

Description Jonas Maebe 2004-10-15 12:06:22 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5 (KHTML, 
like Gecko) Safari/125.9

Description of problem:
This is the compiled code for syscall() in glibc:

0x0060e510 <syscall+0>: push   %edi
0x0060e511 <syscall+1>: push   %esi
0x0060e512 <syscall+2>: push   %ebx
0x0060e513 <syscall+3>: mov    0x24(%esp),%edi
0x0060e517 <syscall+7>: mov    0x20(%esp),%esi
0x0060e51b <syscall+11>:        mov    0x1c(%esp),%edx
0x0060e51f <syscall+15>:        mov    0x18(%esp),%ecx
0x0060e523 <syscall+19>:        mov    0x14(%esp),%ebx
0x0060e527 <syscall+23>:        mov    0x10(%esp),%eax
0x0060e52b <syscall+27>:        call   *%gs:0x10
0x0060e532 <syscall+34>:        pop    %ebx
0x0060e533 <syscall+35>:        pop    %esi
0x0060e534 <syscall+36>:        pop    %edi
0x0060e535 <syscall+37>:        cmp    $0xfffff001,%eax
0x0060e53a <syscall+42>:        jae    0x60e53d <syscall+45>
0x0060e53c <syscall+44>:        ret    
0x0060e53d <syscall+45>:        call   0x648ed6 <__i686.get_pc_thunk.cx>
0x0060e542 <syscall+50>:        add    $0x5faba,%ecx
0x0060e548 <syscall+56>:        mov    0xffffff3c(%ecx),%ecx
0x0060e54e <syscall+62>:        xor    %edx,%edx
0x0060e550 <syscall+64>:        sub    %eax,%edx
0x0060e552 <syscall+66>:        mov    %edx,%gs:0x0(%ecx)
0x0060e556 <syscall+70>:        or     $0xffffffff,%eax
0x0060e559 <syscall+73>:        jmp    0x60e53c <syscall+44>

The _syscall6() macro (in /usr/include/linux/unistd.h passes 6 parameters however. The 
last of these parameters should be loaded in %ebp before doing the syscall. Currently, this 
results in a bogus value to be passed as sixth parameter (the current value of ebp).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Compile and run the supplied demo program

Actual Results:  Bus error

Expected Results:  No error

Additional info:

The program works perfectly if "my_mmap" is replaced with glibc's mmap, because that 
one does not use the _syscall6() macro internally to call mmap2. You can use strace to 
verify that a bogus value is passed as 6th parameter to the mmap2 syscall with my 

Comment 1 Jonas Maebe 2004-10-15 12:07:38 UTC
Created attachment 105272 [details]
Test case to reproduce crash

Comment 2 Jakub Jelinek 2004-10-16 07:30:43 UTC
FYI glibc doesn't use linux/unistd.h _syscall* macros, but its own.
Although all the 6 argument syscalls in glibc are currently covered
by saner glibc interfaces, I have changed this upstream and the change
will make it into the next rawhide glibc build.

Comment 3 Jonas Maebe 2004-10-16 18:41:54 UTC

Note You need to log in before you can comment on or make changes to this bug.