Bug 135848 - syscall() behaviour wrong when called using _syscall6 macro
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: glibc
Version: 2
Hardware: i686 Linux
Priority: medium
Severity: high
Assigned To: Jakub Jelinek
Reported: 2004-10-15 08:06 EDT by Jonas Maebe
Modified: 2007-11-30 17:10 EST

Doc Type: Bug Fix
Last Closed: 2004-10-16 03:30:43 EDT

Attachments
Test case to reproduce crash (765 bytes, text/plain)
2004-10-15 08:07 EDT, Jonas Maebe
Description Jonas Maebe 2004-10-15 08:06:22 EDT
Description of problem:
This is the compiled code for syscall() in glibc:

0x0060e510 <syscall+0>:  push   %edi
0x0060e511 <syscall+1>:  push   %esi
0x0060e512 <syscall+2>:  push   %ebx
0x0060e513 <syscall+3>:  mov    0x24(%esp),%edi
0x0060e517 <syscall+7>:  mov    0x20(%esp),%esi
0x0060e51b <syscall+11>: mov    0x1c(%esp),%edx
0x0060e51f <syscall+15>: mov    0x18(%esp),%ecx
0x0060e523 <syscall+19>: mov    0x14(%esp),%ebx
0x0060e527 <syscall+23>: mov    0x10(%esp),%eax
0x0060e52b <syscall+27>: call   *%gs:0x10
0x0060e532 <syscall+34>: pop    %ebx
0x0060e533 <syscall+35>: pop    %esi
0x0060e534 <syscall+36>: pop    %edi
0x0060e535 <syscall+37>: cmp    $0xfffff001,%eax
0x0060e53a <syscall+42>: jae    0x60e53d <syscall+45>
0x0060e53c <syscall+44>: ret
0x0060e53d <syscall+45>: call   0x648ed6 <__i686.get_pc_thunk.cx>
0x0060e542 <syscall+50>: add    $0x5faba,%ecx
0x0060e548 <syscall+56>: mov    0xffffff3c(%ecx),%ecx
0x0060e54e <syscall+62>: xor    %edx,%edx
0x0060e550 <syscall+64>: sub    %eax,%edx
0x0060e552 <syscall+66>: mov    %edx,%gs:0x0(%ecx)
0x0060e556 <syscall+70>: or     $0xffffffff,%eax
0x0060e559 <syscall+73>: jmp    0x60e53c <syscall+44>


The _syscall6() macro (in /usr/include/linux/unistd.h) passes 6 parameters, however. The
last of these parameters should be loaded in %ebp before doing the syscall. Currently, this
results in a bogus value being passed as the sixth parameter (the current value of ebp).

Version-Release number of selected component (if applicable):
glibc-2.3.3-27

How reproducible:
Always

Steps to Reproduce:
1. Compile and run the supplied demo program

Actual Results:  Bus error

Expected Results:  No error

Additional info:

The program works perfectly if "my_mmap" is replaced with glibc's mmap, because that 
one does not use the _syscall6() macro internally to call mmap2. You can use strace to 
verify that a bogus value is passed as 6th parameter to the mmap2 syscall with my 
version.
Comment 1 Jonas Maebe 2004-10-15 08:07:38 EDT
Created attachment 105272 [details]
Test case to reproduce crash
Comment 2 Jakub Jelinek 2004-10-16 03:30:43 EDT
FYI glibc doesn't use linux/unistd.h _syscall* macros, but its own.
Although all the 6 argument syscalls in glibc are currently covered
by saner glibc interfaces, I have changed this upstream and the change
will make it into the next rawhide glibc build.
http://sources.redhat.com/ml/libc-hacker/2004-10/msg00020.html
Comment 3 Jonas Maebe 2004-10-16 14:41:54 EDT
Thanks!
