Bug 147666 - Memory corruption when reading /proc/kcore
Summary: Memory corruption when reading /proc/kcore
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Version: 2.1
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Don Howard
QA Contact: Brian Brock
URL: http://marc.theaimsgroup.com/?t=11073...
Whiteboard:
Depends On:
Blocks:
Reported: 2005-02-10 08:59 UTC by Martin Wilck
Modified: 2007-11-30 22:06 UTC (History)

Fixed In Version: RHSA-2007-0013
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-01-17 10:14:02 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2007:0013
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: kernel security update
Last Updated: 2007-01-17 10:13:36 UTC

Description Martin Wilck 2005-02-10 08:59:15 UTC
Description of problem:
Possible memory corruption when /proc/kcore is read


Version-Release number of selected component (if applicable):
2.4.9-e.57


How reproducible:
dd if=/proc/kcore of=/tmp/kcore bs=4k count=10
(if necessary, repeat a few times)

Steps to Reproduce:
see above
  
Actual results:
Various; usually the machine freezes after some /proc/kcore reads.

Expected results:
No problems, /proc/kcore is correctly read.

Additional info:
The problem is that the size of the kcore header is calculated incorrectly if
there are lots of VMAs. The reason is that the size of the data fields in the
ELF notes is not accounted for in get_kcore_size() (fs/proc/kcore.c).


RH's Ernie Petrides has posted a patch for this to LKML.
http://marc.theaimsgroup.com/?t=110739734900006&r=1&w=2

It was accepted by Marcelo into 2.4 mainline.
http://linux.bkbits.net:8080/linux-2.4/cset@42024081gb19vludDwvjkxZjV0NvPg?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/kcore.c

In 2.6 the problem has been fixed for 1.5 years.
ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.5/2.5.69/2.5.69-mm9/broken-out/proc-kcore-rework.patch

BUG 141394 contains references to this problem for RHEL3.
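
The sizing mistake described under "Additional info" can be modelled in a few lines. The C below is an added example written for this page; it is not code from the report, from fs/proc/kcore.c, or from the LKML patch. It compares an estimate that counts only the three note headers against the bytes a kcore header actually occupies once each note's padded name and descriptor data are included, and finds the VMA count at which the under-estimate, after PAGE_ALIGN slack is used up, first falls short of what gets written. All structure sizes (ELF32 header, program header, note header, elf_prstatus, elf_prpsinfo) are assumptions, and the task_struct size is a constructed placeholder, so the exact crossover count is illustrative only; the shape of the failure (fine with few VMAs, undersized buffer with many) is what the example demonstrates.

```c
#include <stdio.h>

/* Model of the /proc/kcore ELF header size estimate, built for this page.
 * The sizes below are assumptions (ELF32 i386 layouts); the task_struct size
 * is a constructed placeholder, not a value taken from the RHEL 2.1 kernel. */
#define PAGE_SIZE        4096UL
#define PAGE_ALIGN(x)    (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
#define ROUNDUP4(x)      (((x) + 3UL) & ~3UL)

#define SZ_ELFHDR        52UL   /* assumed sizeof(Elf32_Ehdr) */
#define SZ_PHDR          32UL   /* assumed sizeof(Elf32_Phdr) */
#define SZ_NHDR          12UL   /* assumed sizeof(Elf32_Nhdr): namesz, descsz, type */
#define SZ_NOTE_NAME     5UL    /* "CORE" plus terminating NUL */
#define SZ_PRSTATUS      144UL  /* assumed sizeof(struct elf_prstatus), i386 */
#define SZ_PRPSINFO      124UL  /* assumed sizeof(struct elf_prpsinfo), i386 */
#define SZ_TASK_STRUCT   1024UL /* constructed placeholder for sizeof(struct task_struct) */

/* Bytes one ELF note occupies in the file: header + padded name + padded descriptor. */
static unsigned long note_bytes(unsigned long descsz)
{
    return SZ_NHDR + ROUNDUP4(SZ_NOTE_NAME) + ROUNDUP4(descsz);
}

/* Bytes the header writer emits for nvma vmlist entries: the ELF header,
 * one program header per VMA plus two fixed ones, and three full notes. */
unsigned long kcore_header_bytes_written(unsigned long nvma)
{
    return SZ_ELFHDR + (nvma + 2) * SZ_PHDR
         + note_bytes(SZ_PRSTATUS) + note_bytes(SZ_PRPSINFO)
         + note_bytes(SZ_TASK_STRUCT);
}

/* Estimate in the style the report describes as broken: only the three note
 * headers are counted, the name and descriptor data of each note are not.
 * PAGE_ALIGN slack hides the shortfall while the VMA count is small. */
unsigned long kcore_header_estimate_buggy(unsigned long nvma)
{
    return PAGE_ALIGN(SZ_ELFHDR + (nvma + 2) * SZ_PHDR + 3 * SZ_NHDR);
}

/* Estimate that accounts for every note in full (what a fix has to do). */
unsigned long kcore_header_estimate_fixed(unsigned long nvma)
{
    return PAGE_ALIGN(kcore_header_bytes_written(nvma));
}

/* Smallest VMA count in 1..limit at which the buggy estimate is smaller than
 * the bytes written, i.e. where the header write runs past its buffer.
 * Returns 0 if no such count exists within the limit. */
unsigned long first_overflowing_vma_count(unsigned long limit)
{
    for (unsigned long n = 1; n <= limit; n++)
        if (kcore_header_bytes_written(n) > kcore_header_estimate_buggy(n))
            return n;
    return 0;
}

int main(void)
{
    unsigned long n = first_overflowing_vma_count(100000);
    printf("buggy estimate first undersizes the buffer at %lu VMAs: "
           "%lu bytes written into %lu allocated\n",
           n, kcore_header_bytes_written(n), kcore_header_estimate_buggy(n));
    printf("fixed estimate at the same VMA count: %lu bytes\n",
           kcore_header_estimate_fixed(n));
    return 0;
}
```

With these assumed sizes the under-estimate is harmless for small vmlists, because rounding the buffer up to a page boundary leaves more than enough room for the uncounted note data; it fails only once the per-VMA program headers have consumed that slack, which matches the report's observation that the problem appears when there are lots of VMAs (module mappings, vmalloc areas) and may take several reads to trigger.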

Comment 1 Martin Wilck 2005-02-10 09:05:53 UTC
According to Ernie, this was accepted into the RHEL-U3 patch set.
The patch is pretty small and can hardly break stuff, so it'd be nice to see it
in AS2.1 ASAP, too.


Comment 2 Suzanne Hillman 2005-02-10 20:55:55 UTC
As of February 7th, all new requests must go through Issue Tracker. If you have
further questions or need more information, please go through your partner manager.

Comment 4 Ernie Petrides 2005-02-25 23:57:53 UTC
Jim, please note that bug 141394 has been deemed to be caused by some other
problem, which is yet unsolved.  The RHEL3 bugs resolved by the /proc/kcore
fix are 132838, 133905, 134988, and 136317.

Comment 8 Don Howard 2006-10-20 00:04:13 UTC
I've picked this issue up.  There seems to be another bug in /proc/kcore on 2.1:
I can consistently crash the machine by repeatedly reading the kcore.  The crash
appears to be due to an unmapped region in the vmlist:

crash>  p vmlist
vmlist = $7 = (struct vm_struct *) 0xc14f1a00
crash> list -s vm_struct vm_struct.next 0xc14f1a00 | less  
     . . . 
ced68ca0
struct vm_struct {
  flags = 2,
  addr = 0xd08c3000,
  size = 20480,
  next = 0xcde37240
}
cde37240
struct vm_struct {
  flags = 2,
  addr = 0xd08c8000,
  size = 8192,
  next = 0xc14f1900
}
c14f1900
struct vm_struct {
  flags = 2,
  addr = 0xd08cf000,
  size = 36864,
  next = 0xc14f12c0
}
...


crash> kmem 0xd08c3000
d08c3000 (m) (autofs module)

VM_STRUCT     ADDRESS RANGE       SIZE
ced68ca0   d08c3000 - d08c8000   20480

  PAGE    PHYSICAL   MAPPING    INDEX CNT FLAGS
c13cea1c   e553000         0         0  1
crash> kmem 0xd08cf000
d08cf000 (m) (3c59x module)

VM_STRUCT     ADDRESS RANGE       SIZE
c14f1900   d08cf000 - d08d8000   36864

  PAGE    PHYSICAL   MAPPING    INDEX CNT FLAGS
c13e15bc   e9bb000         0         0  1
crash> kmem 0xd08c8000
d08c8000: address not found


Is it kosher for there to be unmapped regions in the vmlist?
It would seem not.


Comment 9 Don Howard 2006-11-09 21:03:14 UTC
See BZ 213567 for more regarding comment #8.

Comment 12 Mike Gahagan 2006-12-19 20:00:00 UTC
I couldn't recreate the crash with e.70, however I have verified that the fix is
in as part of linux-2.4.26-updates.patch and that patch is being applied in e.71.

Comment 14 Red Hat Bugzilla 2007-01-17 10:14:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0013.html


