Red Hat Bugzilla – Bug 151847
Bad return address on signal stack breaks klibc
Last modified: 2015-01-04 17:17:56 EST
Description of problem:
I received a bug report from a user that Fedora kernels break klibc. The reason, it turns out, is that the topmost dword on the stack, which is supposed to point to a return handler (in the vsyscall page on stock kernels) is nonsensical.
This is a dump of the top of the stack from one instance:
0xbffff178: 0x00000420 0x00000002 0x00000000 0x00000000
0xbffff188: 0x0000007b 0x0000007b 0x00000000 0x080480a0
0xbffff198: 0x10000000 0xbffff454 0x00006639 0x00000000
0xbffff1a8: 0xbffff468 0xfffffdfe 0x00000001 0x00000000
0xbffff1b8: 0x0804836f 0x00000073 0x00200206 0xbffff454
0xbffff1c8: 0x0000007b 0x00000000 0x00000000 0x00000000
0xbffff1d8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbffff1e8: 0x00000000 0x00000000 0x00000000 0x00000000
0x00000420 is clearly not a return address.
The code that generates this address is modified in Fedora versus the stock kernel:
- restorer = &__kernel_sigreturn;
+ restorer = current->mm->context.vdso + (long)&__kernel_sigreturn;
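Review bot: the new expression only produces a usable restorer when current->mm->context.vdso holds the base of a vDSO that is actually mapped into the process; when it is not (the vdso-off configuration the reporter describes), the sum collapses to the bare link-time offset of __kernel_sigreturn, which is consistent with the small value 0x00000420 found at the top of the signal stack in the dump above. Signal frame setup should not push that value as the handler's return address in this case: either keep the previous fixed-page restorer as a fallback when the vDSO is absent, or compute the vDSO-relative address only when the mapping is known to exist, so that a handler that relies on the kernel-supplied trampoline, as klibc's does here, returns to mapped code.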
This apparently doesn't produce a valid image.
I have gotten one report that turning vdso on makes it work; I can't verify it because if I enable vdso my system crashes hard.
Steps to Reproduce:
1. Download klibc-1.0.4
2. Run klibc/tests/getint
3. Observe core dump. Setting a gdb breakpoint on the signal handler reveals the corrupt return address shown above.
Actual Results: Core dump
Expected Results: Test completion
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem. Please update to this new kernel, and
report whether or not it fixes your problem.
If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.
This bug has been automatically closed as part of a mass update.
It had been in NEEDINFO state since July 2005.
If this bug still exists in current errata kernels, please reopen this bug.
There are a large number of inactive bugs in the database, and this is the only
way to purge them.
I just verified proper operation on 2.6.12-1.1447_FC4smp, so this can definitely
be put to rest.