Bug 151847 - Bad return address on signal stack breaks klibc
Product: Fedora
Classification: Fedora
Component: kernel
Hardware: i386
OS: Linux
Priority: medium
Severity: high
Assigned To: Dave Jones
Brian Brock
Reported: 2005-03-22 16:01 EST by H. Peter Anvin
Modified: 2015-01-04 17:17 EST (History)
Fixed In Version: kernel-2.6.12-1.1372_FC3
Doc Type: Bug Fix
Last Closed: 2005-10-02 20:36:43 EDT

Attachments: None
Description H. Peter Anvin 2005-03-22 16:01:14 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.6) Gecko/20050302 Firefox/1.0.1 Fedora/1.0.1-1.3.2

Description of problem:
I received a bug report from a user that Fedora kernels break klibc.  The reason, it turns out, is that the topmost dword on the stack, which is supposed to point to a return handler (in the vsyscall page on stock kernels), is nonsensical.

This is a dump of the top of the stack from one instance:

0xbffff178:     0x00000420      0x00000002      0x00000000      0x00000000
0xbffff188:     0x0000007b      0x0000007b      0x00000000      0x080480a0
0xbffff198:     0x10000000      0xbffff454      0x00006639      0x00000000
0xbffff1a8:     0xbffff468      0xfffffdfe      0x00000001      0x00000000
0xbffff1b8:     0x0804836f      0x00000073      0x00200206      0xbffff454
0xbffff1c8:     0x0000007b      0x00000000      0x00000000      0x00000000
0xbffff1d8:     0x00000000      0x00000000      0x00000000      0x00000000
0xbffff1e8:     0x00000000      0x00000000      0x00000000      0x00000000

0x00000420 is clearly not a return address.

The code that generates this address is modified in Fedora versus the stock kernel:

-       restorer = &__kernel_sigreturn;
+       restorer = current->mm->context.vdso + (long)&__kernel_sigreturn;
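Review bot: the `+` line has no fallback for a process with no vdso mapped: if `current->mm->context.vdso` is NULL (vdso disabled), `restorer` becomes the bare link-time offset of `__kernel_sigreturn`, which is consistent with the 0x00000420 value in the top-of-stack slot shown in the dump above and with the report that enabling vdso makes the test pass. Suggest checking that the vdso is actually mapped before computing `restorer` this way, and otherwise not handing the signal handler an offset as its return address (for example by requiring the vdso mapping for processes that rely on the kernel-supplied restorer rather than SA_RESTORER).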

This apparently doesn't produce a valid image.

I have gotten one report that turning vdso on makes it work; I can't verify it because if I enable vdso my system crashes hard.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Download klibc-1.0.4
2. Run klibc/tests/getint
3. Observe core dump.  Setting a gdb breakpoint on the signal handler reveals corrupt return address as shown above.

Actual Results:  Core dump

Expected Results:  Test completion

Additional info:
Comment 1 Dave Jones 2005-07-15 14:09:35 EDT
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem.   Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.
Comment 2 Dave Jones 2005-10-02 20:36:43 EDT
This bug has been automatically closed as part of a mass update.
It had been in NEEDINFO state since July 2005.
If this bug still exists in current errata kernels, please reopen this bug.

There are a large number of inactive bugs in the database, and this is the only
way to purge them.

Thank you.
Comment 3 H. Peter Anvin 2005-10-03 17:28:26 EDT
I just verified proper operation on 2.6.12-1.1447_FC4smp, so this can definitely
be put to rest.