Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 431183 - utrace: PTRACE_POKEUSR_AREA corrupts ACR0
utrace: PTRACE_POKEUSR_AREA corrupts ACR0
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
s390x Linux
high Severity medium
: rc
: ---
Assigned To: Anton Arapov
Martin Jenner
: Regression
Depends On:
Blocks: 437932 KernelPrio5.3
  Show dependency treegraph
Reported: 2008-02-01 06:33 EST by Jan Kratochvil
Modified: 2014-06-18 04:01 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-20 14:42:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Fix. (807 bytes, patch)
2008-02-03 17:33 EST, Jan Kratochvil
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0225 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.3 kernel security and bug fix update 2009-01-20 11:06:24 EST

  None (edit)
Description Jan Kratochvil 2008-02-01 06:33:13 EST
Description of problem:
Problem found by the GDB testsuite.

Version-Release number of selected component (if applicable):
kernel-2.6.18-75.el5.rm4.s390x (FAIL)
kernel-2.6.18-77.el5.s390x (FAIL)

kernel-2.6.18-53.el5.s390x (RHEL-5.1) surprisingly PASSes
kernel-2.6.9-67.0.1.EL.s390x (RHEL-4.6) PASSes

How reproducible:

Steps to Reproduce:
1. http://sourceware.org/systemtap/wiki/utrace/tests
2. Testcase there:

Actual results:
user-area-access: user-area-access.c:134: main: Assertion `memcmp (&u.user,
&u2.user, sizeof u.byte) == 0' failed.

Expected results:
<nothing>, rc=0

Additional info:
there is an s390x (only s390x) regression:

Reproducer so far on RHEL-5.1 with upgraded only the kernel:
rpmbuild -bc /usr/src/redhat/SPECS/gdb.spec
cd /usr/src/redhat/BUILD/gdb-6.5/build-s390x-redhat-linux-gnu/gdb/testsuite
runtest gdb.base/call-ar-st.exp
../gdb -nx -ex 'file gdb.base/call-ar-st' -ex 'b 1209' -ex 'r' -ex 'print
print_double_array(double_array)' -ex 'print
-> inferior SEGV

Testsuite regression against RHEL-5.1:
 (gdb) print print_char_array(char_array)
 array_c :


-$2 = void
-(gdb) PASS: gdb.base/call-ar-st.exp: print print_char_array(char_array)
+Program received signal SIGSEGV, Segmentation fault.
+vfprintf@@GLIBC_2.4 () from /lib64/libc.so.6
+The program being debugged was signaled while in a function called from GDB.
+GDB remains in the frame where the signal was received.
+To change this behavior use "set unwindonsignal on"
+Evaluation of the expression containing the function (print_char_array) will be
+(gdb) FAIL: gdb.base/call-ar-st.exp: print print_char_array(char_array) (pattern 3)

QA: Covered by the testcase `user-area-access' of `/kernel/syscalls/ptrace'.
Comment 1 RHEL Product and Program Management 2008-02-01 06:38:54 EST
This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being proposed as a blocker for this release.  

Please resolve ASAP.
Comment 2 Jan Kratochvil 2008-02-03 17:33:49 EST
Created attachment 293842 [details]

I hope this is an obvious fix but sure the testsuites needs to be rerun with
It is a regression from:
Comment 3 Jan Kratochvil 2008-02-03 17:36:15 EST
There still remains a regression since RHEL-4 for:
as currently the utrace kernels always zeroes on 32-bit s390 the 4 bytes
aligned/unused area in between:
struct user_regs_struct {
    long unsigned int orig_gpr2;
<- HERE are 4 aligned bytes
    s390_fp_regs fp_regs;
I would rather fix the testcase - or do you rather fix the kernel to be
completely backward compatible?
Comment 4 Roland McGrath 2008-03-16 19:26:27 EDT
It looks to me like the RHEL-4 kernel is actually returning a word of nearby
kernel memory, not anything sane.  It is a bug and maybe even a security/safety
issue that lets you write that word with POKEUSR.  It should be an error or
ignored to try to write that word.  It should probably read back as zero rather
than garbage/internal information leak.  If anyone cared, you could file a RHEL4
bug for that.  So, fix the test case not to expect this to work.

I applied the other fix to upstream utrace, and we'll call this bug just about
that issue and not the padding word thing.  
Comment 7 Anton Arapov 2008-07-30 08:41:30 EDT
Regression was introduced the patch in 2.6.18-60.el5 built on Fri Dec 14 2007.
- [utrace] s390 regs fixes (Roland McGrath ) [325451]
Comment 9 Don Zickus 2008-08-13 12:06:47 EDT
in kernel-2.6.18-104.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 12 Ryan Lerch 2008-10-14 20:55:35 EDT
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
Comment 14 errata-xmlrpc 2009-01-20 14:42:03 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.