Bug 431183 - utrace: PTRACE_POKEUSR_AREA corrupts ACR0
Summary: utrace: PTRACE_POKEUSR_AREA corrupts ACR0
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.1
Hardware: s390x
OS: Linux
Target Milestone: rc
: ---
Assignee: Anton Arapov
QA Contact: Martin Jenner
URL: http://sources.redhat.com/cgi-bin/cvs...
Keywords: Regression
Depends On:
Blocks: 437932 KernelPrio5.3
TreeView+ depends on / blocked
Reported: 2008-02-01 11:33 UTC by Jan Kratochvil
Modified: 2014-06-18 08:01 UTC (History)
4 users (show)

Clone Of:
Last Closed: 2009-01-20 19:42:03 UTC

Attachments (Terms of Use)
Fix. (807 bytes, patch)
2008-02-03 22:33 UTC, Jan Kratochvil
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0225 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 5.3 kernel security and bug fix update 2009-01-20 16:06:24 UTC

Description Jan Kratochvil 2008-02-01 11:33:13 UTC
Description of problem:
Problem found by the GDB testsuite.

Version-Release number of selected component (if applicable):
kernel-2.6.18-75.el5.rm4.s390x (FAIL)
kernel-2.6.18-77.el5.s390x (FAIL)

kernel-2.6.18-53.el5.s390x (RHEL-5.1) surprisingly PASSes
kernel-2.6.9-67.0.1.EL.s390x (RHEL-4.6) PASSes

How reproducible:

Steps to Reproduce:
1. http://sourceware.org/systemtap/wiki/utrace/tests
2. Testcase there:

Actual results:
user-area-access: user-area-access.c:134: main: Assertion `memcmp (&u.user,
&u2.user, sizeof u.byte) == 0' failed.

Expected results:
<nothing>, rc=0

Additional info:
there is an s390x (only s390x) regression:

Reproducer so far on RHEL-5.1 with upgraded only the kernel:
rpmbuild -bc /usr/src/redhat/SPECS/gdb.spec
cd /usr/src/redhat/BUILD/gdb-6.5/build-s390x-redhat-linux-gnu/gdb/testsuite
runtest gdb.base/call-ar-st.exp
../gdb -nx -ex 'file gdb.base/call-ar-st' -ex 'b 1209' -ex 'r' -ex 'print
print_double_array(double_array)' -ex 'print
-> inferior SEGV

Testsuite regression against RHEL-5.1:
 (gdb) print print_char_array(char_array)
 array_c :


-$2 = void
-(gdb) PASS: gdb.base/call-ar-st.exp: print print_char_array(char_array)
+Program received signal SIGSEGV, Segmentation fault.
+vfprintf@@GLIBC_2.4 () from /lib64/libc.so.6
+The program being debugged was signaled while in a function called from GDB.
+GDB remains in the frame where the signal was received.
+To change this behavior use "set unwindonsignal on"
+Evaluation of the expression containing the function (print_char_array) will be
+(gdb) FAIL: gdb.base/call-ar-st.exp: print print_char_array(char_array) (pattern 3)

QA: Covered by the testcase `user-area-access' of `/kernel/syscalls/ptrace'.

Comment 1 RHEL Product and Program Management 2008-02-01 11:38:54 UTC
This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being proposed as a blocker for this release.  

Please resolve ASAP.

Comment 2 Jan Kratochvil 2008-02-03 22:33:49 UTC
Created attachment 293842 [details]

I hope this is an obvious fix but sure the testsuites needs to be rerun with
It is a regression from:

Comment 3 Jan Kratochvil 2008-02-03 22:36:15 UTC
There still remains a regression since RHEL-4 for:
as currently the utrace kernels always zeroes on 32-bit s390 the 4 bytes
aligned/unused area in between:
struct user_regs_struct {
    long unsigned int orig_gpr2;
<- HERE are 4 aligned bytes
    s390_fp_regs fp_regs;
I would rather fix the testcase - or do you rather fix the kernel to be
completely backward compatible?

Comment 4 Roland McGrath 2008-03-16 23:26:27 UTC
It looks to me like the RHEL-4 kernel is actually returning a word of nearby
kernel memory, not anything sane.  It is a bug and maybe even a security/safety
issue that lets you write that word with POKEUSR.  It should be an error or
ignored to try to write that word.  It should probably read back as zero rather
than garbage/internal information leak.  If anyone cared, you could file a RHEL4
bug for that.  So, fix the test case not to expect this to work.

I applied the other fix to upstream utrace, and we'll call this bug just about
that issue and not the padding word thing.  

Comment 7 Anton Arapov 2008-07-30 12:41:30 UTC
Regression was introduced the patch in 2.6.18-60.el5 built on Fri Dec 14 2007.
- [utrace] s390 regs fixes (Roland McGrath ) [325451]

Comment 9 Don Zickus 2008-08-13 16:06:47 UTC
in kernel-2.6.18-104.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 12 Ryan Lerch 2008-10-15 00:55:35 UTC
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:

Comment 14 errata-xmlrpc 2009-01-20 19:42:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.