Bug 453053 - RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken [NEEDINFO]
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Hardware/OS: x86_64 Linux
Priority: urgent
Severity: high
Target Milestone: rc
Assigned To: Larry Woodman
QA Contact: Martin Jenner
Keywords: ZStream
Duplicates: 454865
Blocks: RHEL4u8_relnotes 461297 471015
Reported: 2008-06-26 18:49 EDT by John Hawkes
Modified: 2009-05-18 15:08 EDT
Doc Type: Bug Fix
Last Closed: 2009-05-18 15:08:58 EDT
Flags: rlerch: needinfo? (lwoodman)

Attachments
Test program (1.17 KB, text/plain) - 2008-06-26 18:49 EDT, John Hawkes
fix calculation of return value in case of fault in the byte copy loop (410 bytes, patch) - 2008-07-01 07:32 EDT, Vitaly Mayatskikh
Description John Hawkes 2008-06-26 18:49:52 EDT
The latest kernel update, RHSA-2008:0508, contains a patch:
    linux-2.6.9-x86_64-copy_user-zero-tail.patch
for x86_64 processors which is broken.  The attached program demonstrates the
failure.  The test is derived from the LTP read02 test.

In brief:
  * create a file that contains one byte.
  * mmap a 1-byte buffer with PROT_NONE protections.
  * attempt to read that one byte into the mmap'd buffer.

With a kernel prior to 2.6.9-67.0.20, or with 2.6.9-67.0.20 and a non-x86_64
processor, this read() returns -1 and EFAULT.

With 2.6.9-67.0.20 and x86_64, the read() returns garbage and errno==0.
Comment 1 John Hawkes 2008-06-26 18:49:52 EDT
Created attachment 310399
Test program
Comment 2 Vitaly Mayatskikh 2008-07-01 07:32:50 EDT
Created attachment 310653
fix calculation of return value in case of fault in the byte copy loop
Comment 3 Vitaly Mayatskikh 2008-07-01 07:33:24 EDT
Thanks for the report, John. The bug was identified and fixed.

By the way, mmap() returns MAP_FAILED in case of error, not NULL.
Comment 4 John Hawkes 2008-07-01 10:58:36 EDT
(In reply to comment #3)
> Thanks for the report, John. The bug was identified and fixed.
> By the way, mmap() returns MAP_FAILED in case of error, not NULL.

True.  The original LTP read02 test uses MAP_FAILED correctly.  My small test
program was a quick hack - at least it showed the problem.
Comment 5 John Hawkes 2008-07-01 13:25:21 EDT
FYI: with this patch-to-the-patch in place, a dozen other LTP tests now fail: 
pwrite03 recvmsg01 semctl03 sendmsg01 setdomainname02 setgroups04 sockioctl101
write03 write05 writev01 writev02 writev05

I haven't examined these failures yet.  I just wanted to give you a heads-up.
Comment 6 RHEL Product and Program Management 2008-09-03 09:02:11 EDT
Updating PM score.
Comment 7 Larry Woodman 2008-09-17 14:57:41 EDT
*** Bug 454865 has been marked as a duplicate of this bug. ***
Comment 8 Marat 2008-10-07 04:10:02 EDT
(In reply to comment #2)
From my point of view this patch is not correct because it zeroises the %rsi value, but this is not the expected behaviour in all cases.
The %rsi value in this context should contain the number of uncopied 8-byte blocks, and the instruction below saves this value in the %rsi register:
".Lc1e:  movq %rcx,%rsi"
So, we should zeroise the %rsi value only if something happened at the ".Lc2" piece of code; otherwise we should save the %rsi content.
The patch from #454865 seems to avoid this.
Comment 11 Larry Woodman 2008-11-07 09:11:24 EST
The patch was applied, tested and posted to rhkernel-list.

--- linux-2.6.9/arch/x86_64/lib/copy_user.S.orig        2008-07-31 11:52:34.000000000 -0400
+++ linux-2.6.9/arch/x86_64/lib/copy_user.S     2008-07-31 11:53:37.000000000 -0400
@@ -315,11 +315,14 @@ copy_user_generic_c:
 .Lc1e: movq %rcx,%rsi
 .Lc3:  rep
-.Lc2e: movl %edx,%ecx
+.Lc2ec:        movl %edx,%ecx
 .Lc4:  rep
 .Lc3e: leaq (%rdx,%rsi,8),%rax
+       /* %rsi contains source address - clear it */
+.Lc2e: xorq %rsi,%rsi
+       jmp .Lc2ec

        .section __ex_table,"a"
        .align 8
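Review bot: As shown, `.Lc3e: leaq (%rdx,%rsi,8),%rax` is immediately followed by the new `.Lc2e: xorq %rsi,%rsi` / `jmp .Lc2ec`; unless a `ret` sits between them (it is not visible in these context lines, which also omit the instruction following each `rep`), the `.Lc3e` fixup would fall through into the new stub and re-run the byte copy, so please confirm the `ret` survives between `.Lc3e` and `.Lc2e`. Keeping the name `.Lc2e` for the new stub and renaming the old entry to `.Lc2ec` means the `__ex_table` entry for the `.Lc2` byte loop needs no change, which is why the `__ex_table` section shows no edits; a short comment on `.Lc2ec` stating that it is the shared continuation for both the `.Lc1e` path (where `%rsi` holds the uncopied quadword count from `movq %rcx,%rsi`) and the `.Lc2e` path (where `%rsi` must be zero because every quadword was copied) would make that intent clear to the next reader.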

Larry Woodman
Comment 13 Vivek Goyal 2008-11-18 09:31:27 EST
Committed in 78.18.EL. RPMs are available at http://people.redhat.com/vgoyal/rhel4/
Comment 17 Luo Fei 2009-04-28 23:16:46 EDT
I'm not set up to test RHEL4.8. But this test case (read02) is included in the syscalls test of the LTP test (job 54944) with kernel 2.6.9-88.EL on machine gs-dl585g2-01.rhts.bos.redhat.com (x86_64), and the fix (linux-2.6.9-kernel-fix-copy_user-on-x86_64-for-read-of-8-byte.patch) was present in the source RPM.
Comment 19 errata-xmlrpc 2009-05-18 15:08:58 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

