Bug 453053 - RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.6
Hardware: x86_64 Linux
Priority: urgent
Severity: high
Target Milestone: rc
Assigned To: Larry Woodman
QA Contact: Martin Jenner
Keywords: ZStream
Duplicates: 454865
Blocks: RHEL4u8_relnotes 461297 471015

Reported: 2008-06-26 18:49 EDT by John Hawkes
Modified: 2009-05-18 15:08 EDT
CC: 12 users
Doc Type: Bug Fix
Last Closed: 2009-05-18 15:08:58 EDT
Flags: rlerch: needinfo? (lwoodman)

Attachments
Test program (1.17 KB, text/plain) - 2008-06-26 18:49 EDT, John Hawkes
fix calculation of return value in case of fault in the byte copy loop (410 bytes, patch) - 2008-07-01 07:32 EDT, Vitaly Mayatskikh

External Trackers
Red Hat Product Errata RHSA-2009:1024 - normal - SHIPPED_LIVE - Important: Red Hat Enterprise Linux 4.8 kernel security and bug fix update - 2009-05-18 10:57:26 EDT

Description John Hawkes 2008-06-26 18:49:52 EDT
The latest kernel update, RHSA-2008:0508, contains a patch:
    linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
for x86_64 processors which is broken.  The attached program demonstrates the
failure.  The test is derived from the LTP read02 test.

In brief:
  * create a file that contains one byte.
  * mmap a 1-byte buffer with PROT_NONE protections.
  * attempt to read that one byte into the mmap'd buffer.

With a kernel prior to 2.6.9-67.0.20, or with 2.6.9-67.0.20 and a non-x86_64
processor, this read() returns -1 and EFAULT.

With 2.6.9-67.0.20 and x86_64, the read() returns garbage and errno==0.
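A stand-alone C version of the three-step check above, added here as an example (it is not the attached LTP-derived test program): it builds a one-byte temp file under /tmp (an assumed, constructed path) and reads it into a PROT_NONE mapping, returning 1 only when the kernel answers -1/EFAULT, so it fails on a kernel showing the reported behaviour.

```c
#define _GNU_SOURCE                 /* for MAP_ANONYMOUS and mkstemp */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Unlinked /tmp temp file (constructed name) holding one byte; fd at offset 0, or -1. */
static int make_one_byte_file(void)
{
    char path[] = "/tmp/read02-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                   /* the file lives only as long as the fd */
    if (write(fd, "x", 1) != 1 || lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* read() 1 byte into a PROT_NONE mapping: 1 = -1/EFAULT (correct), 0 = no EFAULT (bug), -1 = setup error */
static int read_into_prot_none(int fd)
{
    void *buf = mmap(NULL, 1, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;   /* MAP_FAILED, not NULL, signals failure */
    errno = 0;
    ssize_t n = read(fd, buf, 1);
    int saved_errno = errno;
    munmap(buf, 1);
    return (n == -1 && saved_errno == EFAULT) ? 1 : 0;
}

/* Whole check: 1 = kernel correct, 0 = bug reproduced, -1 = setup error. */
static int run_read02_check(void)
{
    int fd = make_one_byte_file();
    if (fd < 0) return -1;
    int result = read_into_prot_none(fd);
    close(fd);
    return result;
}

int main(void)
{
    int r = run_read02_check();
    if (r < 0) { perror("setup"); return 2; }
    puts(r ? "PASS: read() returned -1/EFAULT" : "FAIL: read() did not return EFAULT");
    return r ? 0 : 1;
}
```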
Comment 1 John Hawkes 2008-06-26 18:49:52 EDT
Created attachment 310399 [details]
Test program
Comment 2 Vitaly Mayatskikh 2008-07-01 07:32:50 EDT
Created attachment 310653 [details]
fix calculation of return value in case of fault in the byte copy loop
Comment 3 Vitaly Mayatskikh 2008-07-01 07:33:24 EDT
Thanks for report, John. Bug was identified and fixed.

By the way, mmap() returns MAP_FAILED in case of error, not NULL.
Comment 4 John Hawkes 2008-07-01 10:58:36 EDT
(In reply to comment #3)
> Thanks for report, John. Bug was identified and fixed.
> 
> By the way, mmap() returns MAP_FAILED in case of error, not NULL.

True.  The original LTP read02 test uses MAP_FAILED correctly.  My small test
program was a quick hack - at least it showed the problem.
Comment 5 John Hawkes 2008-07-01 13:25:21 EDT
FYI: with this patch-to-the-patch in place, a dozen other LTP tests now fail: 
pwrite03 recvmsg01 semctl03 sendmsg01 setdomainname02 setgroups04 sockioctl101
write03 write05 writev01 writev02 writev05

I haven't examined these failures yet.  I just wanted to give you a heads-up.
Comment 6 RHEL Product and Program Management 2008-09-03 09:02:11 EDT
Updating PM score.
Comment 7 Larry Woodman 2008-09-17 14:57:41 EDT
*** Bug 454865 has been marked as a duplicate of this bug. ***
Comment 8 Marat 2008-10-07 04:10:02 EDT
(In reply to comment #2)
From my point of view this patch is not correct because it zeroises %rsi value but this is not the expected behavior in all cases.
%rsi value in this context should contain the number of uncopied 8-byte blocks and the command below saves this value in %rsi register.
".Lc1e:  movq %rcx,%rsi".
So, we should zeroise %rsi value only if something happened at the ".Lc2" piece of code; otherwise we should save %rsi content.
The patch from #454865 seems to avoid this.
Comment 11 Larry Woodman 2008-11-07 09:11:24 EST
Patch was applied, tested and posted to rhkernel-list

------------------------------------------------------------------------------
--- linux-2.6.9/arch/x86_64/lib/copy_user.S.orig        2008-07-31 11:52:34.000000000 -0400
+++ linux-2.6.9/arch/x86_64/lib/copy_user.S     2008-07-31 11:53:37.000000000 -0400
@@ -315,11 +315,14 @@ copy_user_generic_c:
 .Lc1e: movq %rcx,%rsi
 .Lc3:  rep
        stosq
-.Lc2e: movl %edx,%ecx
+.Lc2ec:        movl %edx,%ecx
 .Lc4:  rep
        stosb
 .Lc3e: leaq (%rdx,%rsi,8),%rax
        ret
+       /* %rsi contains source address - clear it */
+.Lc2e: xorq %rsi,%rsi
+       jmp .Lc2ec

        .section __ex_table,"a"
        .align 8
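Review bot: the return value for a fault in the byte copy loop still looks wrong after this hunk: with %rsi cleared at the new `.Lc2e`, `.Lc3e: leaq (%rdx,%rsi,8),%rax` returns %rdx, the whole tail length, rather than the bytes left uncopied when the `rep movsb` faulted (assuming `.Lc2e` is entered straight from that loop, the remaining count is in %rcx at that point), and `.Lc2ec: movl %edx,%ecx` then discards that count, so `rep stosb` zeroes a full tail from the already-advanced %rdi and can run past the end of the destination whenever the byte loop made progress before faulting. Suggest preserving the remaining count at the new entry, e.g. `.Lc2e: movl %ecx,%edx` ahead of `xorq %rsi,%rsi`, so that both the zeroing length and the returned value reflect the bytes actually left. The comment on the new entry would also be clearer if it said why %rsi may only be cleared here: on the `.Lc1e` path it holds the uncopied quadword count, as comment 8 explains.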
-------------------------------------------------------------------------------


Larry Woodman
Comment 13 Vivek Goyal 2008-11-18 09:31:27 EST
Committed in 78.18.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Comment 17 Luo Fei 2009-04-28 23:16:46 EDT
I'm not set up to test RHEL4.8. But this testcase (read02) is included in the syscalls test of the LTP test (job 54944) with kernel 2.6.9-88.EL on machine gs-dl585g2-01.rhts.bos.redhat.com (x86_64), and the fix (linux-2.6.9-kernel-fix-copy_user-on-x86_64-for-read-of-8-byte.patch) was present in the source RPM.
Comment 19 errata-xmlrpc 2009-05-18 15:08:58 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1024.html