Bug 453053 - RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken [NEEDINFO]
Summary: RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.6
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Larry Woodman
QA Contact: Martin Jenner
: 454865 (view as bug list)
Depends On:
Blocks: RHEL4u8_relnotes 461297 471015
TreeView+ depends on / blocked
Reported: 2008-06-26 22:49 UTC by John Hawkes
Modified: 2009-05-18 19:08 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-05-18 19:08:58 UTC
Target Upstream Version:
rlerch: needinfo? (lwoodman)

Attachments (Terms of Use)
Test program (1.17 KB, text/plain)
2008-06-26 22:49 UTC, John Hawkes
no flags Details
fix calculation of return value in case of fault in the byte copy loop (410 bytes, patch)
2008-07-01 11:32 UTC, Vitaly Mayatskikh
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1024 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 4.8 kernel security and bug fix update 2009-05-18 14:57:26 UTC

Description John Hawkes 2008-06-26 22:49:52 UTC
The latest kernel update, RHSA-2008:0508, contains a patch:
    linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
for x86_64 processors which is broken.  The attached program demonstrates the
failure.  The test is derived from the LTP read02 test.

In brief:
  * create a file that contains one byte.
  * mmap a 1-byte buffer with PROT_NONE protections.
  * attempt to read that one byte into the mmap'd buffer.

With a kernel prior to 2.6.9-67.0.20, or with 2.6.9-67.0.20 and a non-x86_64
processor, this read() returns -1 and EFAULT.

With 2.6.9-67.0.20 and x86_64, the read() returns garbage and errno==0.

Comment 1 John Hawkes 2008-06-26 22:49:52 UTC
Created attachment 310399 [details]
Test program

Comment 2 Vitaly Mayatskikh 2008-07-01 11:32:50 UTC
Created attachment 310653 [details]
fix calculation of return value in case of fault in the byte copy loop

Comment 3 Vitaly Mayatskikh 2008-07-01 11:33:24 UTC
Thanks for report, John. Bug was identified and fixed.

By the way, mmap() returns MAP_FAILED in case of error, not NULL.

Comment 4 John Hawkes 2008-07-01 14:58:36 UTC
(In reply to comment #3)
> Thanks for report, John. Bug was identified and fixed.
> By the way, mmap() returns MAP_FAILED in case of error, not NULL.

True.  The original LTP read02 test uses MAP_FAILED correctly.  My small test
program was a quick hack - at least it showed the problem.

Comment 5 John Hawkes 2008-07-01 17:25:21 UTC
FYI: with this patch-to-the-patch in place, a dozen other LTP tests now fail: 
pwrite03 recvmsg01 semctl03 sendmsg01 setdomainname02 setgroups04 sockioctl101
write03 write05 writev01 writev02 writev05

I haven't examined these failures yet.  I just wanted to give you a heads-up.

Comment 6 RHEL Program Management 2008-09-03 13:02:11 UTC
Updating PM score.

Comment 7 Larry Woodman 2008-09-17 18:57:41 UTC
*** Bug 454865 has been marked as a duplicate of this bug. ***

Comment 8 Marat 2008-10-07 08:10:02 UTC
(In reply to comment #2)
From my point of view this patch is not correct because it zeroises %rsi value but this is not the expected behavior in all cases.
%rsi value in this context should contain the number of uncopied 8-byte blocks and the command below saves this value in %rsi register.
".Lc1e:  movq %rcx,%rsi".
So, we should zeroise %rsi value only if something was happened at ".Lc2" piece of code otherwise we should save %rsi content.
The patch from #454865 seems to avoid this.

Comment 11 Larry Woodman 2008-11-07 14:11:24 UTC
Patch was applied, tested and posted to rhkernel-list

--- linux-2.6.9/arch/x86_64/lib/copy_user.S.orig        2008-07-31 11:52:34.000000000 -0400
+++ linux-2.6.9/arch/x86_64/lib/copy_user.S     2008-07-31 11:53:37.000000000 -0400
@@ -315,11 +315,14 @@ copy_user_generic_c:
 .Lc1e: movq %rcx,%rsi
 .Lc3:  rep
-.Lc2e: movl %edx,%ecx
+.Lc2ec:        movl %edx,%ecx
 .Lc4:  rep
 .Lc3e: leaq (%rdx,%rsi,8),%rax
+       /* %rsi contains source address - clear it */
+.Lc2e: xorq %rsi,%rsi
+       jmp .Lc2ec

        .section __ex_table,"a"
        .align 8

Larry Woodman

Comment 13 Vivek Goyal 2008-11-18 14:31:27 UTC
Committed in 78.18.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 17 Luo Fei 2009-04-29 03:16:46 UTC
I'm not set up to test RHEL4.8. But this testcase(read02) is included in syscalls test of LTP test(job 54944) with kernel 2.6.9-88.EL on machine gs-dl585g2-01.rhts.bos.redhat.com(x86_64), and  the fix(linux-2.6.9-kernel-fix-copy_user-on-x86_64-for-read-of-8-byte.patch) was present in the source RPM.

Comment 19 errata-xmlrpc 2009-05-18 19:08:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.