Bug 453053 - RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken [NEEDINFO]
Summary: RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.6
Hardware: x86_64
OS: Linux
urgent
high
Target Milestone: rc
: ---
Assignee: Larry Woodman
QA Contact: Martin Jenner
URL:
Whiteboard:
Keywords: ZStream
Duplicates: 454865
Depends On:
Blocks: RHEL4u8_relnotes 461297 471015
Reported: 2008-06-26 22:49 UTC by John Hawkes
Modified: 2009-05-18 19:08 UTC (History)
12 users (show)

Clone Of:
Last Closed: 2009-05-18 19:08:58 UTC
rlerch: needinfo? (lwoodman)


Attachments
Test program (1.17 KB, text/plain), 2008-06-26 22:49 UTC, John Hawkes
fix calculation of return value in case of fault in the byte copy loop (410 bytes, patch), 2008-07-01 11:32 UTC, Vitaly Mayatskikh


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1024 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 4.8 kernel security and bug fix update 2009-05-18 14:57:26 UTC

Description John Hawkes 2008-06-26 22:49:52 UTC
The latest kernel update, RHSA-2008:0508, contains a patch:
    linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
for x86_64 processors which is broken.  The attached program demonstrates the
failure.  The test is derived from the LTP read02 test.

In brief:
  * create a file that contains one byte.
  * mmap a 1-byte buffer with PROT_NONE protections.
  * attempt to read that one byte into the mmap'd buffer.

With a kernel prior to 2.6.9-67.0.20, or with 2.6.9-67.0.20 and a non-x86_64
processor, this read() returns -1 and EFAULT.

With 2.6.9-67.0.20 and x86_64, the read() returns garbage and errno==0.
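A reproducer for the three-step check above, written here as an added example; it is not the attached test program nor LTP's read02, and it assumes only POSIX (a writable /tmp, anonymous mmap). On a correct kernel the function returns 1 because read() reports -1/EFAULT; a kernel with the broken copy_user fixup returns a byte count with errno 0, which maps to 0.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* 1 = read() failed with EFAULT (correct); 0 = kernel reported success,
 * the behaviour described in this bug; -1 = test setup failed. */
int check_read_into_prot_none_buffer(void)
{
    char path[] = "/tmp/copy_user_XXXXXX";   /* constructed temp name */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                             /* still readable via fd */

    /* Step 1: a file that contains exactly one byte. */
    if (write(fd, "A", 1) != 1 || lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }

    /* Step 2: a buffer the kernel must not be able to write to.
     * mmap() reports failure as MAP_FAILED, not NULL (comment 3). */
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *buf = mmap(NULL, page, PROT_NONE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) {
        close(fd);
        return -1;
    }

    /* Step 3: read the byte into the inaccessible buffer. */
    errno = 0;
    ssize_t n = read(fd, buf, 1);
    int err = errno;
    munmap(buf, page);
    close(fd);
    /* Correct kernel: -1 and EFAULT. Broken copy_user: a count, errno 0. */
    return (n == -1 && err == EFAULT) ? 1 : 0;
}

int main(void)
{
    int rc = check_read_into_prot_none_buffer();
    printf("read() into PROT_NONE buffer: %s\n", rc == 1 ? "EFAULT, as expected"
           : rc == 0 ? "reported success (bug)" : "setup failed");
    return rc == 1 ? 0 : 1;
}
```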

Comment 1 John Hawkes 2008-06-26 22:49:52 UTC
Created attachment 310399 [details]
Test program

Comment 2 Vitaly Mayatskikh 2008-07-01 11:32:50 UTC
Created attachment 310653 [details]
fix calculation of return value in case of fault in the byte copy loop

Comment 3 Vitaly Mayatskikh 2008-07-01 11:33:24 UTC
Thanks for report, John. Bug was identified and fixed.

By the way, mmap() returns MAP_FAILED in case of error, not NULL.

Comment 4 John Hawkes 2008-07-01 14:58:36 UTC
(In reply to comment #3)
> Thanks for report, John. Bug was identified and fixed.
> 
> By the way, mmap() returns MAP_FAILED in case of error, not NULL.

True.  The original LTP read02 test uses MAP_FAILED correctly.  My small test
program was a quick hack - at least it showed the problem.

Comment 5 John Hawkes 2008-07-01 17:25:21 UTC
FYI: with this patch-to-the-patch in place, a dozen other LTP tests now fail: 
pwrite03 recvmsg01 semctl03 sendmsg01 setdomainname02 setgroups04 sockioctl101
write03 write05 writev01 writev02 writev05

I haven't examined these failures yet.  I just wanted to give you a heads-up.


Comment 6 RHEL Product and Program Management 2008-09-03 13:02:11 UTC
Updating PM score.

Comment 7 Larry Woodman 2008-09-17 18:57:41 UTC
*** Bug 454865 has been marked as a duplicate of this bug. ***

Comment 8 Marat 2008-10-07 08:10:02 UTC
(In reply to comment #2)
From my point of view this patch is not correct because it zeroises %rsi value but this is not the expected behavior in all cases.
%rsi value in this context should contain the number of uncopied 8-byte blocks and the command below saves this value in %rsi register.
".Lc1e:  movq %rcx,%rsi".
So, we should zeroise %rsi value only if something happened at ".Lc2" piece of code; otherwise we should save %rsi content.
The patch from #454865 seems to avoid this.

Comment 11 Larry Woodman 2008-11-07 14:11:24 UTC
Patch was applied, tested and posted to rhkernel-list

------------------------------------------------------------------------------
--- linux-2.6.9/arch/x86_64/lib/copy_user.S.orig        2008-07-31 11:52:34.000000000 -0400
+++ linux-2.6.9/arch/x86_64/lib/copy_user.S     2008-07-31 11:53:37.000000000 -0400
@@ -315,11 +315,14 @@ copy_user_generic_c:
 .Lc1e: movq %rcx,%rsi
 .Lc3:  rep
        stosq
-.Lc2e: movl %edx,%ecx
+.Lc2ec:        movl %edx,%ecx
 .Lc4:  rep
        stosb
 .Lc3e: leaq (%rdx,%rsi,8),%rax
        ret
+       /* %rsi contains source address - clear it */
+.Lc2e: xorq %rsi,%rsi
+       jmp .Lc2ec

        .section __ex_table,"a"
        .align 8
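Review bot: the relocated `.Lc2e` fixup still reloads the count with `movl %edx,%ecx` at `.Lc2ec` instead of using the byte count left in %rcx when `rep movsb` faulted, so after a fault partway through the byte loop both the `rep stosb` and the `leaq (%rdx,%rsi,8),%rax` return value treat the whole tail as uncopied; please confirm that is intended, and that %rdi has not already advanced past the copied bytes when `stosb` runs with the full count. The `__ex_table` entries are outside this hunk: confirm the entry for `.Lc2` now resolves to the new `.Lc2e` rather than `.Lc2ec`, since the relabel is what routes byte-loop faults through the `xorq %rsi,%rsi`. The comment would also be clearer if it said why clearing matters: `.Lc3e` uses %rsi as a qword count, so a stale source address in it is what produced the bogus return value.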
-------------------------------------------------------------------------------


Larry Woodman

Comment 13 Vivek Goyal 2008-11-18 14:31:27 UTC
Committed in 78.18.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 17 Luo Fei 2009-04-29 03:16:46 UTC
I'm not set up to test RHEL4.8. But this test case (read02) is included in the syscalls test of the LTP test (job 54944) with kernel 2.6.9-88.EL on machine gs-dl585g2-01.rhts.bos.redhat.com (x86_64), and the fix (linux-2.6.9-kernel-fix-copy_user-on-x86_64-for-read-of-8-byte.patch) was present in the source RPM.

Comment 19 errata-xmlrpc 2009-05-18 19:08:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1024.html

