Bug 472426 - missing compat sys_ustat corrupts userspace when sys_ustat called from 32-bit
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
ppc64 Linux
Priority: medium, Severity: medium
Assigned To: Eric Sandeen
Red Hat Kernel QE team
Depends On:
Reported: 2008-11-20 14:13 EST by Eric Sandeen
Modified: 2009-09-02 04:44 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 04:44:56 EDT

Attachments
Untested patch for upstream from hch (50 bytes, text/plain), 2008-11-20 14:29 EST, Eric Sandeen
Untested patch for upstream from hch (9.17 KB, patch), 2008-11-20 14:30 EST, Eric Sandeen
Tested RHEL5 patch. (9.83 KB, patch), 2008-11-20 15:02 EST, Eric Sandeen

Description Eric Sandeen 2008-11-20 14:13:08 EST
Found this by running a 32-bit xfs_logprint on a 64-bit kernel:

# xfs_logprint /dev/loop0
*** stack smashing detected ***: xfs_logprint terminated
Aborted (core dumped)

The problem here is that there is no sys_compat_ustat, and the kernel copies out a structure larger than userspace has provided:

32-bit ustat struct from userspace:

struct ustat {
        __daddr_t                  f_tfree;              /*     0     4 */
        __ino_t                    f_tinode;             /*     4     4 */
        char                       f_fname[6];           /*     8     6 */
        char                       f_fpack[6];           /*    14     6 */

        /* size: 20, cachelines: 1 */
        /* last cacheline: 20 bytes */
};

kernel ustat struct:

struct ustat {
        __kernel_daddr_t           f_tfree;              /*     0     4 */

        /* XXX 4 bytes hole, try to pack */

        __kernel_ino_t             f_tinode;             /*     8     8 */
        char                       f_fname[6];           /*    16     6 */
        char                       f_fpack[6];           /*    22     6 */

        /* size: 32, cachelines: 1 */
        /* sum members: 24, holes: 1, sum holes: 4 */
        /* padding: 4 */
        /* last cacheline: 32 bytes */
};

... so userspace is corrupted when this syscall is called.

Christoph Hellwig mentioned that he might take a stab at fixing it, since he's done other compat syscalls, but not sure on what schedule, so perhaps I (or our ppc maintainer, if we have one...?) can take a look at the fix.

Proposing blocker since this is a memory corruptor in general.
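As an added illustration (not code from the bug report, the attached patches, or the kernel), the two layouts from the description modelled in C, with the native copy-out beside the field-by-field compat conversion the fix introduces; field widths follow the pahole output above, while the caller frame model, canary value and sample numbers are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* 32-bit userspace ustat, 20 bytes: daddr_t and ino_t are both 32-bit */
struct ustat32 { int32_t f_tfree; uint32_t f_tinode; char f_fname[6]; char f_fpack[6]; };

/* 64-bit kernel ustat, 32 bytes: the 8-byte __kernel_ino_t forces a
 * 4-byte hole after f_tfree and 4 bytes of tail padding */
struct ustat64 { int32_t f_tfree; uint64_t f_tinode; char f_fname[6]; char f_fpack[6]; };

/* Constructed model of the 32-bit caller's stack: its 20-byte buffer, then
 * the stack-protector canary; 'spill' keeps this model itself in bounds */
struct frame32 { unsigned char slot[20]; uint32_t canary; unsigned char spill[16]; };
#define CANARY 0xA5A5A5A5u

size_t ustat_overrun_bytes(void)
{
    return sizeof(struct ustat64) - sizeof(struct ustat32);
}

/* What a compat handler does: build the 32-bit layout field by field so
 * that exactly sizeof(struct ustat32) bytes go back to userspace */
void compat_ustat_fill(const struct ustat64 *k, struct ustat32 *out)
{
    memset(out, 0, sizeof *out);
    out->f_tfree  = k->f_tfree;
    out->f_tinode = (uint32_t)k->f_tinode;  /* narrowed to the 32-bit ABI */
    memcpy(out->f_fname, k->f_fname, sizeof out->f_fname);
    memcpy(out->f_fpack, k->f_fpack, sizeof out->f_fpack);
}

/* Copy a constructed kernel result into the 32-bit caller's frame, either
 * the native way (whole 64-bit struct) or via the compat conversion.
 * Returns 1 if the canary survived and f_tinode arrived intact, else 0. */
int copy_out_to_32bit_caller(int use_compat)
{
    struct ustat64 k = { .f_tfree = 4096, .f_tinode = 1000 };
    struct ustat32 tmp, back;
    struct frame32 f = { .canary = CANARY };
    memcpy(k.f_fname, "xfs", 4);
    if (use_compat) {
        compat_ustat_fill(&k, &tmp);
        memcpy(f.slot, &tmp, sizeof tmp);        /* 20 bytes, fits */
    } else {
        memcpy(&f, &k, sizeof k);                /* 32 bytes into a 20-byte slot */
    }
    memcpy(&back, f.slot, sizeof back);
    return f.canary == CANARY && back.f_tinode == 1000;
}
```

The native path overwrites the canary with bytes from f_fname/f_fpack and leaves f_tinode reading the kernel's alignment hole, which is exactly the stack-protector abort xfs_logprint hit.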
Comment 1 Eric Sandeen 2008-11-20 14:29:06 EST
Created attachment 324223 [details]
Untested patch for upstream from hch
Comment 2 Eric Sandeen 2008-11-20 14:30:54 EST
Created attachment 324224 [details]
Untested patch for upstream from hch
Comment 3 Eric Sandeen 2008-11-20 15:02:41 EST
Created attachment 324227 [details]
Tested RHEL5 patch.
Comment 4 Eric Sandeen 2008-11-20 15:12:27 EST
See also http://rhts.redhat.com/cgi-bin/rhts/test_log.cgi?id=5087037
Comment 5 Eric Sandeen 2008-11-20 22:00:46 EST
I've tested the patch in comment #3 on ppc, and it resolves the issue I saw.
Comment 7 Eric Sandeen 2008-11-24 15:08:23 EST
FWIW, the same problem exists with x86 binaries on x86_64 or ia64.
Comment 8 Eric Sandeen 2008-11-24 15:09:53 EST
Oh, sorry, my head is not screwed on straight.  x86 already has the compat handler in place.
Comment 10 Ric Wheeler 2008-11-25 14:37:52 EST
Moving to 5.4
Comment 11 RHEL Product and Program Management 2009-01-27 15:39:22 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 12 RHEL Product and Program Management 2009-02-16 10:37:09 EST
Updating PM score.
Comment 13 Eric Sandeen 2009-03-06 15:56:55 EST
Need to resend this one, but need to get it upstream first.
Comment 14 Eric Sandeen 2009-03-28 18:09:52 EDT
Ok, upstream now post-2.6.29:

From: Christoph Hellwig <hch@lst.de>
Date: Fri, 28 Nov 2008 09:09:09 +0000 (+0100)
Subject: generic compat_sys_ustat
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=2b1c6bd77d4e6a727ffac8630cd154b2144b751a

generic compat_sys_ustat

Due to a different size of ino_t ustat needs a compat handler, but
currently only x86 and mips provide one.  Add a generic compat_sys_ustat
and switch all architectures over to it.  Instead of doing various
user copy hacks compat_sys_ustat just reimplements sys_ustat as
it's trivial.  This was suggested by Arnd Bergmann.

Found by Eric Sandeen when running xfstests/017 on ppc64, which causes
stack smashing warnings on RHEL/Fedora due to the too large amount of
data written by the syscall.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>


From: David S. Miller <davem@davemloft.net>
Date: Sat, 28 Mar 2009 01:15:02 +0000 (-0700)
Subject: sparc64: We need to use compat_sys_ustat() as well.
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=6e8a4fa651975ff808dba130eae442f4cea1671c

sparc64: We need to use compat_sys_ustat() as well.

Sparc was missed in commit 2b1c6bd77d4e6a727ffac8630cd154b2144b751a
("generic compat_sys_ustat").  We definitely need it, since our
__kernel_ino_t is "unsigned long".

Signed-off-by: David S. Miller <davem@davemloft.net>
Comment 16 Don Zickus 2009-04-06 17:16:51 EDT
in kernel-2.6.18-138.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team
has sent specific instructions indicating when to do so.  However feel free
to provide a comment indicating that this fix has been verified.
Comment 21 errata-xmlrpc 2009-09-02 04:44:56 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.