Konstantin Khlebnikov from OpenVZ linux kernel team found that the code in x86_64 copy_user_c still contains an error after linux-2.6-x86_64-copy_user_c-assembler-can-leave-garbage-in-rsi.patch (bug# 456682, but i don't have permissions to see it). The problem description: copy_user_c: ... 330 shrl $3,%ecx 331 andl $7,%edx 332 .Lc1: rep 333 movsq 334 movl %edx,%ecx 335 .Lc2: rep 336 movsb 337 ret 338 339 .Lc1e: movq %rcx,%rsi 340 .Lc3: rep 341 stosq 342 .Lc2ec: movl %edx,%ecx 343 .Lc4: rep 344 stosb 345 .Lc3e: leaq (%rdx,%rsi,8),%rax 346 ret 347 /* %rsi contains source address - clear it */ 348 .Lc2e: xorq %rsi,%rsi 349 jmp .Lc2ec ... * assume we want to write 7 bytes * line 330: ecx == 0 * line 331: edx == 7 * assume we failed to copy in line 336 but NOT at the beginning of the writing, but failed to write, say, only the last byte. Then we jump to 348, having ecx == 1, edx == 7, rdi and rsi point to _6th_ byte from the beginning of the input/output buffers. * 348, 349 -> 342 * 342: ecx == 7 now! * 343, 344: we zero 7! bytes starting from the current rdi position, i.e. out of the buffer prepared for writing here => probable data corruption. Suggested patch to fix this issue: --- a/arch/x86_64/lib/copy_user.S 2009-03-18 17:55:38.000000000 +0300 +++ b/arch/x86_64/lib/copy_user.S 2009-03-18 17:58:09.000000000 +0300 @@ -339,14 +339,15 @@ copy_user_generic_c: .Lc1e: movq %rcx,%rsi .Lc3: rep stosq -.Lc2ec: movl %edx,%ecx + movl %edx,%ecx .Lc4: rep stosb .Lc3e: leaq (%rdx,%rsi,8),%rax ret /* %rsi contains source address - clear it */ .Lc2e: xorq %rsi,%rsi - jmp .Lc2ec + movl %ecx,%edx + jmp .Lc4 CFI_ENDPROC END(copy_user_generic_c) Please, fix the bug.
just a reference: the same thing for RHEL4 kernel: bug# 491284
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
in kernel-2.6.18-141.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 Please do NOT transition this bugzilla state to VERIFIED until our QE team has sent specific instructions indicating when to do so. However feel free to provide a comment indicating that this fix has been verified.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-1243.html