Bug 598615 - Changing register contents (such as $return) causes crash
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: systemtap
Hardware: ia64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Frank Ch. Eigler
Keywords: ZStream
Blocks: 617100
Reported: 2010-06-01 13:56 EDT by Fabio Olive Leite
Modified: 2018-10-27 08:08 EDT
Fixed In Version: systemtap-1.1-5.el5
Doc Type: Bug Fix
Last Closed: 2011-01-13 17:36:41 EST

Attachments
Partner-verified patch (299 bytes, patch), 2010-06-01 13:56 EDT, Fabio Olive Leite
Test probe that changes $return (76 bytes, text/plain), 2010-06-01 13:57 EDT, Fabio Olive Leite
Test program to be used with the probe (86 bytes, text/plain), 2010-06-01 13:59 EDT, Fabio Olive Leite

External Trackers
Red Hat Product Errata RHEA-2011:0037 (priority normal, status SHIPPED_LIVE): systemtap enhancement update, last updated 2011-01-12 12:15:40 EST

Description Fabio Olive Leite 2010-06-01 13:56:37 EDT
Created attachment 418754: Partner-verified patch

Description of problem:

When probing into a system call's return point and changing $return, process state (or random memory) gets corrupted and the box crashes. This is because ia64_store_register() in runtime/regs-ia64.c does not return after changing registers within [r8-r11] (the usual register for $return on ia64 is r8), but instead goes on and also tries to store a value somewhere else as if it were some other register, even doing stack unwinding.

Version-Release number of selected component (if applicable):

RHEL-5.5, systemtap-1.1-3.el5.

How reproducible:

I would say 50%. A partner had a 100% sure reproducer; tests in the Red Hat labs sometimes did crash and sometimes did not. In any case, the code change is obvious, so it is 100% sure it IS corrupting memory somewhere. It could just not be somewhere important enough to cause a crash (yet).

Steps to Reproduce:
1. Compile the attached foobar.c program into the foobar executable:
# gcc -o foobar foobar.c

2. Run foobar with stap loading the sys_write_return.stap:
# stap -vg sys_write_return.stap -c ./foobar
write: Input/output error

Actual results:

3. $return (and something else) is changed and the system crashes very soon.

Expected results:

3. $return is changed and system keeps going.

Additional info:

Patch adds a return statement in runtime/regs-ia64.c after line 116:
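The following is an added example, not the attached patch and not systemtap's own runtime/regs-ia64.c: a small C model of the failure mode the description points at, where a register-store routine handles the r8-r11 case but does not return, so the same call falls through into the path meant for other registers and writes a second value somewhere else. The struct layout, the function names (model_*), the "unwind_area" standing in for memory reached by stack unwinding, and the -5 (EIO) return value chosen to match the "Input/output error" seen in the reproduction are all assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Assumed model of a saved-register area (not the real ia64 pt_regs or unwinder).
 * r8..r11 are stored directly; every other register is reached through a second
 * path that stands in for the stack unwinding the report mentions. */
struct model_regs {
    uint64_t r8, r9, r10, r11;
    uint64_t unwind_area[32];   /* state the "other register" path writes into */
    unsigned unwind_writes;     /* how many times that path was taken */
};

/* The "other register" path. It has no valid slot for r8..r11, so when it is
 * reached with one of those numbers it clobbers whatever lives at that index;
 * in the real runtime that is the "random memory" of the report. */
static void model_unwind_store(struct model_regs *regs, unsigned regno, uint64_t val)
{
    regs->unwind_area[regno % 32] = val;
    regs->unwind_writes++;
}

/* Buggy variant, mirroring the description: r8..r11 are handled, but control
 * then falls through to the unwind path as if regno were some other register. */
int model_store_register_buggy(struct model_regs *regs, unsigned regno, uint64_t val)
{
    switch (regno) {
    case 8:  regs->r8  = val; break;
    case 9:  regs->r9  = val; break;
    case 10: regs->r10 = val; break;
    case 11: regs->r11 = val; break;
    }
    /* a "return 0;" is missing here, so the store happens twice */
    model_unwind_store(regs, regno, val);
    return 0;
}

/* Fixed variant: return as soon as the direct-store case has been handled. */
int model_store_register_fixed(struct model_regs *regs, unsigned regno, uint64_t val)
{
    switch (regno) {
    case 8:  regs->r8  = val; return 0;
    case 9:  regs->r9  = val; return 0;
    case 10: regs->r10 = val; return 0;
    case 11: regs->r11 = val; return 0;
    }
    model_unwind_store(regs, regno, val);
    return 0;
}

/* Number of slots that differ between two register sets; the check that the
 * fix touches exactly the register it was asked to change. */
unsigned model_count_changes(const struct model_regs *a, const struct model_regs *b)
{
    unsigned n = 0, i;
    n += (a->r8 != b->r8);
    n += (a->r9 != b->r9);
    n += (a->r10 != b->r10);
    n += (a->r11 != b->r11);
    for (i = 0; i < 32; i++)
        n += (a->unwind_area[i] != b->unwind_area[i]);
    return n;
}

int main(void)
{
    struct model_regs before, buggy, fixed;
    memset(&before, 0, sizeof before);
    buggy = before;
    fixed = before;
    /* Set the syscall return register (r8) to -EIO, as the test probe does. */
    model_store_register_buggy(&buggy, 8, (uint64_t)-5);
    model_store_register_fixed(&fixed, 8, (uint64_t)-5);
    /* Exit 0 only if the fix changes one slot and the bug changes two. */
    return (model_count_changes(&before, &fixed) == 1 &&
            model_count_changes(&before, &buggy) == 2) ? 0 : 1;
}
```

Run stand-alone the program exits 0, because the fixed routine changes only r8 while the buggy one also writes unwind_area[8]. In the real runtime the second write lands in whatever the unwinder resolves for a register number it was never meant to see, which is why the reporter could be certain of corruption even when the box did not crash.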
Comment 1 Fabio Olive Leite 2010-06-01 13:57:55 EDT
Created attachment 418755: Test probe that changes $return
Comment 2 Fabio Olive Leite 2010-06-01 13:59:46 EDT
Created attachment 418756: Test program to be used with the probe
Comment 4 Frank Ch. Eigler 2010-06-01 14:10:31 EDT
patch in hand
Comment 10 David Smith 2010-06-14 14:30:13 EDT
Fixed upstream in commit 9f2f086:


This patch will need to be backported.
Comment 18 errata-xmlrpc 2011-01-13 17:36:41 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

