Bug 598615 - Changing register contents (such as $return) causes crash
Summary: Changing register contents (such as $return) causes crash
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: systemtap
Version: 5.5
Hardware: ia64
OS: Linux
Target Milestone: rc
Assignee: Frank Ch. Eigler
QA Contact: qe-baseos-tools
Keywords: ZStream
Depends On:
Blocks: 617100
Reported: 2010-06-01 17:56 UTC by Fabio Olive Leite
Modified: 2018-10-27 12:08 UTC (History)

Fixed In Version: systemtap-1.1-5.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-01-13 22:36:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Partner-verified patch (299 bytes, patch)
2010-06-01 17:56 UTC, Fabio Olive Leite
Test probe that changes $return (76 bytes, text/plain)
2010-06-01 17:57 UTC, Fabio Olive Leite
Test program to be used with the probe (86 bytes, text/plain)
2010-06-01 17:59 UTC, Fabio Olive Leite

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2011:0037 normal SHIPPED_LIVE systemtap enhancement update 2011-01-12 17:15:40 UTC

Description Fabio Olive Leite 2010-06-01 17:56:37 UTC
Created attachment 418754 [details]
Partner-verified patch

Description of problem:

When probing into a system call's return point and changing $return, process state (or random memory) gets corrupted and the box crashes. This is because ia64_store_register() in runtime/regs-ia64.c does not return after changing registers within [r8-r11] (the usual register for $return on ia64 is r8), but instead goes on and also tries to store a value somewhere else as if it were some other register, even doing stack unwinding.

Version-Release number of selected component (if applicable):

RHEL-5.5, systemtap-1.1-3.el5.

How reproducible:

I would say 50%. A partner had a 100% sure reproducer; tests in the Red Hat labs sometimes crashed and sometimes did not. In any case, the code change is obvious, so it is 100% sure it IS corrupting memory somewhere. It could just not be somewhere important enough to cause a crash (yet).

Steps to Reproduce:
1. Compile the attached foobar.c program into the foobar executable:
# gcc -o foobar foobar.c

2. Run foobar with stap loading the sys_write_return.stap:
# stap -vg sys_write_return.stap -c ./foobar
write: Input/output error

Actual results:

3. $return (and something else) is changed and the system crashes very soon.

Expected results:

3. $return is changed and system keeps going.

Additional info:

Patch adds a return statement in runtime/regs-ia64.c after line 116:
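
To make the fall-through concrete, the following is a constructed C model of the defect, added here for illustration. It is not systemtap's runtime/regs-ia64.c: the struct layout, the `store_stacked_register` stand-in for the unwinder path and every function name are invented. The buggy store handles r8..r11 but, lacking a `return`, continues into the stacked-register path and writes the value through the unwinder stand-in into memory it never meant to touch; the fixed form returns as soon as the scratch register has been stored.

```c
/* Constructed model of the missing-return fall-through described in this
 * report. NOT systemtap's code: register layout and helper names are
 * invented purely to show why the fall-through corrupts unrelated memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical pt_regs-like frame: scratch registers r8..r11 are saved
 * directly in it and can be written in place. */
struct model_regs {
    int64_t r8, r9, r10, r11;
};

/* Hypothetical stand-in for memory the stacked-register path (the part
 * that needs stack unwinding) writes to. Nothing here should change when
 * only r8 is being modified. */
struct model_stack {
    int64_t slot[8];
    int unwind_calls;   /* how many times the unwinder path ran */
};

/* Hypothetical stacked-register path. In the real bug, control reached the
 * equivalent of this after the r8..r11 store had already been done. */
static void store_stacked_register(struct model_stack *stk, int regno, int64_t value)
{
    stk->unwind_calls++;
    stk->slot[regno % 8] = value;   /* for r8..r11 this clobbers an unrelated slot */
}

/* Buggy shape: the r8..r11 cases store the value and then 'break', so
 * execution falls through into the stacked-register path as well. */
static void store_register_buggy(struct model_regs *regs, struct model_stack *stk,
                                 int regno, int64_t value)
{
    switch (regno) {
    case 8:  regs->r8  = value; break;
    case 9:  regs->r9  = value; break;
    case 10: regs->r10 = value; break;
    case 11: regs->r11 = value; break;
    default: break;
    }
    /* Missing 'return' above: a store to r8 also lands here. */
    store_stacked_register(stk, regno, value);
}

/* Fixed shape: return immediately once a scratch register has been stored. */
static void store_register_fixed(struct model_regs *regs, struct model_stack *stk,
                                 int regno, int64_t value)
{
    switch (regno) {
    case 8:  regs->r8  = value; return;
    case 9:  regs->r9  = value; return;
    case 10: regs->r10 = value; return;
    case 11: regs->r11 = value; return;
    default: break;
    }
    store_stacked_register(stk, regno, value);
}

/* Performs one "$return = value" store (r8) through either path on zeroed
 * state. Returns 1 when only r8 changed, 0 when the stack model was touched
 * or r8 did not receive the value. 'value' should be non-zero so a stray
 * write is visible. */
int store_return_is_clean(int use_fixed, int64_t value)
{
    struct model_regs regs;
    struct model_stack stk;
    memset(&regs, 0, sizeof regs);
    memset(&stk, 0, sizeof stk);

    if (use_fixed)
        store_register_fixed(&regs, &stk, 8, value);
    else
        store_register_buggy(&regs, &stk, 8, value);

    if (regs.r8 != value)
        return 0;
    return stk.unwind_calls == 0 && stk.slot[0] == 0;
}

int main(void)
{
    /* -5 is just a constructed non-zero sample value. */
    printf("buggy path leaves other memory untouched: %d\n", store_return_is_clean(0, -5));
    printf("fixed path leaves other memory untouched: %d\n", store_return_is_clean(1, -5));
    return 0;
}
```

The point of the model is that the corruption target depends on whatever the stacked-register path computes for a register number it was never meant to see, which is why the report observes "random memory" damage and a crash that only shows up some of the time.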

Comment 1 Fabio Olive Leite 2010-06-01 17:57:55 UTC
Created attachment 418755 [details]
Test probe that changes $return

Comment 2 Fabio Olive Leite 2010-06-01 17:59:46 UTC
Created attachment 418756 [details]
Test program to be used with the probe

Comment 4 Frank Ch. Eigler 2010-06-01 18:10:31 UTC
patch in hand

Comment 10 David Smith 2010-06-14 18:30:13 UTC
Fixed upstream in commit 9f2f086:


This patch will need to be backported.

Comment 18 errata-xmlrpc 2011-01-13 22:36:41 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
