Bug 64147 - kstat_read_proc() overflow
kstat_read_proc() overflow
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: kernel (Show other bugs)
7.2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Arjan van de Ven
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-04-26 12:30 EDT by Heather Conway
Modified: 2007-04-18 12:42 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-02-13 13:17:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
vsnprintf-fix.patch (2.74 KB, patch)
2002-04-26 20:18 EDT, Ben LaHaise
no flags Details | Diff
stat-fix.patch (3.96 KB, patch)
2002-04-26 20:20 EDT, Ben LaHaise
no flags Details | Diff

  None (edit)
Description Heather Conway 2002-04-26 12:30:01 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
Whenever kstat_read_proc() in fs/proc/proc_misc.c is called,it's trashing the 
first 95 bytes in the the virtual
page which follows the page that is legitimately being written
to by kstat_read_proc().



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Comments in this file indicate that overflow off the end of the
page is a definite possibility and is handled gracefully.  I have
used the linux kdb in-kernel debugger from SGI to see the actual
corrupted pages.  The ASCII text written by kstat_read_proc() can
be seen overflowing from the virtual page before the corruption
over to the (in our case) first 95 bytes of the next page.  The
case I've debugged caused a panic in the kmem_cache subsystem because
the slab header of a buffer_header slab was corrupted.  I have also
seem the same text strings corrupting various files on our system.
This evidence combined with the high potential that the page being
corrupted is a data buffer leads me to believe that this bug could
easily cause data corruption.

RedHat added a call to print_tux_procinfo() to both the 2.4.9-31
and 2.4.3-12 versions of kstat_read_proc().  Despite the fact that
we have only seen this problem occur with the 2.4.9-31 kernel, it
has not been shown that the problem cannot/will not occur with the
2.4.3-12 kernel also.  We have commented out this call to print_tux_procinfo()
and not seen the problem again.	

Additional info:
Comment 1 Arjan van de Ven 2002-04-26 12:40:17 EDT
Thanks for this debugging!

(oh and I assume you used the kdb kernel we ship.. at least I hope you didn't
have to go through all the trouble of getting that to work with our kernels
yourself ;
)
Comment 2 Ben LaHaise 2002-04-26 20:16:16 EDT
The following two patches should fix the problem.
Comment 3 Ben LaHaise 2002-04-26 20:18:05 EDT
Created attachment 55564 [details]
vsnprintf-fix.patch
Comment 4 Ben LaHaise 2002-04-26 20:20:43 EDT
Created attachment 55565 [details]
stat-fix.patch
Comment 5 Matt Domsch 2002-07-18 15:13:35 EDT
Both of the above patches are included in the first Pensacola errata kernel 
2.4.9-e.5.

Comment 6 Matt Domsch 2002-08-12 14:52:23 EDT
This appears to still be an outstanding issue with the 2.4.9-34 errata kernel 
(latest released for 7.1/7.2), but is not a problem with Hampton or Milan.  
Please look to include this into the next 7.[12] errata kernel.
Comment 7 Arjan van de Ven 2002-08-12 14:57:04 EDT
oh this will be fixed that way, sure
Comment 8 Matt Domsch 2003-02-13 13:17:31 EST
Milan kernel 2.4.18-14 and errata kernels released after that have this 
fixed.  Closing.

Note You need to log in before you can comment on or make changes to this bug.