Bug 64147 - kstat_read_proc() overflow
Summary: kstat_read_proc() overflow
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel (Show other bugs)
(Show other bugs)
Version: 7.2
Hardware: i386 Linux
medium
medium
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-04-26 16:30 UTC by Heather Conway
Modified: 2007-04-18 16:42 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-02-13 18:17:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
vsnprintf-fix.patch (2.74 KB, patch)
2002-04-27 00:18 UTC, Ben LaHaise
no flags Details | Diff
stat-fix.patch (3.96 KB, patch)
2002-04-27 00:20 UTC, Ben LaHaise
no flags Details | Diff

Description Heather Conway 2002-04-26 16:30:01 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
Whenever kstat_read_proc() in fs/proc/proc_misc.c is called,it's trashing the 
first 95 bytes in the the virtual
page which follows the page that is legitimately being written
to by kstat_read_proc().



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Comments in this file indicate that overflow off the end of the
page is a definite possibility and is handled gracefully.  I have
used the linux kdb in-kernel debugger from SGI to see the actual
corrupted pages.  The ASCII text written by kstat_read_proc() can
be seen overflowing from the virtual page before the corruption
over to the (in our case) first 95 bytes of the next page.  The
case I've debugged caused a panic in the kmem_cache subsystem because
the slab header of a buffer_header slab was corrupted.  I have also
seem the same text strings corrupting various files on our system.
This evidence combined with the high potential that the page being
corrupted is a data buffer leads me to believe that this bug could
easily cause data corruption.

RedHat added a call to print_tux_procinfo() to both the 2.4.9-31
and 2.4.3-12 versions of kstat_read_proc().  Despite the fact that
we have only seen this problem occur with the 2.4.9-31 kernel, it
has not been shown that the problem cannot/will not occur with the
2.4.3-12 kernel also.  We have commented out this call to print_tux_procinfo()
and not seen the problem again.	

Additional info:

Comment 1 Arjan van de Ven 2002-04-26 16:40:17 UTC
Thanks for this debugging!

(oh and I assume you used the kdb kernel we ship.. at least I hope you didn't
have to go through all the trouble of getting that to work with our kernels
yourself ;
)

Comment 2 Ben LaHaise 2002-04-27 00:16:16 UTC
The following two patches should fix the problem.

Comment 3 Ben LaHaise 2002-04-27 00:18:05 UTC
Created attachment 55564 [details]
vsnprintf-fix.patch

Comment 4 Ben LaHaise 2002-04-27 00:20:43 UTC
Created attachment 55565 [details]
stat-fix.patch

Comment 5 Matt Domsch 2002-07-18 19:13:35 UTC
Both of the above patches are included in the first Pensacola errata kernel 
2.4.9-e.5.



Comment 6 Matt Domsch 2002-08-12 18:52:23 UTC
This appears to still be an outstanding issue with the 2.4.9-34 errata kernel 
(latest released for 7.1/7.2), but is not a problem with Hampton or Milan.  
Please look to include this into the next 7.[12] errata kernel.

Comment 7 Arjan van de Ven 2002-08-12 18:57:04 UTC
oh this will be fixed that way, sure


Comment 8 Matt Domsch 2003-02-13 18:17:31 UTC
Milan kernel 2.4.18-14 and errata kernels released after that have this 
fixed.  Closing.


Note You need to log in before you can comment on or make changes to this bug.