Bug 453053 - RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken [NEEDINFO]
Summary: RHSA-2008:0508 linux-2.6.9-x86_64-copy_user-zero-tail.patch broken
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.6
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Larry Woodman
QA Contact: Martin Jenner
URL:
Whiteboard:
Duplicates: 454865 (view as bug list)
Depends On:
Blocks: RHEL4u8_relnotes 461297 471015
 
Reported: 2008-06-26 22:49 UTC by John Hawkes
Modified: 2009-05-18 19:08 UTC (History)
CC List: 12 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-18 19:08:58 UTC
Target Upstream Version:
rlerch: needinfo? (lwoodman)


Attachments
Test program (deleted)
2008-06-26 22:49 UTC, John Hawkes
fix calculation of return value in case of fault in the byte copy loop (deleted)
2008-07-01 11:32 UTC, Vitaly Mayatskikh


Links
System: Red Hat Product Errata
ID: RHSA-2009:1024
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: Red Hat Enterprise Linux 4.8 kernel security and bug fix update
Last Updated: 2009-05-18 14:57:26 UTC

Description John Hawkes 2008-06-26 22:49:52 UTC
The latest kernel update, RHSA-2008:0508, contains a patch:
    linux-2.6.9-x86_64-copy_user-zero-tail.patch
for x86_64 processors which is broken.  The attached program demonstrates the
failure.  The test is derived from the LTP read02 test.

In brief:
  * create a file that contains one byte.
  * mmap a 1-byte buffer with PROT_NONE protections.
  * attempt to read that one byte into the mmap'd buffer.

With a kernel prior to 2.6.9-67.0.20, or with 2.6.9-67.0.20 and a non-x86_64
processor, this read() returns -1 and EFAULT.

With 2.6.9-67.0.20 and x86_64, the read() returns garbage and errno==0.
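The three-step reproducer above as a self-contained regression check, written here as an added example and not the reporter's deleted attachment: it creates the one-byte file, maps a PROT_NONE buffer, issues the read() and reports whether the kernel returned -1/EFAULT (correct) or a bogus success. The temp-file name template is a constructed value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Regression check for the read() failure described in this bug: a read()
 * whose destination is a PROT_NONE mapping must return -1 with EFAULT.
 * Returns 0 when the kernel behaves correctly, 1 when read() "succeeds"
 * (the bug: garbage return value, errno == 0), -1 on test setup failure. */
int check_read_into_prot_none(void)
{
    char path[] = "/tmp/bz453053-XXXXXX";   /* constructed temp-file template */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                             /* removed once fd is closed */

    /* Step 1: a file that contains exactly one byte, rewound to offset 0. */
    if (write(fd, "x", 1) != 1 || lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }
    /* Step 2: a 1-byte buffer mapped PROT_NONE. The error check is against
     * MAP_FAILED, not NULL, as comment 3 points out. */
    void *buf = mmap(NULL, 1, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) {
        close(fd);
        return -1;
    }
    /* Step 3: read the byte into the unwritable buffer; copy_to_user must
     * fault and the syscall must report EFAULT, not a byte count. */
    errno = 0;
    ssize_t n = read(fd, buf, 1);
    int err = errno;
    munmap(buf, 1);
    close(fd);
    return (n == -1 && err == EFAULT) ? 0 : 1;
}

int main(void)
{
    int r = check_read_into_prot_none();
    printf("read() into PROT_NONE: %s\n", r == 0 ? "EFAULT (correct)"
           : r == 1 ? "no error reported (BUG)" : "test setup failed");
    return r != 0;
}
```

A non-zero exit status from the program flags either the bug or a setup problem, which makes it usable as a one-line kernel acceptance test.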

Comment 1 John Hawkes 2008-06-26 22:49:52 UTC
Created attachment 310399 [details]
Test program

Comment 2 Vitaly Mayatskikh 2008-07-01 11:32:50 UTC
Created attachment 310653 [details]
fix calculation of return value in case of fault in the byte copy loop

Comment 3 Vitaly Mayatskikh 2008-07-01 11:33:24 UTC
Thanks for the report, John. The bug was identified and fixed.

By the way, mmap() returns MAP_FAILED in case of error, not NULL.

Comment 4 John Hawkes 2008-07-01 14:58:36 UTC
(In reply to comment #3)
> Thanks for report, John. Bug was identified and fixed.
> 
> By the way, mmap() returns MAP_FAILED in case of error, not NULL.

True.  The original LTP read02 test uses MAP_FAILED correctly.  My small test
program was a quick hack - at least it showed the problem.

Comment 5 John Hawkes 2008-07-01 17:25:21 UTC
FYI: with this patch-to-the-patch in place, a dozen other LTP tests now fail: 
pwrite03 recvmsg01 semctl03 sendmsg01 setdomainname02 setgroups04 sockioctl101
write03 write05 writev01 writev02 writev05

I haven't examined these failures yet.  I just wanted to give you a heads-up.


Comment 6 RHEL Product and Program Management 2008-09-03 13:02:11 UTC
Updating PM score.

Comment 7 Larry Woodman 2008-09-17 18:57:41 UTC
*** Bug 454865 has been marked as a duplicate of this bug. ***

Comment 8 Marat 2008-10-07 08:10:02 UTC
(In reply to comment #2)
From my point of view this patch is not correct because it zeroes the %rsi value, but this is not the expected behavior in all cases.
The %rsi value in this context should contain the number of uncopied 8-byte blocks, and the command below saves this value in the %rsi register:
".Lc1e:  movq %rcx,%rsi".
So we should zero the %rsi value only if something happened at the ".Lc2" piece of code; otherwise we should save the %rsi content.
The patch from #454865 seems to avoid this.

Comment 11 Larry Woodman 2008-11-07 14:11:24 UTC
Patch was applied, tested and posted to rhkernel-list

------------------------------------------------------------------------------
--- linux-2.6.9/arch/x86_64/lib/copy_user.S.orig        2008-07-31 11:52:34.000000000 -0400
+++ linux-2.6.9/arch/x86_64/lib/copy_user.S     2008-07-31 11:53:37.000000000 -0400
@@ -315,11 +315,14 @@ copy_user_generic_c:
 .Lc1e: movq %rcx,%rsi
 .Lc3:  rep
        stosq
-.Lc2e: movl %edx,%ecx
+.Lc2ec:        movl %edx,%ecx
 .Lc4:  rep
        stosb
 .Lc3e: leaq (%rdx,%rsi,8),%rax
        ret
+       /* %rsi contains source address - clear it */
+.Lc2e: xorq %rsi,%rsi
+       jmp .Lc2ec

        .section __ex_table,"a"
        .align 8
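Review bot: the __ex_table entries that route faults to `.Lc2e` lie outside this hunk, so the change is only correct if every fixup entry for the byte-copy (`.Lc4`-style `rep stosb` / `.Lc2`) faults now resolves to the new `.Lc2e: xorq %rsi,%rsi` and none of the entries that should keep the uncopied-qword count in %rsi (the `.Lc1e` path, which falls through `.Lc3` into `.Lc2ec`) is redirected to it; please show the table diff or state that the entry names were unchanged. `.Lc3e: leaq (%rdx,%rsi,8),%rax` trusts whatever is in %rsi, so a one-line comment at `.Lc2ec` saying it expects %rsi to hold the count of uncopied 8-byte blocks (or zero on the byte-loop path) would make that contract explicit for the next reader.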
-------------------------------------------------------------------------------


Larry Woodman

Comment 13 Vivek Goyal 2008-11-18 14:31:27 UTC
Committed in 78.18.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 17 Luo Fei 2009-04-29 03:16:46 UTC
I'm not set up to test RHEL4.8. But this testcase (read02) is included in the syscalls test of the LTP test (job 54944) with kernel 2.6.9-88.EL on machine gs-dl585g2-01.rhts.bos.redhat.com (x86_64), and the fix (linux-2.6.9-kernel-fix-copy_user-on-x86_64-for-read-of-8-byte.patch) was present in the source RPM.

Comment 19 errata-xmlrpc 2009-05-18 19:08:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2009-1024.html

