Bug 598615 - Changing register contents (such as $return) causes crash
Summary: Changing register contents (such as $return) causes crash
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: systemtap
Version: 5.5
Hardware: ia64
OS: Linux
Target Milestone: rc
Assignee: Frank Ch. Eigler
QA Contact: qe-baseos-tools
Depends On:
Blocks: 617100
Reported: 2010-06-01 17:56 UTC by Fabio Olive Leite
Modified: 2018-10-27 12:08 UTC
CC: 4 users

Fixed In Version: systemtap-1.1-5.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-01-13 22:36:41 UTC
Target Upstream Version:

Attachments
Partner-verified patch (deleted) - 2010-06-01 17:56 UTC, Fabio Olive Leite
Test probe that changes $return (deleted) - 2010-06-01 17:57 UTC, Fabio Olive Leite
Test program to be used with the probe (deleted) - 2010-06-01 17:59 UTC, Fabio Olive Leite

Links: Red Hat Product Errata RHEA-2011:0037 (priority normal, status SHIPPED_LIVE): systemtap enhancement update, last updated 2011-01-12 17:15:40 UTC

Description Fabio Olive Leite 2010-06-01 17:56:37 UTC
Created attachment 418754
Partner-verified patch

Description of problem:

When probing into a system call's return point and changing $return, process state (or random memory) gets corrupted and the box crashes. This is because ia64_store_register() in runtime/regs-ia64.c does not return after changing registers within [r8-r11] (the usual register for $return on ia64 is r8), but instead goes on and also tries to store a value somewhere else as if it were some other register, even doing stack unwinding.

Version-Release number of selected component (if applicable):

RHEL-5.5, systemtap-1.1-3.el5.

How reproducible:

I would say 50%. A partner had a 100% sure reproducer, tests in the Red Hat labs sometimes did crash and sometimes did not. In any case, the code change is obvious, so it is 100% sure it IS corrupting memory somewhere. Could just not be somewhere important enough to cause a crash (yet).

Steps to Reproduce:
1. Compile the attached foobar.c program into the foobar executable:
# gcc -o foobar foobar.c

2. Run foobar with stap loading the sys_write_return.stap:
# stap -vg sys_write_return.stap -c ./foobar
write: Input/output error

Actual results:

3. $return (and something else) is changed and the system crashes very soon.

Expected results:

3. $return is changed and system keeps going.

Additional info:

Patch adds a return statement in runtime/regs-ia64.c after line 116:;a=blob;f=runtime/regs-ia64.c;h=c78a757eb38fb25c5724bb62ec479aa3ad0f4389;hb=HEAD#l116
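
The fall-through described in the report, as an added illustration (this is a hypothetical model written for this page, not systemtap's runtime/regs-ia64.c, and the names model_regs, store_direct, store_via_unwind and collateral_writes are invented for it). A direct-access register store is handled for r8..r11, but in the buggy variant control continues into the generic "unwind and store elsewhere" path, so the same value lands in a second, unrelated location. The fixed variant returns immediately after the direct store. The value -5 (-EIO) used in main() is an assumption drawn from the "Input/output error" shown in the reproducer, not something the attached probe is known to do.

```c
/* Hypothetical model of a missing-early-return bug in a register-store
 * dispatcher. Added example, NOT systemtap's runtime/regs-ia64.c; all names
 * below are invented for the illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NUM_STACKED = 32 };

struct model_regs {
    uint64_t r8, r9, r10, r11;      /* directly addressable; r8 carries $return */
    uint64_t stacked[NUM_STACKED];  /* stands in for registers only reachable by unwinding */
    int unwind_calls;               /* how often the unwinding path ran */
};

/* Stand-in for the slow path: "unwind" to locate register regno, then write it.
 * For the model it simply indexes stacked[] by regno (assumption). */
static int store_via_unwind(struct model_regs *regs, unsigned regno, uint64_t value)
{
    regs->unwind_calls++;
    if (regno >= NUM_STACKED)
        return -1;
    regs->stacked[regno] = value;
    return 0;
}

/* Fast path for the four directly addressable registers. */
static int store_direct(struct model_regs *regs, unsigned regno, uint64_t value)
{
    switch (regno) {
    case 8:  regs->r8 = value;  return 0;
    case 9:  regs->r9 = value;  return 0;
    case 10: regs->r10 = value; return 0;
    case 11: regs->r11 = value; return 0;
    default: return -1;
    }
}

/* Bug pattern from the report: r8..r11 are written, but control falls through
 * into the generic path, which writes the value a second time somewhere else. */
static int store_register_buggy(struct model_regs *regs, unsigned regno, uint64_t value)
{
    if (regno >= 8 && regno <= 11)
        store_direct(regs, regno, value);
    /* missing: return 0; */
    return store_via_unwind(regs, regno, value);
}

/* Fix: return as soon as the direct register has been stored. */
static int store_register_fixed(struct model_regs *regs, unsigned regno, uint64_t value)
{
    if (regno >= 8 && regno <= 11)
        return store_direct(regs, regno, value);
    return store_via_unwind(regs, regno, value);
}

typedef int (*store_fn)(struct model_regs *, unsigned, uint64_t);

/* Store a new $return (r8) through fn on a zeroed register set and report:
 *  1 if anything besides r8 was written (collateral damage),
 *  0 if only r8 changed,
 * -1 if the store failed or r8 does not hold the requested value. */
static int collateral_writes(store_fn fn, uint64_t new_return)
{
    struct model_regs regs;
    memset(&regs, 0, sizeof regs);
    if (fn(&regs, 8, new_return) != 0 || regs.r8 != new_return)
        return -1;
    for (unsigned i = 0; i < NUM_STACKED; i++)
        if (regs.stacked[i] != 0)
            return 1;
    return regs.unwind_calls != 0;
}

int main(void)
{
    /* -EIO as a 64-bit register value; assumed from the reproducer's error text. */
    uint64_t eio = (uint64_t)(int64_t)-5;
    printf("buggy: collateral writes = %d\n", collateral_writes(store_register_buggy, eio));
    printf("fixed: collateral writes = %d\n", collateral_writes(store_register_fixed, eio));
    return 0;
}
```

The point of the helper is that the symptom is not in r8 at all: both variants leave $return correct, which is why a probe appears to work while the box is being corrupted elsewhere, and why the report describes reproduction as intermittent.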

Comment 1 Fabio Olive Leite 2010-06-01 17:57:55 UTC
Created attachment 418755
Test probe that changes $return

Comment 2 Fabio Olive Leite 2010-06-01 17:59:46 UTC
Created attachment 418756
Test program to be used with the probe

Comment 4 Frank Ch. Eigler 2010-06-01 18:10:31 UTC
patch in hand

Comment 10 David Smith 2010-06-14 18:30:13 UTC
Fixed upstream in commit 9f2f086:


This patch will need to be backported.

Comment 18 errata-xmlrpc 2011-01-13 22:36:41 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
