[PATCH] i386 - Fix regression, endless loop in ptrace singlestep over an int80

[PATCH] i386 - Fix regression, endless loop in ptrace singlestep over an int80

[Jason Wessel]

[-- Attachment #1: Type: text/plain, Size: 692 bytes --]


Attached is a patch with a complete test case to fix the regression 
introduced by the commit: 635cf99a80f4ebee59d70eb64bb85ce829e4591f.

This patch is against kernel 2.6.21 but the fix is applicable to 2.6.21 
and up.  Prior to the commit that introduced the regression the ltp 
ptrace tests would complete correctly.  I augmented the test case from 
the original patch header to include the problem case that shows up in 
the lpt tests.

The brief summary is that the the TIF_SINGLESTEP state needs to be 
altered on the exit path and not the entry path to a syscall, else it 
can loop forever on the same instruction right after the syscall is 
executed in certain cases.

Thanks,
Jason.

[-- Attachment #2: ptrace_int80_loop_fix.patch --]
[-- Type: text/plain, Size: 2871 bytes --]

ptrace_int80_loop_fix.patch

[PATCH] i386: fix infinite loop with singlestep int80 syscalls

The commit 635cf99a80f4ebee59d70eb64bb85ce829e4591f introduced a
regression.  Executing a ptrace single step after certain int80
accesses will infinitely loop and never advance the PC.

The TIF_SINGLESTEP check should be done on the return from the syscall
and not before it.

The new test case is below:

/* Test whether singlestep through an int80 syscall works.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <asm/user.h>
#include <string.h>

static int child, status;
static struct user_regs_struct regs;

static void do_child()
{
	char str[80] = "child: int80 test\n";

	ptrace(PTRACE_TRACEME, 0, 0, 0);
	kill(getpid(), SIGUSR1);
	write(fileno(stdout),str,strlen(str));
	asm ("int $0x80" : : "a" (20)); /* getpid */
}
    
static void do_parent()
{
	unsigned long eip, expected = 0;
again:
	waitpid(child, &status, 0);
	if (WIFEXITED(status) || WIFSIGNALED(status))
		return;
    
	if (WIFSTOPPED(status)) {
		ptrace(PTRACE_GETREGS, child, 0, &regs);
		eip = regs.eip;
		if (expected)
			fprintf(stderr, "child stop @ %08lx, expected %08lx %s\n",
					eip, expected,
					eip == expected ? "" : " <== ERROR");
    
		if (*(unsigned short *)eip == 0x80cd) {
			fprintf(stderr, "int 0x80 at %08x\n", (unsigned int)eip);
			expected = eip + 2;
		} else
			expected = 0;
    
		ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
	}
	goto again;
}
    
int main(int argc, char * const argv[])
{
	child = fork();
	if (child)
		do_parent();
	else
		do_child();
	return 0;
}


Signed-off-by: Jason Wessel <jason.wessel@windriver.com>

---
 arch/i386/kernel/entry.S |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Index: linux-2.6.21-standard/arch/i386/kernel/entry.S
===================================================================
--- linux-2.6.21-standard.orig/arch/i386/kernel/entry.S
+++ linux-2.6.21-standard/arch/i386/kernel/entry.S
@@ -371,10 +371,6 @@ ENTRY(system_call)
 	CFI_ADJUST_CFA_OFFSET 4
 	SAVE_ALL
 	GET_THREAD_INFO(%ebp)
-	testl $TF_MASK,PT_EFLAGS(%esp)
-	jz no_singlestep
-	orl $_TIF_SINGLESTEP,TI_flags(%ebp)
-no_singlestep:
 					# system call tracing in operation / emulation
 	/* Note, _TIF_SECCOMP is bit number 8, and so it needs testw and not testb */
 	testw $(_TIF_SYSCALL_EMU|_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
@@ -389,6 +385,10 @@ syscall_exit:
 					# setting need_resched or sigpending
 					# between sampling and the iret
 	TRACE_IRQS_OFF
+	testl $TF_MASK,PT_EFLAGS(%esp)	# If tracing set singlestep flag on exit
+	jz no_singlestep
+	orl $_TIF_SINGLESTEP,TI_flags(%ebp)
+no_singlestep:
 	movl TI_flags(%ebp), %ecx
 	testw $_TIF_ALLWORK_MASK, %cx	# current->work
 	jne syscall_exit_work

Re: [PATCH] i386 - Fix regression, endless loop in ptrace singlestep over an int80

[Jeremy Fitzhardinge]

Jason Wessel wrote:
>
> Attached is a patch with a complete test case to fix the regression 
> introduced by the commit: 635cf99a80f4ebee59d70eb64bb85ce829e4591f.
>
> This patch is against kernel 2.6.21 but the fix is applicable to 
> 2.6.21 and up.  Prior to the commit that introduced the regression the 
> ltp ptrace tests would complete correctly.  I augmented the test case 
> from the original patch header to include the problem case that shows 
> up in the lpt tests.
>
> The brief summary is that the the TIF_SINGLESTEP state needs to be 
> altered on the exit path and not the entry path to a syscall, else it 
> can loop forever on the same instruction right after the syscall is 
> executed in certain cases. 

Looks reasonable to me, but what under what circumstances can 
TIF_SINGLESTEP get lost?

    J

Re: [PATCH] i386 - Fix regression, endless loop in ptrace singlestep over an int80

[Chuck Ebbert]

On 07/02/2007 04:53 PM, Jason Wessel wrote:
> 
> Attached is a patch with a complete test case to fix the regression
> introduced by the commit: 635cf99a80f4ebee59d70eb64bb85ce829e4591f.
> 
> This patch is against kernel 2.6.21 but the fix is applicable to 2.6.21
> and up.  Prior to the commit that introduced the regression the ltp
> ptrace tests would complete correctly.  I augmented the test case from
> the original patch header to include the problem case that shows up in
> the lpt tests.
> 
> The brief summary is that the the TIF_SINGLESTEP state needs to be
> altered on the exit path and not the entry path to a syscall, else it
> can loop forever on the same instruction right after the syscall is
> executed in certain cases.

Where does it loop?

Re: [PATCH] i386 - Fix regression, endless loop in ptrace singlestep over an int80

[Jason Wessel]

Chuck Ebbert wrote:
> On 07/02/2007 04:53 PM, Jason Wessel wrote:
>   
>> Attached is a patch with a complete test case to fix the regression
>> introduced by the commit: 635cf99a80f4ebee59d70eb64bb85ce829e4591f.
>>
>> This patch is against kernel 2.6.21 but the fix is applicable to 2.6.21
>> and up.  Prior to the commit that introduced the regression the ltp
>> ptrace tests would complete correctly.  I augmented the test case from
>> the original patch header to include the problem case that shows up in
>> the lpt tests.
>>
>> The brief summary is that the the TIF_SINGLESTEP state needs to be
>> altered on the exit path and not the entry path to a syscall, else it
>> can loop forever on the same instruction right after the syscall is
>> executed in certain cases.
>>     
>
> Where does it loop?
>
>   

On each single step on the pop right after the int80 which writes out to 
the console.  At that point you can issue as many single steps as you 
want and it will not advance any further.

Jason.