Subject: port-sun3/3034: Ping and assorted other utilities mysteriously dump core
To: None <gnats-bugs@gnats.netbsd.org>
From: Ian Dall <ian@sibyl.chez-dall.org.au>
List: netbsd-bugs
Date: 12/15/1996 22:05:20
>Number: 3034
>Category: port-sun3
>Synopsis: Ping and assorted other utilities mysteriously dump core
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Dec 15 15:20:02 1996
>Last-Modified:
>Originator: Ian Dall
>Organization:
>Release: 1.2
>Environment:
System: NetBSD harold.chez-dall.org.au 1.2B NetBSD 1.2B (GENERIC) #13: Sat Dec 14 18:15:05 CST 1996 ian@sibyl.chez-dall.org.au:/usr/netbsd-1.2/lsrc/sys/arch/sun3/compile/GENERIC sun3
>Description:
When a SunOS compatibility mode process execs another process it leaves
the MDP_STACKADJ flag set. This flag is never set or cleared by a native
NetBSD process and is inherited by any children. If a native NetBSD
process has a system call interrupted (EINTR is set), then its stack
will wrongly be adjusted as if it were a SunOS process. Once the stack
is corrupted anything may happen (but most likely a core dump sooner
or later).
>How-To-Repeat:
With a shell compiled for SunOS (say foosh):
exec foosh
ping localhost
ping will core dump when it receives the *second* packet.
>Fix:
The following patch ensures that the MDP_STACKADJ flag is cleared before
the system call completes. Since this applies to the exec system call
as well, native NetBSD processes will never inherit the MDP_STACKADJ
flag.
--- ../../../../../src/sys/arch/sun3/sun3/trap.c Tue Oct 15 01:56:00 1996
+++ trap.c Sat Dec 14 18:13:15 1996
@@ -690,6 +690,7 @@
/* need new p-value for this */
if (error == ERESTART && (p->p_md.md_flags & MDP_STACKADJ))
frame.f_regs[SP] -= sizeof (int);
+ p->p_md.md_flags &= ~MDP_STACKADJ;
#endif
userret(p, &frame, sticks, (u_int)0, 0);
#ifdef KTRACE
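Review bot: the added `p->p_md.md_flags &= ~MDP_STACKADJ;` clears the flag unconditionally on every syscall return, so the fix relies on the SunOS emulation path setting MDP_STACKADJ again on each syscall entry that needs the adjustment rather than once at exec time; please confirm that is the case, otherwise a SunOS process would lose the ERESTART stack adjustment after its first syscall. The clear sits inside the same conditional block as the `frame.f_regs[SP] -= sizeof (int);` adjustment (the `#endif` closing it is visible, the matching `#ifdef` is above the hunk), which is the right place since it then compiles out together with the compat code; a one-line comment on the added line saying it prevents native processes from inheriting the flag across exec would make the intent clear to the next reader.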
>Audit-Trail:
>Unformatted: