Red Hat Bugzilla – Attachment 316274 details for Bug 438147
CVE-2008-1514 kernel: ptrace: Padding area write - unprivileged kernel crash
[patch] Upstream patch for this issue
Filename: 0001--S390-CVE-2008-1514-prevent-ptrace-padding-area-re.patch
MIME Type: text/plain
Size: 3.78 KB
Creator: Eugene Teo (Security Response)
Created: 2008-09-10 05:52:38 UTC
Flags: patch, obsolete
>From 3d6e48f43340343d97839eadb1ab7b6a3ea98797 Mon Sep 17 00:00:00 2001 >From: Jarod Wilson <jwilson@redhat.com> >Date: Tue, 9 Sep 2008 12:38:56 +0200 >Subject: [PATCH] [S390] CVE-2008-1514: prevent ptrace padding area read/write in 31-bit mode > >When running a 31-bit ptrace, on either an s390 or s390x kernel, >reads and writes into a padding area in struct user_regs_struct32 >will result in a kernel panic. > >This is also known as CVE-2008-1514. > >Test case available here: >http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap > >Steps to reproduce: >1) wget the above >2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31 >3) ./user-area-padding-31bit ><panic> > >Test status >----------- >Without patch, both s390 and s390x kernels panic. With patch, the test case, >as well as the gdb testsuite, pass without incident, padding area reads >returning zero, writes ignored. > >Nb: original version returned -EINVAL on write attempts, which broke the >gdb test and made the test case slightly unhappy, Jan Kratochvil suggested >the change to return 0 on write attempts. > >Signed-off-by: Jarod Wilson <jarod@redhat.com> >Tested-by: Jan Kratochvil <jan.kratochvil@redhat.com> >Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> >--- > arch/s390/kernel/compat_ptrace.h | 1 + > arch/s390/kernel/ptrace.c | 28 ++++++++++++++++++++++++++++ > 2 files changed, 29 insertions(+), 0 deletions(-) > >diff --git a/arch/s390/kernel/compat_ptrace.h b/arch/s390/kernel/compat_ptrace.h >index cde81fa..a2be3a9 100644 >--- a/arch/s390/kernel/compat_ptrace.h >+++ b/arch/s390/kernel/compat_ptrace.h >@@ -42,6 +42,7 @@ struct user_regs_struct32 > u32 gprs[NUM_GPRS]; > u32 acrs[NUM_ACRS]; > u32 orig_gpr2; >+ /* nb: there's a 4-byte hole here */ > s390_fp_regs fp_regs; > /* > * These per registers are in here so that gdb can modify them 
>diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c >index 2815bfe..c8b0828 100644 >--- a/arch/s390/kernel/ptrace.c >+++ b/arch/s390/kernel/ptrace.c >@@ -170,6 +170,13 @@ static unsigned long __peek_user(struct task_struct *child, addr_t addr) > */ > tmp = (addr_t) task_pt_regs(child)->orig_gpr2; > >+ } else if (addr < (addr_t) &dummy->regs.fp_regs) { >+ /* >+ * prevent reads of padding hole between >+ * orig_gpr2 and fp_regs on s390. >+ */ >+ tmp = 0; >+ > } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { > /* > * floating point regs. are stored in the thread structure >@@ -270,6 +277,13 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data) > */ > task_pt_regs(child)->orig_gpr2 = data; > >+ } else if (addr < (addr_t) &dummy->regs.fp_regs) { >+ /* >+ * prevent writes of padding hole between >+ * orig_gpr2 and fp_regs on s390. >+ */ >+ return 0; >+ > } else if (addr < (addr_t) (&dummy->regs.fp_regs + 1)) { > /* > * floating point regs. are stored in the thread structure >@@ -428,6 +442,13 @@ static u32 __peek_user_compat(struct task_struct *child, addr_t addr) > */ > tmp = *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4); > >+ } else if (addr < (addr_t) &dummy32->regs.fp_regs) { >+ /* >+ * prevent reads of padding hole between >+ * orig_gpr2 and fp_regs on s390. >+ */ >+ tmp = 0; >+ > } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { > /* > * floating point regs. are stored in the thread structure >@@ -514,6 +535,13 @@ static int __poke_user_compat(struct task_struct *child, > */ > *(__u32*)((addr_t) &task_pt_regs(child)->orig_gpr2 + 4) = tmp; > >+ } else if (addr < (addr_t) &dummy32->regs.fp_regs) { >+ /* >+ * prevent writess of padding hole between >+ * orig_gpr2 and fp_regs on s390. >+ */ >+ return 0; >+ > } else if (addr < (addr_t) (&dummy32->regs.fp_regs + 1)) { > /* > * floating point regs. are stored in the thread structure >-- >1.5.5.1 >
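Review bot: In the compat_ptrace.h hunk the hole is only described by a comment (`/* nb: there's a 4-byte hole here */`); consider making it an explicit member, e.g. `u32 __pad;` (hypothetical name) between `orig_gpr2` and `fp_regs`, so the layout is self-describing and the ptrace dispatch can test against a named field instead of relying on `addr < (addr_t) &dummy->regs.fp_regs` landing after the `orig_gpr2` branch. Since the compiler already inserts the same four bytes, offsets and ABI are unchanged.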
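Review bot: The comment on the new branch in `__peek_user` says "on s390", but this is the native (non-compat) path; say explicitly that the hole only exists here when the native struct is the 31-bit layout (a 31-bit kernel), and that a 31-bit tracer on an s390x kernel is handled by the `__peek_user_compat` hunk below. Also worth stating in the comment that reads of the hole deliberately return 0 rather than an error, as the commit message describes, so the `tmp = 0;` does not look like a leftover.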
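Review bot: In the `__poke_user` hunk `return 0;` silently discards a write to the hole and reports success; the commit message explains this was chosen over `-EINVAL` because gdb writes the whole user area, but that rationale lives only in the commit message. Put a one-line note in the code comment (something like "writes are ignored, not rejected, so gdb can write the full area") so a later reader does not "fix" it back to an error. The same applies to the `__poke_user_compat` hunk.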
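Review bot: Typo in the `__poke_user_compat` hunk comment: `prevent writess of padding hole` should read `prevent writes of padding hole`, matching the wording in the `__poke_user` hunk.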
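To make the offset arithmetic behind this patch concrete, here is a user-space model of the 31-bit register area and of the `__peek_user`/`__poke_user` dispatch before and after the fix. It is an added example, not kernel code and not part of the attachment: it assumes 16 general, 16 access and 16 floating-point registers, and stands in for `s390_fp_regs` with a simplified struct whose 64-bit members force 8-byte alignment, which is what opens the hole after the 4-byte `orig_gpr2`. The `classify_*`, `peek_patched`, `poke_patched` and `sample_area` names are the model's own.

```c
/*
 * User-space model of the 31-bit ptrace user area and of the
 * __peek_user / __poke_user dispatch before and after the patch.
 * Added example: not kernel code; register counts and the fp_regs
 * layout are assumptions for the model.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;
typedef uint64_t u64;

#define NUM_GPRS 16 /* assumption: 16 general registers */
#define NUM_ACRS 16 /* assumption: 16 access registers */
#define NUM_FPRS 16 /* assumption: 16 floating-point registers */

/* Simplified stand-in for s390_fp_regs. _Alignas(8) on the first member
 * gives the struct the 8-byte alignment its 64-bit registers impose. */
typedef struct {
    _Alignas(8) u32 fpc;
    u64 fprs[NUM_FPRS];
} fp_regs_model;

struct user_regs32_model {
    u32 gprs[NUM_GPRS];
    u32 acrs[NUM_ACRS];
    u32 orig_gpr2;
    /* the compiler inserts a 4-byte hole here, as the patch comment notes */
    fp_regs_model fp_regs;
};

enum area { AREA_GPRS, AREA_ACRS, AREA_ORIG_GPR2, AREA_PADDING, AREA_FP_REGS, AREA_OTHER };

#define OFF(m) offsetof(struct user_regs32_model, m)

size_t padding_start(void) { return OFF(orig_gpr2) + sizeof(u32); }
size_t padding_end(void)   { return OFF(fp_regs); }

/* Pre-patch dispatch: no branch claims the hole, so an offset inside it
 * falls through to the fp_regs branch. */
enum area classify_prepatch(size_t addr)
{
    if (addr < OFF(acrs))                            return AREA_GPRS;
    if (addr < OFF(orig_gpr2))                       return AREA_ACRS;
    if (addr < OFF(orig_gpr2) + sizeof(u32))         return AREA_ORIG_GPR2;
    if (addr < OFF(fp_regs) + sizeof(fp_regs_model)) return AREA_FP_REGS;
    return AREA_OTHER;
}

/* Offset into fp_regs that the pre-patch fp_regs branch would use for addr.
 * For an address in the hole it is addr - &fp_regs, which wraps to a huge
 * unsigned value: an out-of-bounds access instead of a register access. */
size_t prepatch_fp_offset(size_t addr) { return addr - OFF(fp_regs); }

/* Patched dispatch: the added branch claims the hole before fp_regs. */
enum area classify_patched(size_t addr)
{
    if (addr < OFF(acrs))                            return AREA_GPRS;
    if (addr < OFF(orig_gpr2))                       return AREA_ACRS;
    if (addr < OFF(orig_gpr2) + sizeof(u32))         return AREA_ORIG_GPR2;
    if (addr < OFF(fp_regs))                         return AREA_PADDING;
    if (addr < OFF(fp_regs) + sizeof(fp_regs_model)) return AREA_FP_REGS;
    return AREA_OTHER;
}

/* Patched peek: the hole reads as zero. Misaligned or out-of-range words
 * also read as zero in this model (the kernel rejects them earlier). */
u32 peek_patched(const struct user_regs32_model *regs, size_t addr)
{
    u32 word = 0;
    enum area a = classify_patched(addr);
    if (addr % sizeof(u32) || a == AREA_PADDING || a == AREA_OTHER)
        return 0;
    memcpy(&word, (const unsigned char *)regs + addr, sizeof word);
    return word;
}

/* Patched poke: writes into the hole are ignored but report success (0),
 * as the patch does; misaligned or out-of-range writes get -EIO here. */
int poke_patched(struct user_regs32_model *regs, size_t addr, u32 data)
{
    enum area a = classify_patched(addr);
    if (addr % sizeof(u32) || a == AREA_OTHER)
        return -EIO;
    if (a == AREA_PADDING)
        return 0;
    memcpy((unsigned char *)regs + addr, &data, sizeof data);
    return 0;
}

/* Constructed sample area with recognisable values in gpr2 and fpc. */
struct user_regs32_model sample_area(void)
{
    struct user_regs32_model r;
    memset(&r, 0, sizeof r);
    r.gprs[2] = 0xdeadbeef;
    r.fp_regs.fpc = 0x11;
    return r;
}

int main(void)
{
    struct user_regs32_model r = sample_area();
    size_t hole = padding_start();
    printf("hole at [%zu, %zu)\n", padding_start(), padding_end());
    printf("pre-patch fp_regs offset for the hole: %zu\n", prepatch_fp_offset(hole));
    printf("patched: peek(hole)=%u poke(hole)=%d\n",
           peek_patched(&r, hole), poke_patched(&r, hole, 0xffffffffu));
    return 0;
}
```

With these assumptions the hole sits at bytes 132..135 (`orig_gpr2` at 128, `fp_regs` rounded up to 136), which is the one word that the pre-patch dispatch hands to the `fp_regs` branch with a wrapped-around offset; the patched dispatch classifies it as padding, reads it as 0 and accepts writes without touching anything, which is the behaviour the commit message describes.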