Bug 154451

Summary: CAN-2005-1762 x86_64 sysret exception leads to DoS
Product: Red Hat Enterprise Linux 4 Reporter: Roland McGrath <roland>
Component: kernelAssignee: Roland McGrath <roland>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 4.0CC: davej, jbaron, jparadis, mingo, mjc, riel, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: impact=important,reported=20050411,source=redhat
Fixed In Version: RHSA-2005-514 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-05 12:59:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 154221    
Bug Blocks: 156322    
Attachments:
Description Flags
reproducer, native 64-bit compile produces sysret fault
none
fix for sysret fault case
none
fix for iret fault cases
none
reproducer for sigreturn/iret case, compile this native 64 bit none

Comment 3 Roland McGrath 2005-04-12 07:08:42 UTC
Created attachment 113012 [details]
fix for sysret fault case

This fixes the case with that bad failure mode and DoS potential.
This patch works against 2.6.12rc2 and against RHEL4 (6.38).

Comment 4 Roland McGrath 2005-04-12 07:11:50 UTC
Created attachment 113013 [details]
fix for iret fault cases

This fixes the iret cases, and handles both a native 64-bit sigreturn case and
the cases with 32-bit processes that bug 154221 deals with.  These cases all
have a fairly harmless failure mode (some console spew and a confusing user
result), so buggy but not exploitable.

Comment 13 Mark J. Cox 2005-06-13 09:18:33 UTC
I originally labelled this issue as CAN-2005-0756 however that was in error due
to two similar ptrace check issues.  The following is as reported to vendor-sec:

Fixing rip -> CAN-2005-1762
Fixing fs_base and gs_base -> CAN-2005-0756


Comment 14 Mark J. Cox 2005-06-13 09:19:24 UTC
[PATCH] x86_64: check if ptrace RIP is canonical
This works around an AMD Erratum.

This is a DoS on 2.4 and 2.6

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d1099e8a18960693c04507bdd7b9403db70bfd97


Comment 15 Peter Staubach 2005-07-15 15:56:22 UTC
*** Bug 159916 has been marked as a duplicate of this bug. ***

Comment 16 Mark J. Cox 2005-07-26 13:00:52 UTC
This is in linux-2.6.9-CAN-2005-0756-x86_64-ptrace-canonical-addr.patch in -11.34.EL

Comment 21 Red Hat Bugzilla 2005-10-05 12:59:07 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html