Bug 159671
Summary: | CAN-2005-1761 local user can use ptrace to crash system
---|---
Product: | Red Hat Enterprise Linux 4
Component: | kernel
Version: | 4.0
Hardware: | ia64
OS: | Linux
Status: | CLOSED ERRATA
Severity: | high
Priority: | medium
Reporter: | Tony Luck <tony.luck>
Assignee: | Jason Baron <jbaron>
QA Contact: | Brian Brock <bbrock>
CC: | knoel, poelstra, security-response-team
Keywords: | Security
Whiteboard: | reported=20050607,impact=important,source=bugzilla,public=20050621:10
Fixed In Version: | RHSA-2005-514
Doc Type: | Bug Fix
Last Closed: | 2005-10-05 13:22:42 UTC
Bug Blocks: | 156322

I have an ACK from David Mosberger that the new patch is OK. But now Chris Wright has pointed out that restore_sigcontext() will also load an arbitrary value into ar.rsc from userspace. So I'm stopping trying to rush this into 2.6.12. It will go into 2.6.12.y.

Created attachment 115375
Fix restore_sigcontext() path too

This should be the final version. If there are no problems with it, then I
will release this on Wed June 22nd at noon PDT.

commit from 2.6.12 stable: http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.12.y.git;a=commitdiff;h=df0112ae92e768bda81105cff85d7c8e46004d7b

CAN-2005-1761 ptrace crasher
HP reported via Intel a way that on ia64 a local user could write to the pl field via ptrace and therefore read/write kernel memory.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html

Created attachment 115326
close another path to the same hole

Aargh! David Mosberger e-mailed me last night with a concern that Matt's fix only closed one code path that allowed ar.rsc to be set. He's right. Here's my attempt at closing the ptrace_setregs() path too. Fresh out of the tree. Untested (apart from that it compiles). No reviews yet either.