Bug 183463

Summary: CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic
Product: Red Hat Enterprise Linux 4 Reporter: Alan Robinson <alanr>
Component: kernelAssignee: Anil S Keshavamurthy <akeshava>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: jbaron, lwang, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: ia64   
OS: Linux   
Whiteboard:
Fixed In Version: RHSA-2006-0575 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-10 22:29:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 181409, 185624    

Comment 1 Alan Robinson 2006-03-01 11:03:46 UTC 
Description of problem:

There is a bug in the IA-64 unaligned access handler, which means that an
unaligned access occurring while the IA-64 big-endian flag is set can crash the
system.  The problem is in arch/ia64/kernel/unalign.c - the function
die_if_kernel() is declared "noreturn", but this function can return if the
access came from user-space.  

If an unaligned access occurs from user-space while the big-endian flag is set,
the code at the start of ia64_handle_unaligned() will call die_if_kernel(),
which will return.  What happens next depends on how gcc compiled this function
- as die_if_kernel() is marked "noreturn", you will now fall through to whatever
code gcc happens to have planted after this call.

On RHEL4, the code you fall through to has been observed to cause a kernel panic.

Version-Release number of selected component (if applicable):

kernel-2.6.9-11.EL.ia64.rpm
kernel-2.6.9-22.EL.ia64.rpm
kernel-2.6.9-22.0.2.EL.ia64.rpm

Same behaviour (system crash) observed on all these versions (corresponding to
RHEL4 update 1 and update 2).

How reproducible:

Run attached test program as any user.

Steps to Reproduce:
1. Detach attached ia64UnalignedTest.c
2. make ia64UnalignedTest
3. ./ia64UnalignedTest
  
Actual results:

System crashes

Expected results:

User process should receive a SIGBUS error (the kernel doesn't support fixing up
big-endian accesses, so we would expect the process to simply receive a SIGBUS).

Additional info:

Marked as security issue since this allows any user to crash the entire system
by simply running the test program attached (potential denial-of-service attack
if you have a non-privileged user account on the system).

Fix submitted to the upstream kernel tree via Tony Luck.  URL for the commit is:

http://tinyurl.com/mvayg
Comment 2 Mark J. Cox 2006-03-01 15:14:23 UTC 
Alan, thank's for the report
Comment 3 Mark J. Cox 2006-03-01 15:38:57 UTC 
Alan, can we share your test case in comment #1 with other Linux vendors who we
have a security exchange agreement with?
Comment 4 Alan Robinson 2006-03-01 15:44:44 UTC 
Mark, absolutely - feel free to share that test case with other Linux vendors.

FYI, we've already reported this to Gerald Pfeifer at SUSE (and the SUSE
security team), and they have this test case already.
Comment 5 Jason Baron 2006-03-19 18:57:42 UTC 
committed in stream u4 build 34.5. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 6 Alan Robinson 2006-03-29 09:47:13 UTC 
Tessted the kernel from
http://people.redhat.com/~jbaron/rhel4/RPMS.kernel/kernel-2.6.9-34.9.EL.ia64.rpm

Confirmed that the test case now behaves correctly, a SIGBUS is received by the
process and the system does not crash.

Any word on when this patch will be included in a RedHat kernel release?  Will
it be in update 4, or will it be released ahead of that?  

Thanks
Comment 7 Bob Johnson 2006-04-11 16:00:34 UTC 
This issue is on Red Hat Engineering's list of planned work items 
for the upcoming Red Hat Enterprise Linux 4.4 release.  Engineering 
resources have been assigned and barring unforeseen circumstances, Red 
Hat intends to include this item in the 4.4 release.
Comment 8 Jason Baron 2006-05-23 21:57:24 UTC 
*** Bug 191138 has been marked as a duplicate of this bug. ***
Comment 12 Red Hat Bugzilla 2006-08-10 22:29:29 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0575.html
Comment 13 Eugene Teo (Security Response) 2010-04-27 22:20:30 UTC 
Upstream commit for CVE-2006-0742:
http://git.kernel.org/linus/e963701a761aede31c9c1bfc74cf8e0ec671f0f4

commit e963701a761aede31c9c1bfc74cf8e0ec671f0f4
Author: Tony Luck <tony.luck>
Date:   Mon Feb 27 16:18:58 2006 -0800

    [IA64] die_if_kernel() can return

    arch/ia64/kernel/unaligned.c erroneously marked die_if_kernel()
    with a "noreturn" attribute ... which is silly (it returns whenever
    the argument regs say that the fault happened in user mode, as one
    might expect given the "if_kernel" part of its name!).  Thanks to
    Alan and Gareth for pointing this out.

    Signed-off-by: Tony Luck <tony.luck>