Bug 183489
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2006-0741 bad elf entry address (CVE-2006-0744) | | |
| Product | Red Hat Enterprise Linux 4 | Reporter | Mark J. Cox <mjc> |
| Component | kernel | Assignee | Ernie Petrides <petrides> |
| Status | CLOSED ERRATA | QA Contact | Brian Brock <bbrock> |
| Severity | high | Docs Contact | |
| Priority | medium | | |
| Version | 4.0 | CC | jbaron, jburke, jparadis |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | reported=20060226,source=bk,impact=important,public=20060226 | | |
| Fixed In Version | RHSA-2006-0493 | Doc Type | Bug Fix |
| Last Closed | 2006-05-24 09:28:30 UTC | Type | --- |
Description (Mark J. Cox, 2006-03-01 14:39:34 UTC)
Comment #5 From Ernie Petrides (petrides) on 2006-03-09 17:22 EST

Created an attachment (id=125908): patch posted for internal review today to address this

The attached patch addresses all known vulnerabilities of EM64T CPUs returning to user-space at non-canonical RIP values.

Comment #6 From Mark J. Cox (Security Response Team) (mjc)

Whilst fixing a fix for invalid ELF, Ernie discovered signal catching is still vulnerable, with a trivial test case causing a double-fault on EM64T-based systems. Allocated CVE-2006-0744. The patch above addresses CVE-2006-0741 and CVE-2006-0744.

Upstream commits are here:
http://marc.theaimsgroup.com/?l=git-commits-head&m=114097681403026&w=2
http://marc.theaimsgroup.com/?l=git-commits-head&m=114223318030280&w=2

The 2nd upstream commit listed above has been found to cause regressions and has been reverted by Linus yesterday. I've decided to port the RHEL3 patch from bug 183492 comment #5 instead.

Created attachment 126179 [details]: patch posted for internal review today to address this

The attached patch addresses all known vulnerabilities of EM64T CPUs returning to user-space at non-canonical RIP values.

Created attachment 127095 [details]: revised patch posted for internal re-review tonight

This updated version of the patch in comment #9 addresses a regression in the RIP validation check introduced in restore_sigcontext(). The x86_64 "vsyscall" region must be excluded from the invalid addr range.

committed in stream U4 build 34.12.

A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0493.html

*** Bug 186925 has been marked as a duplicate of this bug. ***
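As an added illustration (not the RHEL patch or any kernel code), here is a user-space model of the RIP validation the comments above describe: a signal-return path must reject non-canonical return addresses, but the check must still allow the x86_64 vsyscall region or it regresses legitimate programs. Assumed: 48-bit virtual addressing, a 47-bit user range, and the legacy vsyscall page at 0xffffffffff600000 (4 KiB); the function names are hypothetical.

```c
/* Added example, not kernel code: model of a user-return RIP check.
 * On x86_64 with 48-bit virtual addresses, an address is canonical only
 * when bits 63..47 are all equal.  Returning to user space at a
 * non-canonical RIP faults in a state the kernel cannot recover cleanly
 * (the double-fault this bug describes), so sigreturn must reject it. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define USER_ADDR_LIMIT 0x0000800000000000ULL /* assumed: end of user range */
#define VSYSCALL_START  0xffffffffff600000ULL /* assumed: legacy vsyscall page */
#define VSYSCALL_END    (VSYSCALL_START + 0x1000ULL)

/* Canonical on 48-bit hardware: the top 17 bits are all 0 or all 1. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Accept a return address only where user code may legitimately execute:
 * the canonical lower half, or the vsyscall page.  Everything else
 * (non-canonical hole, kernel text) is rejected before RIP is restored.
 * Excluding vsyscall from the rejected range is the regression fix the
 * revised patch above describes. */
bool rip_valid_for_user(uint64_t rip)
{
    if (!is_canonical(rip))
        return false;
    if (rip < USER_ADDR_LIMIT)
        return true;
    return rip >= VSYSCALL_START && rip < VSYSCALL_END;
}

int main(void)
{
    /* Constructed sample values. */
    const uint64_t samples[] = {
        0x00007fffdeadbeefULL, /* ordinary user text: ok */
        0xffffffffff600000ULL, /* vsyscall entry: ok */
        0x0000800000000000ULL, /* first non-canonical address: reject */
        0xffffffff80000000ULL, /* kernel text: reject */
    };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx -> %s\n", (unsigned long long)samples[i],
               rip_valid_for_user(samples[i]) ? "ok" : "reject");
    return 0;
}
```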