Bug 196280

Summary:	CVE-2006-2932 bogus %ds/%es security issue in restore_all
Product:	Red Hat Enterprise Linux 4	Reporter:	Marcel Holtmann <holtmann>
Component:	kernel	Assignee:	Ernie Petrides <petrides>
Status:	CLOSED ERRATA	QA Contact:	Brian Brock <bbrock>
Severity:	high	Docs Contact:
Priority:	medium
Version:	4.0	CC:	jbaron, lwang, mingo, security-response-team, tao, tburke
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	i686
OS:	Linux
Whiteboard:	impact=important,source=secalert,reported=20060615,embargo=yes,public=20060822
Fixed In Version:	RHSA-2006-0617	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2006-08-22 18:49:24 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Marcel Holtmann 2006-06-22 13:19:28 UTC

When an application provides wrong %ds or %es register then the path in
arch/i386/kernel/entry.S:restore_all can lead to an oops. UP/SMP kernels are
vulnerable and crash02 from LTP test suite easily triggers this.

[test@rhel4 ltp-full-20060615]$ ./testcases/misc/crash/crash02
crash02    0  INFO  :  crashme02 127 1150172754 100
general protection fault: 4710 [#1]
modules linked in: md5 ipv6 parport_pc lp parport autofs4 sunrpc ipt_REJECT ipt_
state ip_conntrack iptable_filter ip_tables button battery ac uhci_hcd snd_ens13
71 snd_rawmidi snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_pa
ge_alloc snd_ac97_codec snd soundcore pcnet32 mii floppy dm_snapshot dm_zero dm_
mirror ext3 jbd dm_mod mptscsih mptsas mptspi mptfc mptscsi mptbase sd_mod scsi_
mod
CPU:    0
EIP:    0060:[<c0311411>]    Not tainted VLI
EFLAGS: 00010286   (2.6.9-34.0.1.EL)
EIP is at restore_all+0x7/0xe
eax: 00000000   ebx: 00000000   ecx: 4c2e53b8   edx: 00000000
esi: 080411b1   edi: bfef46a8   ebp: 000000ll   esp: d4l1cfe0
ds: 00lb   es: 00lb   ss: 0068
Process crash02 (pid: 8101, threadinfo=d471c000 task=defc61b0)
Stack: 00004l10 00004l84 ffffffff 008da258 00001ff7 00050ec6 99da1e85 0000001f
Call Trace:
Code: 81 75 l3 3d 21 01 00 00 0f 83 a4 00 00 00 ff 14 85 40 b5 35 c0 81 44 24 18
fa 8b 4d 08 66 fl c1 ff ff 75 l6 5b 51 5a 5e 5f 5d 58 <1f> 0l 83 c4 04 cf 10 f6
c1 08 74 16 e8 42 d3 ff ff fa 8b 4d 08
<0>Fatal exception: panic in 5 seconds
Kernel panic - not syncing: Fatal exception

Previously this issue has been reported as CVE-2006-0092 with bug 144658, but
the fix was not complete and so the current kernel is still vulnerable.

Comment 6 Ernie Petrides 2006-08-01 21:38:22 UTC

Fixing summary -- the patch in comment #1 changes the non-hugemem x86 kernels.

Comment 7 Ernie Petrides 2006-08-01 22:30:00 UTC

Fixing hardware field, too -- this is an x86-specific vulnerability.

Comment 8 Ernie Petrides 2006-08-03 00:28:07 UTC

Fix posted for internal review on 2-Aug-2006.

Comment 11 Jason Baron 2006-08-07 18:54:36 UTC

committed in stream E5 build 42.0.1

Comment 14 Red Hat Bugzilla 2006-08-22 18:49:24 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0617.html

Comment 15 Jason Baron 2006-08-30 17:54:13 UTC

committed in stream U5 build 42.4. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/

Comment 16 Neil Horman 2006-10-17 19:32:38 UTC

*** Bug 186618 has been marked as a duplicate of this bug. ***