Bug 431430 (CVE-2008-1615)

Summary: CVE-2008-1615 kernel: ptrace: Unprivileged crash on x86_64 %cs corruption
Product: [Other] Security Response
Reporter: Jan Kratochvil <jan.kratochvil>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Martin Jenner <mjenner>
Severity: high
Priority: high
Version: unspecified
CC: duck, k.georgiou, kreilly, lwang, roland, security-response-team
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: 2.6.23.17-88.fc7
Doc Type: Bug Fix
Last Closed: 2010-12-23 16:53:04 UTC
Bug Depends On: 431314, 439785, 439786, 439787, 439788, 453136
Bug Blocks: 431431
Attachments:
untried RHEL5 backport of fix verified on upstream kernel (flags: none)

Comment 1 Jan Kratochvil 2008-02-04 22:06:52 UTC
RHTS testcases:
/kernel/syscalls/ptrace/x86_64-cs
/kernel/syscalls/ptrace/x86_64-cs-biarch


Comment 2 Roland McGrath 2008-02-06 00:27:48 UTC
Created attachment 294062 [details]
untried RHEL5 backport of fix verified on upstream kernel

Comment 4 Jarod Wilson 2008-03-31 14:29:46 UTC
Patched kernel, no crash:

[root@dhcp83-28 ~]# gcc -o x86_64-cs x86_64-cs.c -Wall -ggdb2 -D_GNU_SOURCE
[root@dhcp83-28 ~]# ./x86_64-cs 
x86_64-cs: x86_64-cs.c:129: main: Assertion `((((__extension__ ({ union {
__typeof(status) __in; int __i; } __u; __u.__in = (status); __u.__i; }))) &
0xff) == 0x7f)' failed.
Aborted

Would that be the expected result?

Comment 5 Jan Lieskovsky 2008-03-31 14:43:54 UTC
Hello Jarod,

uname -a? 

This result, as you are posting it, I am experiencing on the RHEL-3 (2.4.21-50.EL)
kernel. But there is no "WIFSTOPPED" macro on the RHEL-3 kernel.

[testuser@nec-em11 tmp]$ ./x86_64-cs 
x86_64-cs: x86_64-cs.c:129: main: Assertion `((((__extension__ ({ union {
__typeof(status) __in; int __i; } __u; __u.__in = (status); __u.__i; }))) &
0xff) == 0x7f)' failed.
Aborted

This means your patched kernel is behaving like the older RHEL-3.
But Jan Kratochvil needs to say whether the patched kernel is executing the
mentioned testcase the way it should.

Comment 6 Jarod Wilson 2008-03-31 16:14:40 UTC
My output is from a 2.6.18-87.el5-based x86_64 kernel carrying Roland's patch in
comment #2.

Comment 7 Jan Kratochvil 2008-03-31 16:24:40 UTC
Sorry, going to patch it to just return RC 0 if either it did nothing or if it
returned some error.
Definitely if it did not crash it is PASS as the attempted operation is invalid.


Comment 8 Jan Kratochvil 2008-03-31 17:13:01 UTC
(Comment 7 done.)
It looks right that RHEL-3 (kernel-2.4.x) is not vulnerable, if I can cite Roland:

On Wed, 06 Feb 2008 01:03:32 +0100, Roland McGrath wrote:
...
> I think it's the same from whenever the "paranoidentry" path was
> introduced, which looks like 2.6.4 maybe.


Comment 10 Mike Gahagan 2008-04-29 17:52:10 UTC
No longer seeing a crash on the -91 kernel so I think this particular bug is
fixed, but the testcase itself is failing. Should I open a new bug to handle the
failure?

++ cat CRASHER
+ make -C ptrace-tests-0.1/tests x86_64-cs
make[1]: Entering directory `/mnt/tests/ptrace/x86_64-cs/ptrace-tests-0.1/tests'
if gcc -DPACKAGE_NAME=\"ptrace\ regression\ test\ suite\" -DPACKAGE_TARNAME=\"ptrace-tests\" -DPACKAGE_VERSION=\"0.1\" -DPACKAGE_STRING=\"ptrace\ regression\ test\ suite\ 0.1\" -DPACKAGE_BUGREPORT=\"utrace-devel\" -DPACKAGE=\"ptrace-tests\" -DVERSION=\"0.1\" -D_GNU_SOURCE=1  -I. -I.    -std=gnu99 -Wall -Werror -g -O2 -MT x86_64-cs.o -MD -MP -MF ".deps/x86_64-cs.Tpo" -c -o x86_64-cs.o x86_64-cs.c; \
        then mv -f ".deps/x86_64-cs.Tpo" ".deps/x86_64-cs.Po"; else rm -f ".deps/x86_64-cs.Tpo"; exit 1; fi
gcc -std=gnu99 -Wall -Werror -g -O2   -o x86_64-cs  x86_64-cs.o
make[1]: Leaving directory `/mnt/tests/ptrace/x86_64-cs/ptrace-tests-0.1/tests'
+ sync
++ cat CRASHER
+ ptrace-tests-0.1/tests/x86_64-cs
ptrace-tests-0.1/tests/x86_64-cs: WIFSIGNALED - WTERMSIG = 11
x86_64-cs: x86_64-cs.c:140: main: Assertion `0' failed.
./do-my-test: line 26:   512 Aborted                 ptrace-tests-0.1/tests/$(cat CRASHER)
...finished running ./do-my-test, exit code=134
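
The pass rule that comment 7 settles on, and that the comment 4 and comment 10 outputs were tripping over, is: the %cs write is invalid, so a kernel that refuses it, a tracee that stops, and a tracee that dies are all PASS; the only FAIL is the one you cannot observe from userspace, a kernel crash. The harness below is an added example written for this page, not the x86_64-cs.c from ptrace-tests or Red Hat's RHTS wrapper. It assumes a selector value of 0 for the bogus %cs (the page does not say which value the real test writes; any selector that is not a ring-3 code selector exercises the same check) and the outcome names are its own. The ptrace part only compiles and runs on x86_64 Linux; the status classification and verdict functions are plain C and mirror the WIFSTOPPED/WIFSIGNALED checks seen in the comments above. On a current kernel I expect PTRACE_POKEUSER to refuse the write with EIO, which the harness reports as "rejected" and comment 7 folds into PASS.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#if defined(__linux__) && defined(__x86_64__)
#include <sys/ptrace.h>
#include <sys/user.h>
#endif

/* Possible outcomes of writing a bogus selector into a tracee's %cs.
 * None of them is the kernel crash the bug was about: if the kernel had
 * oopsed, this process would not be alive to report anything. */
enum cs_outcome {
    CS_REJECTED,    /* PTRACE_POKEUSER refused the value (errno in *detail) */
    CS_STOPPED,     /* tracee stopped with a signal (WIFSTOPPED), the original assertion */
    CS_SIGNALED,    /* tracee died of a signal, as in comment 10 (WTERMSIG = 11) */
    CS_EXITED,      /* tracee ran to completion as if nothing happened */
    CS_UNAVAILABLE  /* ptrace not permitted here, or not x86_64 Linux */
};

/* Classify a raw waitpid() status with the same macros the test used. */
enum cs_outcome classify_status(int status)
{
    if (WIFSTOPPED(status))
        return CS_STOPPED;
    if (WIFSIGNALED(status))
        return CS_SIGNALED;
    return CS_EXITED;
}

/* Verdict rule from comment 7: the write is invalid, so "did nothing" and
 * "returned some error" are both PASS (RC 0); surviving at all is the point.
 * 77 is the autotools "skipped" code, used when the experiment could not run. */
int verdict(enum cs_outcome o)
{
    return o == CS_UNAVAILABLE ? 77 : 0;
}

/* Fork a tracee, stop it, poke bogus_cs into its %cs, resume it and report
 * what happened. *detail carries errno for CS_REJECTED, the stop/term signal
 * for CS_STOPPED/CS_SIGNALED, and the exit status for CS_EXITED. */
enum cs_outcome poke_cs(unsigned long bogus_cs, int *detail)
{
    *detail = 0;
#if defined(__linux__) && defined(__x86_64__)
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return CS_UNAVAILABLE;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(99);           /* no ptrace here (Yama, seccomp, ...) */
        raise(SIGSTOP);          /* hand control to the tracer */
        _exit(0);                /* reached only if the bogus %cs was harmless */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) {
        *detail = WIFEXITED(status) ? WEXITSTATUS(status) : 0;
        return CS_UNAVAILABLE;
    }
    errno = 0;
    if (ptrace(PTRACE_POKEUSER, pid,
               (void *)offsetof(struct user_regs_struct, cs),
               (void *)bogus_cs) < 0) {
        *detail = errno;
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
        return CS_REJECTED;
    }
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    if (waitpid(pid, &status, 0) < 0)
        return CS_UNAVAILABLE;
    enum cs_outcome o = classify_status(status);
    *detail = o == CS_STOPPED ? WSTOPSIG(status)
            : o == CS_SIGNALED ? WTERMSIG(status) : WEXITSTATUS(status);
    if (o == CS_STOPPED) {       /* tracee is parked; do not leave it behind */
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
    }
    return o;
#else
    (void)bogus_cs;
    return CS_UNAVAILABLE;
#endif
}

int main(void)
{
    static const char *const names[] = {
        "rejected", "stopped", "signaled", "exited", "unavailable"
    };
    int detail;
    /* 0 is an assumed invalid selector; the page does not say which value
     * x86_64-cs.c writes. Any non-ring-3 selector would do for the check. */
    enum cs_outcome o = poke_cs(0, &detail);
    printf("%%cs <- 0: %s (%s %d)\n", names[o],
           o == CS_REJECTED ? "errno" : "code", detail);
    if (o == CS_REJECTED)
        printf("  %s\n", strerror(detail));
    return verdict(o);
}
```

Run it as an unprivileged user on the kernel under test; exit code 0 means the machine survived whatever the kernel did with the write, which is exactly the PASS comment 7 asks for, and 77 means the harness could not even attach (for instance under a Yama ptrace_scope or seccomp policy), which should be reported as a skip rather than a pass.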


Comment 11 Jan Lieskovsky 2008-05-13 11:02:22 UTC
Attaching link to upstream commit:

http://marc.info/?l=linux-kernel&m=120219781932243

Comment 12 Fedora Update System 2008-05-17 22:21:22 UTC
kernel-2.6.23.17-88.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Vincent Danen 2010-12-23 16:53:04 UTC
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0237)
Red Hat Enterprise Linux version 5 (RHSA-2008:0275)
MRG Realtime for RHEL 5 Server (RHSA-2008:0585)