Bug 433938 (CVE-2008-0598)

Summary: CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: anton, davids, dhoward, dwu, kreilly, lgoncalv, lwang, meissner, mjenner, qcai, rwheeler, security-response-team, vgoyal, williams, zkabelac
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 16:30:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 433941, 433942, 433943, 433944, 433945, 453136, 459505
Bug Blocks:
Attachments:
Patch as used in Red Hat Enterprise Linux 5 kernel-2.6.18-92.1.6.el5
Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL
xx.c

Description Jan Lieskovsky 2008-02-22 09:28:32 UTC
Description of problem:

Tavis Ormandy has found a simple way how to leak data from other processes.

See reproducer for more details.

Comment 18 Mark J. Cox 2008-06-25 13:01:19 UTC
Removing embargo.

* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and
64-bit emulation. This could allow a local unprivileged user to prepare and
run a specially crafted binary, which would use this deficiency to leak
uninitialized and potentially sensitive data. (CVE-2008-0598, Important)

Comment 20 Tomas Hoger 2008-07-15 08:37:47 UTC
Created attachment 311794 [details]
Patch as used in Red Hat Enterprise Linux 5 kernel-2.6.18-92.1.6.el5

First included in: https://rhn.redhat.com/errata/RHSA-2008-0519.html

Comment 21 Tomas Hoger 2008-07-15 08:38:53 UTC
Created attachment 311795 [details]
Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL

First included in: https://rhn.redhat.com/errata/RHSA-2008-0508.html

Comment 22 Eugene Teo (Security Response) 2008-07-28 07:56:08 UTC
(In reply to comment #21)
> Created an attachment (id=311795)
> Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL

This refers to linux-2.6.9-x86_64-copy_user-zero-tail.patch.

Comment 37 Marcus Meissner 2008-09-09 15:07:16 UTC
The 2.6.9 patch is probably wrong.

Comment 38 Marcus Meissner 2008-09-09 15:09:06 UTC
Created attachment 316196 [details]
xx.c

gcc -o xx xx.c
./xx

extracted from LTP read02 testcase.

on bad kernel it will result in:
unexpected success with bad address, ret 0x79680000

on a good kernel it will result in:
read: Bad address
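
A minimal regression check in the spirit of the LTP read02 case Marcus refers to, added here as an illustration; it is not the xx.c attachment and not LTP's code. It writes a constructed payload into a pipe and then read()s it into a page mapped PROT_NONE, so the kernel's user copy must fault. A correct kernel reports EFAULT ("Bad address"); a kernel with the defect described in this bug would instead report a byte count, which is the "unexpected success with bad address" symptom above. Since the summary names the x86_64 ia32 emulation path, on an x86_64 host the binary would have to be built as a 32-bit executable (gcc -m32) to exercise that path; built natively it only checks the native copy_user code.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read from a pipe into a page the process is not allowed to access.
 * Returns the errno set by read() on failure (EFAULT on a good kernel),
 * 0 if the kernel reported success despite the bad address, or -1 if
 * the test setup itself failed. */
int read_into_inaccessible_page(void)
{
    int fds[2];
    const char payload[] = "constructed sample data"; /* constructed input */
    long pagesz = sysconf(_SC_PAGESIZE);
    void *bad;
    ssize_t ret;
    int result;

    if (pagesz <= 0 || pipe(fds) != 0)
        return -1;
    if (write(fds[1], payload, sizeof payload) != (ssize_t)sizeof payload) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }

    /* Reserve an address range that is mapped but inaccessible, so the
     * kernel's copy to user space has to fault rather than succeed. */
    bad = mmap(NULL, (size_t)pagesz, PROT_NONE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (bad == MAP_FAILED) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }

    errno = 0;
    ret = read(fds[0], bad, sizeof payload);
    result = (ret < 0) ? errno : 0;

    munmap(bad, (size_t)pagesz);
    close(fds[0]);
    close(fds[1]);
    return result;
}

int main(void)
{
    int rc = read_into_inaccessible_page();

    if (rc == EFAULT)
        printf("read: %s (expected on a good kernel)\n", strerror(rc));
    else if (rc == 0)
        printf("unexpected success with bad address\n");
    else
        printf("test setup failed or unexpected errno %d\n", rc);
    return rc == EFAULT ? 0 : 1;
}
```

Using a PROT_NONE mapping rather than a freed or arbitrary pointer keeps the check deterministic: the address is guaranteed to stay invalid for the duration of the read, and the kernel cannot satisfy the copy by accident because another mapping landed there.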

Comment 39 Eugene Teo (Security Response) 2008-09-09 15:27:20 UTC
(In reply to comment #38)
> Created an attachment (id=316196) [details]
> xx.c
> 
> gcc -o xx xx.c
> ./xx
> 
> 
> extracted from LTP read02 testcase.
> 
> on bad kernel it will result in:
> unexpected success with bad address, ret 0x79680000
> 
> on a good kernel it will result in:
> read: Bad address

Thanks Marcus. This is addressed in bug #453053.

Comment 44 Vincent Danen 2010-12-23 16:30:39 UTC
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0508)
Red Hat Enterprise Linux version 5 (RHSA-2008:0519)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)