Bug 436131
| Summary: | CVE-2008-1367 [RHEL5] Kernel doesn't clear DF for signal handlers | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Jakub Jelinek <jakub> | ||||||||
| Component: | kernel | Assignee: | Jason Baron <jbaron> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | Martin Jenner <mjenner> | ||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | urgent | ||||||||||
| Version: | 5.2 | CC: | anton, dhoward, dzickus, knoel, mingo, rdieter | ||||||||
| Target Milestone: | rc | Keywords: | Security | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | RHBA-2008-0314 | Doc Type: | Bug Fix | ||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2008-05-21 15:11:19 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 434401, 437312 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Jakub Jelinek
2008-03-05 16:02:38 UTC
Upstream patch: http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-x86.git;a=commitdiff;h=52c841e1012b8e73cc04b53f92fb933db580fb42 RHEL5 patch will be different, as it doesn't have unified x86 tree, etc. Testcase for QA in http://gcc.gnu.org/ml/gcc/2008-03/msg00267.html (on x86_64 testing with both -m32 and -m64 compiled/linked testcase is needed). Whenever i run the test case (sending SIGUSR1 to the test process), i get: 'DF = 1'. indicating that the the df flag is set...I expected it to be unset b/c from reading this gcc clears the df flags...i've tried older distros and compat-gcc and still i get DF = 1...what am i missing? thanks. If you get DF = 1, then that means the kernel is buggy. The psABI says that the DF flag must be clear upon entry to a function and also on exit from function. GCC <= 4.2.x would add cld just in case, whenever it used some string instruction (movs*/stos*/loads*/cmps* etc.), GCC 4.3.0 relies on the ABI guarantee. As GCC itself never issues std insn, it is just inline or out-of-line assembly which has to reset cld after it did std (AFAIK all such assembly I saw does that), the kernel has to start a process with cleared DF flag (also done) and the kernel signal handler needs to clear it for the signal handler (this is the bug). Created attachment 297246 [details]
rhel5 clear df flags patch
this looks like what we want...i'm going to go test it. its very similar to the
upstream match modulo the flags->eflags rename, and file locations.
Wouldn't:
--- linux-2.6.18/arch/i386/kernel/signal.c.jj 2008-03-07 16:16:32.000000000 -0500
+++ linux-2.6.18/arch/i386/kernel/signal.c 2008-03-07 16:26:44.000000000 -0500
@@ -540,7 +540,7 @@ handle_signal(unsigned long sig, siginfo
* The tracer may want to single-step inside the
* handler too.
*/
- regs->eflags &= ~TF_MASK;
+ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
tracehook_report_handle_signal(sig, ka, oldset, regs);
}
--- linux-2.6.18/arch/x86_64/kernel/signal.c.jj 2008-03-07 16:16:34.000000000 -0500
+++ linux-2.6.18/arch/x86_64/kernel/signal.c 2008-03-07 16:24:38.000000000 -0500
@@ -384,7 +384,7 @@ handle_signal(unsigned long sig, siginfo
* The tracer may want to single-step inside the
* handler too.
*/
- regs->eflags &= ~TF_MASK;
+ regs->eflags &= ~(TF_MASK | X86_EFLAGS_DF);
tracehook_report_handle_signal(sig, ka, oldset, regs);
}
be better? Shorter plus doesn't add any extra instructions, just changes the
andl immediate operands. The places you were adding regs->eflags &=
X86_EFLAGS_DF; to all very soon return 0; and these two places are the only
places where the *setup_*frame functions return to.
Created attachment 297257 [details]
32-bit test case
Created attachment 297942 [details]
Modified reproducer (runs on both {32,64} architectures) -- Thanks Jakub for help.
in kernel-2.6.18-87.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 Confirmed DF is being cleared with the test on the -89.el5 kernel, tested both 32-bit and 64-bit on an x86_64 box. *** Bug 444178 has been marked as a duplicate of this bug. *** An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0314.html |