Bug 438147 (CVE-2008-1514)

Summary: CVE-2008-1514 kernel: ptrace: Padding area write - unprivileged kernel crash
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dhoward, jan.kratochvil, jmarchan, kreilly, kseifried, lwang, mgahagan, mjc, roland, vmayatsk
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: s390   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-30 01:27:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 437932, 438148    
Bug Blocks:    
Attachments:
Description Flags
Upstream patch for this issue none

Description Jan Lieskovsky 2008-03-19 12:52:01 UTC 
Description of problem:

Jan Kratochvil has reported the following kernel ptrace related issue:

Description of problem:
Accidentally found one can crash the kernel.
No root privileges are needed.

Version-Release number of selected component (if applicable):
kernel-2.6.9-68.19.EL.s390
kernel-2.6.9-68.19.EL.s390x (for -m31 binaries)

How reproducible:
Always.

Steps to Reproduce:
1. wget -O user-area-padding.c
'http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap'
2. gcc -o user-area-padding user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
3. ./user-area-padding

Actual results:

Kernel 2.6.9-68.19.EL on an s390x

z205 login:
03/18/08 03:16:06  JobID:17819 Test:/distribution/reservesys
Unable to handle kernel pointer dereference at virtual kernel address 000000008c
8d8000
Oops: 003b Ý#1¨
CPU:    1    Not tainted
Process user-area-paddi (pid: 12275, task: 000000001c008040, ksp: 0000000010ba7c
60)
Krnl PSW : 0700200180000000 00000000000ff58a (exit_sem+0x26/0x1bc)
Krnl GPRS: 0000000000200200 0000000000000001 000000001c008040 0000000000000002
           0000000000040ef4 00000000008fa480 0000000010ba7f58 0000000010ba7e88
           0000000000000001 0000000000000009 000000001c008040 000000001c7e5b58
           000000008c8d8e8f 0000000000206ca8 0000000010ba7c60 0000000010ba7c20
Krnl Code: 58 20 c0 00 18 32 1b 31 ba 23 c0 00 a7 44 ff fc 12 33 a7 74
Call Trace:
(Ý<000000001c7e5b58>¨ 0x1c7e5b58)
 Ý<0000000000040efe>¨ do_exit+0x382/0xf40
 Ý<0000000000041be6>¨ do_group_exit+0xce/0xd0
 Ý<000000000004d90a>¨ get_signal_to_deliver+0x3a2/0x3d0
 Ý<000000000001c4d4>¨ do_signal+0xc0/0x620
 Ý<000000000002f27e>¨ sysc_sigpending+0x12/0x1e
 Ý<0000000045b905f4>¨ 0x45b905f4

 <0>Kernel panic - not syncing: Fatal exception: panic_on_oops
00: HCPGSP2629I The virtual machine is placed in CP mode due to a SIGP stop from
 CPU 01.
01: HCPGIR450W CP entered; disabled wait PSW 00020001 80000000 00000000 00017E06


Kernel 2.6.9-68.19.EL on an s390

z203 login:
03/18/08 03:00:25  JobID:17818 Test:/distribution/reservesys
specification exception: 0006 Ý#1¨
CPU:    1    Not tainted
Process user-area-paddi (pid: 14407, task: 1daee7e8, ksp: 0ad85db8)
Krnl PSW : 07081000 800d8740 (exit_sem+0x28/0x1a0)
Krnl GPRS: 00200200 00000001 fc77d074 fc77d073
           8002faf8 1c99fa2c 77ff68e0 1daeeb4c
           00000001 00000009 1daee7e8 1eb71d30
           8c8d8e8f 800d871e 0ad85dc8 0ad85da0
Krnl Code: a7 44 ff fc 12 33 a7 74 00 9e 18 8c a7 8a 00 08 bf af c0 08
Call Trace:
(Ý<000000001daee7e8>¨ 0x1daee7e8)
 Ý<000000000002fb00>¨ do_exit+0x300/0xdb0
 Ý<00000000000306be>¨ do_group_exit+0xb6/0xe0
 Ý<000000000003ad8c>¨ get_signal_to_deliver+0x30/0x380
 Ý<000000000001bc6a>¨ do_signal+0xa2/0x55c
 Ý<000000000002037c>¨ sysc_sigpending+0x10/0x1c
 Ý<000000004ec845f4>¨ 0x4ec845f4

 <0>Kernel panic - not syncing: Fatal exception: panic_on_oops
00: HCPGSP2629I The virtual machine is placed in CP mode due to a SIGP stop from
 CPU 01.
01: HCPGIR450W CP entered; disabled wait PSW 000A0000 8001758A


Expected results:
0

Additional info:
debugger-on-inferior-on-kernel:
s390-on-s390-on-s390: crash
s390-on-s390-on-s390x: crash
s390x-on-s390x-on-s390x: SKIP (no padding area there)
s390x-on-s390-on-s390x: not tested

RHEL-5 does not crash (utrace there) but it returns 1 (FAIL) - Bug 431183.
Comment 1 Jan Lieskovsky 2008-03-19 12:53:47 UTC 
This issue already public, link to public post:

http://sourceware.org/systemtap/wiki/utrace/tests
Comment 16 Eugene Teo (Security Response) 2008-09-10 05:51:28 UTC 
Proposed upstream patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d6e48f43340343d97839eadb1ab7b6a3ea98797
Comment 17 Eugene Teo (Security Response) 2008-09-10 05:52:38 UTC 
Created attachment 316274 [details]
Upstream patch for this issue
Comment 18 IBM Bug Proxy 2008-09-18 11:23:01 UTC 
See bug #46743 for SLES10 tracking.
Comment 19 Eugene Teo (Security Response) 2008-09-18 11:39:59 UTC 
(In reply to comment #18)
> See bug #46743 for SLES10 tracking.

Is there a reason why you posted this? We have no access to the mentioned bug id, and we don't keep track of SLES10. Thanks.
Comment 22 IBM Bug Proxy 2009-06-12 20:10:44 UTC 
------- Comment From abareval.com 2009-06-12 16:02 EDT-------
Hello,
Should we expect the fix for this to be included on RHEL5.4 then? Please advise, Thanks!
Comment 23 Jarod Wilson 2009-06-12 20:23:44 UTC 
(In reply to comment #22)
> ------- Comment From abareval.com 2009-06-12 16:02 EDT-------
> Hello,
> Should we expect the fix for this to be included on RHEL5.4 then? Please
> advise, Thanks!  

No, from what I recall, the inclusion of utrace in RHEL5 makes this bug irrelevant there.
Comment 24 Kurt Seifried 2011-09-30 01:27:34 UTC 
This issue has been addressed in following products:

  Red Hat Linux Enterprise 4
  Red Hat Linux Enterprise 4.7.z
  
Via RHSA-2008:0972 available at https://rhn.redhat.com/errata/RHSA-2008-0972.html