Bug 148855 - CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports
Summary: CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Ernie Petrides
QA Contact: Brian Brock
URL:
Whiteboard: public=20050126,impact=important
Depends On:
Blocks:
Reported: 2005-02-16 12:34 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-22 20:17:35 UTC
Target Upstream Version:
Embargoed:


Attachments
RHEL3 x86_64 reproducer (799 bytes, text/plain), added 2005-04-09 00:46 UTC by Ernie Petrides


Links
System                  ID             Private  Priority  Status        Summary                                                                             Last Updated
Red Hat Product Errata  RHSA-2005:293  0        high      SHIPPED_LIVE  Important: kernel security update                                                   2005-04-22 04:00:00 UTC
Red Hat Product Errata  RHSA-2005:294  0        normal    SHIPPED_LIVE  Moderate: Updated kernel packages available for Red Hat Enterprise Linux 3 Update 5  2005-05-18 04:00:00 UTC

Description Mark J. Cox 2005-02-16 12:34:31 UTC
Verified as affecting RHEL3 (also can result in DoS)

*** This bug has been split off bug 146244 ***

------- Original comment by Staffan Larsen on 2005.01.26 08:28 -------

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
Compile the attached program on x86

Run on x86 - it should not print anything. This behaviour is correct.

Run (the same binary) on x86_64 - it prints out a number of port
values for which the OUTS instruction did not cause a SIGSEGV. This
behaviour is not correct.

Version-Release number of selected component (if applicable):
Linux version 2.6.9-1.906_ELsmp (bhcompile.redhat.com)
(gcc version 3.4.3 20041125 (Red Hat 3.4.3-6.EL4)) #1 SMP Sun Dec 12
23:05:02 EST 2004

How reproducible:
Always

Steps to Reproduce:
1. Compile program on x86

A.
2. Run on x86

B.
2. Run on x86_64


Actual Results:
A.
<nothing>

B.
didn't get signal for port=440
didn't get signal for port=441
didn't get signal for port=442
didn't get signal for port=443
didn't get signal for port=444
didn't get signal for port=445
didn't get signal for port=446
didn't get signal for port=447
didn't get signal for port=448
didn't get signal for port=449
didn't get signal for port=44a
didn't get signal for port=44b
didn't get signal for port=44c
didn't get signal for port=44d
didn't get signal for port=44e
didn't get signal for port=44f
didn't get signal for port=450
didn't get signal for port=451
didn't get signal for port=452
didn't get signal for port=453
didn't get signal for port=454
didn't get signal for port=455
didn't get signal for port=456
didn't get signal for port=457
didn't get signal for port=458
didn't get signal for port=459
didn't get signal for port=45a
didn't get signal for port=45b
didn't get signal for port=45c
didn't get signal for port=45d
didn't get signal for port=45e
didn't get signal for port=45f
didn't get signal for port=460
didn't get signal for port=461
didn't get signal for port=462
didn't get signal for port=463
didn't get signal for port=464
didn't get signal for port=465
didn't get signal for port=466
didn't get signal for port=467
didn't get signal for port=468
didn't get signal for port=469
didn't get signal for port=46a
didn't get signal for port=46b
didn't get signal for port=46c
didn't get signal for port=46d
didn't get signal for port=46e
didn't get signal for port=46f
didn't get signal for port=470
didn't get signal for port=471
didn't get signal for port=472
didn't get signal for port=473
didn't get signal for port=474
didn't get signal for port=475
didn't get signal for port=476
didn't get signal for port=477
didn't get signal for port=478
didn't get signal for port=479
didn't get signal for port=47a
didn't get signal for port=47b
didn't get signal for port=47c
didn't get signal for port=47d
didn't get signal for port=47e
didn't get signal for port=47f
didn't get signal for port=480
didn't get signal for port=481
didn't get signal for port=482
didn't get signal for port=483
didn't get signal for port=484
didn't get signal for port=485
didn't get signal for port=486
didn't get signal for port=487
didn't get signal for port=488
didn't get signal for port=489
didn't get signal for port=48a
didn't get signal for port=48b
didn't get signal for port=48c
didn't get signal for port=48d
didn't get signal for port=48e
didn't get signal for port=48f
didn't get signal for port=490
didn't get signal for port=491
didn't get signal for port=492
didn't get signal for port=493
didn't get signal for port=494
didn't get signal for port=495
didn't get signal for port=496
didn't get signal for port=497
didn't get signal for port=498
didn't get signal for port=499
didn't get signal for port=49a
didn't get signal for port=49b
didn't get signal for port=49c
didn't get signal for port=49d
didn't get signal for port=49e
didn't get signal for port=49f
didn't get signal for port=4a0
didn't get signal for port=4a1
didn't get signal for port=4a2
didn't get signal for port=4a3
didn't get signal for port=4a4
didn't get signal for port=4a5
didn't get signal for port=4a6
didn't get signal for port=4a7
didn't get signal for port=4a8
didn't get signal for port=4a9
didn't get signal for port=4aa
didn't get signal for port=4ab
didn't get signal for port=4ac
didn't get signal for port=4ad
didn't get signal for port=4ae
didn't get signal for port=4af
didn't get signal for port=4b0
didn't get signal for port=4b1
didn't get signal for port=4b2
didn't get signal for port=4b3
didn't get signal for port=4b4
didn't get signal for port=4b5
didn't get signal for port=4b6
didn't get signal for port=4b7


Expected Results:
A.
<nothing>

B.
<nothing>

Additional info:

Comment 1 Mark J. Cox 2005-02-16 14:53:13 UTC
*** Important Note ** Running the program above without modifications
allowed me as a normal user to mess up the CMOS on a dual Opteron box

Comment 2 Mark J. Cox 2005-02-23 12:46:27 UTC
ping

Comment 3 Ernie Petrides 2005-03-08 19:59:05 UTC
Mark, just for clarification, does your comment #1 reflect the results of
running the reproducer on a RHEL3-based system?

(I don't believe the results in the initial comment are relevant to RHEL3.)

Comment 4 Jim Paradis 2005-03-08 20:04:42 UTC
I'm trying this out on RHEL3 right now...


Comment 5 Jim Paradis 2005-03-08 20:43:57 UTC
Ernie suggested that different sizes of the IO bitmaps between RHEL3 and RHEL4
might make this not a problem on RHEL3.  I tried the reproducer and verified
that on RHEL3 it generates SEGVs for all the OUTs.  Closing this as NOTABUG.

Comment 6 Mark J. Cox 2005-03-08 23:56:28 UTC
At home I have a RHEL3 SMP x86_64 box using a standard kernel that was
vulnerable to this exploit.  I'm away so I don't have access to this today, so I
can't tell you if it was a completely up2date kernel.  

Comment 7 Mark J. Cox 2005-03-16 13:10:18 UTC
(with altered program to just poll port 100)

[mark@pindrop mark]$ uname -a
Linux pindrop 2.4.21-20.ELsmp #1 SMP Wed Aug 18 20:34:58 EDT 2004 x86_64 x86_64
x86_64 GNU/Linux
[mark@pindrop mark]$ ./a.out
didn't get signal for port=64


Comment 8 Ernie Petrides 2005-04-08 23:36:14 UTC
The reproducer in comment #1 of bug 146244 does not "work" on RHEL3
because access to the i/o port map is not enabled by default (as it
is in 2.6).  Thus, whatever problem Mark induced on RHEL3 must be
unrelated to this vulnerability.

I do believe that RHEL3 does have a problem on x86_64 if the i/o port
map does get enabled.  I will try to develop a revised reproducer.


Comment 9 Ernie Petrides 2005-04-09 00:46:54 UTC
Created attachment 112894 [details]
RHEL3 x86_64 reproducer

Here is a working RHEL3 reproducer.  It requires root privileges in order
to invoke a "ioperm(0L, 1L, 1);" system call, and the scanning loop needed
to be changed to start from port 1 (to avoid corrupting the port 0 enabled
by the ioperm() call).

Comment 10 Ernie Petrides 2005-04-09 01:34:03 UTC
Patch posted for review on 8-Apr-2005.

Comment 11 Ernie Petrides 2005-04-14 00:25:46 UTC
A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.3.EL).


Comment 12 Ernie Petrides 2005-04-16 01:28:15 UTC
A fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-32.EL).


Comment 13 Josh Bressers 2005-04-22 20:17:35 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-293.html


Comment 14 Tim Powers 2005-05-18 13:29:18 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-294.html
