Bug 148855
| Field | Value |
|---|---|
| Summary | CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports |
| Product | Red Hat Enterprise Linux 3 |
| Reporter | Mark J. Cox <mjc> |
| Component | kernel |
| Assignee | Ernie Petrides <petrides> |
| Status | CLOSED ERRATA |
| QA Contact | Brian Brock <bbrock> |
| Severity | high |
| Priority | medium |
| Version | 3.0 |
| CC | bressers, jparadis, peterm, petrides, riel |
| Target Milestone | --- |
| Target Release | --- |
| Keywords | Security |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | public=20050126,impact=important |
| Doc Type | Bug Fix |
| Last Closed | 2005-04-22 20:17:35 UTC |
Description
Mark J. Cox
2005-02-16 12:34:31 UTC
*** Important Note ***

Running the program above without modifications allowed me as a normal user to mess up the CMOS on a dual Opteron box.

ping Mark, just for clarification, does your comment #1 reflect the results of running the reproducer on a RHEL3-based system? (I don't believe the results in the initial comment are relevant to RHEL3.)

I'm trying this out on RHEL3 right now...

Ernie suggested that different sizes of the IO bitmaps between RHEL3 and RHEL4 might make this not a problem on RHEL3. I tried the reproducer and verified that on RHEL3 it generates SEGVs for all the OUTs. Closing this as NOTABUG.

At home I have a RHEL3 SMP x86_64 box using a standard kernel that was vulnerable to this exploit. I'm away so I don't have access to this today, so I can't tell you if it was a completely up2date kernel. (with altered program to just poll port 100)

```
[mark@pindrop mark]$ uname -a
Linux pindrop 2.4.21-20.ELsmp #1 SMP Wed Aug 18 20:34:58 EDT 2004 x86_64 x86_64 x86_64 GNU/Linux
[mark@pindrop mark]$ ./a.out
didn't get signal for port=64
```

The reproducer in comment #1 of bug 146244 does not "work" on RHEL3 because access to the i/o port map is not enabled by default (as it is in 2.6). Thus, whatever problem Mark induced on RHEL3 must be unrelated to this vulnerability. I do believe that RHEL3 does have a problem on x86_64 if the i/o port map does get enabled. I will try to develop a revised reproducer.

Created attachment 112894
RHEL3 x86_64 reproducer

Here is a working RHEL3 reproducer. It requires root privileges in order to invoke a "ioperm(0L, 1L, 1);" system call, and the scanning loop needed to be changed to start from port 1 (to avoid corrupting the port 0 enabled by the ioperm() call).

Patch posted for review on 8-Apr-2005.

A fix for this problem has just been committed to the RHEL3 E5 patch pool this evening (in kernel version 2.4.21-27.0.3.EL).

A fix for this problem has also been committed to the RHEL3 U5 patch pool this evening (in kernel version 2.4.21-32.EL).

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2005-293.html

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2005-294.html