Verified as affecting RHEL3 (also can result in DoS)

*** This bug has been split off bug 146244 ***

------- Original comment by Staffan Larsen on 2005.01.26 08:28 -------

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
Compile the attached program on x86.
Run on x86 - it should not print anything. This behaviour is correct.
Run (the same binary) on x86_64 - it prints out a number of port values for which the OUTS instruction did not cause a SIGSEGV. This behaviour is not correct.

Version-Release number of selected component (if applicable):
Linux version 2.6.9-1.906_ELsmp (bhcompile.redhat.com) (gcc version 3.4.3 20041125 (Red Hat 3.4.3-6.EL4)) #1 SMP Sun Dec 12 23:05:02 EST 2004

How reproducible:
Always

Steps to Reproduce:
1. Compile program on x86
A. 2. Run on x86
B. 2. Run on x86_64

Actual Results:
A. <nothing>
B.
didn't get signal for port=440
didn't get signal for port=441
didn't get signal for port=442
didn't get signal for port=443
didn't get signal for port=444
didn't get signal for port=445
didn't get signal for port=446
didn't get signal for port=447
didn't get signal for port=448
didn't get signal for port=449
didn't get signal for port=44a
didn't get signal for port=44b
didn't get signal for port=44c
didn't get signal for port=44d
didn't get signal for port=44e
didn't get signal for port=44f
didn't get signal for port=450
didn't get signal for port=451
didn't get signal for port=452
didn't get signal for port=453
didn't get signal for port=454
didn't get signal for port=455
didn't get signal for port=456
didn't get signal for port=457
didn't get signal for port=458
didn't get signal for port=459
didn't get signal for port=45a
didn't get signal for port=45b
didn't get signal for port=45c
didn't get signal for port=45d
didn't get signal for port=45e
didn't get signal for port=45f
didn't get signal for port=460
didn't get signal for port=461
didn't get signal for port=462
didn't get signal for port=463
didn't get signal for port=464
didn't get signal for port=465
didn't get signal for port=466
didn't get signal for port=467
didn't get signal for port=468
didn't get signal for port=469
didn't get signal for port=46a
didn't get signal for port=46b
didn't get signal for port=46c
didn't get signal for port=46d
didn't get signal for port=46e
didn't get signal for port=46f
didn't get signal for port=470
didn't get signal for port=471
didn't get signal for port=472
didn't get signal for port=473
didn't get signal for port=474
didn't get signal for port=475
didn't get signal for port=476
didn't get signal for port=477
didn't get signal for port=478
didn't get signal for port=479
didn't get signal for port=47a
didn't get signal for port=47b
didn't get signal for port=47c
didn't get signal for port=47d
didn't get signal for port=47e
didn't get signal for port=47f
didn't get signal for port=480
didn't get signal for port=481
didn't get signal for port=482
didn't get signal for port=483
didn't get signal for port=484
didn't get signal for port=485
didn't get signal for port=486
didn't get signal for port=487
didn't get signal for port=488
didn't get signal for port=489
didn't get signal for port=48a
didn't get signal for port=48b
didn't get signal for port=48c
didn't get signal for port=48d
didn't get signal for port=48e
didn't get signal for port=48f
didn't get signal for port=490
didn't get signal for port=491
didn't get signal for port=492
didn't get signal for port=493
didn't get signal for port=494
didn't get signal for port=495
didn't get signal for port=496
didn't get signal for port=497
didn't get signal for port=498
didn't get signal for port=499
didn't get signal for port=49a
didn't get signal for port=49b
didn't get signal for port=49c
didn't get signal for port=49d
didn't get signal for port=49e
didn't get signal for port=49f
didn't get signal for port=4a0
didn't get signal for port=4a1
didn't get signal for port=4a2
didn't get signal for port=4a3
didn't get signal for port=4a4
didn't get signal for port=4a5
didn't get signal for port=4a6
didn't get signal for port=4a7
didn't get signal for port=4a8
didn't get signal for port=4a9
didn't get signal for port=4aa
didn't get signal for port=4ab
didn't get signal for port=4ac
didn't get signal for port=4ad
didn't get signal for port=4ae
didn't get signal for port=4af
didn't get signal for port=4b0
didn't get signal for port=4b1
didn't get signal for port=4b2
didn't get signal for port=4b3
didn't get signal for port=4b4
didn't get signal for port=4b5
didn't get signal for port=4b6
didn't get signal for port=4b7

Expected Results:
A. <nothing>
B. <nothing>

Additional info:
*** Important Note ***
Running the program above without modifications allowed me as a normal user to mess up the CMOS on a dual Opteron box.
ping
Mark, just for clarification, does your comment #1 reflect the results of running the reproducer on a RHEL3-based system? (I don't believe the results in the initial comment are relevant to RHEL3.)
I'm trying this out on RHEL3 right now...
Ernie suggested that different sizes of the IO bitmaps between RHEL3 and RHEL4 might make this not a problem on RHEL3. I tried the reproducer and verified that on RHEL3 it generates SEGVs for all the OUTs. Closing this as NOTABUG.
At home I have a RHEL3 SMP x86_64 box using a standard kernel that was vulnerable to this exploit. I'm away so I don't have access to this today, so I can't tell you if it was a completely up2date kernel.
(with altered program to just poll port 100)

[mark@pindrop mark]$ uname -a
Linux pindrop 2.4.21-20.ELsmp #1 SMP Wed Aug 18 20:34:58 EDT 2004 x86_64 x86_64 x86_64 GNU/Linux
[mark@pindrop mark]$ ./a.out
didn't get signal for port=64
The reproducer in comment #1 of bug 146244 does not "work" on RHEL3 because access to the i/o port map is not enabled by default (as it is in 2.6). Thus, whatever problem Mark induced on RHEL3 must be unrelated to this vulnerability. I do believe that RHEL3 does have a problem on x86_64 if the i/o port map does get enabled. I will try to develop a revised reproducer.
Created attachment 112894 [details]
RHEL3 x86_64 reproducer

Here is a working RHEL3 reproducer. It requires root privileges in order to invoke an "ioperm(0L, 1L, 1);" system call, and the scanning loop needed to be changed to start from port 1 (to avoid corrupting the port 0 enabled by the ioperm() call).
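As an added illustration (not the reproducer attached to this bug and not kernel code): a user-space model of the I/O permission bitmap that ioperm() programs, including the hardware rule that a port whose bit lies beyond the bitmap's covered range faults. It shows why a process that never called ioperm() must fault on every port (the correct x86 result in the original comment) and why, once ioperm(0L, 1L, 1) has enabled port 0, a scan has to start from port 1. The struct, the function names and the covered_bytes field are this example's own.

```c
/* Added example, not the bug's reproducer: a model of the x86 I/O permission
 * bitmap. A clear bit permits a port, a set bit faults, and any port whose
 * bit lies beyond the bitmap's covered range is treated as set (hardware rule),
 * so a process that never called ioperm() must fault on every single port. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define IO_BITMAP_BITS  65536                 /* ports 0x0000..0xffff */
#define IO_BITMAP_BYTES (IO_BITMAP_BITS / 8)  /* 8192 bytes           */

struct io_bitmap {                       /* hypothetical model type       */
    uint8_t bits[IO_BITMAP_BYTES];
    size_t  covered_bytes;               /* bytes inside the TSS limit    */
};

/* Every port denied: the state of a process that never called ioperm(). */
static void io_bitmap_init(struct io_bitmap *bm, size_t covered_bytes) {
    memset(bm->bits, 0xff, sizeof bm->bits);
    bm->covered_bytes = covered_bytes > IO_BITMAP_BYTES ? IO_BITMAP_BYTES : covered_bytes;
}

/* Model of ioperm(from, num, turn_on): clear bits to permit, set to deny. */
static int model_ioperm(struct io_bitmap *bm, unsigned from, unsigned num, int turn_on) {
    if (from + num > IO_BITMAP_BITS) return -1;   /* kernel returns EINVAL */
    for (unsigned p = from; p < from + num; p++) {
        if (turn_on) bm->bits[p / 8] &= (uint8_t)~(1u << (p % 8));
        else         bm->bits[p / 8] |=  (uint8_t) (1u << (p % 8));
    }
    return 0;
}

/* A width-byte access (OUTB/OUTW/OUTL, or OUTS of that size) is permitted
 * only if every port byte it touches has a clear bit inside covered range. */
static bool port_access_allowed(const struct io_bitmap *bm, unsigned port, unsigned width) {
    for (unsigned p = port; p < port + width; p++) {
        if (p >= IO_BITMAP_BITS || p / 8 >= bm->covered_bytes) return false;
        if (bm->bits[p / 8] & (1u << (p % 8))) return false;
    }
    return true;
}

/* Ports in [first, last] that would NOT fault: what the reproducer measures
 * by catching SIGSEGV, evaluated here against the model instead. */
static unsigned count_permitted(const struct io_bitmap *bm, unsigned first, unsigned last) {
    unsigned n = 0;
    for (unsigned p = first; p <= last; p++) n += port_access_allowed(bm, p, 1);
    return n;
}
```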
Patch posted for review on 8-Apr-2005.
A fix for this problem has just been committed to the RHEL3 E5 patch pool this evening (in kernel version 2.4.21-27.0.3.EL).
A fix for this problem has also been committed to the RHEL3 U5 patch pool this evening (in kernel version 2.4.21-32.EL).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-293.html
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-294.html