154451 – CAN-2005-1762 x86_64 sysret exception leads to DoS

Bug 154451 - CAN-2005-1762 x86_64 sysret exception leads to DoS

Summary: CAN-2005-1762 x86_64 sysret exception leads to DoS

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	4.0
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Roland McGrath
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:	impact=important,reported=20050411,so...
Duplicates (1):	159916 (view as bug list)
Depends On:	154221
Blocks:	156322
TreeView+	depends on / blocked

Reported:	2005-04-11 20:45 UTC by Roland McGrath
Modified:	2007-11-30 22:07 UTC (History)
CC List:	7 users (show)
Fixed In Version:	RHSA-2005-514
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-10-05 12:59:07 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
reproducer, native 64-bit compile produces sysret fault (1.01 KB, text/plain) 2005-04-11 20:45 UTC, Roland McGrath	no flags	Details
fix for sysret fault case (717 bytes, patch) 2005-04-12 07:08 UTC, Roland McGrath	no flags	Details \| Diff
fix for iret fault cases (6.20 KB, patch) 2005-04-12 07:11 UTC, Roland McGrath	no flags	Details \| Diff
reproducer for sigreturn/iret case, compile this native 64 bit (706 bytes, text/plain) 2005-04-12 07:14 UTC, Roland McGrath	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2005:514	0	qe-ready	SHIPPED_LIVE	Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2	2005-10-05 04:00:00 UTC

Comment 3 Roland McGrath 2005-04-12 07:08:42 UTC

Created attachment 113012 [details]
fix for sysret fault case

This fixes the case with that bad failure mode and DoS potential.
This patch works against 2.6.12rc2 and against RHEL4 (6.38).

Comment 4 Roland McGrath 2005-04-12 07:11:50 UTC

Created attachment 113013 [details]
fix for iret fault cases

This fixes the iret cases, and handles both a native 64-bit sigreturn case and
the cases with 32-bit processes that bug 154221 deals with.  These cases all
have a fairly harmless failure mode (some console spew and a confusing user
result), so buggy but not exploitable.

Comment 13 Mark J. Cox 2005-06-13 09:18:33 UTC

I originally labelled this issue as CAN-2005-0756 however that was in error due
to two similar ptrace check issues.  The following is as reported to vendor-sec:

Fixing rip -> CAN-2005-1762
Fixing fs_base and gs_base -> CAN-2005-0756

Comment 14 Mark J. Cox 2005-06-13 09:19:24 UTC

[PATCH] x86_64: check if ptrace RIP is canonical
This works around an AMD Erratum.

This is a DoS on 2.4 and 2.6

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d1099e8a18960693c04507bdd7b9403db70bfd97

Comment 15 Peter Staubach 2005-07-15 15:56:22 UTC

*** Bug 159916 has been marked as a duplicate of this bug. ***

Comment 16 Mark J. Cox 2005-07-26 13:00:52 UTC

This is in linux-2.6.9-CAN-2005-0756-x86_64-ptrace-canonical-addr.patch in -11.34.EL

Comment 21 Red Hat Bugzilla 2005-10-05 12:59:07 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html

Note You need to log in before you can comment on or make changes to this bug.