Bug 154451 - CAN-2005-1762 x86_64 sysret exception leads to DoS
Summary: CAN-2005-1762 x86_64 sysret exception leads to DoS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Roland McGrath
QA Contact: Brian Brock
URL:
Whiteboard: impact=important,reported=20050411,so...
: 159916 (view as bug list)
Depends On: 154221
Blocks: 156322
TreeView+ depends on / blocked
 
Reported: 2005-04-11 20:45 UTC by Roland McGrath
Modified: 2007-11-30 22:07 UTC (History)
7 users (show)

Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-05 12:59:07 UTC


Attachments (Terms of Use)
reproducer, native 64-bit compile produces sysret fault (1.01 KB, text/plain)
2005-04-11 20:45 UTC, Roland McGrath
no flags Details
fix for sysret fault case (717 bytes, patch)
2005-04-12 07:08 UTC, Roland McGrath
no flags Details | Diff
fix for iret fault cases (6.20 KB, patch)
2005-04-12 07:11 UTC, Roland McGrath
no flags Details | Diff
reproducer for sigreturn/iret case, compile this native 64 bit (706 bytes, text/plain)
2005-04-12 07:14 UTC, Roland McGrath
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:514 qe-ready SHIPPED_LIVE Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2 2005-10-05 04:00:00 UTC

Comment 3 Roland McGrath 2005-04-12 07:08:42 UTC
Created attachment 113012 [details]
fix for sysret fault case

This fixes the case with that bad failure mode and DoS potential.
This patch works against 2.6.12rc2 and against RHEL4 (6.38).

Comment 4 Roland McGrath 2005-04-12 07:11:50 UTC
Created attachment 113013 [details]
fix for iret fault cases

This fixes the iret cases, and handles both a native 64-bit sigreturn case and
the cases with 32-bit processes that bug 154221 deals with.  These cases all
have a fairly harmless failure mode (some console spew and a confusing user
result), so buggy but not exploitable.

Comment 13 Mark J. Cox 2005-06-13 09:18:33 UTC
I originally labelled this issue as CAN-2005-0756 however that was in error due
to two similar ptrace check issues.  The following is as reported to vendor-sec:

Fixing rip -> CAN-2005-1762
Fixing fs_base and gs_base -> CAN-2005-0756


Comment 14 Mark J. Cox 2005-06-13 09:19:24 UTC
[PATCH] x86_64: check if ptrace RIP is canonical
This works around an AMD Erratum.

This is a DoS on 2.4 and 2.6

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d1099e8a18960693c04507bdd7b9403db70bfd97


Comment 15 Peter Staubach 2005-07-15 15:56:22 UTC
*** Bug 159916 has been marked as a duplicate of this bug. ***

Comment 16 Mark J. Cox 2005-07-26 13:00:52 UTC
This is in linux-2.6.9-CAN-2005-0756-x86_64-ptrace-canonical-addr.patch in -11.34.EL

Comment 21 Red Hat Bugzilla 2005-10-05 12:59:07 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html



Note You need to log in before you can comment on or make changes to this bug.