Bug 154451 - CAN-2005-1762 x86_64 sysret exception leads to DoS
Summary: CAN-2005-1762 x86_64 sysret exception leads to DoS
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Roland McGrath
QA Contact: Brian Brock
Whiteboard: impact=important,reported=20050411,so...
Duplicates: 159916
Depends On: 154221
Blocks: 156322
Reported: 2005-04-11 20:45 UTC by Roland McGrath
Modified: 2007-11-30 22:07 UTC (History)
CC List: 7 users

Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-10-05 12:59:07 UTC
Target Upstream Version:

Attachments
reproducer, native 64-bit compile produces sysret fault (1.01 KB, text/plain); 2005-04-11 20:45 UTC, Roland McGrath
fix for sysret fault case (717 bytes, patch); 2005-04-12 07:08 UTC, Roland McGrath
fix for iret fault cases (6.20 KB, patch); 2005-04-12 07:11 UTC, Roland McGrath
reproducer for sigreturn/iret case, compile this native 64 bit (706 bytes, text/plain); 2005-04-12 07:14 UTC, Roland McGrath

Errata: Red Hat Product Errata RHSA-2005:514 (priority qe-ready, status SHIPPED_LIVE): Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 2; last updated 2005-10-05 04:00:00 UTC

Comment 3 Roland McGrath 2005-04-12 07:08:42 UTC
Created attachment 113012
fix for sysret fault case

This fixes the case with that bad failure mode and DoS potential.
This patch works against 2.6.12rc2 and against RHEL4 (6.38).

Comment 4 Roland McGrath 2005-04-12 07:11:50 UTC
Created attachment 113013
fix for iret fault cases

This fixes the iret cases, and handles both a native 64-bit sigreturn case and
the cases with 32-bit processes that bug 154221 deals with.  These cases all
have a fairly harmless failure mode (some console spew and a confusing user
result), so buggy but not exploitable.

Comment 13 Mark J. Cox 2005-06-13 09:18:33 UTC
I originally labelled this issue as CAN-2005-0756; however, that was in error due
to two similar ptrace check issues.  The following is as reported to vendor-sec:

Fixing rip -> CAN-2005-1762
Fixing fs_base and gs_base -> CAN-2005-0756

Comment 14 Mark J. Cox 2005-06-13 09:19:24 UTC
[PATCH] x86_64: check if ptrace RIP is canonical
This works around an AMD Erratum.

This is a DoS on 2.4 and 2.6


Comment 15 Peter Staubach 2005-07-15 15:56:22 UTC
*** Bug 159916 has been marked as a duplicate of this bug. ***

Comment 16 Mark J. Cox 2005-07-26 13:00:52 UTC
This is in linux-2.6.9-CAN-2005-0756-x86_64-ptrace-canonical-addr.patch in -11.34.EL

Comment 21 Red Hat Bugzilla 2005-10-05 12:59:07 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

