Bug 154451 - CAN-2005-1762 x86_64 sysret exception leads to DoS
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: x86_64 Linux
Priority: medium
Severity: high
Assigned To: Roland McGrath
QA Contact: Brian Brock
Whiteboard: impact=important,reported=20050411,so...
Keywords: Security
Duplicates: 159916
Depends On: 154221
Blocks: 156322
Reported: 2005-04-11 16:45 EDT by Roland McGrath
Modified: 2007-11-30 17:07 EST

Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Last Closed: 2005-10-05 08:59:07 EDT
Attachments
reproducer, native 64-bit compile produces sysret fault (1.01 KB, text/plain) - 2005-04-11 16:45 EDT, Roland McGrath
fix for sysret fault case (717 bytes, patch) - 2005-04-12 03:08 EDT, Roland McGrath
fix for iret fault cases (6.20 KB, patch) - 2005-04-12 03:11 EDT, Roland McGrath
reproducer for sigreturn/iret case, compile this native 64 bit (706 bytes, text/plain) - 2005-04-12 03:14 EDT, Roland McGrath

Comment 3 Roland McGrath 2005-04-12 03:08:42 EDT
Created attachment 113012
fix for sysret fault case

This fixes the case with that bad failure mode and DoS potential.
This patch works against 2.6.12rc2 and against RHEL4 (6.38).
Comment 4 Roland McGrath 2005-04-12 03:11:50 EDT
Created attachment 113013
fix for iret fault cases

This fixes the iret cases, and handles both a native 64-bit sigreturn case and
the cases with 32-bit processes that bug 154221 deals with.  These cases all
have a fairly harmless failure mode (some console spew and a confusing user
result), so buggy but not exploitable.
Comment 13 Mark J. Cox (Product Security) 2005-06-13 05:18:33 EDT
I originally labelled this issue as CAN-2005-0756 however that was in error due
to two similar ptrace check issues.  The following is as reported to vendor-sec:

Fixing rip -> CAN-2005-1762
Fixing fs_base and gs_base -> CAN-2005-0756
Comment 14 Mark J. Cox (Product Security) 2005-06-13 05:19:24 EDT
[PATCH] x86_64: check if ptrace RIP is canonical
This works around an AMD Erratum.

This is a DoS on 2.4 and 2.6

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d1099e8a18960693c04507bdd7b9403db70bfd97
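The upstream commit cited in comment 14 is titled "check if ptrace RIP is canonical". The following is an added illustration of what such a check looks like; it is not the kernel's patch (the linked commit is the authoritative fix and differs in detail). It assumes 48-bit virtual addresses, a hypothetical user-space upper bound constant USER_RIP_LIMIT standing in for the kernel's own limit, and hypothetical helper names (is_canonical, set_tracee_rip, struct tracee_regs). The point it demonstrates is the defensive one: reject a non-canonical RIP at the ptrace boundary so the tracee never reaches sysret with one.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/*
 * Added example, not the kernel's code.  On x86_64 with 48-bit virtual
 * addresses an address is canonical only when bits 63..47 all have the
 * same value, i.e. the top 17 bits are all zero or all one.  The bug on
 * this page is that ptrace let a debugger store any 64-bit value as the
 * tracee's RIP; the fix is to refuse a non-canonical one with -EIO so the
 * tracee's return to user mode never executes sysret/iret with a RIP the
 * CPU cannot return to cleanly.
 */

#define VA_BITS 48

/* Assumed (not the kernel's constant): user-space RIP must lie in the
 * lower canonical half, i.e. below 1 << 47. */
#define USER_RIP_LIMIT ((uint64_t)1 << (VA_BITS - 1))

static bool is_canonical(uint64_t addr)
{
    /* The 17 bits above bit 46 must be all zero or all one. */
    uint64_t top = addr >> (VA_BITS - 1);
    uint64_t all_ones = ((uint64_t)1 << (64 - VA_BITS + 1)) - 1;  /* 0x1ffff */
    return top == 0 || top == all_ones;
}

/* Hypothetical tracee register file; only the field that matters here. */
struct tracee_regs {
    uint64_t rip;
};

/*
 * Hypothetical putreg-style helper: install a debugger-supplied RIP into
 * the tracee.  Returns 0 on success, -EIO if the value is not a canonical
 * user-space address.  Rejecting here is what prevents the sysret fault.
 */
static int set_tracee_rip(struct tracee_regs *regs, uint64_t value)
{
    if (!is_canonical(value) || value >= USER_RIP_LIMIT)
        return -EIO;
    regs->rip = value;
    return 0;
}

int main(void)
{
    struct tracee_regs regs = { .rip = 0x400000 };
    /* Constructed sample values: an ordinary user address, a canonical
     * kernel-half address, the first address above user space, and a
     * non-canonical value. */
    uint64_t samples[] = {
        0x00007fff0000abcdULL,
        0xffffffff81000000ULL,
        0x0000800000000000ULL,
        0x1234567890abcdefULL,
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = set_tracee_rip(&regs, samples[i]);
        printf("%#018llx -> %s\n", (unsigned long long)samples[i],
               rc == 0 ? "accepted" : "rejected (-EIO)");
    }
    return 0;
}
```

Only the first sample is accepted; the kernel-half address is canonical but outside user space, and the other two fail the canonical test itself. The same two-part condition (canonical, and inside the user range) is the shape of check to look for when auditing any interface that lets one process write another's instruction pointer.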
Comment 15 Peter Staubach 2005-07-15 11:56:22 EDT
*** Bug 159916 has been marked as a duplicate of this bug. ***
Comment 16 Mark J. Cox (Product Security) 2005-07-26 09:00:52 EDT
This is in linux-2.6.9-CAN-2005-0756-x86_64-ptrace-canonical-addr.patch in -11.34.EL
Comment 21 Red Hat Bugzilla 2005-10-05 08:59:07 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-514.html
