Bug 154451 - CAN-2005-1762 x86_64 sysret exception leads to DoS
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Assigned To: Roland McGrath
Brian Brock
Keywords: Security
Duplicates: 159916
Depends On: 154221
Blocks: 156322
Reported: 2005-04-11 16:45 EDT by Roland McGrath
Modified: 2007-11-30 17:07 EST
CC: 7 users

Fixed In Version: RHSA-2005-514
Doc Type: Bug Fix
Last Closed: 2005-10-05 08:59:07 EDT

Attachments
reproducer, native 64-bit compile produces sysret fault (1.01 KB, text/plain), 2005-04-11 16:45 EDT, Roland McGrath
fix for sysret fault case (717 bytes, patch), 2005-04-12 03:08 EDT, Roland McGrath
fix for iret fault cases (6.20 KB, patch), 2005-04-12 03:11 EDT, Roland McGrath
reproducer for sigreturn/iret case, compile this native 64 bit (706 bytes, text/plain), 2005-04-12 03:14 EDT, Roland McGrath

Comment 3 Roland McGrath 2005-04-12 03:08:42 EDT
Created attachment 113012
fix for sysret fault case

This fixes the case with that bad failure mode and DoS potential.
This patch works against 2.6.12rc2 and against RHEL4 (6.38).
Comment 4 Roland McGrath 2005-04-12 03:11:50 EDT
Created attachment 113013
fix for iret fault cases

This fixes the iret cases, and handles both a native 64-bit sigreturn case and
the cases with 32-bit processes that bug 154221 deals with.  These cases all
have a fairly harmless failure mode (some console spew and a confusing user
result), so buggy but not exploitable.
Comment 13 Mark J. Cox 2005-06-13 05:18:33 EDT
I originally labelled this issue as CAN-2005-0756 however that was in error due
to two similar ptrace check issues.  The following is as reported to vendor-sec:

Fixing rip -> CAN-2005-1762
Fixing fs_base and gs_base -> CAN-2005-0756
Comment 14 Mark J. Cox 2005-06-13 05:19:24 EDT
[PATCH] x86_64: check if ptrace RIP is canonical
This works around an AMD Erratum.

This is a DoS on 2.4 and 2.6
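The canonical-address check that comment 14 refers to, as an added illustration written for this page and not the code of the attached patch or of the kernel: it models what a ptrace register-write path has to verify before it accepts a tracer-supplied RIP, so that the CPU never first rejects the value at the sysret/iret back to user mode, which is the fault the bug title describes. The 48-bit virtual-address width, the user/kernel split at bit 47, the function names, the USER_ADDR_LIMIT stand-in for the kernel's TASK_SIZE and the -EIO return are all assumptions of the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed 48-bit virtual addresses (4-level paging): an address is canonical
 * only if bits 63..47 are all copies of bit 47. */
#define VA_BITS 48

bool is_canonical(uint64_t addr)
{
    /* Bits 63..47 as a 17-bit value: all zero (user half) or all one (kernel half). */
    uint64_t upper = addr >> (VA_BITS - 1);
    uint64_t all_ones = (1ULL << (64 - VA_BITS + 1)) - 1;
    return upper == 0 || upper == all_ones;
}

/* Assumed boundary: user addresses occupy the lower canonical half, below 2^47.
 * A real kernel compares against its TASK_SIZE constant; this is a stand-in. */
#define USER_ADDR_LIMIT (1ULL << (VA_BITS - 1))

/* Model of the validation a ptrace register write (hypothetical caller of this
 * function) must apply before storing a new RIP into the tracee's saved frame.
 * Without it, a non-canonical value is only rejected by the CPU at the
 * sysret/iret back to user mode instead of at the ptrace call. */
int validate_ptrace_rip(uint64_t new_rip)
{
    if (!is_canonical(new_rip))
        return -EIO;          /* non-canonical: reject at the ptrace boundary */
    if (new_rip >= USER_ADDR_LIMIT)
        return -EIO;          /* canonical but in the kernel half: never valid for a tracee */
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the reproducers attached to the bug. */
    const uint64_t samples[] = {
        0x0000000000400000ULL, /* typical user text address */
        0x00007fffffffe000ULL, /* near the top of the user half */
        0x0000800000000000ULL, /* first non-canonical value above the user half */
        0xffffffff81000000ULL, /* canonical, but in the kernel half */
        0x1234567890abcdefULL, /* garbage, non-canonical */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx canonical=%d validate_ptrace_rip=%d\n",
               (unsigned long long)samples[i], is_canonical(samples[i]),
               validate_ptrace_rip(samples[i]));
    return 0;
}
```

The two-step check matters: canonical form alone would still admit kernel-half addresses, and a plain upper bound alone would miss nothing here only because every non-canonical value happens to exceed the user limit; keeping both makes the rejection reason explicit if the address-width assumption ever changes.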

Comment 15 Peter Staubach 2005-07-15 11:56:22 EDT
*** Bug 159916 has been marked as a duplicate of this bug. ***
Comment 16 Mark J. Cox 2005-07-26 09:00:52 EDT
This is in linux-2.6.9-CAN-2005-0756-x86_64-ptrace-canonical-addr.patch in -11.34.EL
Comment 21 Red Hat Bugzilla 2005-10-05 08:59:07 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.