Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 2.1 product line. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 160200

Summary: CAN-2005-1768 64bit execve() race leads to buffer overflow
Product: Red Hat Enterprise Linux 2.1 Reporter: Mark J. Cox <mjc>
Component: kernelAssignee: Don Howard <dhoward>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 2.1CC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: ia64   
OS: Linux   
Whiteboard: source=secalert,reported=20050612,impact=important,public=20050704
Fixed In Version: RHSA-2005-551 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-08-25 13:18:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 143573    
Attachments:
Description Flags
Proposed patch from Andi Kleen none

Description Mark J. Cox 2005-06-13 10:48:19 UTC 
Reported to secalert by Ilja van Sprundel, a race condition in execve
affecting x86_64 and ia64 which exists because kmalloc() or get_user() can
block, and hence another thread can change the argv and envp pointers, causing a
bufferoverflow (also on SMP without blocking)

          na = nargs(argv, NULL);
 ...      ne = nargs(envp, NULL);
 ...      len = (na + ne + 2) * sizeof(*av);
 ...      av = kmalloc(len, GFP_KERNEL);
 ...      r = nargs(argv, av);
 ...      r = nargs(envp, ae);

"the nargs() function is used to first count the amount of argv and
envp pointers, next a kmalloc() is done, and then nargs() is called again to
copy the argv and envp pointer into this newly allocated memory.        the race
condition exists because kmalloc() or get_user() can block, and hence another
thread can change the argv and envp pointers, causing a buffer overflow."

Currently embargoed
Comment 1 Mark J. Cox 2005-06-13 10:48:20 UTC 
Created attachment 115348 [details]
Proposed patch from Andi Kleen
Comment 5 Mark J. Cox 2005-07-07 22:13:24 UTC 
Fixed in 2.4.32-pre1, therefore no need to treat as embargoed.
Comment 6 Mark J. Cox 2005-07-08 09:14:38 UTC 
Public 20050704
Comment 11 Red Hat Bugzilla 2005-08-25 13:18:56 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-551.html