Bug 183463 - CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic

Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Platform: ia64 Linux
Priority: medium  Severity: medium
Assigned To: Anil S Keshavamurthy
QA Contact: Brian Brock
Keywords: Security
Duplicates: 191138
Blocks: 181409 185624
Reported: 2006-03-01 06:03 EST by Alan Robinson
Modified: 2010-04-27 18:31 EDT
Fixed In Version: RHSA-2006-0575
Doc Type: Bug Fix
Last Closed: 2006-08-10 18:29:25 EDT

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0575 normal SHIPPED_LIVE Important: Updated kernel packages available for Red Hat Enterprise Linux 4 Update 4 2006-08-10 00:00:00 EDT
Comment 1 Alan Robinson 2006-03-01 06:03:46 EST
Description of problem:

There is a bug in the IA-64 unaligned access handler, which means that an
unaligned access occurring while the IA-64 big-endian flag is set can crash the
system.  The problem is in arch/ia64/kernel/unalign.c - the function
die_if_kernel() is declared "noreturn", but this function can return if the
access came from user-space.  

If an unaligned access occurs from user-space while the big-endian flag is set,
the code at the start of ia64_handle_unaligned() will call die_if_kernel(),
which will return.  What happens next depends on how gcc compiled this function
- as die_if_kernel() is marked "noreturn", you will now fall through to whatever
code gcc happens to have planted after this call.

On RHEL4, the code you fall through to has been observed to cause a kernel panic.

Version-Release number of selected component (if applicable):


Same behaviour (system crash) observed on all these versions (corresponding to
RHEL4 update 1 and update 2).

How reproducible:

Run attached test program as any user.

Steps to Reproduce:
1. Detach attached ia64UnalignedTest.c
2. make ia64UnalignedTest
3. ./ia64UnalignedTest
Actual results:

System crashes

Expected results:

User process should receive a SIGBUS error (the kernel doesn't support fixing up
big-endian accesses, so we would expect the process to simply receive a SIGBUS).

Additional info:

Marked as security issue since this allows any user to crash the entire system
by simply running the test program attached (potential denial-of-service attack
if you have a non-privileged user account on the system).

Fix submitted to the upstream kernel tree via Tony Luck.  URL for the commit is:

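Added illustration (not the kernel's code and not the attached test program): a constructed C model of the two control-flow shapes described in the report, the one that relies on die_if_kernel() never returning and the one that handles the user-mode big-endian case explicitly with SIGBUS. The PSR_BE and CPL_USER constants, the outcome enum and the emulate_access() stand-in are assumptions of the model only.

```c
#include <stdbool.h>

/* Constructed model of the control flow in ia64_handle_unaligned() as
 * described in this bug. Bit positions and field names are assumptions
 * made for the model, not the kernel's definitions. */
#define PSR_BE   (1u << 1)   /* big-endian flag (modelled) */
#define CPL_USER 3           /* user privilege level (modelled) */

struct regs { unsigned psr; unsigned cpl; };

enum outcome { OUT_FIXED_UP, OUT_SIGBUS, OUT_PANIC };

/* Dies only for faults taken in kernel mode; returns for user-mode faults.
 * A "noreturn" attribute on a function with this behaviour is wrong. */
static bool die_if_kernel(const struct regs *r)
{
    return r->cpl != CPL_USER;
}

/* Emulation path for ordinary little-endian unaligned accesses. Reaching
 * it with the big-endian flag set stands in for the unexpected code the
 * report says was executed; the model treats that as a panic. */
static enum outcome emulate_access(const struct regs *r)
{
    return (r->psr & PSR_BE) ? OUT_PANIC : OUT_FIXED_UP;
}

/* Vulnerable shape: the code assumed die_if_kernel() never returns, so
 * nothing handles a user-mode fault with the big-endian flag set. */
enum outcome handle_unaligned_vulnerable(const struct regs *r)
{
    if (r->psr & PSR_BE) {
        if (die_if_kernel(r))
            return OUT_PANIC;
        /* falls through: whatever follows runs for the user-mode fault */
    }
    return emulate_access(r);
}

/* Fixed shape: treat die_if_kernel() as a function that can return and
 * deliver SIGBUS explicitly, since big-endian fix-up is unsupported. */
enum outcome handle_unaligned_fixed(const struct regs *r)
{
    if (r->psr & PSR_BE) {
        if (die_if_kernel(r))
            return OUT_PANIC;
        return OUT_SIGBUS;   /* signal the process instead of continuing */
    }
    return emulate_access(r);
}
```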
Comment 2 Mark J. Cox 2006-03-01 10:14:23 EST
Alan, thanks for the report
Comment 3 Mark J. Cox 2006-03-01 10:38:57 EST
Alan, can we share your test case in comment #1 with other Linux vendors who we
have a security exchange agreement with? 
Comment 4 Alan Robinson 2006-03-01 10:44:44 EST
Mark, absolutely - feel free to share that test case with other Linux vendors.

FYI, we've already reported this to Gerald Pfeifer at SUSE (and the SUSE
security team), and they have this test case already.
Comment 5 Jason Baron 2006-03-19 13:57:42 EST
committed in stream u4 build 34.5. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 6 Alan Robinson 2006-03-29 04:47:13 EST
Tested the kernel from

Confirmed that the test case now behaves correctly, a SIGBUS is received by the
process and the system does not crash.

Any word on when this patch will be included in a RedHat kernel release?  Will
it be in update 4, or will it be released ahead of that?  

Comment 7 Bob Johnson 2006-04-11 12:00:34 EDT
This issue is on Red Hat Engineering's list of planned work items 
for the upcoming Red Hat Enterprise Linux 4.4 release.  Engineering 
resources have been assigned and barring unforeseen circumstances, Red 
Hat intends to include this item in the 4.4 release.
Comment 8 Jason Baron 2006-05-23 17:57:24 EDT
*** Bug 191138 has been marked as a duplicate of this bug. ***
Comment 12 Red Hat Bugzilla 2006-08-10 18:29:29 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 13 Eugene Teo (Security Response) 2010-04-27 18:20:30 EDT
Upstream commit for CVE-2006-0742:

commit e963701a761aede31c9c1bfc74cf8e0ec671f0f4
Author: Tony Luck <tony.luck@intel.com>
Date:   Mon Feb 27 16:18:58 2006 -0800

    [IA64] die_if_kernel() can return

    arch/ia64/kernel/unaligned.c erroneously marked die_if_kernel()
    with a "noreturn" attribute ... which is silly (it returns whenever
    the argument regs say that the fault happened in user mode, as one
    might expect given the "if_kernel" part of its name!).  Thanks to
    Alan and Gareth for pointing this out.

    Signed-off-by: Tony Luck <tony.luck@intel.com>
