Description of problem:
There is a bug in the IA-64 unaligned access handler, which means that an unaligned access occurring while the IA-64 big-endian flag is set can crash the system. The problem is in arch/ia64/kernel/unalign.c - the function die_if_kernel() is declared "noreturn", but this function can return if the access came from user-space. If an unaligned access occurs from user-space while the big-endian flag is set, the code at the start of ia64_handle_unaligned() will call die_if_kernel(), which will return. What happens next depends on how gcc compiled this function - as die_if_kernel() is marked "noreturn", you will now fall through to whatever code gcc happens to have planted after this call. On RHEL4, the code you fall through to has been observed to cause a kernel panic.

Version-Release number of selected component (if applicable):
kernel-2.6.9-11.EL.ia64.rpm
kernel-2.6.9-22.EL.ia64.rpm
kernel-2.6.9-22.0.2.EL.ia64.rpm
Same behaviour (system crash) observed on all these versions (corresponding to RHEL4 update 1 and update 2).

How reproducible:
Run attached test program as any user.

Steps to Reproduce:
1. Detach attached ia64UnalignedTest.c
2. make ia64UnalignedTest
3. ./ia64UnalignedTest

Actual results:
System crashes

Expected results:
User process should receive a SIGBUS error (the kernel doesn't support fixing up big-endian accesses, so we would expect the process to simply receive a SIGBUS).

Additional info:
Marked as security issue since this allows any user to crash the entire system by simply running the test program attached (potential denial-of-service attack if you have a non-privileged user account on the system). Fix submitted to the upstream kernel tree via Tony Luck. URL for the commit is: http://tinyurl.com/mvayg
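A constructed user-space model of the handler's control flow, added here and not taken from the kernel or the attached test program: the psr bit layout, pt_regs shape and function names are simplified assumptions. It shows die_if_kernel() declared without "noreturn", so the SIGBUS path after the call survives compilation and a user-mode big-endian fault is reported to the process instead of falling through.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the two psr bits the handler consults (constructed layout,
 * not the real IA-64 register encoding). */
#define PSR_BE  (1UL << 1)   /* big-endian data accesses */
#define PSR_CPL (3UL << 4)   /* privilege level; non-zero == user mode */

struct pt_regs { unsigned long cr_ipsr; };   /* minimal model */

static int user_mode(const struct pt_regs *regs)
{
    return (regs->cr_ipsr & PSR_CPL) != 0;
}

/* The genuinely non-returning path: a kernel-mode fault is fatal. */
static void die(const char *str, const struct pt_regs *regs)
{
    fprintf(stderr, "kernel die: %s (ipsr=%#lx)\n", str, regs->cr_ipsr);
    abort();
}

/* Deliberately NOT marked __attribute__((noreturn)): it returns whenever
 * the fault came from user mode. With the attribute, gcc may treat every
 * statement after a call as unreachable and drop it, which is the bug. */
static void die_if_kernel(const char *str, const struct pt_regs *regs)
{
    if (user_mode(regs))
        return;
    die(str, regs);
}

/* Returns the signal to deliver to the faulting process, 0 if fixed up. */
int handle_unaligned(const struct pt_regs *regs)
{
    if (regs->cr_ipsr & PSR_BE) {
        /* big-endian fixup is unsupported: fatal in kernel, SIGBUS in user */
        die_if_kernel("big-endian unaligned accesses are not supported", regs);
        return SIGBUS;   /* reachable only because die_if_kernel() can return */
    }
    return 0;            /* little-endian: emulate the access and resume */
}

int main(void)
{
    struct pt_regs user_be = { PSR_CPL | PSR_BE };
    printf("user-mode big-endian fault -> signal %d\n", handle_unaligned(&user_be));
    return 0;
}
```

If the "noreturn" attribute is put back on a body that still contains `return;`, gcc reports that the function declared noreturn has a return statement, which is the compile-time check that would have flagged this defect.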
Alan, thanks for the report
Alan, can we share your test case in comment #1 with other Linux vendors who we have a security exchange agreement with?
Mark, absolutely - feel free to share that test case with other Linux vendors. FYI, we've already reported this to Gerald Pfeifer at SUSE (and the SUSE security team), and they have this test case already.
Committed in stream u4 build 34.5. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
Tested the kernel from http://people.redhat.com/~jbaron/rhel4/RPMS.kernel/kernel-2.6.9-34.9.EL.ia64.rpm

Confirmed that the test case now behaves correctly: a SIGBUS is received by the process and the system does not crash.

Any word on when this patch will be included in a Red Hat kernel release? Will it be in update 4, or will it be released ahead of that? Thanks
This issue is on Red Hat Engineering's list of planned work items for the upcoming Red Hat Enterprise Linux 4.4 release. Engineering resources have been assigned and barring unforeseen circumstances, Red Hat intends to include this item in the 4.4 release.
*** Bug 191138 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0575.html
Upstream commit for CVE-2006-0742:
http://git.kernel.org/linus/e963701a761aede31c9c1bfc74cf8e0ec671f0f4

commit e963701a761aede31c9c1bfc74cf8e0ec671f0f4
Author: Tony Luck <tony.luck>
Date:   Mon Feb 27 16:18:58 2006 -0800

    [IA64] die_if_kernel() can return

    arch/ia64/kernel/unaligned.c erroneously marked die_if_kernel() with a "noreturn" attribute ... which is silly (it returns whenever the argument regs say that the fault happened in user mode, as one might expect given the "if_kernel" part of its name!).

    Thanks to Alan and Gareth for pointing this out.

    Signed-off-by: Tony Luck <tony.luck>