Red Hat Bugzilla – Bug 183463
CVE-2006-0742 Bug in IA64 unaligned access handler causes kernel panic
Last modified: 2010-04-27 18:31:23 EDT
Description of problem:
There is a bug in the IA-64 unaligned access handler, which means that an
unaligned access occurring while the IA-64 big-endian flag is set can crash the
system. The problem is in arch/ia64/kernel/unalign.c - the function
die_if_kernel() is declared "noreturn", but this function can return if the
access came from user-space.
If an unaligned access occurs from user-space while the big-endian flag is set,
the code at the start of ia64_handle_unaligned() will call die_if_kernel(),
which will return. What happens next depends on how gcc compiled this function
- as die_if_kernel() is marked "noreturn", you will now fall through to whatever
code gcc happens to have planted after this call.
On RHEL4, the code you fall through to has been observed to cause a kernel panic.
Version-Release number of selected component (if applicable):
Same behaviour (system crash) observed on all these versions (corresponding to
RHEL4 update 1 and update 2).
Run attached test program as any user.
Steps to Reproduce:
1. Detach attached ia64UnalignedTest.c
2. make ia64UnalignedTest
User process should receive a SIGBUS error (the kernel doesn't support fixing up
big-endian accesses, so we would expect the process to simply receive a SIGBUS).
Marked as security issue since this allows any user to crash the entire system
by simply running the test program attached (potential denial-of-service attack
if you have a non-privileged user account on the system).
Fix submitted to the upstream kernel tree via Tony Luck. URL for the commit is:
Alan, thank's for the report
Alan, can we share your test case in comment #1 with other Linux vendors who we
have a security exchange agreement with?
Mark, absolutely - feel free to share that test case with other Linux vendors.
FYI, we've already reported this to Gerald Pfeifer at SUSE (and the SUSE
security team), and they have this test case already.
committed in stream u4 build 34.5. A test kernel with this patch is available
Tessted the kernel from
Confirmed that the test case now behaves correctly, a SIGBUS is received by the
process and the system does not crash.
Any word on when this patch will be included in a RedHat kernel release? Will
it be in update 4, or will it be released ahead of that?
This issue is on Red Hat Engineering's list of planned work items
for the upcoming Red Hat Enterprise Linux 4.4 release. Engineering
resources have been assigned and barring unforeseen circumstances, Red
Hat intends to include this item in the 4.4 release.
*** Bug 191138 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
Upstream commit for CVE-2006-0742:
Author: Tony Luck <firstname.lastname@example.org>
Date: Mon Feb 27 16:18:58 2006 -0800
[IA64] die_if_kernel() can return
arch/ia64/kernel/unaligned.c erroneously marked die_if_kernel()
with a "noreturn" attribute ... which is silly (it returns whenever
the argument regs say that the fault happened in user mode, as one
might expect given the "if_kernel" part of its name!). Thanks to
Alan and Gareth for pointing this out.
Signed-off-by: Tony Luck <email@example.com>