Bug 183489 - CVE-2006-0741 bad elf entry address (CVE-2006-0744)
Summary: CVE-2006-0741 bad elf entry address (CVE-2006-0744)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Ernie Petrides
QA Contact: Brian Brock
URL:
Whiteboard: reported=20060226,source=bk,impact=im...
Depends On:
Blocks:
Reported: 2006-03-01 14:39 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2006-0493
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-24 09:28:30 UTC
Target Upstream Version:
Embargoed:


Attachments
patch posted for internal review today to address this (2.92 KB, patch), 2006-03-16 00:04 UTC, Ernie Petrides
revised patch posted for internal re-review tonight (3.10 KB, patch), 2006-03-31 03:47 UTC, Ernie Petrides


Links
Red Hat Product Errata RHSA-2006:0493 (priority normal, status SHIPPED_LIVE): Important: kernel security update, last updated 2006-05-24 04:00:00 UTC

Description Mark J. Cox 2006-03-01 14:39:34 UTC
http://linux.bkbits.net:8080/linux-2.6/cset@4401eb1byTR_y2KtLU4V7RCcTlhdgw

"[PATCH] x86_64: Check for bad elf entry address.

Fixes a local DoS on Intel systems that leads to an endless
recursive fault.  AMD machines don't seem to be affected."

Comment 6 Mark J. Cox 2006-03-10 10:23:39 UTC
Comment #5 From Ernie Petrides (petrides) on 2006-03-09 17:22 EST

Created an attachment (id=125908)
patch posted for internal review today to address this

The attached patch addresses all known vulnerabilities of EM64T
cpus returning to user-space at non-canonical RIP values.


Comment #6 From Mark J. Cox (Security Response Team) (mjc) on

Whilst fixing a fix for invalid ELF, Ernie discovered signal catching is still
vulnerable, with a trivial test case causing a double-fault on EM64T-based
systems.  Allocated CVE-2006-0744.  The patch above addresses CVE-2006-0741 and
CVE-2006-0744.



Comment 8 Ernie Petrides 2006-03-15 23:30:27 UTC
The 2nd upstream commit listed above has been found to cause regressions
and has been reverted by Linus yesterday.  I've decided to port the RHEL3
patch from bug 183492 comment #5 instead.

Comment 9 Ernie Petrides 2006-03-16 00:04:06 UTC
Created attachment 126179 [details]
patch posted for internal review today to address this

The attached patch addresses all known vulnerabilities of EM64T
cpus returning to user-space at non-canonical RIP values.

Comment 10 Ernie Petrides 2006-03-31 03:47:07 UTC
Created attachment 127095 [details]
revised patch posted for internal re-review tonight

This updated version of the patch in comment #9 addresses a regression
in the RIP validation check introduced in restore_sigcontext().  The
x86_64 "vsyscall" region must be excluded from the invalid addr range.
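
The two checks this bug discusses, the ELF entry-point validation from the Description (CVE-2006-0741) and the restore_sigcontext() RIP validation with the vsyscall carve-out from comment 10 (CVE-2006-0744), modelled in user space as an added example. This is not the RHEL patch (the attachments are not reproduced on the page) and not kernel code; the TASK_SIZE and vsyscall page bounds are the x86_64 values assumed here, and the ELF header bytes are constructed inline for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed x86_64 layout of that era: 47-bit user range, fixed vsyscall page. */
#define TASK_SIZE_64   0x0000800000000000ULL
#define VSYSCALL_START 0xffffffffff600000ULL
#define VSYSCALL_END   0xffffffffff601000ULL

/* A 64-bit address is canonical when bits 63..47 all equal bit 47. */
static bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;          /* 17 bits: 63..47 */
    return top == 0 || top == 0x1ffffULL;
}

typedef enum { RIP_OK, RIP_NONCANONICAL, RIP_KERNEL_RANGE } rip_verdict;

/* Policy described in comment 10: anything at or above TASK_SIZE is rejected
 * as a return address for user mode, except the vsyscall page, which user
 * code may legitimately be executing when a signal interrupts it. */
static rip_verdict classify_user_rip(uint64_t rip)
{
    if (rip < TASK_SIZE_64)
        return RIP_OK;
    if (rip >= VSYSCALL_START && rip < VSYSCALL_END)
        return RIP_OK;
    return is_canonical(rip) ? RIP_KERNEL_RANGE : RIP_NONCANONICAL;
}

static uint64_t read_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* The ELF side of the bug: e_entry sits at offset 24 of an Elf64_Ehdr. A
 * loader must refuse an entry point that fails the same address policy
 * instead of jumping to it. Only the fields needed here are inspected. */
static bool elf64_entry_ok(const unsigned char *hdr, size_t len)
{
    if (len < 64)                              /* sizeof(Elf64_Ehdr) */
        return false;
    if (memcmp(hdr, "\x7f" "ELF", 4) != 0)     /* magic */
        return false;
    if (hdr[4] != 2 || hdr[5] != 1)            /* ELFCLASS64, little-endian */
        return false;
    return classify_user_rip(read_le64(hdr + 24)) == RIP_OK;
}

/* Constructed sample: minimal ELF64 LE x86-64 executable header with e_entry. */
static void make_elf64_header(unsigned char out[64], uint64_t e_entry)
{
    memset(out, 0, 64);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2;  out[5] = 1;  out[6] = 1;      /* class, data, ident version */
    out[16] = 2;                               /* e_type   = ET_EXEC */
    out[18] = 62;                              /* e_machine = EM_X86_64 */
    out[20] = 1;                               /* e_version */
    for (int i = 0; i < 8; i++)
        out[24 + i] = (unsigned char)(e_entry >> (8 * i));
}

/* Convenience: would an ELF with this e_entry pass the loader check? */
static bool entry_check_for(uint64_t e_entry)
{
    unsigned char hdr[64];
    make_elf64_header(hdr, e_entry);
    return elf64_entry_ok(hdr, sizeof hdr);
}

int main(void)
{
    const uint64_t samples[] = {
        0x0000000000400000ULL,   /* ordinary text address */
        0xffffffffff600000ULL,   /* vsyscall page: allowed on return */
        0x0000800000000000ULL,   /* first non-canonical address */
        0xffffffff81000000ULL,   /* canonical but kernel range */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t a = samples[i];
        printf("%#018llx: sigreturn verdict %d, as ELF entry %s\n",
               (unsigned long long)a, classify_user_rip(a),
               entry_check_for(a) ? "accepted" : "rejected");
    }
    return 0;
}
```

The classifier separates non-canonical from canonical-but-kernel addresses because only the former is the condition the bug report describes (the EM64T double fault); a canonical kernel-range RIP reached from user mode faults as an ordinary user-mode page fault. Both are rejected by the policy in comment 10, so the distinction matters only for diagnosis.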

Comment 11 Jason Baron 2006-04-05 18:14:08 UTC
Committed in stream U4 build 34.12. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 16 Red Hat Bugzilla 2006-05-24 09:28:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0493.html


Comment 18 Linda Wang 2006-06-23 23:58:55 UTC
*** Bug 186925 has been marked as a duplicate of this bug. ***

