Bug 183489 - CVE-2006-0741 bad elf entry address (CVE-2006-0744)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: x86_64 Linux
Priority: medium
Severity: high
Assigned To: Ernie Petrides
QA Contact: Brian Brock
Whiteboard: reported=20060226,source=bk,impact=im...
Keywords: Security
Reported: 2006-03-01 09:39 EST by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHSA-2006-0493
Doc Type: Bug Fix
Last Closed: 2006-05-24 05:28:30 EDT

Attachments
patch posted for internal review today to address this (2.92 KB, patch) - 2006-03-15 19:04 EST, Ernie Petrides
revised patch posted for internal re-review tonight (3.10 KB, patch) - 2006-03-30 22:47 EST, Ernie Petrides

Description Mark J. Cox (Product Security) 2006-03-01 09:39:34 EST
http://linux.bkbits.net:8080/linux-2.6/cset@4401eb1byTR_y2KtLU4V7RCcTlhdgw

"[PATCH] x86_64: Check for bad elf entry address.

Fixes a local DOS on Intel systems that lead to an endless
recursive fault.  AMD machines don't seem to be affected."
Comment 6 Mark J. Cox (Product Security) 2006-03-10 05:23:39 EST
Comment #5 From Ernie Petrides (petrides@redhat.com) on 2006-03-09 17:22 EST

Created an attachment (id=125908)
patch posted for internal review today to address this

The attached patch addresses all known vulnerabilities of EM64T
cpus returning to user-space at non-canonical RIP values.


Comment #6 From Mark J. Cox (Security Response Team) (mjc@redhat.com) on

Whilst fixing a fix for invalid ELF Ernie discovered signal catching is still
vulnerable, with a trivial test case causing a double-fault on EM64T-based
systems.  Allocated CVE-2006-0744.  The patch above addresses CVE-2006-0741 and
CVE-2006-0744.

Comment 8 Ernie Petrides 2006-03-15 18:30:27 EST
The 2nd upstream commit listed above has been found to cause regressions
and has been reverted by Linus yesterday.  I've decided to port the RHEL3
patch from bug 183492 comment #5 instead.
Comment 9 Ernie Petrides 2006-03-15 19:04:06 EST
Created attachment 126179 [details]
patch posted for internal review today to address this

The attached patch addresses all known vulnerabilities of EM64T
cpus returning to user-space at non-canonical RIP values.
Comment 10 Ernie Petrides 2006-03-30 22:47:07 EST
Created attachment 127095 [details]
revised patch posted for internal re-review tonight

This updated version of the patch in comment #9 addresses a regression
in the RIP validation check introduced in restore_sigcontext().  The
x86_64 "vsyscall" region must be excluded from the invalid addr range.
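To make the check described in comment #10 concrete, here is an added example (not the RHEL patch, whose code is not on this page) of validating a RIP taken from a user-controlled signal frame before it is restored. It assumes a 48-bit virtual address width and the 2.6-era fixed vsyscall page at 0xffffffffff600000, and it refuses the whole kernel half rather than only non-canonical addresses, which is exactly what makes the vsyscall carve-out necessary.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86_64 canonical form: with a 48-bit virtual address width (assumed here),
 * bits 63..47 must all equal bit 47. Returning to user space at a RIP that
 * breaks this rule is the condition the two CVEs on this bug describe. */
#define VA_BITS 48

/* The fixed vsyscall page of 2.6-era x86_64 kernels lives in the kernel half
 * but is legitimately executed by user code. Bounds are an assumption made
 * for this example; the RHEL patch's own constants are not on the page. */
#define VSYSCALL_START 0xffffffffff600000ULL
#define VSYSCALL_END   (VSYSCALL_START + 0x1000ULL)

static bool rip_is_canonical(uint64_t rip)
{
    uint64_t top = rip >> (VA_BITS - 1);            /* bits 63..47 */
    return top == 0 || top == (1ULL << (64 - VA_BITS + 1)) - 1;
}

/* Validate a RIP from a user-controlled signal frame before the kernel would
 * restore it. Everything in the kernel half is refused, except the vsyscall
 * page, whose wrongful rejection is the regression comment #10 fixes. */
static bool user_rip_restorable(uint64_t rip)
{
    if (!rip_is_canonical(rip))
        return false;          /* non-canonical: the fault-on-return case */
    if (rip >= VSYSCALL_START && rip < VSYSCALL_END)
        return true;           /* carve-out for the vsyscall page */
    return (rip >> 63) == 0;   /* otherwise only the user half is allowed */
}

int main(void)
{
    /* Constructed sample addresses covering each branch of the check. */
    const uint64_t samples[] = {
        0x0000000000400000ULL,  /* typical user text */
        0x0000800000000000ULL,  /* first non-canonical address */
        0xffff7fffffffffffULL,  /* last non-canonical address */
        0xffffffffff600000ULL,  /* vsyscall page: allowed */
        0xffffffff80000000ULL,  /* canonical kernel text: refused */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx canonical=%d restorable=%d\n",
               (unsigned long long)samples[i],
               rip_is_canonical(samples[i]), user_rip_restorable(samples[i]));
    return 0;
}
```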
Comment 11 Jason Baron 2006-04-05 14:14:08 EDT
Committed in stream U4 build 34.12. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 16 Red Hat Bugzilla 2006-05-24 05:28:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0493.html
Comment 18 Linda Wang 2006-06-23 19:58:55 EDT
*** Bug 186925 has been marked as a duplicate of this bug. ***
