Bug 188935 - CVE-2006-0741 kernel DoS issue
Summary: CVE-2006-0741 kernel DoS issue
Keywords:
Status: CLOSED DUPLICATE of bug 200034
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: kernel
Version: unspecified
Hardware: ia64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://www.kernel.org/git/?p=linux/ke...
Whiteboard: LEGACY
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-04-13 19:07 UTC by James Kosin
Modified: 2007-04-18 17:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-07-24 22:21:36 UTC
Embargoed:

Attachments (Terms of Use)
Patch for CVE-2006-0741 (2.01 KB, patch)
2006-04-13 19:07 UTC, James Kosin 		no flags Details | Diff
Ammended patch for CVE-2006-0741 (1.79 KB, patch)
2006-04-20 13:04 UTC, James Kosin 		no flags Details | Diff
View All

Description James Kosin 2006-04-13 19:07:24 UTC 
This effects all 2.4 kernels at the very least.

[PATCH] Always check that RIPs are canonical during signal handling master
author	Andi Kleen <ak>
	Tue, 11 Apr 2006 10:34:45 +0000 (12:34 +0200)
committer	Marcelo Tosatti <marcelo>
	Wed, 12 Apr 2006 20:16:58 +0000 (15:16 -0500)
commit	e5a190da220758a739a31189440669c37fcd9773
tree	5ce75f4f0a50a2dba708533cb2b855f20cc2894d	tree
parent	09d3b3dcfa80c9094f1748c1be064b9326c9ef2b	commit | commitdiff
[PATCH] Always check that RIPs are canonical during signal handling

First the already existing check in COPY_CANON for sigreturn
wasn't correct. Replace it with a better check against TASK_SIZE.

Also add a check to sigaction which was missing it previously.

This works around a problem in handling non canonical RIPs on SYSRET on Intel
CPUs. They report the #GP on the SYSRET, not the next instruction
as Linux expects it. With these changes this path should never
see a non canonical user RIP.

Roughly based on a patch by Ernie Petrides, but redone by AK.

This is CVE-2006-0741

Cc: petrides
Signed-off-by: Andi Kleen <ak>
arch/x86_64/kernel/signal.c 		blob | diff | history
Comment 1 James Kosin 2006-04-13 19:07:24 UTC 
Created attachment 127720 [details]
Patch for CVE-2006-0741
Comment 2 David Eisenstein 2006-04-13 23:03:31 UTC 
Thanks for posting this here, James, and for the patch.  The CVE says, "Linux
kernel before 2.6.15.5, when running on Intel processors, allows local users to
cause a denial of service ('endless recursive fault') via unknown attack vectors
related to a 'bad elf entry address.'"

Is this an x86_64-only condition??  Am noticing that the patch is for the x86_64
architecture kernel directory...

Potentially affects legacy kernels:

   Distro  i386?  x86_64?    Package
---------  -----  -------    ------------------------------
   RHL7.3    X               kernel-2.4.20-46.7.legacy
   RHL9      X               kernel-2.4.20-46.9.legacy
   FC1       X               kernel-2.4.22-1.2199.8.legacy.nptl
   FC2       X               kernel-2.6.10-2.3.legacy_FC2
   FC3       X       X       kernel-2.6.12-2.3.legacy_FC3

If this is i386 and x86_64, then it affects all distros we support.  If it's
x86_64 only, then it affects only FC3, as Legacy doesn't support x86_64 packages
for any other distros...
Comment 3 James Kosin 2006-04-14 12:20:36 UTC 
Hmmm....

It may be a security issue if anyone builds their own kernel for x86_64 on the 
platforms that legacy only ships i386 packages for.  From the sources provided 
by such packages.

It is just for x86_64 though.  The file patched is in that directory.

--James
Comment 4 James Kosin 2006-04-20 13:01:30 UTC 
The author is still working on the issue.  I've attached another ammended patch 
to help fix the issue.
Comment 5 James Kosin 2006-04-20 13:04:38 UTC 
Created attachment 128037 [details]
Ammended patch for CVE-2006-0741

This patch goes with the last patch.  We can build a single patch when
complete.
Comment 6 Marc Deslauriers 2006-07-24 22:21:36 UTC 

*** This bug has been marked as a duplicate of 200034 ***
Note You need to log in before you can comment on or make changes to this bug.