This affects all 2.4 kernels at the very least.

[PATCH] Always check that RIPs are canonical during signal handling

author:    Andi Kleen <ak>, Tue, 11 Apr 2006 10:34:45 +0000 (12:34 +0200)
committer: Marcelo Tosatti <marcelo>, Wed, 12 Apr 2006 20:16:58 +0000 (15:16 -0500)
commit:    e5a190da220758a739a31189440669c37fcd9773
tree:      5ce75f4f0a50a2dba708533cb2b855f20cc2894d
parent:    09d3b3dcfa80c9094f1748c1be064b9326c9ef2b

[PATCH] Always check that RIPs are canonical during signal handling

First, the already existing check in COPY_CANON for sigreturn wasn't correct. Replace it with a better check against TASK_SIZE.

Also add a check to sigaction, which was missing it previously.

This works around a problem in handling non-canonical RIPs on SYSRET on Intel CPUs. They report the #GP on the SYSRET, not on the next instruction as Linux expects. With these changes this path should never see a non-canonical user RIP.

Roughly based on a patch by Ernie Petrides, but redone by AK.

This is CVE-2006-0741

Cc: petrides
Signed-off-by: Andi Kleen <ak>

Files changed: arch/x86_64/kernel/signal.c
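As a user-space illustration of the check described in that commit message (an added example, not the kernel's code and not from the patch attached to this bug): on a 48-bit-VA x86_64 CPU an address is canonical only when bits 63..47 are all copies of bit 47, and the patch sidesteps the hole entirely by refusing any user RIP at or above TASK_SIZE, since everything below that bound is canonical by construction. The TASK_SIZE value used here (1 << 47) is an assumption for illustration; the real constant lives in the kernel headers and is not given on this page.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed for illustration only: top of the 64-bit user address range.
 * The kernel's actual TASK_SIZE is defined in its headers, not on this page. */
#define EXAMPLE_TASK_SIZE (1ULL << 47)

/* Implemented virtual-address bits on the CPUs the commit discusses. */
#define VA_BITS 48

/* A 64-bit virtual address is canonical when bits 63..(VA_BITS-1) are all
 * equal to bit VA_BITS-1, i.e. the value sign-extends from VA_BITS bits.
 * Loading anything else into RIP (e.g. via SYSRET) raises #GP. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);              /* bits 63..47, 17 bits wide */
    uint64_t all_ones = (1ULL << (64 - VA_BITS + 1)) - 1; /* 0x1ffff */
    return top == 0 || top == all_ones;
}

/* The bound the commit replaces COPY_CANON with: a RIP restored by sigreturn,
 * or installed as a handler through sigaction, must lie below TASK_SIZE.
 * Every address below 1<<47 has bits 63..47 clear, so this single comparison
 * also rules out the non-canonical hole and the kernel half of the space. */
bool user_rip_ok(uint64_t rip)
{
    return rip < EXAMPLE_TASK_SIZE;
}

/* Sample RIPs (constructed for this example): typical text address, the last
 * user address under the assumed bound, the first non-canonical address,
 * a non-canonical value with garbage in the top bits, and a kernel address. */
static const uint64_t sample_rips[] = {
    0x0000000000400000ULL,
    EXAMPLE_TASK_SIZE - 1,
    0x0000800000000000ULL,
    0x0000ffffffffffffULL,
    0xffff800000000000ULL,
};

int main(void)
{
    for (size_t i = 0; i < sizeof sample_rips / sizeof sample_rips[0]; i++) {
        uint64_t rip = sample_rips[i];
        printf("rip=0x%016llx canonical=%d accepted=%d\n",
               (unsigned long long)rip, is_canonical(rip), user_rip_ok(rip));
    }
    return 0;
}
```

The point the SYSRET behaviour makes is that the check has to happen before the kernel ever tries to return to the address: once a non-canonical value is in the signal frame and the kernel executes SYSRET, the #GP fault is attributed to the kernel instruction itself, which is the path the CVE describes as an endless recursive fault.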
Created attachment 127720
Patch for CVE-2006-0741
Thanks for posting this here, James, and for the patch.

The CVE says, "Linux kernel before 2.6.15.5, when running on Intel processors, allows local users to cause a denial of service ('endless recursive fault') via unknown attack vectors related to a 'bad elf entry address.'"

Is this an x86_64-only condition? Am noticing that the patch is for the x86_64 architecture kernel directory...

Potentially affects legacy kernels:

Distro   i386?  x86_64?  Package
------   -----  -------  ------------------------------
RHL7.3   X               kernel-2.4.20-46.7.legacy
RHL9     X               kernel-2.4.20-46.9.legacy
FC1      X               kernel-2.4.22-1.2199.8.legacy.nptl
FC2      X               kernel-2.6.10-2.3.legacy_FC2
FC3      X      X        kernel-2.6.12-2.3.legacy_FC3

If this is i386 and x86_64, then it affects all distros we support. If it's x86_64 only, then it affects only FC3, as Legacy doesn't support x86_64 packages for any other distros...
Hmmm.... It may be a security issue if anyone builds their own kernel for x86_64, from the sources provided by such packages, on the platforms for which Legacy only ships i386 packages. It is just for x86_64 though; the file patched is in that directory.

--James
The author is still working on the issue. I've attached another amended patch to help fix the issue.
Created attachment 128037
Amended patch for CVE-2006-0741

This patch goes with the last patch. We can build a single patch when complete.
*** This bug has been marked as a duplicate of 200034 ***