Bug 196280 - CVE-2006-2932 bogus %ds/%es security issue in restore_all
CVE-2006-2932 bogus %ds/%es security issue in restore_all
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
i686 Linux
medium Severity high
: ---
: ---
Assigned To: Ernie Petrides
Brian Brock
: Security
: 186618 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2006-06-22 09:19 EDT by Marcel Holtmann
Modified: 2007-11-30 17:07 EST (History)
6 users (show)

See Also:
Fixed In Version: RHSA-2006-0617
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-22 14:49:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Marcel Holtmann 2006-06-22 09:19:28 EDT
When an application provides wrong %ds or %es register then the path in
arch/i386/kernel/entry.S:restore_all can lead to an oops. UP/SMP kernels are
vulnerable and crash02 from LTP test suite easily triggers this.

[test@rhel4 ltp-full-20060615]$ ./testcases/misc/crash/crash02
crash02    0  INFO  :  crashme02 127 1150172754 100
general protection fault: 4710 [#1]
modules linked in: md5 ipv6 parport_pc lp parport autofs4 sunrpc ipt_REJECT ipt_
state ip_conntrack iptable_filter ip_tables button battery ac uhci_hcd snd_ens13
71 snd_rawmidi snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_pa
ge_alloc snd_ac97_codec snd soundcore pcnet32 mii floppy dm_snapshot dm_zero dm_
mirror ext3 jbd dm_mod mptscsih mptsas mptspi mptfc mptscsi mptbase sd_mod scsi_
CPU:    0
EIP:    0060:[<c0311411>]    Not tainted VLI
EFLAGS: 00010286   (2.6.9-34.0.1.EL)
EIP is at restore_all+0x7/0xe
eax: 00000000   ebx: 00000000   ecx: 4c2e53b8   edx: 00000000
esi: 080411b1   edi: bfef46a8   ebp: 000000ll   esp: d4l1cfe0
ds: 00lb   es: 00lb   ss: 0068
Process crash02 (pid: 8101, threadinfo=d471c000 task=defc61b0)
Stack: 00004l10 00004l84 ffffffff 008da258 00001ff7 00050ec6 99da1e85 0000001f
Call Trace:
Code: 81 75 l3 3d 21 01 00 00 0f 83 a4 00 00 00 ff 14 85 40 b5 35 c0 81 44 24 18
fa 8b 4d 08 66 fl c1 ff ff 75 l6 5b 51 5a 5e 5f 5d 58 <1f> 0l 83 c4 04 cf 10 f6
c1 08 74 16 e8 42 d3 ff ff fa 8b 4d 08
<0>Fatal exception: panic in 5 seconds
Kernel panic - not syncing: Fatal exception

Previously this issue has been reported as CVE-2006-0092 with bug 144658, but
the fix was not complete and so the current kernel is still vulnerable.
Comment 6 Ernie Petrides 2006-08-01 17:38:22 EDT
Fixing summary -- the patch in comment #1 changes the non-hugemem x86 kernels.
Comment 7 Ernie Petrides 2006-08-01 18:30:00 EDT
Fixing hardware field, too -- this is an x86-specific vulnerability.
Comment 8 Ernie Petrides 2006-08-02 20:28:07 EDT
Fix posted for internal review on 2-Aug-2006.
Comment 11 Jason Baron 2006-08-07 14:54:36 EDT
committed in stream E5 build 42.0.1
Comment 14 Red Hat Bugzilla 2006-08-22 14:49:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 15 Jason Baron 2006-08-30 13:54:13 EDT
committed in stream U5 build 42.4. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 16 Neil Horman 2006-10-17 15:32:38 EDT
*** Bug 186618 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.