Bug 196280 - CVE-2006-2932 bogus %ds/%es security issue in restore_all
Summary: CVE-2006-2932 bogus %ds/%es security issue in restore_all
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: i686
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
: ---
Assignee: Ernie Petrides
QA Contact: Brian Brock
URL:
Whiteboard: impact=important,source=secalert,repo...
Duplicates: 186618
Depends On:
Blocks:
Reported: 2006-06-22 13:19 UTC by Marcel Holtmann
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2006-0617
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-22 18:49:24 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata | ID: RHSA-2006:0617 | Priority: normal | Status: SHIPPED_LIVE | Summary: Important: kernel security update | Last Updated: 2006-08-22 04:00:00 UTC

Description Marcel Holtmann 2006-06-22 13:19:28 UTC
When an application provides a wrong %ds or %es register, the path in
arch/i386/kernel/entry.S:restore_all can lead to an oops. UP/SMP kernels are
vulnerable, and crash02 from the LTP test suite easily triggers this.

[test@rhel4 ltp-full-20060615]$ ./testcases/misc/crash/crash02
crash02    0  INFO  :  crashme02 127 1150172754 100
general protection fault: 4710 [#1]
modules linked in: md5 ipv6 parport_pc lp parport autofs4 sunrpc ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables button battery ac uhci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore pcnet32 mii floppy dm_snapshot dm_zero dm_mirror ext3 jbd dm_mod mptscsih mptsas mptspi mptfc mptscsi mptbase sd_mod scsi_mod
CPU:    0
EIP:    0060:[<c0311411>]    Not tainted VLI
EFLAGS: 00010286   (2.6.9-34.0.1.EL)
EIP is at restore_all+0x7/0xe
eax: 00000000   ebx: 00000000   ecx: 4c2e53b8   edx: 00000000
esi: 080411b1   edi: bfef46a8   ebp: 00000011   esp: d411cfe0
ds: 001b   es: 001b   ss: 0068
Process crash02 (pid: 8101, threadinfo=d471c000 task=defc61b0)
Stack: 00004110 00004184 ffffffff 008da258 00001ff7 00050ec6 99da1e85 0000001f
Call Trace:
Code: 81 75 13 3d 21 01 00 00 0f 83 a4 00 00 00 ff 14 85 40 b5 35 c0 81 44 24 18
fa 8b 4d 08 66 f1 c1 ff ff 75 16 5b 51 5a 5e 5f 5d 58 <1f> 01 83 c4 04 cf 10 f6
c1 08 74 16 e8 42 d3 ff ff fa 8b 4d 08
<0>Fatal exception: panic in 5 seconds
Kernel panic - not syncing: Fatal exception

Previously, this issue was reported as CVE-2006-0092 in bug 144658, but
the fix was not complete, so the current kernel is still vulnerable.

Comment 6 Ernie Petrides 2006-08-01 21:38:22 UTC
Fixing summary -- the patch in comment #1 changes the non-hugemem x86 kernels.

Comment 7 Ernie Petrides 2006-08-01 22:30:00 UTC
Fixing hardware field, too -- this is an x86-specific vulnerability.

Comment 8 Ernie Petrides 2006-08-03 00:28:07 UTC
Fix posted for internal review on 2-Aug-2006.

Comment 11 Jason Baron 2006-08-07 18:54:36 UTC
committed in stream E5 build 42.0.1

Comment 14 Red Hat Bugzilla 2006-08-22 18:49:24 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0617.html


Comment 15 Jason Baron 2006-08-30 17:54:13 UTC
committed in stream U5 build 42.4. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 16 Neil Horman 2006-10-17 19:32:38 UTC
*** Bug 186618 has been marked as a duplicate of this bug. ***
