Bug 431430 - (CVE-2008-1615) CVE-2008-1615 kernel: ptrace: Unprivileged crash on x86_64 %cs corruption
Product: Security Response
Classification: Other
Component: vulnerability
x86_64 Linux
high Severity high
Assigned To: Red Hat Product Security
Martin Jenner
: Reopened, Security
Depends On: 431314 439785 439786 439787 439788 453136
Blocks: 431431
Reported: 2008-02-04 09:11 EST by Jan Kratochvil
Modified: 2010-12-23 11:53 EST

Doc Type: Bug Fix
Last Closed: 2010-12-23 11:53:04 EST

Attachments
untried RHEL5 backport of fix verified on upstream kernel (308 bytes, patch)
2008-02-05 19:27 EST, Roland McGrath
Comment 1 Jan Kratochvil 2008-02-04 17:06:52 EST
RHTS testcases:
Comment 2 Roland McGrath 2008-02-05 19:27:48 EST
Created attachment 294062
untried RHEL5 backport of fix verified on upstream kernel
Comment 4 Jarod Wilson 2008-03-31 10:29:46 EDT
Patched kernel, no crash:

[root@dhcp83-28 ~]# gcc -o x86_64-cs x86_64-cs.c -Wall -ggdb2 -D_GNU_SOURCE
[root@dhcp83-28 ~]# ./x86_64-cs 
x86_64-cs: x86_64-cs.c:129: main: Assertion `((((__extension__ ({ union {
__typeof(status) __in; int __i; } __u; __u.__in = (status); __u.__i; }))) &
0xff) == 0x7f)' failed.

Would that be the expected result?
Comment 5 Jan Lieskovsky 2008-03-31 10:43:54 EDT
Hello Jarod,

uname -a? 

This result as you are posting it, I am experiencing on RHEL-3 (2.4.21-50.EL)
kernel. But there is no "WIFSTOPPED" macro on RHEL-3 kernel. 

[testuser@nec-em11 tmp]$ ./x86_64-cs 
x86_64-cs: x86_64-cs.c:129: main: Assertion `((((__extension__ ({ union {
__typeof(status) __in; int __i; } __u; __u.__in = (status); __u.__i; }))) &
0xff) == 0x7f)' failed.

This means, your patched kernel is behaving like the older RHEL-3. 
But Jan Kratochvil needs to say, if the patched kernel is executing the
mentioned testcase in that way, as it should..
Comment 6 Jarod Wilson 2008-03-31 12:14:40 EDT
My output is from a 2.6.18-87.el5-based x86_64 kernel carrying Roland's patch in
comment #2.
Comment 7 Jan Kratochvil 2008-03-31 12:24:40 EDT
Sorry, going to patch it to just return RC 0 if either it did nothing or if it
returned some error.
Definitely if it did not crash it is PASS as the attempted operation is invalid.
Comment 8 Jan Kratochvil 2008-03-31 13:13:01 EDT
(Comment 7 done.)
It looks right RHEL-3 (kernel-2.4.x) is not vulnerable as if I can cite Roland:

On Wed, 06 Feb 2008 01:03:32 +0100, Roland McGrath wrote:
> I think it's the same from whenever the "paranoidentry" path was
> introduced, which looks like 2.6.4 maybe.
Comment 10 Mike Gahagan 2008-04-29 13:52:10 EDT
No longer seeing a crash on the -91 kernel so I think this particular bug is
fixed, but the testcase itself is failing. Should I open a new bug to handle the

++ cat CRASHER
+ make -C ptrace-tests-0.1/tests x86_64-cs
make[1]: Entering directory `/mnt/tests/ptrace/x86_64-cs/ptrace-tests-0.1/tests'
if gcc -DPACKAGE_NAME=\"ptrace\ regression\ test\ suite\" -DPACKAGE_TARNAME=\"pt
race-tests\" -DPACKAGE_VERSION=\"0.1\" -DPACKAGE_STRING=\"ptrace\ regression\ te
st\ suite\ 0.1\" -DPACKAGE_BUGREPORT=\"utrace-devel@redhat.com\" -DPACKAGE=\"ptr
ace-tests\" -DVERSION=\"0.1\" -D_GNU_SOURCE=1  -I. -I.    -std=gnu99 -Wall -Werr
or -g -O2 -MT x86_64-cs.o -MD -MP -MF ".deps/x86_64-cs.Tpo" -c -o x86_64-cs.o x8
6_64-cs.c; \
        then mv -f ".deps/x86_64-cs.Tpo" ".deps/x86_64-cs.Po"; else rm -f ".deps
/x86_64-cs.Tpo"; exit 1; fi
gcc -std=gnu99 -Wall -Werror -g -O2   -o x86_64-cs  x86_64-cs.o
make[1]: Leaving directory `/mnt/tests/ptrace/x86_64-cs/ptrace-tests-0.1/tests'
+ sync
++ cat CRASHER
+ ptrace-tests-0.1/tests/x86_64-cs
ptrace-tests-0.1/tests/x86_64-cs: WIFSIGNALED - WTERMSIG = 11
x86_64-cs: x86_64-cs.c:140: main: Assertion `0' failed.
./do-my-test: line 26:   512 Aborted                 ptrace-tests-0.1/tests/$(ca
...finished running ./do-my-test, exit code=134
Comment 11 Jan Lieskovsky 2008-05-13 07:02:22 EDT
Attaching link to upstream commit:

Comment 12 Fedora Update System 2008-05-17 18:21:22 EDT
kernel- has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Vincent Danen 2010-12-23 11:53:04 EST
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0237)
Red Hat Enterprise Linux version 5 (RHSA-2008:0275)
MRG Realtime for RHEL 5 Server (RHSA-2008:0585)
