Bug 431430 (CVE-2008-1615) - CVE-2008-1615 kernel: ptrace: Unprivileged crash on x86_64 %cs corruption
Summary: CVE-2008-1615 kernel: ptrace: Unprivileged crash on x86_64 %cs corruption
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1615
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Martin Jenner
URL:
Whiteboard: impact=important,source=redhat,public...
Depends On: 431314 439785 439786 439787 439788 453136
Blocks: 431431
 
Reported: 2008-02-04 14:11 UTC by Jan Kratochvil
Modified: 2019-06-08 12:27 UTC (History)
CC: 6 users

Fixed In Version: 2.6.23.17-88.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-23 16:53:04 UTC


Attachments
untried RHEL5 backport of fix verified on upstream kernel (308 bytes, patch)
2008-02-06 00:27 UTC, Roland McGrath


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0237 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-05-07 07:28:59 UTC
Red Hat Product Errata RHSA-2008:0275 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-05-20 09:58:29 UTC
Red Hat Product Errata RHSA-2008:0585 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-08-26 19:56:57 UTC

Comment 1 Jan Kratochvil 2008-02-04 22:06:52 UTC
RHTS testcases:
/kernel/syscalls/ptrace/x86_64-cs
/kernel/syscalls/ptrace/x86_64-cs-biarch


Comment 2 Roland McGrath 2008-02-06 00:27:48 UTC
Created attachment 294062 [details]
untried RHEL5 backport of fix verified on upstream kernel

Comment 4 Jarod Wilson 2008-03-31 14:29:46 UTC
Patched kernel, no crash:

[root@dhcp83-28 ~]# gcc -o x86_64-cs x86_64-cs.c -Wall -ggdb2 -D_GNU_SOURCE
[root@dhcp83-28 ~]# ./x86_64-cs 
x86_64-cs: x86_64-cs.c:129: main: Assertion `((((__extension__ ({ union { __typeof(status) __in; int __i; } __u; __u.__in = (status); __u.__i; }))) & 0xff) == 0x7f)' failed.
Aborted

Would that be the expected result?

Comment 5 Jan Lieskovsky 2008-03-31 14:43:54 UTC
Hello Jarod,

uname -a? 

This result, as you are posting it, I am experiencing on the RHEL-3 (2.4.21-50.EL)
kernel. But there is no "WIFSTOPPED" macro on the RHEL-3 kernel.

[testuser@nec-em11 tmp]$ ./x86_64-cs 
x86_64-cs: x86_64-cs.c:129: main: Assertion `((((__extension__ ({ union { __typeof(status) __in; int __i; } __u; __u.__in = (status); __u.__i; }))) & 0xff) == 0x7f)' failed.
Aborted

This means your patched kernel is behaving like the older RHEL-3.
But Jan Kratochvil needs to say whether the patched kernel is executing the
mentioned testcase in that way, as it should.

Comment 6 Jarod Wilson 2008-03-31 16:14:40 UTC
My output is from a 2.6.18-87.el5-based x86_64 kernel carrying Roland's patch in
comment #2.

Comment 7 Jan Kratochvil 2008-03-31 16:24:40 UTC
Sorry, going to patch it to just return RC 0 if either it did nothing or if it
returned some error.
Definitely if it did not crash it is PASS as the attempted operation is invalid.


Comment 8 Jan Kratochvil 2008-03-31 17:13:01 UTC
(Comment 7 done.)
It looks right that RHEL-3 (kernel-2.4.x) is not vulnerable, if I can cite Roland:

On Wed, 06 Feb 2008 01:03:32 +0100, Roland McGrath wrote:
...
> I think it's the same from whenever the "paranoidentry" path was
> introduced, which looks like 2.6.4 maybe.


Comment 10 Mike Gahagan 2008-04-29 17:52:10 UTC
No longer seeing a crash on the -91 kernel so I think this particular bug is
fixed, but the testcase itself is failing. Should I open a new bug to handle the
failure?

++ cat CRASHER
+ make -C ptrace-tests-0.1/tests x86_64-cs
make[1]: Entering directory `/mnt/tests/ptrace/x86_64-cs/ptrace-tests-0.1/tests'
if gcc -DPACKAGE_NAME=\"ptrace\ regression\ test\ suite\" -DPACKAGE_TARNAME=\"ptrace-tests\" -DPACKAGE_VERSION=\"0.1\" -DPACKAGE_STRING=\"ptrace\ regression\ test\ suite\ 0.1\" -DPACKAGE_BUGREPORT=\"utrace-devel@redhat.com\" -DPACKAGE=\"ptrace-tests\" -DVERSION=\"0.1\" -D_GNU_SOURCE=1  -I. -I.    -std=gnu99 -Wall -Werror -g -O2 -MT x86_64-cs.o -MD -MP -MF ".deps/x86_64-cs.Tpo" -c -o x86_64-cs.o x86_64-cs.c; \
        then mv -f ".deps/x86_64-cs.Tpo" ".deps/x86_64-cs.Po"; else rm -f ".deps/x86_64-cs.Tpo"; exit 1; fi
gcc -std=gnu99 -Wall -Werror -g -O2   -o x86_64-cs  x86_64-cs.o
make[1]: Leaving directory `/mnt/tests/ptrace/x86_64-cs/ptrace-tests-0.1/tests'
+ sync
++ cat CRASHER
+ ptrace-tests-0.1/tests/x86_64-cs
ptrace-tests-0.1/tests/x86_64-cs: WIFSIGNALED - WTERMSIG = 11
x86_64-cs: x86_64-cs.c:140: main: Assertion `0' failed.
./do-my-test: line 26:   512 Aborted                 ptrace-tests-0.1/tests/$(cat CRASHER)
...finished running ./do-my-test, exit code=134

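Comments 4, 5, 7 and 10 turn on how the testcase interprets the wait status of the traced child: a tracee that is merely stopped (the invalid ptrace request was refused or did nothing) or that exits cleanly is a PASS, while a tracee killed by a signal (comment 10's "WIFSIGNALED - WTERMSIG = 11") is the failure mode. The following is an added illustration of that verdict logic, not the ptrace-tests code and not the attached patch; the function names, the verdict enum and the constructed status values are assumptions. It performs only a PTRACE_TRACEME/SIGSTOP/PTRACE_CONT round trip and writes no registers.

```c
/* Added example: wait-status verdict logic in the spirit of the
 * ptrace-tests harness discussed above. Names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

enum verdict { VERDICT_PASS = 0, VERDICT_CRASH = 1, VERDICT_UNEXPECTED = 2 };

/* Comment 7's rule: stopped (request refused / did nothing) or a clean
 * exit is PASS; death by signal (e.g. WTERMSIG = 11, SIGSEGV) is the
 * crash case the bug is about. 'why' receives a one-line explanation
 * in the same style as the harness output quoted in comment 10. */
static enum verdict classify_status(int status, char *why, size_t why_len)
{
    if (WIFSTOPPED(status)) {
        snprintf(why, why_len, "WIFSTOPPED - WSTOPSIG = %d", WSTOPSIG(status));
        return VERDICT_PASS;
    }
    if (WIFEXITED(status)) {
        snprintf(why, why_len, "WIFEXITED - WEXITSTATUS = %d", WEXITSTATUS(status));
        return WEXITSTATUS(status) == 0 ? VERDICT_PASS : VERDICT_UNEXPECTED;
    }
    if (WIFSIGNALED(status)) {
        snprintf(why, why_len, "WIFSIGNALED - WTERMSIG = %d", WTERMSIG(status));
        return VERDICT_CRASH;
    }
    snprintf(why, why_len, "unrecognised status 0x%x", status);
    return VERDICT_UNEXPECTED;
}

/* Convenience wrapper when the explanation text is not needed. */
static enum verdict classify_raw(int status)
{
    char why[64];
    return classify_status(status, why, sizeof why);
}

/* Constructed raw wait statuses in the Linux encoding (core-dump flag
 * omitted), so the classifier can be exercised without forking:
 * stopped = 0x7f | sig<<8, killed by signal = sig, exited = code<<8. */
static int make_stopped_status(int sig) { return 0x7f | (sig << 8); }
static int make_killed_status(int sig)  { return sig & 0x7f; }
static int make_exited_status(int code) { return (code & 0xff) << 8; }

/* Minimal tracer round trip: the child asks to be traced and stops
 * itself; the parent classifies the stop, resumes the child and
 * classifies its final status. Returns 0 for PASS, 1 for FAIL,
 * 2 for harness error. Deliberately touches no registers. */
static int run_harness(void)
{
    char why[64];
    int status;
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 2; }
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(3);
        raise(SIGSTOP);            /* hand control to the tracer */
        _exit(0);
    }
    if (waitpid(child, &status, 0) != child) { perror("waitpid"); return 2; }
    enum verdict v = classify_status(status, why, sizeof why);
    printf("initial stop: %s -> %s\n", why, v == VERDICT_PASS ? "PASS" : "FAIL");
    if (v != VERDICT_PASS) return 1;

    if (ptrace(PTRACE_CONT, child, NULL, NULL) < 0) {
        perror("PTRACE_CONT");
        kill(child, SIGKILL);
        return 2;
    }
    if (waitpid(child, &status, 0) != child) { perror("waitpid"); return 2; }
    v = classify_status(status, why, sizeof why);
    printf("final status: %s -> %s\n", why, v == VERDICT_PASS ? "PASS" : "FAIL");
    return v == VERDICT_PASS ? 0 : 1;
}

int main(void)
{
    return run_harness();
}
```

On a healthy kernel the harness prints a SIGSTOP stop followed by a clean exit and returns 0; the three make_*_status helpers let the verdict table be checked against constructed statuses (including WTERMSIG = 11) without depending on the outcome of a live tracee.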

Comment 11 Jan Lieskovsky 2008-05-13 11:02:22 UTC
Attaching link to upstream commit:

http://marc.info/?l=linux-kernel&m=120219781932243

Comment 12 Fedora Update System 2008-05-17 22:21:22 UTC
kernel-2.6.23.17-88.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Vincent Danen 2010-12-23 16:53:04 UTC
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0237)
Red Hat Enterprise Linux version 5 (RHSA-2008:0275)
MRG Realtime for RHEL 5 Server (RHSA-2008:0585)

