Bug 433938 (CVE-2008-0598) - CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data
Summary: CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data
Status: CLOSED ERRATA
Alias: CVE-2008-0598
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20080625,reported=20080221,imp...
Keywords: Security
Depends On: 433941 433942 433943 433944 433945 453136 459505
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-02-22 09:28 UTC by Jan Lieskovsky
Modified: 2019-06-08 12:28 UTC (History)
15 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2010-12-23 16:30:39 UTC


Attachments (Terms of Use)
Patch as used in Red Hat Enterprise Linux 5 kernel-2.6.18-92.1.6.el5 (3.31 KB, patch)
2008-07-15 08:37 UTC, Tomas Hoger
no flags Details | Diff
Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL (931 bytes, patch)
2008-07-15 08:38 UTC, Tomas Hoger
no flags Details | Diff
xx.c (317 bytes, text/x-csrc)
2008-09-09 15:09 UTC, Marcus Meissner
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0508 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-06-25 15:18:03 UTC
Red Hat Product Errata RHSA-2008:0519 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-06-25 15:47:49 UTC
Red Hat Product Errata RHSA-2008:0973 normal SHIPPED_LIVE Important: kernel security and bug fix update 2008-12-17 03:18:50 UTC
Red Hat Product Errata RHSA-2009:0009 normal SHIPPED_LIVE Important: kernel security and bug fix update 2009-01-22 10:43:54 UTC

Description Jan Lieskovsky 2008-02-22 09:28:32 UTC
Description of problem:

Tavis Ormandy has found a simple way how to leak data from other processes.

See reproducer for more details.

Comment 18 Mark J. Cox 2008-06-25 13:01:19 UTC
removing embargo.

* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and
64-bit emulation. This could allow a local unprivileged user to prepare and
run a specially crafted binary, which would use this deficiency to leak
uninitialized and potentially sensitive data. (CVE-2008-0598, Important)

Comment 20 Tomas Hoger 2008-07-15 08:37:47 UTC
Created attachment 311794 [details]
Patch as used in Red Hat Enterprise Linux 5 kernel-2.6.18-92.1.6.el5

First included in: https://rhn.redhat.com/errata/RHSA-2008-0519.html

Comment 21 Tomas Hoger 2008-07-15 08:38:53 UTC
Created attachment 311795 [details]
Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL

First included in: https://rhn.redhat.com/errata/RHSA-2008-0508.html

Comment 22 Eugene Teo (Security Response) 2008-07-28 07:56:08 UTC
(In reply to comment #21)
> Created an attachment (id=311795) [edit]
> Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL

This refers to linux-2.6.9-x86_64-copy_user-zero-tail.patch.



Comment 37 Marcus Meissner 2008-09-09 15:07:16 UTC
the 2.6.9 patch is probably wrong.

Comment 38 Marcus Meissner 2008-09-09 15:09:06 UTC
Created attachment 316196 [details]
xx.c

gcc -o xx xx.c
./xx


extracted from LTP read02 testcase.

on bad kernel it will result in:
unexpected success with bad address, ret 0x79680000

on a good kernel it will result in:
read: Bad address

Comment 39 Eugene Teo (Security Response) 2008-09-09 15:27:20 UTC
(In reply to comment #38)
> Created an attachment (id=316196) [details]
> xx.c
> 
> gcc -o xx xx.c
> ./xx
> 
> 
> extracted from LTP read02 testcase.
> 
> on bad kernel it will result in:
> unexpected success with bad address, ret 0x79680000
> 
> on a good kernel it will result in:
> read: Bad address

Thanks Marcus. This is addressed in bug #453053.

Comment 44 Vincent Danen 2010-12-23 16:30:39 UTC
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0508)
Red Hat Enterprise Linux version 5 (RHSA-2008:0519)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)


Note You need to log in before you can comment on or make changes to this bug.