Bug 433938 - (CVE-2008-0598) CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: public=20080625,reported=20080221,imp...
Keywords: Security
Depends On: 433941 433942 433943 433944 433945 453136 459505
 
Reported: 2008-02-22 04:28 EST by Jan Lieskovsky
Modified: 2010-12-23 11:30 EST
Doc Type: Bug Fix
Last Closed: 2010-12-23 11:30:39 EST

Attachments
Patch as used in Red Hat Enterprise Linux 5 kernel-2.6.18-92.1.6.el5 (3.31 KB, patch), 2008-07-15 04:37 EDT, Tomas Hoger
Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL (931 bytes, patch), 2008-07-15 04:38 EDT, Tomas Hoger
xx.c (317 bytes, text/x-csrc), 2008-09-09 11:09 EDT, Marcus Meissner

Description Jan Lieskovsky 2008-02-22 04:28:32 EST
Description of problem:

Tavis Ormandy has found a simple way to leak data from other processes.

See reproducer for more details.
Comment 18 Mark J. Cox (Product Security) 2008-06-25 09:01:19 EDT
Removing embargo.

* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and
64-bit emulation. This could allow a local unprivileged user to prepare and
run a specially crafted binary, which would use this deficiency to leak
uninitialized and potentially sensitive data. (CVE-2008-0598, Important)
Comment 20 Tomas Hoger 2008-07-15 04:37:47 EDT
Created attachment 311794 [details]
Patch as used in Red Hat Enterprise Linux 5 kernel-2.6.18-92.1.6.el5

First included in: https://rhn.redhat.com/errata/RHSA-2008-0519.html
Comment 21 Tomas Hoger 2008-07-15 04:38:53 EDT
Created attachment 311795 [details]
Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL

First included in: https://rhn.redhat.com/errata/RHSA-2008-0508.html
Comment 22 Eugene Teo (Security Response) 2008-07-28 03:56:08 EDT
(In reply to comment #21)
> Created an attachment (id=311795) [edit]
> Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL

This refers to linux-2.6.9-x86_64-copy_user-zero-tail.patch.
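
The patch name, copy_user-zero-tail, points at the contract behind this bug: when copy_from_user faults partway through, the Linux kernel's documented behaviour is to pad the rest of the kernel destination buffer with zeros, so that a caller which does not act on the short count never sees whatever the buffer held before. The following user-space model is added here for illustration; it is not part of this bug, of Red Hat's patches, or of the kernel. The fault boundary, the stale buffer contents and the request bytes are constructed for the demonstration, and the two copy routines are simplified stand-ins, not the real x86_64 copy_user implementations.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KBUF_LEN 16   /* size of the modelled kernel buffer (constructed) */

/* Model of a user-space source: a byte array of which only the first
 * `readable` bytes can be accessed; touching anything beyond them faults. */
struct fake_user {
    const uint8_t *base;
    size_t readable;
};

typedef size_t (*copy_fn)(void *dst, const struct fake_user *src, size_t n);

/* Buggy variant: stops at the fault and reports the uncopied count (the
 * Linux convention), but leaves dst[copied..n) exactly as it was. */
size_t copy_from_user_leaky(void *dst, const struct fake_user *src, size_t n)
{
    size_t copied = n < src->readable ? n : src->readable;
    memcpy(dst, src->base, copied);
    return n - copied;
}

/* Variant honouring the copy_from_user contract: the uncopied tail of the
 * destination is padded with zeros before returning. */
size_t copy_from_user_zero_tail(void *dst, const struct fake_user *src, size_t n)
{
    size_t copied = n < src->readable ? n : src->readable;
    memcpy(dst, src->base, copied);
    memset((uint8_t *)dst + copied, 0, n - copied);
    return n - copied;
}

/* Stale content the kernel buffer held before this request (constructed,
 * standing in for uninitialized kernel memory). */
static uint8_t stale_byte(size_t i) { return (uint8_t)(0xA0 + i); }

/* Model of a careless compat syscall: copy the request in, ignore the short
 * count, and treat the whole buffer as valid (as if it were about to be
 * copied back to user space). Returns how many bytes of the old kernel
 * contents survive in the buffer, i.e. how many bytes would leak. */
size_t stale_bytes_leaked(copy_fn copy, size_t readable)
{
    uint8_t kbuf[KBUF_LEN];
    for (size_t i = 0; i < KBUF_LEN; i++)
        kbuf[i] = stale_byte(i);

    const uint8_t request[KBUF_LEN] = { 'A','B','C','D','E','F','G','H',
                                        'I','J','K','L','M','N','O','P' };
    struct fake_user u = { request, readable };

    (void)copy(kbuf, &u, KBUF_LEN);   /* return value ignored: the bug pattern */

    size_t leaked = 0;
    for (size_t i = 0; i < KBUF_LEN; i++)
        if (i >= readable && kbuf[i] == stale_byte(i))
            leaked++;
    return leaked;
}

int main(void)
{
    printf("fault after 4 bytes, leaky copy:     %zu stale bytes exposed\n",
           stale_bytes_leaked(copy_from_user_leaky, 4));
    printf("fault after 4 bytes, zero-tail copy: %zu stale bytes exposed\n",
           stale_bytes_leaked(copy_from_user_zero_tail, 4));
    printf("no fault, leaky copy:                %zu stale bytes exposed\n",
           stale_bytes_leaked(copy_from_user_leaky, KBUF_LEN));
    return 0;
}
```

The number to watch is the stale byte count for the leaky variant after a fault: every one of those bytes is old kernel memory that a later copy back to user space would expose. A caller that checks the return value and fails with -EFAULT closes the same hole from its own side, but the zero-tail guarantee is what protects the callers that do not.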

Comment 37 Marcus Meissner 2008-09-09 11:07:16 EDT
The 2.6.9 patch is probably wrong.
Comment 38 Marcus Meissner 2008-09-09 11:09:06 EDT
Created attachment 316196 [details]
xx.c

gcc -o xx xx.c
./xx

Extracted from the LTP read02 testcase.

On a bad kernel it will result in:
unexpected success with bad address, ret 0x79680000

On a good kernel it will result in:
read: Bad address
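
The check described in the comment above, read(2) into a buffer the kernel cannot write, as a stand-alone C program. It is added here for illustration: it is not the xx.c attachment (whose contents are not on this page) and not LTP's read02 itself. The program creates a small temporary file to read from and maps one PROT_NONE page as the bad address; both are constructed for the example. A correct kernel must refuse the read with EFAULT, which perror reports as "Bad address".

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one page with PROT_NONE: a valid address range the kernel cannot
 * write to, so the copy into it must fault. Returns MAP_FAILED on error. */
void *map_bad_address(size_t *len)
{
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) return MAP_FAILED;
    *len = (size_t)ps;
    return mmap(NULL, *len, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
}

/* Create and open a small temporary file to read from (constructed input,
 * unlinked immediately so nothing is left behind). Returns an fd or -1. */
int open_sample_file(void)
{
    char path[] = "/tmp/read02-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    static const char data[] = "constructed sample contents for read02\n";
    if (write(fd, data, sizeof data - 1) != (ssize_t)(sizeof data - 1) ||
        lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* read(2) into the unwritable page and classify the result:
 *   1  -> kernel refused with EFAULT (correct behaviour)
 *   0  -> call "succeeded" or failed with something else (the bad case)
 *  -1  -> the test could not be set up
 * ret and err, if non-NULL, receive the raw return value and errno. */
int read_into_bad_address(ssize_t *ret, int *err)
{
    int fd = open_sample_file();
    if (fd < 0) return -1;

    size_t len = 0;
    void *buf = map_bad_address(&len);
    if (buf == MAP_FAILED) { close(fd); return -1; }

    errno = 0;
    ssize_t r = read(fd, buf, 64);   /* 64 bytes, well inside the page */
    int e = errno;

    munmap(buf, len);
    close(fd);
    if (ret) *ret = r;
    if (err) *err = e;
    return (r == -1 && e == EFAULT) ? 1 : 0;
}

int main(void)
{
    ssize_t r = 0;
    int e = 0;
    int verdict = read_into_bad_address(&r, &e);
    if (verdict == 1) {
        printf("read: %s\n", strerror(e));   /* "Bad address" on a good kernel */
        return 0;
    }
    if (verdict == 0) {
        printf("unexpected result with bad address, ret %zd, errno %d\n", r, e);
        return 1;
    }
    perror("setup");
    return 2;
}
```

A non-zero exit status from the program means either the setup failed (status 2) or the kernel let the read through or failed it with a different error (status 1); only the EFAULT path exits 0, so it can be dropped into a regression script as-is.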
Comment 39 Eugene Teo (Security Response) 2008-09-09 11:27:20 EDT
(In reply to comment #38)
> Created an attachment (id=316196) [details]
> xx.c
> 
> gcc -o xx xx.c
> ./xx
> 
> Extracted from the LTP read02 testcase.
> 
> On a bad kernel it will result in:
> unexpected success with bad address, ret 0x79680000
> 
> On a good kernel it will result in:
> read: Bad address

Thanks Marcus. This is addressed in bug #453053.
Comment 44 Vincent Danen 2010-12-23 11:30:39 EST
This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0508)
Red Hat Enterprise Linux version 5 (RHSA-2008:0519)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)
