Red Hat Bugzilla – Bug 433938
CVE-2008-0598 kernel: linux x86_64 ia32 emulation leaks uninitialized data
Last modified: 2010-12-23 11:30:39 EST
Description of problem:
Tavis Ormandy has found a simple way to leak data from other processes.
See reproducer for more details.
* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and
64-bit emulation. This could allow a local unprivileged user to prepare and
run a specially crafted binary, which would use this deficiency to leak
uninitialized and potentially sensitive data. (CVE-2008-0598, Important)
Created attachment 311794
Patch as used in Red Hat Enterprise Linux 5 kernel-2.6.18-92.1.6.el5
First included in: https://rhn.redhat.com/errata/RHSA-2008-0519.html
Created attachment 311795
Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL
First included in: https://rhn.redhat.com/errata/RHSA-2008-0508.html
(In reply to comment #21)
> Created an attachment (id=311795) 
> Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL
This refers to linux-2.6.9-x86_64-copy_user-zero-tail.patch.
The 2.6.9 patch is probably wrong.
Created attachment 316196
gcc -o xx xx.c
Extracted from LTP read02 testcase.
On a bad kernel it will result in:
unexpected success with bad address, ret 0x79680000
On a good kernel it will result in:
read: Bad address
(In reply to comment #38)
> Created an attachment (id=316196)
> gcc -o xx xx.c
> Extracted from LTP read02 testcase.
> On a bad kernel it will result in:
> unexpected success with bad address, ret 0x79680000
> On a good kernel it will result in:
> read: Bad address
Thanks Marcus. This is addressed in bug #453053.
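The check discussed in the comments above (a read() into a bad address must fail with "Bad address" rather than report success), written out as an added example; this is not the attached xx.c and not LTP's read02 source. The pipe used as the data source, the PROT_NONE page used as the bad buffer, and all function and enum names are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* exposes MAP_ANONYMOUS under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result codes; the names are hypothetical, chosen for this example. */
enum { GOT_EFAULT = 0, UNEXPECTED_SUCCESS = 1, OTHER_ERROR = 2, SETUP_FAILED = -1 };

/* read() from a pipe into a PROT_NONE page: a correct kernel must copy
 * nothing and fail with EFAULT instead of reporting success. */
int check_read_bad_address(void)
{
    static const char sample[] = "constructed sample data";
    long page = sysconf(_SC_PAGESIZE);
    int fds[2], result = SETUP_FAILED;

    if (page <= 0 || pipe(fds) != 0)
        return SETUP_FAILED;
    void *bad = mmap(NULL, (size_t)page, PROT_NONE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (bad != MAP_FAILED &&
        write(fds[1], sample, sizeof sample) == (ssize_t)sizeof sample) {
        errno = 0;
        ssize_t ret = read(fds[0], bad, sizeof sample);
        if (ret == -1)
            result = (errno == EFAULT) ? GOT_EFAULT : OTHER_ERROR;
        else
            result = UNEXPECTED_SUCCESS;
    }
    if (bad != MAP_FAILED)
        munmap(bad, (size_t)page);
    close(fds[0]);
    close(fds[1]);
    return result;
}

int main(void)
{
    int r = check_read_bad_address();
    if (r == GOT_EFAULT)
        printf("read: %s\n", strerror(EFAULT));
    else
        printf("unexpected result from read with bad address: %d\n", r);
    return r == GOT_EFAULT ? 0 : 1;
}
```

A non-zero exit status means the kernel did not reject the bad buffer with EFAULT, which is the regression the comments above describe for a bad kernel.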
This was addressed via:
Red Hat Enterprise Linux version 4 (RHSA-2008:0508)
Red Hat Enterprise Linux version 5 (RHSA-2008:0519)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)