Description of problem: Tavis Ormandy has found a simple way to leak data from other processes. See reproducer for more details.
Removing embargo.

* Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local unprivileged user to prepare and run a specially crafted binary, which would use this deficiency to leak uninitialized and potentially sensitive data. (CVE-2008-0598, Important)

Created attachment 311794
Patch as used in Red Hat Enterprise Linux 5 kernel-2.6.18-92.1.6.el5

First included in: https://rhn.redhat.com/errata/RHSA-2008-0519.html

Created attachment 311795
Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL

First included in: https://rhn.redhat.com/errata/RHSA-2008-0508.html

(In reply to comment #21)
> Created an attachment (id=311795)
> Patch as used in Red Hat Enterprise Linux 4 kernel-2.6.9-67.0.20.EL

This refers to linux-2.6.9-x86_64-copy_user-zero-tail.patch.

The 2.6.9 patch is probably wrong.
Created attachment 316196
xx.c

gcc -o xx xx.c
./xx

extracted from LTP read02 testcase.

on bad kernel it will result in:
unexpected success with bad address, ret 0x79680000

on a good kernel it will result in:
read: Bad address

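The check described in the comment above, written out as an added regression test (this is not the attached xx.c, whose contents are not shown on this page). It assumes the symptom is read() reporting success for a destination buffer it cannot write to, uses a pipe as a self-contained data source, and all function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Read constructed bytes from a pipe into dst. Returns 0 if read() fails with
 * EFAULT, 1 if read() reports success, -1 on any other outcome. */
static int read_into(void *dst, size_t len)
{
    static const char payload[] = "constructed test payload";
    int p[2];
    if (pipe(p) != 0) return -1;
    ssize_t w = write(p[1], payload, sizeof payload);
    errno = 0;
    ssize_t ret = (w == (ssize_t)sizeof payload) ? read(p[0], dst, len) : -2;
    int err = errno;
    close(p[0]); close(p[1]);
    if (ret >= 0) return 1;
    return (ret == -1 && err == EFAULT) ? 0 : -1;
}

/* Control case: a writable buffer must be accepted (expected result 1). */
int check_valid_buffer(void)
{
    char buf[64];
    return read_into(buf, sizeof buf);
}
/* Address that is never a valid user pointer (expected result 0). */
int check_bad_pointer(void)
{
    return read_into((void *)-1, 16);
}
/* Mapped but inaccessible page: the copy must fault (expected result 0). */
int check_prot_none(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, (size_t)pg, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int r = (m == MAP_FAILED) ? -1 : read_into(m, 16);
    if (m != MAP_FAILED) munmap(m, (size_t)pg);
    return r;
}

int main(void)
{
    printf("valid=%d bad_ptr=%d prot_none=%d\n",
           check_valid_buffer(), check_bad_pointer(), check_prot_none());
    return 0;
}
```

A result of 1 from either bad-address check corresponds to the "unexpected success with bad address" output quoted above.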
(In reply to comment #38)
> Created an attachment (id=316196)
> xx.c
>
> gcc -o xx xx.c
> ./xx
>
> extracted from LTP read02 testcase.
>
> on bad kernel it will result in:
> unexpected success with bad address, ret 0x79680000
>
> on a good kernel it will result in:
> read: Bad address

Thanks Marcus. This is addressed in bug #453053.

This was addressed via:

Red Hat Enterprise Linux version 4 (RHSA-2008:0508)
Red Hat Enterprise Linux version 5 (RHSA-2008:0519)
Red Hat Enterprise Linux version 3 (RHSA-2008:0973)
MRG Realtime for RHEL 5 Server (RHSA-2009:0009)