Bug 464883 - (CVE-2008-3832) CVE-2008-3832 kernel: null pointer dereference in utrace_control
CVE-2008-3832 kernel: null pointer dereference in utrace_control
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,source=bugzilla,repo...
: Security
Depends On: 464259
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-30 20:44 EDT by Eugene Teo (Security Response)
Modified: 2016-03-04 06:48 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-21 12:44:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2008-09-30 20:44:07 EDT
Reported by Michael Simms:

Any user can crash init with a single command

Version-Release number of selected component (if applicable):
Fedora 9, patched to latest as of 90 minutes ago

How reproducible:
Always. May have to run the command 2-3 times but it always crashes the kernel
in the end.

Steps to Reproduce:
1.as ANY user - start a shell
2.gdb any_executable 1
3.There will be a kerneloops and usually a kernel crash or hang

Actual results:
Kernel blows up

Expected results:
Kernel doesnt blow up, permission denied for process init

Additional info:
Comment 1 Eugene Teo (Security Response) 2008-09-30 20:46:42 EDT
Thanks Michael.

This is reproducible with kernel-2.6.26.3-29.fc9 on x86 and x86_64.

[eugene@localhost ~]$ gdb /bin/sh 1
GNU gdb Fedora (6.8-21.fc9)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(no debugging symbols found)
Attaching to program: /bin/sh, process 1

[...]
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffff8106a404>] utrace_control+0x56/0x231
PGD 132d0b067 PUD 1249bf067 PMD 2e08f067 PTE 0
Oops: 0000 [1] SMP 
CPU 0 
Modules linked in: aes_x86_64 aes_generic ipt_MASQUERADE iptable_nat nf_nat
bridge bnep rfcomm l2cap ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core
ib_addr iscsi_tcp libiscsi scsi_transport_iscsi fuse sunrpc ipt_REJECT
nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp
nf_conntrack_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables
cpufreq_ondemand acpi_cpufreq freq_table dm_multipath ipv6 uinput kvm_intel kvm
sr_mod cdrom thinkpad_acpi hwmon snd_hda_intel pcspkr joydev arc4 ecb
firewire_ohci crypto_blkcipher sdhci firewire_core snd_seq_dummy mmc_core
crc_itu_t ricoh_mmc snd_seq_oss yenta_socket snd_seq_midi_event rsrc_nonstatic
iTCO_wdt snd_seq iTCO_vendor_support i2c_i801 snd_seq_device sg ata_piix
snd_pcm_oss snd_mixer_oss iwl3945 snd_pcm rfkill mac80211 snd_timer
snd_page_alloc snd_hwdep cfg80211 snd soundcore battery ac video output bay
i915 wmi drm e1000e i2c_algo_bit hci_usb pata_acpi ata_generic i2c_core
bluetooth dm_snapshot dm_zero dm_mirror dm_log dm_mod ahci libata sd_mod
scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded: microcode]
Pid: 25599, comm: gdb Not tainted 2.6.26.3-29.fc9.x86_64 #1
RIP: 0010:[<ffffffff8106a404>]  [<ffffffff8106a404>] utrace_control+0x56/0x231
RSP: 0018:ffff8100228fbeb8  EFLAGS: 00010246
RAX: 0000000000000202 RBX: ffff81013b064000 RCX: 0000000000000013
RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff81013b064020
RBP: ffff8100228fbef8 R08: 0000000000000006 R09: 0000000000000001
R10: 0000000000000000 R11: ffff81013bab8000 R12: 00000000ffffffff
R13: ffff81013b064000 R14: ffff81013bab8000 R15: 0000000000000000
FS:  00007f6058d6f780(0000) GS:ffffffff81417000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000115875000 CR4: 00000000000026e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process gdb (pid: 25599, threadinfo ffff8100228fa000, task ffff81013a45ad40)
Stack:  ffff810000000006 ffff81013bab8000 ffff8100228fbed8 ffff81013bab8000
 00000000ffffffff 0000000000000246 ffff81013bab85f8 0000000000000000
 ffff8100228fbf38 ffffffff8103f78b ffff8100228fbf18 ffff81013bab8000
Call Trace:
 [<ffffffff8103f78b>] ptrace_attach+0x144/0x174
 [<ffffffff8103f8bd>] sys_ptrace+0x54/0xaf
 [<ffffffff8100c291>] tracesys+0xd0/0xd5


Code: 00 48 85 db 74 41 83 bf 28 02 00 00 20 74 38 48 8d 7b 20 89 55 c0 e8 6b
24 23 00 4d 8b ae e0 05 00 00 44 8b 45 c0 49 39 dd 75 0c <49> 8b 47 28 48 3d 00
e2 2b 81 75 05 fe 43 20 eb 0b 49 81 fd 00 
RIP  [<ffffffff8106a404>] utrace_control+0x56/0x231
 RSP <ffff8100228fbeb8>
CR2: 0000000000000028
Comment 2 Eugene Teo (Security Response) 2008-09-30 20:46:56 EDT
rhel-5 and upstream kernels appear to be unaffected. Tested with
kernel-2.6.18-116.el5.i686 and 2.6.27-rc7.i686.

[test@dell-pe1650-1 ~]$ gdb /bin/sh 1
[...]
Attaching to program: /bin/sh, process 1
ptrace: Operation not permitted.
/home/test/1: No such file or directory.

utrace_control came from F-9/linux-2.6-utrace.patch.
Comment 10 Eugene Teo (Security Response) 2008-10-01 21:03:47 EDT
2.6.26.5 kernels for f-8 and f-9 got pushed yesterday.

2.6.26.5-28.fc8
2.6.26.5-45.fc9
Comment 11 Eugene Teo (Security Response) 2008-10-01 21:25:02 EDT
Reference:
http://article.gmane.org/gmane.comp.security.oss.general/1003
Comment 12 Eugene Teo (Security Response) 2008-10-09 21:46:58 EDT
This is fixed in 2.6.26.5-45.fc9. Thanks.

Note You need to log in before you can comment on or make changes to this bug.