248324 – (CVE-2007-3731) CVE-2007-3731 NULL pointer dereference triggered by ptrace

Bug 248324 (CVE-2007-3731) - CVE-2007-3731 NULL pointer dereference triggered by ptrace

Summary: CVE-2007-3731 NULL pointer dereference triggered by ptrace

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-3731
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	275981 275991
Blocks:
TreeView+	depends on / blocked

Reported:	2007-07-16 04:54 UTC by Marcel Holtmann
Modified:	2021-11-12 19:41 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-07-25 08:55:34 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:0940	0	normal	SHIPPED_LIVE	Important: kernel security update	2007-10-22 10:52:41 UTC

Description Marcel Holtmann 2007-07-16 04:54:23 UTC

From Evan Teran:

http://bugzilla.kernel.org/show_bug.cgi?id=8765

It is possible to cause the kernel to reference a null pointer with simple
ptrace code. the OOPS seems to indicate that it occurs in arch_ptrace. I
noticed  when working on my debugger, that if i set the childs CS to certain
invalid values, instead of a segfault (i believe this is the correct response
to invalid cs). Not only would the ptraced app crash, but so would the
debugger. After further investigation, I realized that the debugger crash was
the kernel terminating the ptracer due to a null pointer in one of the ptrace
functions.

BUG: unable to handle kernel NULL pointer dereference at virtual address
000000fc
 printing eip:
c0104b84
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: rtc 3c59x mii ide_cd cdrom yenta_socket rsrc_nonstatic
pcmcia_core psmouse uhci_hcd usbcore evdev pcspkr
CPU:    0
EIP:    0060:[<c0104b84>]    Not tainted VLI
EFLAGS: 00010202   (2.6.20-gentoo-r8 #1)
EIP is at arch_ptrace+0x5ea/0x828
eax: 000000f8   ebx: f6dfd580   ecx: 000000ff   edx: f6f1a030
esi: 000000ff   edi: b7fad410   ebp: 00000000   esp: c2209f68
ds: 007b   es: 007b   ss: 0068
Process test (pid: 28205, ti=c2208000 task=f6dc8550 task.ti=c2208000)
Stack: c020850a f6c9f380 f6f1a030 00000000 0000000b 00000001 00000046 c01163b5
       f6f1a030 00000000 00000009 00000000 c0119033 00000000 00000000 00000009
       00000000 b7fa3ff4 c2208000 c01028be 00000009 00006e2e 00000000 00000000
Call Trace:
 [<c020850a>] net_tx_action+0x3b/0xba
 [<c01163b5>] __do_softirq+0x3e/0x83
 [<c0119033>] sys_ptrace+0x63/0x89
 [<c01028be>] sysenter_past_esp+0x5f/0x85
 [<c0240033>] sysctl_tcp_congestion_control+0x7b/0x83
 =======================
Code: 00 ff 8b 5c 01 00 00 79 0b 8d 83 5c 01 00 00 e8 d7 81 14 00 8b 54 24 08
8b 9a 80 00 00 00 89 f0 25 f8 ff 00 00 03 83 6c 01 00 00 <8b> 48 04 89 fa 81 e2
ff ff 00 00 f7 c1 00 00 40 00 0f 44 fa 0f
EIP: [<c0104b84>] arch_ptrace+0x5ea/0x828 SS:ESP 0068:c2209f68

Comment 4 Roland McGrath 2007-07-20 07:03:30 UTC

Two changes were committed upstream that together should fix this:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=29eb51101c02df517ca64ec472d7501127ad1da8
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a10d9a71bafd3a283da240d2868e71346d2aef6f

Comment 7 Red Hat Product Security 2008-07-25 08:55:34 UTC

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0940.html

Comment 8 Eugene Teo (Security Response) 2010-04-16 02:04:21 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=248353#c2

Note You need to log in before you can comment on or make changes to this bug.