Bug 95644 - Multiple 64-bit Local DoS (CAN-2005-{0756,1762,1764,1765})
Summary: Multiple 64-bit Local DoS (CAN-2005-{0756,1762,1764,1765})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Other
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: [linux <2.6.11.11]
Keywords:
Depends on:
Blocks:
Reported: 2005-06-10 01:54 UTC by Thierry Carrez (RETIRED)
Modified: 2009-05-03 15:28 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 01:54:32 UTC
From Ubuntu's latest:

CAN-2005-0756
Alexander Nyberg discovered that ptrace() insufficiently validated
addresses on the amd64 platform so that it was possible to set an
invalid segment base. A local attacker could exploit this to crash the
kernel. This does not affect the i386 and powerpc platforms in any
way.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-10 02:10:27 UTC
OK, there are more (from SuSE latest):

ptrace-canonical Local DoS issue (2.4+2.6) CAN-2005-1762
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d1099e8a18960693c04507bdd7b9403db70bfd97

ptrace-check-segment Local DoS issue (2.4+2.6) CAN-2005-0756
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f6b8d4778c04148729cc0b0dcd335a4411c44276

syscall-page-fix Local DoS issue (2.6 only) CAN-2005-1765

diff -urNp linux-2.6.11/arch/x86_64/mm/fault.c
linux-2.6.11.SUSE/arch/x86_64/mm/fault.c
--- linux-2.6.11/arch/x86_64/mm/fault.c	2005-06-02 16:18:33.999340707 +0200
+++ linux-2.6.11.SUSE/arch/x86_64/mm/fault.c	2005-06-02 16:21:36.922002147 +0200
@@ -474,7 +474,7 @@ bad_area_nosemaphore:
 
 #ifdef CONFIG_IA32_EMULATION
 	/* 32bit vsyscall. map on demand. */
-	if (test_thread_flag(TIF_IA32) &&
+	if (test_thread_flag(TIF_IA32) && ((error_code & 0x6) == 0x4) &&
 	    address >= VSYSCALL32_BASE && address < VSYSCALL32_END) {
 		if (map_syscall32(mm, address) < 0)
 			goto out_of_memory2;
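Review bot: the new `((error_code & 0x6) == 0x4)` guard in the CONFIG_IA32_EMULATION branch is doing the security work here, but it is written as magic numbers. On x86 page-fault error codes bit 1 is set for a write and bit 2 for a user-mode access, so the condition admits only user-mode, non-write faults into the on-demand `map_syscall32(mm, address)` path and rejects kernel-mode or write faults that land in `VSYSCALL32_BASE..VSYSCALL32_END`. Consider spelling the masks out with named constants (or at least a one-line comment such as "only user-mode read/exec faults may map the 32-bit vsyscall page") so the next reader does not have to decode 0x6/0x4, and make sure the rejected case still falls through to the normal bad-area handling rather than silently returning.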

x86_64-sysret-fix Local DoS issue (2.6 only) CAN-2005-1764
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=637716a3825e186555361574aa1fa3c0ebf8018b
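The "ptrace-canonical" and "ptrace-check-segment" entries above both come down to the kernel validating a segment base supplied by a tracer before loading it. As an added illustration (not code from the bug, the kernel, or the linked commits), the block below shows what "canonical" means on x86_64 with 48-bit virtual addresses and what a defensive validator of that shape looks like; `is_canonical`, `validate_segment_base` and the `USER_LIMIT` constant are hypothetical names chosen here, and the exact checks the real commits apply are not reproduced from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86_64 with 48-bit virtual addresses: an address is canonical when
 * bits 63..47 are all copies of bit 47. Loading a non-canonical value into
 * a segment base register raises a fault when it is later used, which is
 * the kind of local crash the ptrace fixes above close off. */
#define VA_BITS 48

bool is_canonical(uint64_t addr)
{
    /* Shift so only bit 47 and everything above it remain: canonical
     * addresses yield either all zeros or all ones in those 17 bits. */
    uint64_t upper = addr >> (VA_BITS - 1);
    uint64_t all_ones = UINT64_MAX >> (VA_BITS - 1);
    return upper == 0 || upper == all_ones;
}

/* Assumed (hypothetical) user-space ceiling: the first address of the
 * non-canonical hole, i.e. the end of the lower canonical half. */
#define USER_LIMIT 0x0000800000000000ULL

/* Shape of a defensive check for a tracer-supplied segment base:
 * returns 0 if the value is safe to load, -1 if it must be rejected. */
int validate_segment_base(uint64_t base)
{
    if (!is_canonical(base))
        return -1;          /* would fault on use */
    if (base >= USER_LIMIT)
        return -1;          /* kernel half of the address space */
    return 0;
}

int main(void)
{
    /* Constructed sample values covering both halves and the hole. */
    const uint64_t samples[] = {
        0x00007f0000000000ULL,  /* typical user-space base: accepted */
        0x0000800000000000ULL,  /* first non-canonical address: rejected */
        0x0000ffffffffffffULL,  /* inside the hole: rejected */
        0xffff800000000000ULL,  /* canonical but kernel half: rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx canonical=%d accept=%d\n",
               (unsigned long long)samples[i],
               is_canonical(samples[i]),
               validate_segment_base(samples[i]) == 0);
    return 0;
}
```

The validator rejects on two independent grounds, a non-canonical value and a canonical value that points into the kernel half, because either one lets an unprivileged tracer turn a register write into a kernel fault.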
Comment 2 Tim Yamin (RETIRED) gentoo-dev 2005-06-11 10:50:03 UTC
Non-issue for 2.4 here as Gentoo/AMD64 only uses 2.6.
Comment 3 Daniel Drake (RETIRED) gentoo-dev 2005-06-11 17:15:08 UTC
(In reply to comment #1)
> ptrace-canonical Local DoS issue (2.4+2.6) CAN-2005-1762
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d1099e8a18960693c04507bdd7b9403db70bfd97

This one is fixed in 2.6.11.11
Comment 4 Daniel Drake (RETIRED) gentoo-dev 2005-06-11 17:20:17 UTC
CAN-2005-0756 and CAN-2005-1764 are also fixed in 2.6.11, leaving only

syscall-page-fix Local DoS issue (2.6 only) CAN-2005-1765
Comment 5 Daniel Drake (RETIRED) gentoo-dev 2005-06-13 14:13:52 UTC
Fixed in genpatches 2.6.11-14
Fixed in gentoo-sources-2.6.11-r11
Comment 6 Tim Yamin (RETIRED) gentoo-dev 2005-08-26 12:59:37 UTC
kang: 2.6.11 requires CAN-2005-1765 fix, see comment #1 for details.
Comment 7 Tim Yamin (RETIRED) gentoo-dev 2005-11-26 03:41:24 UTC
All fixed, closing.