Bug 457790 (CVE-2013-0871)

Summary:	Kernel : race condition with PTRACE_SETREGS (CVE-2013-0871)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Kernel	Assignee:	Gentoo Kernel Security <security-kernel>
Status:	RESOLVED OBSOLETE
Severity:	normal	CC:	ale, bugs.gentoo.org, kernel
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.openwall.com/lists/oss-security/2013/02/15/16
Whiteboard:
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2013-02-16 07:41:20 UTC

From $URL :

Linux kernel stack corruption due to race condition with PTRACE_SETREGS
-----------------------------------------------------------------------

A race conditon in ptrace can lead to kernel stack corruption and arbitrary
kernel-mode code execution.

This should be tracked as CVE-2013-0871.

Solution
------------

The following commits from Oleg Nesterov should address the issue:

- 910ffdb18a6408e14febbb6e4b6840fd2c928c82
- 9899d11f654474d2d54ea52ceaa2a1f4db3abd68
- 9067ac85d533651b98c2ff903182a20cbb361fcb

Credit
---------

This was discovered by Suleiman Souhlal and Salman Qazi of Google, with help
from Aaron Durbin and Michael Davidson, also of Google.

Comment 1 William Waisse 2013-02-18 20:02:19 UTC

just a fyi for people wanting to fix tht as fast as possible : 

(21:49) <  ne0futur> 20:59 < neofutur> hardened-sources-3.7.8.ebuild include
                     grsecurity-2.9.1-3.7.8-201302161158
(21:49) <  ne0futur> 20:59 < neofutur> can anyone confirm that grsec version includes a fix for CVE-2013-0871 ?
(21:49) <  ne0futur> 21:00 < spender> it does

 so gentoo hardened at least have something against this bad race condition ;)

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2018-04-04 18:30:50 UTC

There are no longer any 2.x or <3.7.5 kernels available in the repository with the exception of sys-kernel/xbox-sources which is unsupported by security.