Bug 156580 (CVE-2006-0744)

Summary: VUL-0: CVE-2006-0744: kernel: AMD64 Local-DOS: Need better checking for non canonical RIPs
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Kleen <ak>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P5 - None CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: x86-64   
OS: Other   
Whiteboard: affected:sles9sp3,sles9sp4, 9.2,9.3,10.0 applied:sles9sp3,sles9sp4,9 .2,9.3,10.0 - CVE-2006-0744: CVSS v2 Base Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C )
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: 2.6 fix
2.4 patch
Correct 2.6 fix
2.6 patch 1
2.6 patch #2. Both are needed

Description Andreas Kleen 2006-03-09 16:33:18 UTC 
Intel EM64T handles non canonical RIPs different in IRET/SYSRET.
This breaks the way the kernel handles them and can cause 
endless double fault loops.

In addition (thanks to Ernie Petrides for noticing) the existing
check for non canonical addresses in signal handling in 2.4 is wrong.
Comment 1 Marcus Meissner 2006-03-13 12:24:33 UTC 
(sles8 not affected, we did not support em64t there)

right?
Comment 2 Andreas Kleen 2006-03-14 12:17:41 UTC 
The problem actually can happen in a different way on AMD systems too.
Comment 3 Andreas Kleen 2006-03-14 12:21:00 UTC 
Created attachment 72752 [details]
2.6 fix
Comment 4 Andreas Kleen 2006-03-14 12:22:11 UTC 
Created attachment 72753 [details]
2.4 patch
Comment 5 Andreas Kleen 2006-03-14 12:24:51 UTC 
Created attachment 72754 [details]
Correct 2.6 fix
Comment 6 Andreas Kleen 2006-03-14 12:26:52 UTC 
Sorry don't have time to check it into all supported trees before I leave
for vacation. We need 2.6 and 2.4 patches for the next security update.
Comment 7 Andreas Kleen 2006-03-14 17:50:51 UTC 
The 2.6 patch has some trouble so it can't be applied right now without
further debugging.
Comment 8 Olaf Kirch 2006-03-17 15:12:36 UTC 
Assigning to Andi for further tracking.
Comment 9 Andreas Kleen 2006-03-30 19:27:56 UTC 
I have patches for 2.6 that should be ok now, but some more testing needed.
Comment 10 Andreas Kleen 2006-03-30 19:28:53 UTC 
Created attachment 75839 [details]
2.6 patch 1
Comment 11 Andreas Kleen 2006-03-30 19:29:29 UTC 
Created attachment 75840 [details]
2.6 patch #2. Both are needed
Comment 12 Andreas Kleen 2006-04-12 16:43:03 UTC 
Patch checked in in all maintained trees. I also added the related elf
entry check to sles8 where it was still missing.
Comment 13 Greg Kroah-Hartman 2006-04-12 18:24:52 UTC 
Andi, should these be in mainline and in the -stable tree?
Comment 14 Greg Kroah-Hartman 2006-04-12 18:31:31 UTC 
Oh never mind, you've already send them to -stable, sorry about that.
Comment 15 Ludwig Nussel 2006-04-19 06:37:35 UTC 
CVE-2006-0744

Linux kernel before 2.6.16.5 does not properly handle uncanonical return addresses on Intel EM64T CPUs, which reports an exception in the SYSRET instead of the next instruction, which causes the kernel exception handler to run on the user stack with the wrong GS.
Comment 16 Greg Kroah-Hartman 2006-04-19 20:21:25 UTC 
Already checked them into HEAD, will be in the next 10.1 beta.

Someone should check these into all other branches too.
Comment 17 Andreas Kleen 2006-04-26 05:43:18 UTC 
They're in all branches
Comment 18 Marcus Meissner 2006-04-26 13:46:28 UTC 
thanks!
Comment 19 Marcus Meissner 2006-05-03 06:52:35 UTC 
since it is in all branches, and just need to be pushed out, we can mark it fixed.
Comment 20 Andreas Kleen 2006-05-26 10:38:08 UTC 
Have to fix the fix - the original fix broke UML.
Comment 21 Andreas Kleen 2006-06-01 00:45:50 UTC 
Fixed for SLES10.
Comment 22 Andreas Kleen 2006-06-08 16:19:17 UTC 
Fixes checked in everywhere
Comment 23 Marcus Meissner 2006-07-11 16:18:28 UTC 
released the updates.
Comment 24 Marcus Meissner 2006-07-11 20:08:07 UTC 
of course we releaed only sles9 ... sorry, reopen
Comment 25 Marcus Meissner 2006-07-24 12:12:24 UTC 
released 9.2 - 10.0 too now.
Comment 26 Thomas Biege 2009-10-13 23:00:53 UTC 
CVE-2006-0744: CVSS v2 Base Score: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)