Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2005-1762: kernel: AMD64 sysret local DoS | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Andreas Kleen <ak> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | gp, mark.langsdorf, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | x86-64 | | |
| OS: | SLES 9 | | |
| Whiteboard: | CVE-2005-1764: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P) | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Attachments:
- Proposed patch
- Additional patch needed for 9.3
- Safer version of the originally proposed patch
- proposed patch for 2.4 based kernels
Comment 1
Ludwig Nussel
2005-03-18 08:28:53 UTC
Created attachment 32446 [details]
Proposed patch
Proposed kernel patch to work around the hang problem. Check for non-canonical addresses in ptrace. It would be good if someone from AMD could verify that the check added matches the canonical checking in the CPU.

Created attachment 32562 [details]
Additional patch needed for 9.3
9.3 with 4-level page tables needs an additional patch to stop user programs from executing into non-canonical space and hanging the CPU. This patch adds a 4K guard page at the end of the address space.
no answer yet... so it won't make 9.3 master.

bodo has brought up this issue again with AMD this week. sp2 deadline is approaching fast... would be good to have it in.

We will make this public by April 30th, 2005. Thanks!

do you have a CAN number we can cite then?

No, but you can look at Errata 121 at http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/25759.pdf
If you decide to forward that link to the LKML, please copy Rich Brunner (richard.brunner@amd.com) when you do because the Errata text is a bit unclear and he'd like to explain it.

local denial of service attack, so it's at most major I think.

Mark, I assume you made it public now and will send it soon to mainline (this evening). Please complain if not. Marcus, it would need to be included into a security update.

andi, if the patch is good, either apply to all relevant branches or we can have hubert do it ;)

hubert, can you please apply the attached patches to all active branches with amd64 support? (all except 8.2 and SLEC I think)

Can I do this already right now or is there some embargo? Think kotd!

No answer, so I will go ahead. To sum things up:
All (older) 2.6 based kernels (< 2.6.11) only need ptrace-canonical
The 9.3 kernel needs ptrace-canonical _AND_ guard-page
Right? What about 2.4 based trees? There is SLES8...

Yes, correct. 2.4 also needs ptrace-canonical. In addition all kernels need ptrace-check-segment (different bug number). But it is in related code so you can do it in one go.

What the heck is "ptrace-check-segment"? I cannot find a patch with that name in any of our trees. And the information "different bug number" is totally useless :(

Sorry, it's #83143

Aeh, isn't that exactly the same patch as in comment #3

Fix(es) ha(s|ve) been committed to all trees.

Oops, indeed. I attached the wrong patch :-/ Fix in a jiffie.

so I guess the current update packages for released distros are broken as well? Please tell Hubert the correct patch so he can submit new packages.
While QA testing the update package for SLES9 (012927c610add3677c52ec3a28a1648d, kernel-default-2.6.5-7.155.23), I found that the DoS given at comment #2 still works. Please advise.

That's because the patch was disabled in most trees because the original version was broken. I believe it should be fixed in 9.3 and HEAD now.

Does this mean it won't be fixed for SLES9?

No, that one should be fixed for 9.2 and SLES9 too. I think I was confused in comment #27.

so the current sles9 update misses this fix? But apart from that the kernel works? Sorry, I'm totally lost now. Please check all the existing trees and/or advise which patch should go into which tree.

Created attachment 38432 [details]
Safer version of the originally proposed patch.

Hi Hubert, the patch in comment #32 still needs to get into all branches. Can you please do that?

Created attachment 38441 [details]
proposed patch for 2.4 based kernels
Andi, since your patch does not apply against our 2.4 based trees, does the attached version look correct to you?

Fixes have been committed to all trees.

Yes, the 2.4 patch is fine.

is the guardpage patch only needed on 9.3? 9.3/patches.fixes/x86_64-sysret-fix only contains 1 patched file, not all 3?

Just read comment #23 :)

Security team, is this still blocking SLES9 SP2? If not, can we change it to RESOLVED or at least change severity/target appropriately?

AFAICS the fix is in 9.1/BETA so it's not blocking SP2.

2.6 kernels for released products are in qa.

ptrace-canonical: CAN-2005-1762
x86_64-sysret-fix: CAN-2005-1764

updates released