Bug 84078 (CVE-2005-1763)

Summary: VUL-0: CVE-2005-1763: kernel: Another hole in x86-64 ptrace
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Kleen <ak>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: x86-64
OS: All
Whiteboard: CVE-2005-1763: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Patch
Additional ptrace overflow patch

Description Andreas Kleen 2005-05-17 15:48:43 UTC
This time it even allows changing the kernel stack, however I don't think
it is exploitable. It should still be fixed. The issue is already public.
Comment 1 Andreas Kleen 2005-05-19 06:13:13 UTC
Created attachment 37412 [details]
Patch
Comment 2 Marcus Meissner 2005-05-30 12:19:17 UTC
Andi? Can you check up on this?
Comment 3 Andreas Kleen 2005-05-31 12:24:24 UTC
This patch should be in all trees. While I don't think it will lead
to an immediate root exploit I would feel safer if it was fixed everywhere.
Comment 4 Hubert Mantel 2005-05-31 14:43:50 UTC
Andi, can you please also submit a 2.4 version of the patch?
Comment 5 Marcus Meissner 2005-05-31 15:07:56 UTC
Andi thinks this is more severe ... you can overwrite the beginning of pages not
belonging to you.
Comment 6 Andreas Kleen 2005-05-31 16:14:11 UTC
Created attachment 38387 [details]
Additional ptrace overflow patch

This patch needs to be applied *in addition* to
the previous patch in this bug to fully close
the root hole.
Comment 7 Andreas Kleen 2005-06-01 09:53:41 UTC
Hmm, no the previous patch was no good. I will do a better one.
Comment 8 Andreas Kleen 2005-06-01 10:39:15 UTC
After some more consideration I think only the patch in comment #1 is sufficient
to fix the problem. Forget the one in #6.

Hubert, please apply to all branches.
Comment 9 Hubert Mantel 2005-06-02 11:45:47 UTC
Andi, I _STILL_ need a 2.4 version of this fix!
Comment 10 Marcus Meissner 2005-06-02 12:08:30 UTC
and a final 2.6 patch if it is not done yet ... (regarding comment #8)
Comment 11 Hubert Mantel 2005-06-02 12:17:10 UTC
According to comment #8, only the additional patch in #6 is bogus and the one
from #1 should be applied to all trees. At least this is what I did now. After
checking the 2.4 trees, we came to the conclusion that those trees are not
vulnerable to this problem. So everything should finally be fine now. Kernels
have been submitted for check in.
Comment 12 Andreas Kleen 2005-06-02 17:34:32 UTC
The first patch should apply pretty easily
to 2.4 too.
Comment 13 Marcus Meissner 2005-06-03 08:44:04 UTC
No, the code is different in 2.4.21:

for poke:
                if ((addr & 7) || addr < 0 ||
                    addr > sizeof(struct user) - 7)
                        break;

                if (addr < sizeof(struct user_regs_struct)) {
                        ret = putreg(child, addr, data);
                        break;
                }

and similar for peek.

This code is safe against the problem fixed by the patch for 2.6, I think.
Comment 14 Olaf Kirch 2005-06-07 10:01:06 UTC
Has the patch been applied to SLES9 SP2? If it's only the 2.4 patch that's
missing, can we change the target to SLES8 please?
Comment 15 Ludwig Nussel 2005-06-08 16:05:52 UTC
x86_64-ptrace-overflow CAN-2005-1763 
Comment 16 Ludwig Nussel 2005-06-09 12:47:56 UTC
updates released 
Comment 17 Thomas Biege 2009-10-13 21:23:59 UTC
CVE-2005-1763: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)