Bug 87244 (CVE-2005-1761)

Summary: VUL-0: CVE-2005-1761: kernel: Malicious user can use ptrace to crash the system
Product: [Novell Products] SUSE Security Incidents
Reporter: Tony Luck <tony.luck>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P5 - None
CC: andreas.taschner, gp, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: IA64   
OS: SLES 9   
Whiteboard: CVE-2005-1761: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Found By: Customer
Services Priority: ---
Business Priority: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: patch from Matt Chapman
version 2 - close hole via ptrace_setregs too
Fix restore_sigcontext() path too
Backport to 2.4.21

Description Tony Luck 2005-06-06 19:52:16 UTC
Is this bug publicly visible ... I'd like to defer adding details until I know 
whether I'm writing for the whole world.  The bug is old ... most kernel 
versions are affected.  IA64 specific.  I'd like to send the patch to Linus for 
inclusion in 2.6.12 (only about a week away according to rumour).
Comment 1 Marcus Meissner 2005-06-07 08:42:03 UTC
it now no longer is publicly visible, so please add.

we had several ia64 ptrace issues already fixed, is this a previously known
one?
Comment 2 Tony Luck 2005-06-07 16:18:25 UTC
Created attachment 38758 [details]
patch from Matt Chapman

New ptrace bug for ia64 (sigh).

Matt Chapman found this, and supplied the attached fix.
Comment 3 Marcus Meissner 2005-06-07 20:35:25 UTC
can you work with the security@kernel.org contact please.

and keep us posted on disclosure dates.

andreas, this must stay out of CVS until disclosure ...

Greg, FYI only for now
Comment 4 Ludwig Nussel 2005-06-08 16:01:39 UTC
CAN-2005-0761 
Comment 5 Ludwig Nussel 2005-06-09 06:56:38 UTC
wrong number, it's CAN-2005-1761 
Comment 6 Tony Luck 2005-06-11 17:04:12 UTC
Created attachment 39006 [details]
version 2 - close hole via ptrace_setregs too

Aargh! David Mosberger sent me e-mail last night saying that he thought there
might be another code path for this bug through ptrace_setregs().  He's right.
Here's an updated patch that should close that too.  But so far it is untested
(apart from that it compiles).  No reviews yet either.
Comment 7 Tony Luck 2005-06-11 19:40:35 UTC
I have an ACK from David Mosberger that the new patch is OK.
Comment 8 Tony Luck 2005-06-11 23:32:01 UTC
But now Chris Wright has spotted another place (restore_sigcontext) where
ar.rsc can be loaded with an arbitrary value supplied from user space.

I'm giving up on trying to coordinate this with the 2.6.12 release.  It will go 
into a 2.6.12.y release.
Comment 9 Tony Luck 2005-06-13 21:14:32 UTC
Created attachment 39074 [details]
Fix restore_sigcontext() path too

This should be the final version.  If there are no problems with it, then I
will release this on Wed June 22nd at noon PDT.
Comment 10 Marcus Meissner 2005-06-23 10:35:47 UTC
public now  
Comment 11 Andreas Schwab 2005-06-23 11:30:18 UTC
Checked into SP2. Any other branch? 
Comment 12 Marcus Meissner 2005-06-27 08:37:48 UTC
no, unless Intel thinks it is problematic for SLES 8 too. 
Comment 13 Marcus Meissner 2005-06-30 09:22:20 UTC
Tony? does this affect the 2.4 kernels? 
Comment 14 Tony Luck 2005-06-30 17:06:31 UTC
ptrace.c has seen some major changes between 2.4 and 2.6, but it looks like the 
same problem is present there too.
Comment 15 Andreas Schwab 2005-07-05 15:41:19 UTC
Created attachment 41174 [details]
Backport to 2.4.21
Comment 16 Andreas Schwab 2005-07-05 15:43:50 UTC
Checked into SLES8 kernel. 
Comment 17 Ludwig Nussel 2005-08-04 07:11:20 UTC
updates released 
Comment 18 Marcus Meissner 2005-09-14 08:33:55 UTC
this patch does not appear in the mainline 2.4 yet. 
Comment 19 Thomas Biege 2009-10-13 21:26:32 UTC
CVE-2005-1761: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)