Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2005-1768: kernel: buffer overflow in 32bit execve compat function | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Andreas Kleen <ak> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Critical | | |
| Priority: | P2 - High | CC: | gp, security-team, stefan.fent |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | 64bit | | |
| OS: | All | | |
| Whiteboard: | CVE-2005-1768: CVSS v2 Base Score: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P) | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Attachments:
- 39007: Untested patch for 2.4 for ia64 and x86-64
- 39009: Updated patch that handles corner case too
- 39665: tested and working patch (on x86-64)
- 39949: 2.4 patch for x86-64/ia64
- 40061: New 2.4 patch
Created attachment 39009 [details]
Updated patch that handles corner case too
Use this one instead of the previous one. Still untested :/
CAN-2005-1768

Is this already public?

No, it's not. And it needs delay because it is serious.

Do we have the ia32 subsystem disabled on ia64?

Date: Mon, 13 Jun 2005 10:10:16 -0700
From: David Mosberger <davidm@napali.hpl.hp.com>
Subject: [security@suse.de] Re: race condition in ia64 and x86-64 kernel code

Hi Ilia,

Thanks for the bug-report. I'll cc Arun Sharma, since he's the maintainer of the ia32 subsystem for ia64.

I don't believe the bug is critical for recent versions of Red Hat and SuSE, since they exclusively use ia32el (user-level ia32 support via binary translation) with the kernel's ia32 subsystem disabled. Still, the bug obviously needs to be fixed.

Thanks,
--david

Not unconditionally, it is a sysconfig. AFAIK it is enabled by default in older releases.

Proposed CRD is Monday, 20.06. 18:00 CEST

So, do we have a fix we can put into RC3 (kernel submission 21.6. afternoon) and thus close this blocker? Andi should be able to say...

Hmm, someone needs to test the fix first, I didn't :/

I have asked Bodo to name someone to test this and he named Philipp Thomas.

How do I test it? Does any exploiting code exist?

Try running 32bit executables with arguments... those should be used correctly and work ;)
Try running a 32bit executable in the background and look if "ps auxw" shows it correctly.

The patch doesn't apply to the SLES9 SP2 kernel. Part of the problems are only whitespace so I can fix them myself, but the nargs in ia64 is:

    /* Counts the 32-bit user pointers at `arg` up to the NULL terminator and,
     * when `ap` is non-NULL, copies them into `ap`. Note that `max` is never
     * consulted: the loop runs until it reads a NULL, whatever size the
     * destination array was allocated with. */
    static int
    nargs (unsigned int arg, char **ap, int max)
    {
        unsigned int addr;
        int n, err;

        if (!arg)
            return 0;
        n = 0;
        do {
            err = get_user(addr, (unsigned int *)A(arg));   /* fetch next 32-bit pointer */
            if (err)
                return err;
            if (ap)
                *ap++ = (char *) A(addr);                   /* fill pass: store into kernel array */
            arg += sizeof(unsigned int);
            n++;
        } while (addr);
        return n - 1;                                       /* entries before the terminator */
    }

How to proceed?
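The bug behind the thread is easier to see in a user-space model than in the kernel source. The compat execve path calls nargs() twice: once with ap == NULL to count the 32-bit argv/envp pointers, then again to fill a heap array sized from that count. Because the posted nargs() never looks at `max`, a sibling thread that lengthens the vector between the two calls makes the fill pass write past the array. The following is an added example, not SUSE's or the kernel's own code: nargs_vuln() keeps the control flow of the posted ia64 function (native pointers stand in for the get_user() reads of 32-bit addresses), nargs_safe() is an assumed hardened variant that honours `max`, and E2BIG_RET, ARG_LIMIT and the guard slots are stand-ins chosen for the demonstration.

```c
/* Added example, not SUSE's or the kernel's code: user-space model of the
 * count-then-fill pattern behind CVE-2005-1768. nargs_vuln() keeps the control
 * flow of the posted ia64 nargs() (native pointers replace get_user() reads of
 * 32-bit addresses); nargs_safe() is an assumed hardened variant. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define E2BIG_RET   (-7)  /* stand-in for the kernel's -E2BIG */
#define ARG_LIMIT   1024  /* assumed argument limit for the count pass */
#define GUARD_SLOTS 8     /* slack so the demo stays memory-safe; the real array had none */

typedef int (*nargs_fn)(char **arg, char **ap, int max);

/* Vulnerable: `max` is accepted but never checked, as in the posted code. */
static int nargs_vuln(char **arg, char **ap, int max)
{
    char *p;
    int n = 0;
    (void)max;
    if (!arg) return 0;
    do {
        p = *arg++;              /* next pointer from the user vector */
        if (ap) *ap++ = p;       /* fill pass: store into the kernel-side array */
        n++;
    } while (p);
    return n - 1;                /* entries before the NULL terminator */
}

/* Hardened: touches at most `max` slots; a vector that grew since the count
 * pass is rejected instead of being written past the array. */
static int nargs_safe(char **arg, char **ap, int max)
{
    char *p;
    int n = 0;
    if (!arg) return 0;
    do {
        if (n >= max) return E2BIG_RET;
        p = *arg++;
        if (ap) *ap++ = p;
        n++;
    } while (p);
    return n - 1;
}

static int last_overran;  /* 1 if the last fill pass wrote beyond its allocation */

/* Two-pass allocate-and-fill; `racer` mutates the user vector between the
 * passes, standing in for a sibling thread. Returns the fill pass result. */
static int compat_execve_model(nargs_fn nargs, char **uargv, void (*racer)(char **))
{
    int na, nb;
    size_t slots;
    char **kargv;

    last_overran = 0;
    na = nargs(uargv, NULL, ARG_LIMIT);        /* pass 1: count */
    if (na < 0) return na;
    slots = (size_t)na + 1;                    /* entries + terminator */
    kargv = calloc(slots + GUARD_SLOTS, sizeof *kargv);
    if (!kargv) return -1;
    if (racer) racer(uargv);                   /* the race window */
    nb = nargs(uargv, kargv, (int)slots);      /* pass 2: fill, bound = allocation */
    if (nb >= 0 && (size_t)nb + 1 > slots)
        last_overran = 1;                      /* more slots written than allocated */
    free(kargv);
    return nb;
}

static char *uvec[16];  /* constructed user argv with room for the racer to extend it */

static void reset_vec(void)
{
    memset(uvec, 0, sizeof uvec);
    uvec[0] = "prog"; uvec[1] = "a"; uvec[2] = "b";
}

/* Racing "thread": appends three arguments ahead of the NULL terminator. */
static void grow_vector(char **vec)
{
    int i = 0;
    while (vec[i]) i++;
    vec[i] = "c"; vec[i + 1] = "d"; vec[i + 2] = "e"; vec[i + 3] = NULL;
}

/* One scenario on a fresh vector; result in the return value, overrun in last_overran. */
static int run_case(nargs_fn nargs, int race)
{
    reset_vec();
    return compat_execve_model(nargs, uvec, race ? grow_vector : NULL);
}

int main(void)
{
    int r = run_case(nargs_vuln, 0);
    printf("vuln, no race: stored %d, overran %d\n", r, last_overran);
    r = run_case(nargs_vuln, 1);
    printf("vuln, raced  : stored %d, overran %d\n", r, last_overran);
    r = run_case(nargs_safe, 1);
    printf("safe, raced  : result %d (-7 = E2BIG), overran %d\n", r, last_overran);
    return 0;
}
```

Without the racer both variants store three entries into a four-slot array. With the racer, nargs_vuln() stores six entries into the same four slots (the GUARD_SLOTS padding is only there so the demonstration itself does not corrupt memory), while nargs_safe() bails out with E2BIG_RET as soon as it would read a fifth slot. This is the same property the reviewers asked Philipp to check by hand: a fixed kernel still passes 32bit argument vectors through intact, it just refuses to copy more of them than it allocated for.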
I am preparing a working 2.6 patch

I already have one, just testing.

Created attachment 39665 [details]
tested and working patch (on x86-64)

Philipp, can you please try this patch? I tested it on x86-64, but a quick test on ia64 would be good.

Can we get some traction here, please? This is a blocker, yet no activity for two days! Stefan, Philipp?

It just needs a quick test on ia64.

Working on it. Kernel is built, waiting for setup to be finished. I guess we'll have a result in approx. 30 minutes.

Just tested with Firefox on ia64 and the patch seems to work as it should.

But there is no reference to this Bugzilla in the SP2 kernel CVS!

I checked the patch in. Still need to fix it for all other kernels.

Created attachment 39949 [details]
2.4 patch for x86-64/ia64
Only lightly tested again.

Hubert, please apply to all necessary branches.

Created attachment 40061 [details]
New 2.4 patch
I tested the 2.4 patch on x86-64 now and it was indeed broken. Fixed version.

Hubert, can you apply the 2.4 patch to the SLES 8 kernel repo please?

Not in SP2 ... needs to be pushed out with next kernel update.

Fix is in all affected trees.

swampid: 1864

updates released

CVE-2005-1768: CVSS v2 Base Score: 3.7 (AV:L/AC:H/Au:N/C:P/I:P/A:P)
Created attachment 39007 [details]
Untested patch for 2.4 for ia64 and x86-64
Should easily apply to older 2.6 kernels like SLES too