Bug 91434 (CVE-2005-1913)

Summary: VUL-0: CVE-2005-1913: kernel: "zombie" itimer panics kernel
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: andreas.taschner, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-1913: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: itimer-patch.diff
thread_itimer.c
itimer-fix1.patch

Description Thomas Biege 2005-06-20 06:03:45 UTC 
rom: Chris Wright <chrisw@osdl.org>
To: vendor-sec@lst.de
User-Agent: Mutt/1.5.6i
Subject: [vendor-sec] kernel itimer local DoS
Errors-To: vendor-sec-admin@lst.de
Date: Sun, 19 Jun 2005 12:49:19 -0700

[-- Anhang #1 --]
[-- Typ: text/plain, Kodierung: 7bit, GröÃe: 2,3K --]

CAN-2005-1913

When a (non group-leader) thread exec's while an itimer is pending, the
timer expiry will signal a non-existant task (the old group-leader) and
panic the kernel.  This was discovered by Oleg Nesterov <oleg@tv-sign.ru>
and is assigned CAN-2005-1913.  Linus committed the fix below.  Attached
is a trivial example of exploiting the bug.  I haven't looked back beyond
2.6.11, but 2.6.11 and forward are certainly vulnerable.  I assume older
2.6 kernels have this issue as well.  I gave the exploit a quick run on
2.4 and it didn't cause any problems, but I haven't inspected the 2.4
code yet to verify whether it's safe or not.  I have this queued for the
-stable tree, and am currently planning to push this out on Wednesday
along with Tony Luck's ia64 patch.  Please yell if this is an issue.

thanks,
-chris
--

Author: Linus Torvalds <torvalds@ppc970.osdl.org>
Date: Sat, 18 Jun 2005 20:06:22 +0000 (-0700)
Source:
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c2a0f5943d8935766a42b2d0870aa4c645e3423d

  Clean up subthread exec

  Make sure we re-parent itimers, and use BUG_ON() instead of an explicit
  conditional BUG().

--- a/fs/exec.c
+++ b/fs/exec.c
[...]
Comment 1 Thomas Biege 2005-06-20 06:04:57 UTC 
Created attachment 39465 [details]
itimer-patch.diff
Comment 2 Thomas Biege 2005-06-20 06:05:27 UTC 
Created attachment 39466 [details]
thread_itimer.c

test case
Comment 3 Olaf Hering 2005-06-29 20:20:18 UTC 
doesnt trigger with 9.3 ga and sp2 rc4 on ppc64
Comment 4 Hubert Mantel 2005-07-04 11:42:28 UTC 
I assume this is already public, so I can add it to all trees?
Comment 5 Marcus Meissner 2005-07-04 11:48:31 UTC 
yes, please. only the 2.6 branches are affected.
Comment 6 Hubert Mantel 2005-07-18 15:02:33 UTC 
The patch does not apply at all to our SLES9 tree. And with regards to comment
#3 it seems we are not vulnerable here. The code looks quite different to newer
kernels.
Comment 7 Hubert Mantel 2005-07-19 09:11:30 UTC 
Seems that 9.3 is the only kernel vulnerable by this problem. Fix has been
committed to that tree.
Comment 8 Hubert Mantel 2005-07-19 12:40:50 UTC 
While the patch applies against our 9.3, it does not even compile. I will drop
the patch now. If somebody comes up with a working patch, we can re-consider
adding it.
Comment 9 Marcus Meissner 2005-08-15 14:16:28 UTC 
we need to test the exploit. 
 
9.3 has very different looking code.
Comment 10 Marcus Meissner 2005-08-18 13:20:06 UTC 
There seems to be a previous patch to this: 
http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5323125031799a7fd8602ce150c3902aedfdcba6 
 
 
[PATCH] reset real_timer target on exec leader change 
  
When a noninitial thread does exec, it becomes the new group leader.  If 
there is a ITIMER_REAL timer running, it points at the old group leader and 
when it fires it can follow a stale pointer.  The timer data needs to be 
reset to point at the exec'ing thread that is becoming the group leader. 
This has to synchronize with any concurrent firing of the timer to make 
sure that it_real_fn can never run when the data points to a thread that 
might have been reaped already. 
 
On july 12th 2005. 
 
 
even this comment suggests that the issue was there before.
Comment 11 Marcus Meissner 2005-08-18 13:22:52 UTC 
Created attachment 46481 [details]
itimer-fix1.patch

git extract
Comment 12 Marcus Meissner 2005-08-18 14:02:36 UTC 
atrually the last patch was added on July 12... so it is newer.
Comment 13 Marcus Meissner 2005-08-18 14:32:06 UTC 
inquired at vendor-sec. 
 
i am a bit at loss here.
Comment 14 Marcus Meissner 2005-08-19 11:20:57 UTC 
Waiting for more input...
Comment 15 Marcus Meissner 2005-08-23 13:55:35 UTC 
From: Chris Wright <chrisw@osdl.org> 
To: Marcus Meissner <meissner@suse.de> 
Cc: vendor-sec@lst.de, security@kernel.org 
User-Agent: Mutt/1.5.6i 
Subject: [vendor-sec] Re: [Security] kernel / itimer reparenting problems 
Errors-To: vendor-sec-admin@lst.de 
Date: Mon, 22 Aug 2005 11:53:08 -0700 
 
* Marcus Meissner (meissner@suse.de) wrote: 
> I am a bit at loss with the itimer reparenting problems. 
> The first one was mailed by Chris Wright to vendor-sec ... 
> With sample exploit, which I was not able to get running on a 2.6.11 or 
> earlier kernels. 
 
(This definitely killed 2.6.11 for me, but I vaguely recall Marcelo having 
some problem getting that to work as well, which I assumed to be lack of 
NPTL). 
 
> 
+http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h 
+=c2a0f5943d8935766a42b2d0870aa4c645e3423d 
> 
> |Clean up subthread exec 
> | 
> |Make sure we re-parent itimers, and use BUG_ON() instead of an explicit 
> |conditional BUG(). 
> 
> 
> Then this change happened a month ago which also seems security relevant, 
> but was announced: 
> 
> 
+http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=532 
+3125031799a7fd8602ce150c3902aedfdcba6 
> 
> |[PATCH] reset real_timer target on exec leader change 
> | 
> |When a noninitial thread does exec, it becomes the new group leader.  If 
> |there is a ITIMER_REAL timer running, it points at the old group leader and   
> |when it fires it can follow a stale pointer.  The timer data needs to be 
> |reset to point at the exec'ing thread that is becoming the group leader. 
> |This has to synchronize with any concurrent firing of the timer to make 
> |sure that it_real_fn can never run when the data points to a thread that 
> |might have been reaped already. 
> 
> The latter seems to be security critical too, correct? 
 
It's intended as a more complete version of same fix.  The first one 
still has a theoritical race (albeit a quite narrow window instead of 
a window as wide as you'd like). 
 
thanks, 
-chris
Comment 16 Chris L Mason 2005-08-29 18:41:16 UTC 
Reading the code, the main issue is that after the exec, the old group leader is gone   
without first removing any timers pending on his real_timer.   
   
I tried the exploit on a sles9 kernel and could not trigger the oops.   It isn't immediately  
clear why the oops isn't happening, looking through the code the timer is not being  
deleted.  My guess is that I'm happily stomping on ram somewhere. 
 
I think we need the patch from comment #11.  I'm changing around the exploit to make 
sure I can trigger/understand the bug.
Comment 17 Chris L Mason 2005-08-29 21:01:42 UTC 
Ok, I understand now.  We don't need to patch sles9 because real_timer lives in the task 
struct there.  The timer is properly deleted with the task exits. 
 
SL93 does have the bug.  I'm attaching a patch ported there.
Comment 18 Chris L Mason 2005-08-29 21:13:59 UTC 
I spoke too soon.  SL93 also has real_timer in the task struct.  I don't see how kernels 
without this patch can trigger. 
 
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/old-2.6-bkcvs.git;a=commit;h=1c4505555d420ca1678320b79a379dc6efc01705
Comment 19 Marcus Meissner 2005-08-30 09:53:06 UTC 
reinquired at vendorsec, security@kernel.org 
  
this patch is in 2.6.12-rc1 , it was not in 2.6.11.
Comment 20 Chris L Mason 2005-08-30 13:08:29 UTC 
Correct, which means there's a conflict between my analysis and comment #1.  Did 
vendorsec/security@kernel.org decide 2.6.11 was safe?
Comment 21 Marcus Meissner 2005-08-30 13:14:20 UTC 
still waiting for a reply.
Comment 22 Marcus Meissner 2005-08-31 08:17:15 UTC 
I just got this reply from Chris Wright, making this a non-issue for us. 
 
Date: Tue, 30 Aug 2005 11:42:08 -0700  
From: Chris Wright <chrisw@osdl.org>  
To: Marcus Meissner <meissner@suse.de>  
Cc: Chris Wright <chrisw@osdl.org>, Chris L Mason <mason@suse.de>,  
        Olaf Kirch <okir@suse.de>, vendor-sec@lst.de, security@kernel.org  
Subject: Re: [vendor-sec] Re: [Security] kernel / itimer reparenting problems     
User-Agent: Mutt/1.5.6i  
  
* Marcus Meissner (meissner@suse.de) wrote:   
> Chris Mason, Olaf Kirch and I had looks at this, and we think that this  
> started to be problematic with this BK change moving the itimers from  
> the task struct to where it is now.  
>  
>  
+http://www.kernel.org/git/?p=linux/kernel/git/torvalds/old-2.6-bkcvs.git;a=comm  
+it;h=1c4505555d420ca1678320b79a379dc6efc01705  
>  
> It appeared in 2.6.12-rc1, so it was _AFTER_ the 2.6.11 release.  
>  
> Can you confirm that you saw it with 2.6.11 vanilla?  
  
I just rebuilt from clean 2.6.11, and I cannot recreate it.  I must have  
had a kernel marked as 2.6.11 which was actually an updated bk pull (and  
2.6.12-rc1 wasn't out yet, so version didn't change).  This is my fault,  
sorry for confusion.  
  
thanks,  
-chris
Comment 23 Thomas Biege 2009-10-13 21:28:41 UTC 
CVE-2005-1913: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)