Bug 73701 (CVE-2005-1762) - VUL-0: CVE-2005-1762: kernel: AMD64 sysret local DoS
Summary: VUL-0: CVE-2005-1762: kernel: AMD64 sysret local DoS
Status: RESOLVED FIXED
Alias: CVE-2005-1762
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: x86-64 SLES 9
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2005-1764: CVSS v2 Base Score: 2....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-17 18:51 UTC by Andreas Kleen
Modified: 2021-09-25 14:35 UTC
CC List: 3 users

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Proposed patch (638 bytes, patch)
2005-03-21 14:34 UTC, Andreas Kleen
Additional patch needed for 9.3 (1.95 KB, patch)
2005-03-22 15:39 UTC, Andreas Kleen
Safer version of the originally proposed patch. (757 bytes, patch)
2005-06-01 09:51 UTC, Andreas Kleen
proposed patch for 2.4 based kernels (813 bytes, patch)
2005-06-01 12:12 UTC, Hubert Mantel

Comment 1 Ludwig Nussel 2005-03-18 08:28:53 UTC
I'll mark this bug as security internal as it's not public. Only sec-team and 
people in CC/assigned/reporter can read it. 
Comment 3 Andreas Kleen 2005-03-21 14:34:47 UTC
Created attachment 32446
Proposed patch

Proposed kernel patch to work around the hang problem. Check for non canonical
addresses in ptrace.

It would be good if someone from AMD could verify
that the check added matches the canonical checking in the CPU.
Comment 4 Andreas Kleen 2005-03-22 15:39:28 UTC
Created attachment 32562
Additional patch needed for 9.3

9.3 with 4level page tables needs an additional patch
to stop user programs from executing into non canonical
space and hanging the CPU.

This patch adds a 4K guard page at the end of the address space.
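The two fixes described in comments 3 and 4 (reject a non-canonical RIP written through ptrace, and reserve a 4K guard page at the top of user space so straight-line execution can never run off the end of a mapping into the non-canonical hole) can be modelled in a few lines. The block below is an added illustration written for this page, not the attached patches and not code from any SUSE or mainline tree; the constants VA_BITS, USER_VA_END and TASK_SIZE_GUARDED are assumptions for the 48-bit x86-64 layout under discussion, and the error value mirrors the kernel's -EIO convention.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed constants for a 48-bit x86-64 virtual address space (illustration,
 * not values read from any SUSE kernel tree). */
#define VA_BITS   48
#define PAGE_SIZE 4096ULL
/* One past the highest canonical user address: 0x0000800000000000. */
#define USER_VA_END (1ULL << (VA_BITS - 1))
/* Top of user space once the 4K guard page from comment 4 is reserved:
 * 0x00007ffffffff000. No user mapping may reach this page. */
#define TASK_SIZE_GUARDED (USER_VA_END - PAGE_SIZE)
#define EIO 5

/* The CPU's canonical rule: bits 63..VA_BITS-1 must all equal bit VA_BITS-1,
 * i.e. sign-extending the low VA_BITS bits must reproduce the address. */
bool is_canonical(uint64_t addr)
{
    const int shift = 64 - VA_BITS;
    return (uint64_t)(((int64_t)(addr << shift)) >> shift) == addr;
}

/* Model of the ptrace check from comment 3: a debugger writing RIP may only
 * install a canonical user address. A non-canonical RIP would otherwise be
 * loaded by sysret on the way back to user mode and trigger the hang. */
int ptrace_set_rip(uint64_t *regs_rip, uint64_t value)
{
    /* Anything >= USER_VA_END is either non-canonical or a kernel address;
     * one comparison rejects both, and it agrees with is_canonical() for
     * every value below the kernel half. */
    if (value >= USER_VA_END)
        return -EIO;
    *regs_rip = value;
    return 0;
}

/* Model of the guard page from comment 4: refuse any user mapping that would
 * touch the last page below the canonical boundary. */
int mmap_range_allowed(uint64_t start, uint64_t len)
{
    if (len == 0)
        return -EIO;
    if (start + len < start)          /* wrap-around */
        return -EIO;
    if (start + len > TASK_SIZE_GUARDED)
        return -EIO;
    return 0;
}

/* Would executing len bytes of straight-line code starting at start make
 * the next instruction fetch land at a non-canonical address? That fetch is
 * what the erratum turns into a processor hang. */
bool execution_crosses_hole(uint64_t start, uint64_t len)
{
    uint64_t next = start + len;      /* address of the next fetch */
    if (next < start)
        return true;
    return is_canonical(start) && !is_canonical(next);
}

int main(void)
{
    uint64_t rip = 0;
    printf("0x800000000000 canonical: %d\n", is_canonical(0x800000000000ULL));
    printf("ptrace RIP=0x800000000000 -> %d\n",
           ptrace_set_rip(&rip, 0x800000000000ULL));
    printf("map last page below hole -> %d\n",
           mmap_range_allowed(TASK_SIZE_GUARDED, PAGE_SIZE));
    printf("16 bytes at 0x7ffffffffff0 cross hole: %d\n",
           execution_crosses_hole(0x7ffffffffff0ULL, 16));
    return 0;
}
```

Without the guard page, mmap_range_allowed would accept a mapping ending exactly at USER_VA_END, and execution_crosses_hole shows that code placed in that last page reaches the hole with a single straight-line run; with it, no user page can be adjacent to the boundary.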
Comment 5 Marcus Meissner 2005-03-23 08:59:11 UTC
no answer yet... so it won't make 9.3 master. 
Comment 6 Marcus Meissner 2005-04-08 08:16:29 UTC
bodo has brought up this issue again with AMD this week. 
Comment 7 Marcus Meissner 2005-04-11 12:51:14 UTC
sp2 deadline is approaching fast... would be good to have it in. 
Comment 8 Mark Langsdorf 2005-04-13 17:17:34 UTC
We will make this public by April 30th, 2005.
Comment 9 Marcus Meissner 2005-04-15 10:30:59 UTC
Thanks! 
 
do you have a CAN number we can cite then? 
Comment 10 Mark Langsdorf 2005-04-18 17:34:36 UTC
No, but you can look at Errata 121 at http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/25759.pdf

If you decide to forward that link to the LKML, please copy Rich Brunner 
(richard.brunner@amd.com) when you do because the Errata text is a bit unclear 
and he'd like to explain it.
Comment 11 Marcus Meissner 2005-04-25 12:09:11 UTC
local denial of service attack, so it's at most major I think. 
Comment 12 Andreas Kleen 2005-05-09 20:56:27 UTC
Mark, I assume you made it public now and will send it soon to mainline
(this evening). Please complain if not.

Marcus, it would need to be included into a security update.
Comment 13 Marcus Meissner 2005-05-10 07:35:27 UTC
andi, if the patch is good, either apply to all relevant branches 
or we can have hubert do it ;) 
Comment 14 Marcus Meissner 2005-05-10 11:15:17 UTC
hubert, can you please apply the attached patches to all active branches with 
amd64 support? (all except 8.2 and SLEC I think) 
Comment 15 Hubert Mantel 2005-05-10 12:02:47 UTC
Can I do this already right now or is there some embargo? Think kotd!
Comment 16 Hubert Mantel 2005-05-13 15:02:09 UTC
No answer, so I will go ahead. to sum things up:
All (older) 2.6 based kernels (< 2.6.11) only need ptrace-canonical
The 9.3 kernel needs ptrace-canonical _AND_ guard-page
Right?

What about 2.4 based trees? There is SLES8...
Comment 17 Andreas Kleen 2005-05-13 15:05:21 UTC
Yes, correct. 2.4 also needs ptrace-canonical.
In addition all kernels need ptrace-check-segment (different bug number). But 
it is in related code so you can do it in one go.

Comment 18 Hubert Mantel 2005-05-13 15:11:36 UTC
What the heck is "ptrace-check-segment"? I cannot find a patch with that name in
any of our trees. And the information "different bug number" is totally useless :(
Comment 19 Andreas Kleen 2005-05-13 15:24:27 UTC
Sorry, it's #83143
Comment 20 Hubert Mantel 2005-05-13 15:28:26 UTC
Aeh, isn't that exactly the same patch as in comment #3?
Comment 21 Hubert Mantel 2005-05-13 15:32:21 UTC
Fix(es) ha(s|ve) been committed to all trees.
Comment 22 Andreas Kleen 2005-05-13 15:33:02 UTC
Oops, indeed. I attached the wrong patch :-/ Fix in a jiffie.
Comment 23 Andreas Gruenbacher 2005-05-19 16:00:56 UTC
Andi, the patch from comment 4 appears to break things (bug 84587). 
Comment 24 Ludwig Nussel 2005-05-19 16:20:54 UTC
so I guess the current update packages for released distros are broken as  
well? Please tell Hubert the correct patch so he can submit new packages. 
Comment 25 Heiko Rommel 2005-05-30 15:07:47 UTC
While QA testing the update package for SLES9 (012927c610add3677c52ec3a28a1648d, 
kernel-default-2.6.5-7.155.23), I found that the DoS given at comment #2 still
works.

Please advise.
Comment 26 Andreas Kleen 2005-05-30 16:42:26 UTC
That's because the patch was disabled in most trees because the original
version was broken.
Comment 27 Andreas Kleen 2005-05-31 13:59:13 UTC
I believe it should be fixed in 9.3 and HEAD now.
Comment 28 Heiko Rommel 2005-06-01 09:06:55 UTC
Does this mean it won't be fixed for SLES9 ?
Comment 29 Andreas Kleen 2005-06-01 09:12:13 UTC
No, that one should be fixed for 9.2 and SLES9 too
I think I was confused in comment #27.
Comment 30 Ludwig Nussel 2005-06-01 09:27:30 UTC
so the current sles9 update misses this fix? But apart from that the kernel 
works? 
Comment 31 Hubert Mantel 2005-06-01 09:33:14 UTC
Sorry, I'm totally lost now. Please check all the existing trees and/or advise
which patch should go into which tree.
Comment 32 Andreas Kleen 2005-06-01 09:51:11 UTC
Created attachment 38432
Safer version of the originally proposed patch.
Comment 33 Andreas Kleen 2005-06-01 09:52:40 UTC
Hi Hubert,

The patch in comment #32 still needs to get into all branches. Can you please
do that?
Comment 34 Hubert Mantel 2005-06-01 12:12:39 UTC
Created attachment 38441
proposed patch for 2.4 based kernels

Andi, since your patch does not apply against our 2.4 based trees, does
attached version look correct to you?
Comment 35 Hubert Mantel 2005-06-01 12:19:22 UTC
Fixes have been committed to all trees.
Comment 36 Andreas Kleen 2005-06-01 12:22:57 UTC
Yes, the 2.4 patch is fine.
Comment 37 Marcus Meissner 2005-06-02 12:24:45 UTC
is the guardpage patch only needed on 9.3? 
 
9.3/patches.fixes/x86_64-sysret-fix  only contains 1 patched file, not all 3? 
Comment 38 Hubert Mantel 2005-06-02 12:30:23 UTC
Just read comment #23  :)
Comment 39 Olaf Kirch 2005-06-07 09:43:28 UTC
Security team, is this still blocking SLES9 SP2? If not, can we change it 
to RESOLVED or at least change severity/target appropriately? 
Comment 40 Ludwig Nussel 2005-06-07 10:01:28 UTC
AFAICS the fix is in 9.1/BETA so it's not blocking SP2. 
2.6 kernels for released products are in qa. 
Comment 41 Ludwig Nussel 2005-06-08 16:07:11 UTC
ptrace-canonical   CAN-2005-1762 
x86_64-sysret-fix  CAN-2005-1764 
Comment 42 Ludwig Nussel 2005-06-09 12:49:03 UTC
updates released 
Comment 43 Thomas Biege 2009-10-13 21:11:48 UTC
CVE-2005-1764: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)