oss-sec mailing list archives
Re: CVE-2014-4699: Linux ptrace bug
From: Solar Designer <solar () openwall com>
Date: Wed, 9 Jul 2014 10:38:13 +0400
On Tue, Jul 08, 2014 at 03:15:47PM -0700, Andy Lutomirski wrote:
> In the event that anyone changes TASK_SIZE_MAX to equal the first non-canonical address, then this is the least of your worries: someone can put a syscall instruction at the very last canonical address, and game over.
You're right.
> This bug affected a lot of operating systems a few years ago, but AFAIK Linux was never vulnerable.
Looks like it was until 2.6.11.11:

http://lwn.net/Articles/137821/

Andi Kleen:

[...]
o x86_64: Add a guard page at the end of the 47bit address space
o x86_64: Fix canonical checking for segment registers in ptrace
o x86_64: check if ptrace RIP is canonical

http://www.x86-64.org/pipermail/discuss/2005-May/006031.html

https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/stable-queue/+/9cb395089b0a1aeaabd7900437c146a45a7ff067/2.6.11.11/x86_64-add-guard-page.patch

"Add a guard page at the end of the 47bit address space. This works around a bug in the AMD K8 CPUs."

https://access.redhat.com/security/cve/CVE-2005-1762

"The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform allows local users to cause a denial of service (kernel crash) via a "non-canonical" address."

So apparently the ptrace attack vector was tracked as CVE-2005-1762 at the time, whereas TASK_SIZE being equal to the first non-canonical address and triggering "a bug in the AMD K8 CPUs" (the known impact at the time, whatever it was) wasn't tracked as a security issue.

Also related:

"Bug 437712 - ptrace: PTRACE_SETREGS does not set RIP"
https://bugzilla.redhat.com/show_bug.cgi?id=437712

(some discussion of an earlier fix at ptrace level, NOTABUG by that time).

Alexander
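Added example, not part of this thread and not taken from the kernel sources: a small C model of the two checks the messages above refer to, the canonical-address rule that ptrace applies to a tracer-supplied RIP, and the guard page that keeps the user address-space limit one page short of the first non-canonical address, which is what Andy's "syscall at the very last canonical address" remark is about. The 48-bit virtual-address width, the 4 KiB page size, the 15-byte maximum instruction length and all function names are assumptions of the example; the constants are illustrative and not copied from kernel headers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed x86-64 parameters for this model (not kernel constants). */
#define VA_BITS        48
#define PAGE_SIZE      4096ULL
#define MAX_INSN_LEN   15                      /* longest x86-64 instruction */
/* First non-canonical address when the CPU implements 48 virtual-address bits. */
#define NONCANON_START (1ULL << (VA_BITS - 1)) /* 0x0000800000000000 */

/* Canonical form: bits 63..47 must all be copies of bit 47, so the 17 top
 * bits are either all zero (user half) or all one (kernel half). */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);
    return top == 0 || top == (1ULL << (64 - VA_BITS + 1)) - 1;
}

/* Model of the ptrace-side check added in 2.6.11.11: a RIP supplied through
 * PTRACE_SETREGS/POKEUSR is accepted only if it is canonical and lies below
 * the user address-space limit. */
bool ptrace_rip_ok(uint64_t rip, uint64_t task_size_max)
{
    return is_canonical(rip) && rip < task_size_max;
}

/* Andy Lutomirski's point, as a property of the limit itself: every
 * instruction that can start below task_size_max must also end at a canonical
 * address, otherwise an instruction placed at the top of the last mappable
 * page leaves the next RIP in the non-canonical hole. A limit equal to the
 * first non-canonical address fails this; one that stops a page short passes. */
bool limit_leaves_canonical_return(uint64_t task_size_max)
{
    uint64_t last_insn_start = task_size_max - 1;               /* highest start byte */
    uint64_t worst_next_rip  = last_insn_start + MAX_INSN_LEN;  /* worst-case following RIP */
    return is_canonical(last_insn_start) && is_canonical(worst_next_rip);
}

int main(void)
{
    uint64_t with_guard    = NONCANON_START - PAGE_SIZE;  /* 0x00007ffffffff000 */
    uint64_t without_guard = NONCANON_START;

    printf("limit %#llx leaves canonical return: %s\n",
           (unsigned long long)with_guard,
           limit_leaves_canonical_return(with_guard) ? "yes" : "no");
    printf("limit %#llx leaves canonical return: %s\n",
           (unsigned long long)without_guard,
           limit_leaves_canonical_return(without_guard) ? "yes" : "no");
    printf("ptrace RIP %#llx accepted: %s\n",
           (unsigned long long)NONCANON_START,
           ptrace_rip_ok(NONCANON_START, with_guard) ? "yes" : "no");
    return 0;
}
```

The two checks are deliberately separate: `ptrace_rip_ok` is what stops a tracer from installing a non-canonical RIP directly, while `limit_leaves_canonical_return` is the layout property that keeps ordinary execution from reaching the hole without any tracer involved, which is why the guard page and the ptrace check were shipped together.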