Re: Linux kernel race condition with PTRACE_SETREGS (CVE-2013-0871)

[Julien Tinnes <julien () cr0 org>]

On Sat, Feb 16, 2013 at 2:49 AM, Solar Designer <solar () openwall com> wrote:
> I haven't looked into this closely yet, but at first glance it looks
> like the worst Linux kernel vulnerability in a few years.

The good news is that the race is not trivial to win in an exploit. It
also requires access to ptrace() (but unfortunately most distros don't
limit ptrace()).

> For distro
> vendor kernels (rather than mainline, which was patched almost a month
> ago), this is a 0-day.  We need to figure out a few things:
>
> What's the oldest affected kernel version?

I didn't spend much time looking at that, but I think it may pre-date 2.6.

> Which "stable" and distro vendor kernels are affected?  This does not
> appear to be e.g. on Red Hat's Bugzilla yet ... but it's already on HN:

I don't know, but probably all / most ?

> Are all architectures affected?  The ptrace code in the kernel is
> naturally somewhat arch-specific, so _maybe_ not all are affected.

We don't know of any other architecture other that x86 affected, but
again, I don't think anyone spent time trying to figure this out. It's
possible that the same mistake was made on another architecture.

> The mainline commits from January are by Oleg Nesterov of Red Hat.  Why
> wasn't(?) the issue handled with due severity within Red Hat, then -
> such that Red Hat would at the very least have a statement on whether
> and which of their kernels are affected by now.  My guess is that the
> full severity of the issue might not have been understood by Oleg at the
> time, but it's only a guess.

That's the eternal debate :) Since upstream doesn't want to handle
security and disclosure, I sure wish that distro vendors could
regroup, step-up and do it.

As for why it took so long for me to send this e-mail after the patch
went public: there is no good answer, mostly we were busy with other
things. Sorry about that.

Julien