oss-sec mailing list archives
Re: CVE-2014-4699: Linux ptrace bug
From: Andy Lutomirski <luto () amacapital net>
Date: Tue, 08 Jul 2014 15:15:47 -0700
On 07/05/2014 12:35 PM, Solar Designer wrote:
> Andy, all -
>
> On Sat, Jul 05, 2014 at 10:25:47PM +0400, Solar Designer wrote:
>> "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
> [...]
>> "CVE-2014-4699 Kernel: x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX"
>
> BTW, I'm not convinced it's such a good idea to allow setting RIP to
> exactly TASK_SIZE_MAX just because user code could run to that address
> (this was Andy's rationale). Imagine that TASK_SIZE_MAX is ever set
> such that it's the very first non-canonical address. If user code
> simply runs to that address, it gets a user mode fault. However, if the
> kernel tries to set user RIP to that address via SYSRET, it'll get #GP
> while still in kernel mode - exactly the problem we're trying to fix.
> So when fixing the problem in this way, or when including this as a
> hardening measure along with forcing the IRET path as well, I'd prefer
> to allow only "< TASK_SIZE_MAX", not "<= TASK_SIZE_MAX".
In the event that anyone changes TASK_SIZE_MAX to equal the first non-canonical address, then this is the least of your worries: someone can put a syscall instruction at the very last canonical address, and game over. This bug affected a lot of operating systems a few years ago, but AFAIK Linux was never vulnerable. --Andy
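The boundary argument in the quoted message, worked through as an added example in C (not code from this thread or from the kernel). It assumes 4-level paging, so an address is canonical when bits 63..47 are all equal, and the upstream x86_64 value TASK_SIZE_MAX = (1UL << 47) - PAGE_SIZE; it models how the "<=" and "<" ptrace checks behave both with that value and with the hypothetical configuration where TASK_SIZE_MAX is the first non-canonical address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not from the thread): 4-level paging, 4 KiB pages. */
#define PAGE_SIZE           4096UL
#define VA_BITS             48
#define FIRST_NONCANONICAL  (1UL << (VA_BITS - 1))            /* 0x800000000000 */
#define LINUX_TASK_SIZE_MAX (FIRST_NONCANONICAL - PAGE_SIZE)  /* 0x7ffffffff000 */

/* Canonical: the top 64-VA_BITS+1 bits are all zero or all one. */
static bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);
    return top == 0 || top == (UINT64_MAX >> (VA_BITS - 1));
}

/* SYSRET loads RIP from RCX and raises #GP in kernel mode if it is non-canonical. */
static bool sysret_would_fault(uint64_t rip) { return !is_canonical(rip); }

/* The two candidate checks discussed in the thread. */
enum rip_policy { RIP_LE_TASK_SIZE_MAX, RIP_LT_TASK_SIZE_MAX };

static bool ptrace_rip_allowed(uint64_t rip, uint64_t task_size_max, enum rip_policy p)
{
    return p == RIP_LE_TASK_SIZE_MAX ? rip <= task_size_max : rip < task_size_max;
}

/* A policy is safe for a given TASK_SIZE_MAX if every RIP it admits is canonical.
 * The admitted set is [0, highest], so only the highest admitted value matters. */
static bool policy_is_safe(uint64_t task_size_max, enum rip_policy p)
{
    uint64_t highest = p == RIP_LE_TASK_SIZE_MAX ? task_size_max : task_size_max - 1;
    return !sysret_would_fault(highest) && highest < FIRST_NONCANONICAL;
}

int main(void)
{
    uint64_t configs[2] = { LINUX_TASK_SIZE_MAX, FIRST_NONCANONICAL };
    for (int i = 0; i < 2; i++) {
        printf("TASK_SIZE_MAX=%#llx: '<=' safe=%d, '<' safe=%d\n",
               (unsigned long long)configs[i],
               policy_is_safe(configs[i], RIP_LE_TASK_SIZE_MAX),
               policy_is_safe(configs[i], RIP_LT_TASK_SIZE_MAX));
    }
    return 0;
}
```

With the real TASK_SIZE_MAX both checks only admit canonical values; with the hypothetical boundary value, only the "<" check does.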