Re: CVE-2014-4699: Linux ptrace bug

[Andy Lutomirski <luto () amacapital net>]

On 07/05/2014 12:35 PM, Solar Designer wrote:
> Andy, all -
>
> On Sat, Jul 05, 2014 at 10:25:47PM +0400, Solar Designer wrote:
> > "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
> [...]
> > "CVE-2014-4699 Kernel: x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX"
>
> BTW, I'm not convinced it's such a good idea to allow setting RIP to
> exactly TASK_SIZE_MAX just because user code could run to that address
> (this was Andy's rationale).  Imagine that TASK_SIZE_MAX is ever set
> such that it's the very first non-canonical address.  If user code
> simply runs to that address, it gets a user mode fault.  However, if the
> kernel tries to set user RIP to that address via SYSRET, it'll get #GP
> while still in kernel mode - exactly the problem we're trying to fix.
>
> So when fixing the problem in this way, or when including this as a
> hardening measure along with forcing the IRET path as well, I'd prefer
> to allow only "< TASK_SIZE_MAX", not "<= TASK_SIZE_MAX".

In the event that anyone changes TASK_SIZE_MAX to equal the first
non-canonical address, then this is the least of your worries: someone
can put a syscall instruction at the very last canonical address, and
game over.

This bug affected a lot of operating systems a few years ago, but AFAIK
Linux was never vulnerable.

--Andy