oss-sec mailing list archives

Re: CVE-2014-4699: Linux ptrace bug


From: Solar Designer <solar () openwall com>
Date: Wed, 9 Jul 2014 10:38:13 +0400

On Tue, Jul 08, 2014 at 03:15:47PM -0700, Andy Lutomirski wrote:
> In the event that anyone changes TASK_SIZE_MAX to equal the first
> non-canonical address, then this is the least of your worries: someone
> can put a syscall instruction at the very last canonical address, and
> game over.

You're right.

> This bug affected a lot of operating systems a few years ago, but AFAIK
> Linux was never vulnerable.

Looks like it was until 2.6.11.11:

http://lwn.net/Articles/137821/

Andi Kleen:
[...]
  o x86_64: Add a guard page at the end of the 47bit address space
  o x86_64: Fix canonical checking for segment registers in ptrace
  o x86_64: check if ptrace RIP is canonical

http://www.x86-64.org/pipermail/discuss/2005-May/006031.html
https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/stable-queue/+/9cb395089b0a1aeaabd7900437c146a45a7ff067/2.6.11.11/x86_64-add-guard-page.patch

"Add a guard page at the end of the 47bit address space.

This works around a bug in the AMD K8 CPUs."

https://access.redhat.com/security/cve/CVE-2005-1762

"The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64
platform allows local users to cause a denial of service (kernel crash)
via a "non-canonical" address."

So apparently the ptrace attack vector was tracked as CVE-2005-1762 at
the time, whereas TASK_SIZE being equal to the first non-canonical
address and triggering "a bug in the AMD K8 CPUs" (the known impact at
the time, whatever it was) wasn't tracked as a security issue.

Also related:

"Bug 437712 - ptrace: PTRACE_SETREGS does not set RIP"
https://bugzilla.redhat.com/show_bug.cgi?id=437712

(some discussion of an earlier fix at ptrace level, NOTABUG by that time).

Alexander
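The two checks the thread turns on, written out as an added C example (this is not code from the thread, from the kernel, or from the patches linked above): `is_canonical()` implements the x86_64 rule that bits 63..47 of a virtual address must all match, `user_rip_allowed()` mirrors the shape of the ptrace fix (reject a RIP at or above TASK_SIZE_MAX), and `last_user_syscall_returns_canonical()` shows why the guard page matters: with TASK_SIZE_MAX set to the first non-canonical address, a 2-byte `syscall` at the very top of user space returns to a non-canonical RIP, while the kernel's real value of `(1 << 47) - PAGE_SIZE` keeps the return address canonical. The constants `PAGE_SIZE`, `VA_BITS` and `SYSCALL_INSN_LEN` are ordinary x86_64 values; the function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL
#define VA_BITS 47                               /* user half of a 48-bit VA space */
#define FIRST_NONCANONICAL (1ULL << VA_BITS)     /* 0x0000800000000000 */
#define TASK_SIZE_MAX_GUARDED (FIRST_NONCANONICAL - PAGE_SIZE) /* kernel's x86_64 value */
#define SYSCALL_INSN_LEN 2ULL                    /* "0f 05" is two bytes */

/* x86_64 canonical form: bits 63..47 are all copies of bit 47, i.e. the
 * 17-bit field (addr >> 47) is either all zeros or all ones. */
bool is_canonical(uint64_t addr)
{
	uint64_t upper = addr >> VA_BITS;
	return upper == 0 || upper == (UINT64_MAX >> VA_BITS);
}

/* Shape of the ptrace-level check: a debugger may only set a RIP that lies
 * strictly below the tracee's TASK_SIZE_MAX. Returning false here is where a
 * kernel would hand back -EIO instead of loading the register. */
bool user_rip_allowed(uint64_t rip, uint64_t task_size_max)
{
	return rip < task_size_max;
}

/* After SYSCALL the CPU saves the address of the following instruction. */
uint64_t syscall_return_address(uint64_t insn_addr)
{
	return insn_addr + SYSCALL_INSN_LEN;
}

/* Place a syscall instruction at the highest user address a given
 * TASK_SIZE_MAX permits and ask whether the return address is canonical. */
bool last_user_syscall_returns_canonical(uint64_t task_size_max)
{
	uint64_t last_insn = task_size_max - SYSCALL_INSN_LEN;
	return is_canonical(syscall_return_address(last_insn));
}

int main(void)
{
	/* Constructed sample addresses, not taken from any real process. */
	uint64_t probes[] = { 0x0000400000001000ULL, 0x00007ffffffff000ULL,
	                      0x0000800000000000ULL, 0xffff800000000000ULL };
	for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
		printf("%#018llx canonical=%d ptrace-settable=%d\n",
		       (unsigned long long)probes[i], is_canonical(probes[i]),
		       user_rip_allowed(probes[i], TASK_SIZE_MAX_GUARDED));

	printf("TASK_SIZE_MAX = first non-canonical: top syscall returns canonical? %d\n",
	       last_user_syscall_returns_canonical(FIRST_NONCANONICAL));
	printf("TASK_SIZE_MAX = (1<<47) - PAGE_SIZE:  top syscall returns canonical? %d\n",
	       last_user_syscall_returns_canonical(TASK_SIZE_MAX_GUARDED));
	return 0;
}
```

The second pair of lines printed by `main` is the whole argument of the quoted paragraph in two booleans: without the guard page the answer is 0, with it the answer is 1.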