Re: CVE-2014-4699: Linux ptrace bug

[Yves-Alexis Perez <corsac () debian org>]

On sam., 2014-07-05 at 22:51 +0400, Solar Designer wrote:
> Maybe it's just me, but I find the above ambiguous.

Sorry.
> What exactly do you mean by "crash" and "panic" above?  How do you
> know
> it's a double fault?
> What appears in dmesg on the first system, 

I don't have the dmesg, only a smartphone photo. It says:

PANIC: double faute, error_code: 0x0
Kernel panic - not syncing: Machine halted
CPU 1: PID: 26960 Comm: ptraace Not tainted 3.14-1-amd64 #1 Debian 3.14.9-1

> and
> what on the second system?  

[  127.690932] double fault: 0000 [#1] SMP 
[  127.691029] CPU 1 
[  127.691069] Modules linked in: cpufreq_userspace cpufreq_powersave cpufreq_conservative cpufreq_stats bnep rfcomm 
bluetooth parport_pc parport ip6table_filter ip6_tables xt_helper ipt_LOG xt_tcpudp xt_pkttype nf_conntrack_ipv4 
nf_defrag_ipv4 xt_state xt_addrtype iptable_filter ip_tables x_tables fuse ext2 nf_conntrack_ftp nf_conntrack 
tp_smapi(O) thinkpad_ec(O) ecryptfs kvm_intel kvm usbhid hid arc4 sg sr_mod cdrom snd_hda_codec_analog iwl4965 
ata_generic snd_hda_intel iwl_legacy ata_piix snd_hda_codec mac80211 thinkpad_acpi nvram uhci_hcd pcmcia snd_hwdep 
snd_pcm snd_page_alloc cfg80211 ehci_hcd snd_seq snd_seq_device snd_timer snd usbcore rfkill yenta_socket ac battery 
tpm_tis tpm coretemp soundcore tpm_bios e1000e iTCO_wdt usb_common i2c_i801 pcmcia_rsrc iTCO_vendor_support pcmcia_core 
power_supply psmouse serio_raw wmi evdev ext4 crc16 mbcache jbd2 cryptd aes_x86_64 aes_generic xts gf128mul dm_crypt 
dm_mod sd_mod crc_t10dif i915 thermal acpi_cpufreq mperf ahci libahci video libata scsi_mod processor i2c_algo_bit 
drm_kms_helper drm button i2c_core thermal_sys
[  127.693595] 
[  127.693631] Pid: 3893, comm: ptrace Tainted: G           O 3.2.0-4-amd64 #1 Debian 3.2.57-3+deb7u2 LENOVO 
8897CTO/8897CTO
[  127.693840] RIP: 0010:[<ffffffff81354c73>]  [<ffffffff81354c73>] sysret_check+0x57/0x5a
[  127.693995] RSP: 0018:00007fff2e68a230  EFLAGS: 00010046
[  127.694089] RAX: 0000000000000f36 RBX: 0000000000000000 RCX: 0001000000000000
[  127.694212] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[  127.694336] RBP: 00007fff2e68a250 R08: 0000000000000f35 R09: 0000000000000f35
[  127.694458] R10: 00007f17e6c9f9d0 R11: 0000000000000246 R12: 0000000000000000
[  127.694581] R13: 00007fff2e68a3f0 R14: 0000000000000000 R15: 0000000000000000
[  127.694705] FS:  00007f17e6c9f700(0000) GS:ffff8800be500000(0000) knlGS:0000000000000000
[  127.694844] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  127.694915] CR2: 00007fff2e68a228 CR3: 00000000b917d000 CR4: 00000000000006e0
[  127.694915] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  127.694915] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  127.694915] Process ptrace (pid: 3893, threadinfo ffff88007ff56000, task ffff8800b89e0780)
[  127.694915] Stack:
[  127.694915]  0000000000000000 0000000000400670 00007fff2e68a3f0 0000000000000000
[  127.694915]  00007fff2e68a310 000000000040090f 0000000100000006 00007fff2e68a2fe
[  127.694915]  00000000000000bf 0000000000400444 00007fff2e68a2fe 00007f17e67a836c
[  127.694915] Call Trace:
[  127.694915] Code: 08 4c 8b 4c 24 10 4c 8b 44 24 18 48 8b 44 24 20 48 8b 54 24 30 48 8b 74 24 38 48 8b 7c 24 40 65 48 
8b 24 25 00 bf 00 00 0f 01 f8 <48> 0f 07 0f ba e2 03 73 11 fb 66 66 66 90 66 66 90 57 e8 2a 9e 
[  127.694915] RIP  [<ffffffff81354c73>] sysret_check+0x57/0x5a
[  127.694915]  RSP <00007fff2e68a230>
[  127.694915] ---[ end trace 0585c7d1a1a4e1cf ]---

And the system is usable after that.

> What's the value of the kernel.panic_on_oops
> sysctl, and is it the same on both systems?

0 in both cases.

Regards,
-- 
Yves-Alexis

Attachment: signature.asc
Description: This is a digitally signed message part