oss-sec mailing list archives
Re: CVE-2014-4699: Linux ptrace bug
From: Solar Designer <solar () openwall com>
Date: Tue, 8 Jul 2014 22:24:40 +0400
On Tue, Jul 08, 2014 at 04:52:43PM +0400, Solar Designer wrote:
> Anyway, let me ask: Red Hat, how do you know RHEL5 kernels are not vulnerable, whereas RHEL6 are? There must have been some analysis to arrive at these conclusions. This will be very helpful to know for downstream projects (as it relates to your kernels), including OpenVZ and Owl.
Petr Matousek has now clarified this as follows:

https://bugzilla.redhat.com/show_bug.cgi?id=1115927#c14

"Red Hat Enterprise Linux 5 uses utrace which sets TIF_SIGPENDING when stopping the tracee and that is why iret path is always taken on return to user space."

Thanks, Petr!

I think Petr is referring to kernel/utrace.c: quiesce() calling "set_tsk_thread_flag(target, TIF_SIGPENDING);" when it is called with interrupt=0, which it is from two places in utrace_set_flags(). utrace_set_flags() is called from kernel/ptrace.c: ptrace_update() and ptrace_report(). There are many calls to these; I guess the relevant one is to ptrace_update() from ptrace_setup_finish(), which is in turn called from ptrace_traceme(), ptrace_attach(), and ptrace_clone_setup().

I wouldn't vouch that there's no bypass, but I hope Red Hat's analysis is correct.

Alexander