Re: CVE-2014-4699: Linux ptrace bug

[Solar Designer <solar () openwall com>]

On Tue, Jul 08, 2014 at 04:52:43PM +0400, Solar Designer wrote:
> Anyway, let me ask: Red Hat, how do you know RHEL5 kernels are not
> vulnerable, whereas RHEL6 are?  There must have been some analysis to
> arrive at these conclusions.  This will be very helpful to know for
> downstream projects (as it relates to your kernels), including OpenVZ
> and Owl.

Petr Matousek has now clarified this as follows:

https://bugzilla.redhat.com/show_bug.cgi?id=1115927#c14

"Red Hat Enterprise Linux 5 uses utrace which sets TIF_SIGPENDING when
stopping the tracee and that is why iret path is always taken on return
to user space."

Thanks, Petr!

I think Petr is referring to kernel/utrace.c: quiesce() calling
"set_tsk_thread_flag(target, TIF_SIGPENDING);" when it is called with
interrupt=0, which it is from two places in utrace_set_flags().
utrace_set_flags() is called from kernel/ptrace.c: ptrace_update() and
ptrace_report().  There are many calls to these; I guess the relevant
one is to ptrace_update() from ptrace_setup_finish(), which is in turn
called from ptrace_traceme(), ptrace_attach(), and ptrace_clone_setup().

I wouldn't vouch that there's no bypass, but I hope Red Hat's analysis
is correct.

Alexander