Date: Tue, 8 Jul 2014 22:24:40 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2014-4699: Linux ptrace bug On Tue, Jul 08, 2014 at 04:52:43PM +0400, Solar Designer wrote: > Anyway, let me ask: Red Hat, how do you know RHEL5 kernels are not > vulnerable, whereas RHEL6 are? There must have been some analysis to > arrive at these conclusions. This will be very helpful to know for > downstream projects (as it relates to your kernels), including OpenVZ > and Owl. Petr Matousek has now clarified this as follows: https://bugzilla.redhat.com/show_bug.cgi?id=1115927#c14 "Red Hat Enterprise Linux 5 uses utrace which sets TIF_SIGPENDING when stopping the tracee and that is why iret path is always taken on return to user space." Thanks, Petr! I think Petr is referring to kernel/utrace.c: quiesce() calling "set_tsk_thread_flag(target, TIF_SIGPENDING);" when it is called with interrupt=0, which it is from two places in utrace_set_flags(). utrace_set_flags() is called from kernel/ptrace.c: ptrace_update() and ptrace_report(). There are many calls to these; I guess the relevant one is to ptrace_update() from ptrace_setup_finish(), which is in turn called from ptrace_traceme(), ptrace_attach(), and ptrace_clone_setup(). I wouldn't vouch that there's no bypass, but I hope Red Hat's analysis is correct. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ