Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 8 Jul 2014 22:24:40 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-4699: Linux ptrace bug

On Tue, Jul 08, 2014 at 04:52:43PM +0400, Solar Designer wrote:
> Anyway, let me ask: Red Hat, how do you know RHEL5 kernels are not
> vulnerable, whereas RHEL6 are?  There must have been some analysis to
> arrive at these conclusions.  This will be very helpful to know for
> downstream projects (as it relates to your kernels), including OpenVZ
> and Owl.

Petr Matousek has now clarified this as follows:

https://bugzilla.redhat.com/show_bug.cgi?id=1115927#c14

"Red Hat Enterprise Linux 5 uses utrace which sets TIF_SIGPENDING when
stopping the tracee and that is why iret path is always taken on return
to user space."

Thanks, Petr!

I think Petr is referring to kernel/utrace.c: quiesce() calling
"set_tsk_thread_flag(target, TIF_SIGPENDING);" when it is called with
interrupt=0, which it is from two places in utrace_set_flags().
utrace_set_flags() is called from kernel/ptrace.c: ptrace_update() and
ptrace_report().  There are many calls to these; I guess the relevant
one is to ptrace_update() from ptrace_setup_finish(), which is in turn
called from ptrace_traceme(), ptrace_attach(), and ptrace_clone_setup().

I wouldn't vouch that there's no bypass, but I hope Red Hat's analysis
is correct.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.