Date: Tue, 8 Jul 2014 22:24:40 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-4699: Linux ptrace bug

On Tue, Jul 08, 2014 at 04:52:43PM +0400, Solar Designer wrote:
> Anyway, let me ask: Red Hat, how do you know RHEL5 kernels are not
> vulnerable, whereas RHEL6 are?  There must have been some analysis to
> arrive at these conclusions.  This will be very helpful to know for
> downstream projects (as it relates to your kernels), including OpenVZ
> and Owl.

Petr Matousek has now clarified this as follows:

https://bugzilla.redhat.com/show_bug.cgi?id=1115927#c14

"Red Hat Enterprise Linux 5 uses utrace which sets TIF_SIGPENDING when
stopping the tracee and that is why iret path is always taken on return
to user space."

Thanks, Petr!

I think Petr is referring to kernel/utrace.c: quiesce() calling
"set_tsk_thread_flag(target, TIF_SIGPENDING);" when it is called with
interrupt=0, which it is from two places in utrace_set_flags().
utrace_set_flags() is called from kernel/ptrace.c: ptrace_update() and
ptrace_report().  There are many calls to these; I guess the relevant
one is to ptrace_update() from ptrace_setup_finish(), which is in turn
called from ptrace_traceme(), ptrace_attach(), and ptrace_clone_setup().

I wouldn't vouch that there's no bypass, but I hope Red Hat's analysis
is correct.

Alexander
