Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 05 Jul 2014 21:58:15 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-4699: Linux ptrace bug

On sam., 2014-07-05 at 22:51 +0400, Solar Designer wrote:
> Maybe it's just me, but I find the above ambiguous.

Sorry.
> 
> What exactly do you mean by "crash" and "panic" above?  How do you
> know
> it's a double fault?
> What appears in dmesg on the first system, 

I don't have the dmesg, only a smartphone photo. It says:

PANIC: double faute, error_code: 0x0
Kernel panic - not syncing: Machine halted
CPU 1: PID: 26960 Comm: ptraace Not tainted 3.14-1-amd64 #1 Debian 3.14.9-1

> and
> what on the second system?  

[  127.690932] double fault: 0000 [#1] SMP 
[  127.691029] CPU 1 
[  127.691069] Modules linked in: cpufreq_userspace cpufreq_powersave cpufreq_conservative cpufreq_stats bnep rfcomm bluetooth parport_pc parport ip6table_filter ip6_tables xt_helper ipt_LOG xt_tcpudp xt_pkttype nf_conntrack_ipv4 nf_defrag_ipv4 xt_state xt_addrtype iptable_filter ip_tables x_tables fuse ext2 nf_conntrack_ftp nf_conntrack tp_smapi(O) thinkpad_ec(O) ecryptfs kvm_intel kvm usbhid hid arc4 sg sr_mod cdrom snd_hda_codec_analog iwl4965 ata_generic snd_hda_intel iwl_legacy ata_piix snd_hda_codec mac80211 thinkpad_acpi nvram uhci_hcd pcmcia snd_hwdep snd_pcm snd_page_alloc cfg80211 ehci_hcd snd_seq snd_seq_device snd_timer snd usbcore rfkill yenta_socket ac battery tpm_tis tpm coretemp soundcore tpm_bios e1000e iTCO_wdt usb_common i2c_i801 pcmcia_rsrc iTCO_vendor_support pcmcia_core power_supply psmouse serio_raw wmi evdev ext4 crc16 mbcache jbd2 cryptd aes_x86_64 aes_generic xts gf128mul dm_crypt dm_mod sd_mod crc_t10dif i915 thermal acpi_cpufreq mperf ahci libahci video libata scsi_mod processor i2c_algo_bit drm_kms_helper drm button i2c_core thermal_sys
[  127.693595] 
[  127.693631] Pid: 3893, comm: ptrace Tainted: G           O 3.2.0-4-amd64 #1 Debian 3.2.57-3+deb7u2 LENOVO 8897CTO/8897CTO
[  127.693840] RIP: 0010:[<ffffffff81354c73>]  [<ffffffff81354c73>] sysret_check+0x57/0x5a
[  127.693995] RSP: 0018:00007fff2e68a230  EFLAGS: 00010046
[  127.694089] RAX: 0000000000000f36 RBX: 0000000000000000 RCX: 0001000000000000
[  127.694212] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[  127.694336] RBP: 00007fff2e68a250 R08: 0000000000000f35 R09: 0000000000000f35
[  127.694458] R10: 00007f17e6c9f9d0 R11: 0000000000000246 R12: 0000000000000000
[  127.694581] R13: 00007fff2e68a3f0 R14: 0000000000000000 R15: 0000000000000000
[  127.694705] FS:  00007f17e6c9f700(0000) GS:ffff8800be500000(0000) knlGS:0000000000000000
[  127.694844] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  127.694915] CR2: 00007fff2e68a228 CR3: 00000000b917d000 CR4: 00000000000006e0
[  127.694915] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  127.694915] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  127.694915] Process ptrace (pid: 3893, threadinfo ffff88007ff56000, task ffff8800b89e0780)
[  127.694915] Stack:
[  127.694915]  0000000000000000 0000000000400670 00007fff2e68a3f0 0000000000000000
[  127.694915]  00007fff2e68a310 000000000040090f 0000000100000006 00007fff2e68a2fe
[  127.694915]  00000000000000bf 0000000000400444 00007fff2e68a2fe 00007f17e67a836c
[  127.694915] Call Trace:
[  127.694915] Code: 08 4c 8b 4c 24 10 4c 8b 44 24 18 48 8b 44 24 20 48 8b 54 24 30 48 8b 74 24 38 48 8b 7c 24 40 65 48 8b 24 25 00 bf 00 00 0f 01 f8 <48> 0f 07 0f ba e2 03 73 11 fb 66 66 66 90 66 66 90 57 e8 2a 9e 
[  127.694915] RIP  [<ffffffff81354c73>] sysret_check+0x57/0x5a
[  127.694915]  RSP <00007fff2e68a230>
[  127.694915] ---[ end trace 0585c7d1a1a4e1cf ]---

And the system is usable after that.

> What's the value of the kernel.panic_on_oops
> sysctl, and is it the same on both systems?

0 in both cases.

Regards,
-- 
Yves-Alexis

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.