Date: Tue, 8 Jul 2014 22:24:40 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2014-4699: Linux ptrace bug On Tue, Jul 08, 2014 at 04:52:43PM +0400, Solar Designer wrote: > Anyway, let me ask: Red Hat, how do you know RHEL5 kernels are not > vulnerable, whereas RHEL6 are? There must have been some analysis to > arrive at these conclusions. This will be very helpful to know for > downstream projects (as it relates to your kernels), including OpenVZ > and Owl. Petr Matousek has now clarified this as follows: https://bugzilla.redhat.com/show_bug.cgi?id=1115927#c14 "Red Hat Enterprise Linux 5 uses utrace which sets TIF_SIGPENDING when stopping the tracee and that is why iret path is always taken on return to user space." Thanks, Petr! I think Petr is referring to kernel/utrace.c: quiesce() calling "set_tsk_thread_flag(target, TIF_SIGPENDING);" when it is called with interrupt=0, which it is from two places in utrace_set_flags(). utrace_set_flags() is called from kernel/ptrace.c: ptrace_update() and ptrace_report(). There are many calls to these; I guess the relevant one is to ptrace_update() from ptrace_setup_finish(), which is in turn called from ptrace_traceme(), ptrace_attach(), and ptrace_clone_setup(). I wouldn't vouch that there's no bypass, but I hope Red Hat's analysis is correct. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.