Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140708182439.GA11179@openwall.com>
Date: Tue, 8 Jul 2014 22:24:40 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-4699: Linux ptrace bug

On Tue, Jul 08, 2014 at 04:52:43PM +0400, Solar Designer wrote:
> Anyway, let me ask: Red Hat, how do you know RHEL5 kernels are not
> vulnerable, whereas RHEL6 are?  There must have been some analysis to
> arrive at these conclusions.  This will be very helpful to know for
> downstream projects (as it relates to your kernels), including OpenVZ
> and Owl.

Petr Matousek has now clarified this as follows:

https://bugzilla.redhat.com/show_bug.cgi?id=1115927#c14

"Red Hat Enterprise Linux 5 uses utrace which sets TIF_SIGPENDING when
stopping the tracee and that is why iret path is always taken on return
to user space."

Thanks, Petr!

I think Petr is referring to kernel/utrace.c: quiesce() calling
"set_tsk_thread_flag(target, TIF_SIGPENDING);" when it is called with
interrupt=0, which it is from two places in utrace_set_flags().
utrace_set_flags() is called from kernel/ptrace.c: ptrace_update() and
ptrace_report().  There are many calls to these; I guess the relevant
one is to ptrace_update() from ptrace_setup_finish(), which is in turn
called from ptrace_traceme(), ptrace_attach(), and ptrace_clone_setup().

I wouldn't vouch that there's no bypass, but I hope Red Hat's analysis
is correct.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.