First published: Wed Mar 19 2008
Description of problem:
Jan Kratochvil has reported the following kernel ptrace related issue:

Description of problem:
Accidentally found one can crash the kernel. No root privileges are needed.

Version-Release number of selected component (if applicable):
kernel-2.6.9-68.19.EL.s390
kernel-2.6.9-68.19.EL.s390x (for -m31 binaries)

How reproducible:
Always.

Steps to Reproduce:
1. wget -O user-area-padding.c 'http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap'
2. gcc -o user-area-padding user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31
3. ./user-area-padding

Actual results:

```
Kernel 2.6.9-68.19.EL on an s390x
z205 login: 03/18/08 03:16:06 JobID:17819 Test:/distribution/reservesys
Unable to handle kernel pointer dereference at virtual kernel address 000000008c8d8000
Oops: 003b [#1]
CPU: 1 Not tainted
Process user-area-paddi (pid: 12275, task: 000000001c008040, ksp: 0000000010ba7c60)
Krnl PSW : 0700200180000000 00000000000ff58a (exit_sem+0x26/0x1bc)
Krnl GPRS: 0000000000200200 0000000000000001 000000001c008040 0000000000000002
           0000000000040ef4 00000000008fa480 0000000010ba7f58 0000000010ba7e88
           0000000000000001 0000000000000009 000000001c008040 000000001c7e5b58
           000000008c8d8e8f 0000000000206ca8 0000000010ba7c60 0000000010ba7c20
Krnl Code: 58 20 c0 00 18 32 1b 31 ba 23 c0 00 a7 44 ff fc 12 33 a7 74
Call Trace:
([<000000001c7e5b58>] 0x1c7e5b58)
 [<0000000000040efe>] do_exit+0x382/0xf40
 [<0000000000041be6>] do_group_exit+0xce/0xd0
 [<000000000004d90a>] get_signal_to_deliver+0x3a2/0x3d0
 [<000000000001c4d4>] do_signal+0xc0/0x620
 [<000000000002f27e>] sysc_sigpending+0x12/0x1e
 [<0000000045b905f4>] 0x45b905f4
<0>Kernel panic - not syncing: Fatal exception: panic_on_oops
00: HCPGSP2629I The virtual machine is placed in CP mode due to a SIGP stop from CPU 01.
01: HCPGIR450W CP entered; disabled wait PSW 00020001 80000000 00000000 00017E06
```

```
Kernel 2.6.9-68.19.EL on an s390
z203 login: 03/18/08 03:00:25 JobID:17818 Test:/distribution/reservesys
specification exception: 0006 [#1]
CPU: 1 Not tainted
Process user-area-paddi (pid: 14407, task: 1daee7e8, ksp: 0ad85db8)
Krnl PSW : 07081000 800d8740 (exit_sem+0x28/0x1a0)
Krnl GPRS: 00200200 00000001 fc77d074 fc77d073
           8002faf8 1c99fa2c 77ff68e0 1daeeb4c
           00000001 00000009 1daee7e8 1eb71d30
           8c8d8e8f 800d871e 0ad85dc8 0ad85da0
Krnl Code: a7 44 ff fc 12 33 a7 74 00 9e 18 8c a7 8a 00 08 bf af c0 08
Call Trace:
([<000000001daee7e8>] 0x1daee7e8)
 [<000000000002fb00>] do_exit+0x300/0xdb0
 [<00000000000306be>] do_group_exit+0xb6/0xe0
 [<000000000003ad8c>] get_signal_to_deliver+0x30/0x380
 [<000000000001bc6a>] do_signal+0xa2/0x55c
 [<000000000002037c>] sysc_sigpending+0x10/0x1c
 [<000000004ec845f4>] 0x4ec845f4
<0>Kernel panic - not syncing: Fatal exception: panic_on_oops
00: HCPGSP2629I The virtual machine is placed in CP mode due to a SIGP stop from CPU 01.
01: HCPGIR450W CP entered; disabled wait PSW 000A0000 8001758A
```

Expected results:
0

Additional info:
debugger-on-inferior-on-kernel:
- s390-on-s390-on-s390: crash
- s390-on-s390-on-s390x: crash
- s390x-on-s390x-on-s390x: SKIP (no padding area there)
- s390x-on-s390-on-s390x: not tested

RHEL-5 does not crash (utrace there) but it returns 1 (FAIL) - Bug 431183.

Affected Software | Affected Version | How to fix |
---|---|---|
Red Hat Linux kernel | | |

The severity of REDHAT-BUG-438147 is critical as it allows for kernel crashes without requiring root privileges.
To fix REDHAT-BUG-438147, users should update the kernel to the latest version provided by Red Hat.
REDHAT-BUG-438147 affects the Red Hat Linux kernel, specifically versions like kernel-2.6.9-68.19.EL.s390.
No, REDHAT-BUG-438147 can be exploited without root access.
The issue in REDHAT-BUG-438147 was reported by Jan Kratochvil.