Random segfaults on amd64 (Hardy through Jaunty)

Bug #504164 reported by Sergio Tosti
This bug affects 16 people
Affects               Status        Importance  Assigned to      Milestone
linux (Ubuntu)        Invalid       Undecided   Unassigned
  Hardy               Fix Released  Medium      Surbhi Palande
  Intrepid            Fix Released  Medium      Surbhi Palande
  Jaunty              Fix Released  Medium      Surbhi Palande
linux-2.6 (Debian)    Fix Released  Unknown

Bug Description

According to Debian Bug 559035 ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559035 ) the latest Hardy amd64 kernel is affected by the same bug.

This can be reproduced by launching:
$ for ((i = 0; i <= 100000; i++)); do exim4 -bV || break; done > /dev/null; echo "last: $i"

The machine isn't affected anymore after setting:
$ sudo sysctl kernel/randomize_va_space=0

So the problem is process address space randomization. Here's the commit:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=80938332d8cf652f6b16e0788cf0ca136befe0b5

Please evaluate it; it's a serious bug.

--Sergio
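A defender-side check for the layout this bug produces, added here as an example and not part of the bug report or of the kernel fix: when the kernel leaves the randomized stack out of MIN_GAP (the fix recorded in the changelogs on this bug is titled "x86: Increase MIN_GAP to include randomized stack"), mmap_base can be placed above the stack, so ordinary file and anonymous mappings show up above [stack] in /proc/self/maps of a 64-bit process. The program parses such a listing and counts those mappings; it assumes the standard x86-64 layout, where only [vdso], [vvar] and [vsyscall] legitimately sit above the stack, and the maps text in its test is constructed.

```c
/* Added example (not from the bug report or the kernel tree): count ordinary
 * mappings listed above the main [stack] region in a /proc/<pid>/maps dump. */
#include <stdio.h>
#include <string.h>

/* Copy the next line of *p into buf; return 0 once the text is exhausted. */
static int next_line(const char **p, char *buf, size_t n)
{
    const char *nl = strchr(*p, '\n');
    size_t len = nl ? (size_t)(nl - *p) : strlen(*p);
    if (**p == '\0') return 0;
    if (len >= n) len = n - 1;
    memcpy(buf, *p, len); buf[len] = '\0';
    *p = nl ? nl + 1 : *p + len; return 1;
}

/* Regions the x86-64 kernel legitimately keeps above the stack (assumed
 * standard layout); they are not evidence of a misplaced mmap_base. */
static int is_special(const char *line)
{
    return strstr(line, "[vdso]") || strstr(line, "[vvar]") || strstr(line, "[vsyscall]");
}

/* /proc maps are sorted by address, so every line after [stack] lies above it.
 * Returns the number of ordinary mappings there, or -1 if no [stack] line. */
int mappings_above_stack(const char *maps)
{
    char line[512];
    unsigned long start, end, stack_end = 0;
    int have_stack = 0, count = 0;
    while (next_line(&maps, line, sizeof line)) {
        if (sscanf(line, "%lx-%lx", &start, &end) != 2) continue;
        if (strstr(line, "[stack]")) { stack_end = end; have_stack = 1; }
        else if (have_stack && !is_special(line) && start >= stack_end) count++;
    }
    return have_stack ? count : -1;
}

/* Stand-alone use: inspect this process; exit status 1 flags the bad layout. */
int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) { perror("/proc/self/maps"); return 2; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    int above = mappings_above_stack(buf);
    printf("ordinary mappings above [stack]: %d\n", above);
    return above > 0;
}
```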

Sergio Tosti (zeno979)
description: updated
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Hardy):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Medium
milestone: none → ubuntu-8.04.3
status: New → In Progress
tags: added: xen
Andy Whitcroft (apw)
tags: added: kernel-series-unknown
Revision history for this message
Sergio Tosti (zeno979) wrote :

Bug still present in 2.6.24-27. Please include it in upgrades.

Sergio Tosti (zeno979) wrote :

I believe that this is an important security bug.

Impact: address space randomization is unusable

Currently I'm testing kernel compiled with the attached patch that resolves the issue.
Please evaluate it for an upgrade.

Sergio

Sergio Tosti (zeno979) wrote :

SRU Justification:

    Impact: Kernel address space randomization is unusable on AMD64 platform
    Fix: attached patch was adapted from http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=80938332d8cf652f6b16e0788cf0ca136befe0b5

John Dong (jdong) wrote :

I took a look at the patch but don't quite feel comfortable in giving an ACK on a kernel patch like this. Can another SRU member / the security team weigh in? Is this just SRU-worthy or should it be addressed as a security bug, as the git commit log seems to imply this can lead to at least a DoS?

Kees Cook (kees) wrote :

This patch looks fine to me, we should include it in all stable releases, hardy and later.

Kees Cook (kees) wrote :

Karmic and later have the patch. I have reproduced this on non-xen, so it appears to be a general issue.

tags: removed: kernel-series-unknown xen
Changed in linux (Ubuntu Jaunty):
status: New → Confirmed
Changed in linux (Ubuntu Intrepid):
status: New → Confirmed
tags: added: hardy intrepid jaunty
summary: - Random segfaults with linux-image-2.6.24-26-xen
+ Random segfaults on amd64 (Hardy through Jaunty)
Kees Cook (kees) wrote :

(for back-porting, note that arch/x86/include is include/asm-x86 in earlier kernels)

Changed in linux (Ubuntu Intrepid):
status: Confirmed → Triaged
Changed in linux (Ubuntu Jaunty):
status: Confirmed → Triaged
Changed in linux (Ubuntu Hardy):
milestone: ubuntu-8.04.3 → none
status: In Progress → Triaged
Changed in linux (Ubuntu):
status: New → Invalid
Changed in linux (Ubuntu Intrepid):
importance: Undecided → Medium
Changed in linux (Ubuntu Jaunty):
importance: Undecided → Medium
Changed in linux (Ubuntu Hardy):
assignee: John Johansen (jjohansen) → Leann Ogasawara (leannogasawara)
Changed in linux (Ubuntu Intrepid):
assignee: nobody → Leann Ogasawara (leannogasawara)
Changed in linux (Ubuntu Jaunty):
assignee: nobody → Leann Ogasawara (leannogasawara)
John Dong (jdong) wrote :

Thanks, Kees, sounds like a good plan to me :)

Benjamin Drung (bdrung) wrote :

First, there is no debdiff to sponsor. Second, the Linux kernel is a package in main. Therefore I unsubscribe ubuntu-universe-sponsors.

Changed in linux (Ubuntu Hardy):
assignee: Leann Ogasawara (leannogasawara) → Surbhi Palande (csurbhi)
Changed in linux (Ubuntu Intrepid):
assignee: Leann Ogasawara (leannogasawara) → Surbhi Palande (csurbhi)
Changed in linux (Ubuntu Jaunty):
assignee: Leann Ogasawara (leannogasawara) → Surbhi Palande (csurbhi)
Surbhi Palande (csurbhi)
Changed in linux (Ubuntu Hardy):
status: Triaged → In Progress
Changed in linux (Ubuntu Intrepid):
status: Triaged → In Progress
Changed in linux (Ubuntu Jaunty):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.28-18.60

---------------
linux (2.6.28-18.60) jaunty-security; urgency=low

  [ Surbhi Palande ]

  * Revert "[Upstream] e1000: enhance frame fragment detection"
    - CVE-2009-4536
  * Revert "[Upstream] e1000e: enhance frame fragment detection"
    - CVE-2009-4538

  [ Upstream Kernel Changes ]

  * e1000: enhance frame fragment detection
    - CVE-2009-4536
  * e1000/e1000e: don't use small hardware rx buffers
    - CVE-2009-4538
  * e1000e: enhance frame fragment detection
    - CVE-2009-4538
  * KVM: PIT: control word is write-only
    - CVE-2010-0309
  * connector: Delete buggy notification code.
    - CVE-2010-0410
  * Fix potential crash with sys_move_pages
    - CVE-2010-0415
  * futex: Handle user space corruption gracefully
    - CVE-2010-0622
  * x86: Increase MIN_GAP to include randomized stack
    - LP: #504164
  * Split 'flush_old_exec' into two functions
    - CVE-2010-0307
  * Fix 'flush_old_exec()/setup_new_exec()' split
    - CVE-2010-0307
  * x86: get rid of the insane TIF_ABI_PENDING bit
    - CVE-2010-0307
  * powerpc: TIF_ABI_PENDING bit removal
    - CVE-2010-0307
  * sparc: TIF_ABI_PENDING bit removal
    - CVE-2010-0307
  * x86: set_personality_ia32() misses force_personality32
    - CVE-2010-0307
 -- Stefan Bader <email address hidden> Tue, 09 Mar 2010 18:30:30 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.27-17.46

---------------
linux (2.6.27-17.46) intrepid-security; urgency=low

  [ Surbhi Palande ]

  * Revert "[Upstream] e1000: enhance frame fragment detection"
    - CVE-2009-4536
  * Revert "[Upstream] e1000e: enhance frame fragment detection"
    - CVE-2009-4538

  [ Upstream Kernel Changes ]

  * e1000: enhance frame fragment detection
    - CVE-2009-4536
  * e1000/e1000e: don't use small hardware rx buffers
    - CVE-2009-4538
  * e1000e: enhance frame fragment detection
    - CVE-2009-4538
  * KVM: PIT: control word is write-only
    - CVE-2010-0309
  * connector: Delete buggy notification code.
    - CVE-2010-0410
  * Fix potential crash with sys_move_pages
    - CVE-2010-0415
  * futex: Handle user space corruption gracefully
    - CVE-2010-0622
  * x86: Increase MIN_GAP to include randomized stack
    - LP: #504164
  * Split 'flush_old_exec' into two functions
    - CVE-2010-0307
  * Fix 'flush_old_exec()/setup_new_exec()' split
    - CVE-2010-0307
  * x86: get rid of the insane TIF_ABI_PENDING bit
    - CVE-2010-0307
  * powerpc: TIF_ABI_PENDING bit removal
    - CVE-2010-0307
  * sparc: TIF_ABI_PENDING bit removal
    - CVE-2010-0307
  * x86: set_personality_ia32() misses force_personality32
    - CVE-2010-0307
 -- Stefan Bader <email address hidden> Tue, 09 Mar 2010 20:46:15 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-27.68

---------------
linux (2.6.24-27.68) hardy-security; urgency=low

  [Stefan Bader]

  * xen: Remove TIF_ABI_PENDING bit
    - CVE-2010-0307
  * openvz: Remove TIF_ABI_PENDING bit
    - CVE-2010-0307
  * openvz: Adapt connector code patch
    - CVE-2010-0410
  * rt: Remove TIF_ABI_PENDING bit
    - CVE-2010-0307

  [Surbhi Palande]

  * Revert "[Upstream] e1000: enhance frame fragment detection"
    - CVE-2009-4536
  * Revert "[Upstream] e1000e: enhance frame fragment detection"
    - CVE-2009-4538

  [Upstream Kernel Changes]

  * e1000: enhance frame fragment detection
    - CVE-2009-4536
  * e1000/e1000e: don't use small hardware rx buffers
    - CVE-2009-4536
  * e1000e: enhance frame fragment detection
    - CVE-2009-4538
  * connector: Delete buggy notification code.
    - CVE-2010-0410
  * Fix potential crash with sys_move_pages
    - CVE-2010-0415
  * futex: Handle user space corruption gracefully
    - CVE-2010-0622
  * x86: Increase MIN_GAP to include randomized stack
    - LP: #504164
  * Split 'flush_old_exec' into two functions
    - CVE-2010-0307
  * Fix 'flush_old_exec()/setup_new_exec()' split
    - CVE-2010-0307
  * x86: get rid of the insane TIF_ABI_PENDING bit
    - CVE-2010-0307
  * powerpc: TIF_ABI_PENDING bit removal
    - CVE-2010-0307
  * sparc: TIF_ABI_PENDING bit removal
    - CVE-2010-0307
  * x86: set_personality_ia32() misses force_personality32
    - CVE-2010-0307
 -- Stefan Bader <email address hidden> Tue, 09 Mar 2010 22:21:39 +0100

Changed in linux (Ubuntu Hardy):
status: In Progress → Fix Released
Changed in linux (Ubuntu Intrepid):
status: In Progress → Fix Released
Changed in linux (Ubuntu Jaunty):
status: In Progress → Fix Released
Changed in linux-2.6 (Debian):
status: Unknown → Fix Released