06-24-2008, 05:49 AM, Kees Cook
Subject: pending stable kernel security updates

Hello! I've got more pending kernel updates waiting in the
ubuntu-security git trees now:

               dapper   feisty   gutsy    hardy
CVE-2007-6282: pending  pending  pending  pending
CVE-2008-1615: needed   needed   needed   needed
CVE-2008-1673: pending  pending  pending  pending
CVE-2008-2136: pending  pending  pending  pending
CVE-2008-2137: pending  pending  pending  pending
CVE-2008-2148: N/A      N/A      pending  pending
CVE-2008-2358: N/A      pending  pending  pending
CVE-2008-2750: N/A      N/A      N/A      pending

I need help with CVE-2008-1615: the code has changed a lot between
revisions, has been touched by the virt bits, and is pretty non-obvious
to me.

I'd like to publish as soon as possible after 8.04.1 is released. To
that end, can someone start build and boot testing? None of the patches
looked like ABI bumpers.

Thanks,

-Kees

--
Kees Cook
Ubuntu Security Team

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
06-24-2008, 02:45 PM, Tim Gardner
Subject: pending stable kernel security updates

Kees Cook wrote:
> Hello! I've got more pending kernel updates waiting in the
> ubuntu-security git trees now:
>
>                dapper   feisty   gutsy    hardy
> CVE-2007-6282: pending  pending  pending  pending
> CVE-2008-1615: needed   needed   needed   needed
> CVE-2008-1673: pending  pending  pending  pending
> CVE-2008-2136: pending  pending  pending  pending
> CVE-2008-2137: pending  pending  pending  pending
> CVE-2008-2148: N/A      N/A      pending  pending
> CVE-2008-2358: N/A      pending  pending  pending
> CVE-2008-2750: N/A      N/A      N/A      pending
>
> I need help with CVE-2008-1615: the code has changed a lot between
> revisions, has been touched by the virt bits, and is pretty non-obvious
> to me.
>
> I'd like to publish as soon as possible after 8.04.1 is released. To
> that end, can someone start build and boot testing? None of the patches
> looked like ABI bumpers.
>
> Thanks,
>
> -Kees
>

Kees - As far as I can tell CVE-2008-1615 does not apply to
Dapper/Feisty/Gutsy/Hardy. See

https://bugzilla.redhat.com/show_bug.cgi?id=431430

The issue was introduced with commit
72fe4858544292ad64600765cb78bc02298c6b1c which was during the 2.6.25
merge window. The key is that the definition of 'iret_label' was
changed, i.e., it lost its alignment statement:

- .quad iret_label,bad_iret
+ .quad native_iret, bad_iret

Yet the interrupt return code later on continued to use 'iret_label'
which is now unaligned (a bad thing):

leaq iret_label(%rip),%rbp

You can also read Roland McGrath's somewhat caustic commit log entry in
a57dae3aa4d00a000b5bac4238025438204c78b2 if you are in need of some humor.

rtg
--
Tim Gardner tim.gardner@ubuntu.com

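The message above turns on whether the `iret_label` symbol still sits on an aligned address once its alignment statement is gone. One way a backporter can check that against a built kernel is to read the symbol listing (`nm vmlinux` or `System.map`) and test the addresses of the labels involved. The script below is an added example, not code from this thread or from the Ubuntu kernel team; the symbol listing it parses is a constructed sample with invented addresses, and the 16-byte boundary is an assumed alignment, not one the thread states.

```python
"""Check the alignment of selected symbols in a kernel symbol listing.

Added example (not from the thread or the Ubuntu kernel team). It reads
lines in the "<address> <type> <name>" format printed by `nm` and used in
System.map, and reports whether the named symbols fall on the requested
alignment boundary. The listing below is constructed for illustration;
the addresses are made up and do not come from any real build.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in System.map / nm format (addresses are invented).
SAMPLE_SYMBOLS = """\
ffffffff8020c2a0 t iret_label
ffffffff8020c2b5 t bad_iret
ffffffff8020c300 T native_iret
ffffffff8020c310 t retint_swapgs
"""

SYMBOL_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)$")


def parse_symbols(text: str) -> Dict[str, int]:
    """Map symbol name -> address for every well-formed line; skip the rest."""
    symbols: Dict[str, int] = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def check_alignment(symbols: Dict[str, int], names: List[str],
                    align: int) -> List[Tuple[str, int, bool]]:
    """Return (name, address, aligned?) for each requested symbol that exists."""
    if align <= 0 or align & (align - 1):
        raise ValueError("alignment must be a positive power of two")
    result: List[Tuple[str, int, bool]] = []
    for name in names:
        if name in symbols:
            addr = symbols[name]
            result.append((name, addr, addr % align == 0))
    return result


def misaligned(symbols: Dict[str, int], names: List[str], align: int) -> List[str]:
    """Names of the requested symbols that are not on the alignment boundary."""
    return [name for name, _, ok in check_alignment(symbols, names, align) if not ok]


if __name__ == "__main__":
    syms = parse_symbols(SAMPLE_SYMBOLS)
    labels = ["iret_label", "bad_iret", "native_iret"]
    for name, addr, ok in check_alignment(syms, labels, 16):
        print(f"{name:12s} {addr:016x} {'aligned' if ok else 'MISALIGNED'}")
```

Run it against a real `System.map` by replacing the constructed sample with the file contents; a label that the entry code jumps to but that the listing shows off its expected boundary is exactly the condition the message above describes.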
 
06-24-2008, 03:28 PM, Kees Cook
Subject: pending stable kernel security updates

On Tue, Jun 24, 2008 at 08:45:38AM -0600, Tim Gardner wrote:
> Kees Cook wrote:
> > I need help with CVE-2008-1615: the code has changed a lot between
> > revisions, has been touched by the virt bits, and is pretty non-obvious
> > to me.
>
> Kees - As far as I can tell CVE-2008-1615 does not apply to
> Dapper/Feisty/Gutsy/Hardy. See

That's what I was thinking too, except that I got seriously confused
comparing the upstream fix (a57dae3aa4d00a000b5bac4238025438204c78b2)
with what was in the RH bug and what Debian used:

https://bugzilla.redhat.com/attachment.cgi?id=294062
http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/patches/bugfix/amd64-cs-corruption.patch?op=file&rev=0&sc=0

It seems almost unrelated to the upstream commit. ?

> You can also read Roland McGrath's somewhat caustic commit log entry in
> a57dae3aa4d00a000b5bac4238025438204c78b2 if you are in need of some humor.

Yeah, owchy.

-Kees

--
Kees Cook
Ubuntu Security Team

 
06-24-2008, 04:21 PM, Tim Gardner
Subject: pending stable kernel security updates

Kees Cook wrote:
> On Tue, Jun 24, 2008 at 08:45:38AM -0600, Tim Gardner wrote:
>> Kees Cook wrote:
>>> I need help with CVE-2008-1615: the code has changed a lot between
>>> revisions, has been touched by the virt bits, and is pretty non-obvious
>>> to me.
>> Kees - As far as I can tell CVE-2008-1615 does not apply to
>> Dapper/Feisty/Gutsy/Hardy. See
>
> That's what I was thinking too, except that I got seriously confused
> comparing the upstream fix (a57dae3aa4d00a000b5bac4238025438204c78b2)
> with what was in the RH bug and what Debian used:
>
> https://bugzilla.redhat.com/attachment.cgi?id=294062
> http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/patches/bugfix/amd64-cs-corruption.patch?op=file&rev=0&sc=0
>
> It seems almost unrelated to the upstream commit. ?
>
>> You can also read Roland McGrath's somewhat caustic commit log entry in
>> a57dae3aa4d00a000b5bac4238025438204c78b2 if you are in need of some humor.
>
> Yeah, owchy.
>
> -Kees
>

It looks like there are 2 ways CS can get corrupted (and two fixes for
these corruption cases), e.g., the original patch against 2.6.4 and
higher (the Debian patch), and the Roland McGrath patch (which is a bit
of a red herring in the bugzilla report, nor does it really apply to
this CVE).

The Debian patch looks correct. It's my guess that 'RESTORE_ALL 8'
immediately prior to 'iretq' does not restore segment registers. Due to
assembler magic the jump to the iret_label symbol will load CS with the
destination segment, in essence restoring CS to the trap segment which
is necessary for a successful 'iretq'.

rtg
--
Tim Gardner tim.gardner@ubuntu.com

 
06-24-2008, 05:26 PM, Kees Cook
Subject: pending stable kernel security updates

Hi Tim,

On Tue, Jun 24, 2008 at 10:21:01AM -0600, Tim Gardner wrote:
> The Debian patch looks correct. It's my guess that 'RESTORE_ALL 8'
> immediately prior to 'iretq' does not restore segment registers. Due to
> assembler magic the jump to the iret_label symbol will load CS with the
> destination segment, in essence restoring CS to the trap segment which
> is necessary for a successful 'iretq'.

Okay, great. I've pushed the patch into the ubuntu-security trees.

Thanks again for digging this up!

-Kees

--
Kees Cook
Ubuntu Security Team

 
06-26-2008, 05:58 AM, Kees Cook
Subject: pending stable kernel security updates

On Mon, Jun 23, 2008 at 10:49:39PM -0700, Kees Cook wrote:
> Hello! I've got more pending kernel updates waiting in the
> ubuntu-security git trees now:

Here's an update, given the 4 recently-public CVEs. Current state of
the CVEs, where "pending" means the fix is in the corresponding
ubuntu-security git repo:

               dapper        feisty        gutsy         hardy
CVE-2007-6282  pending       pending       pending       pending
CVE-2007-6712  not-affected  pending       pending       not-affected
CVE-2008-0598  needs-triage  needs-triage  needs-triage  not-affected
CVE-2008-1615  pending       pending       pending       pending
CVE-2008-1673  pending       pending       pending       pending
CVE-2008-2136  pending       pending       pending       pending
CVE-2008-2137  pending       pending       pending       pending
CVE-2008-2148  not-affected  not-affected  pending       pending
CVE-2008-2358  not-affected  pending       pending       pending
CVE-2008-2372  not-affected  not-affected  not-affected  needed
CVE-2008-2729  pending       not-affected  not-affected  not-affected
CVE-2008-2750  not-affected  not-affected  not-affected  pending
CVE-2008-2826  pending       pending       pending       pending

I will likely ignore CVE-2008-2372, as I don't think it's actually a
vulnerability. What I now need help with is CVE-2008-0598 and
CVE-2008-2729. The changes are pretty different from release to
release. Looking at other vendors' patches just makes me feel even less
secure about doing the merges myself. I think I have CVE-2008-2729
sorted out, but I'd like to have the commit I used double-checked.

CVE-2008-0598
http://lkml.org/lkml/diff/2008/6/25/157/1
and maybe 64649a58919e66ec21792dbb6c48cb3da22cbd7f

Thanks guys,

-Kees

--
Kees Cook
Ubuntu Security Team

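The status matrices in this thread are what decides when a set of stable kernel security updates can be published: every cell has to reach "pending" (fix in the ubuntu-security tree) or "not-affected" before the build and boot testing is worth starting. The script below is an added example, not a tool from the Ubuntu kernel or security teams; it parses both table layouts seen in the thread (with or without a trailing colon on the CVE id, and "N/A" as a synonym for "not-affected") and reports, per release, which CVEs still block an upload. The matrix it runs on is a constructed sample drawn from the second status table above.

```python
"""Parse the per-release CVE status matrix used in this thread and report
what still needs work before a security upload.

Added example; not a tool from the Ubuntu kernel or security teams. It
accepts both layouts seen in the thread: an optional trailing colon on the
CVE id, and "N/A" meaning the same as "not-affected". SAMPLE_MATRIX is a
constructed sample taken from a subset of the second table in the thread.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Statuses that need no further action from the person doing the backports.
DONE = {"pending", "not-affected", "n/a"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample (subset of the thread's second table, both layouts mixed).
SAMPLE_MATRIX = """\
dapper feisty gutsy hardy
CVE-2007-6282: pending pending pending pending
CVE-2008-0598 needs-triage needs-triage needs-triage not-affected
CVE-2008-2148 N/A N/A pending pending
CVE-2008-2372 not-affected not-affected not-affected needed
CVE-2008-2729 pending not-affected not-affected not-affected
"""


def parse_matrix(text: str) -> Dict[str, Dict[str, str]]:
    """Return {cve: {release: status}}; the first non-empty line names the releases.

    Raises ValueError on a malformed CVE id or a row with the wrong column count,
    so a mangled paste is caught instead of silently mis-assigning a status.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty matrix")
    releases = lines[0].split()
    matrix: Dict[str, Dict[str, str]] = {}
    for line in lines[1:]:
        fields = line.split()
        cve = fields[0].rstrip(":")
        if not CVE_RE.match(cve):
            raise ValueError(f"bad CVE id: {fields[0]}")
        statuses = fields[1:]
        if len(statuses) != len(releases):
            raise ValueError(f"{cve}: expected {len(releases)} statuses, got {len(statuses)}")
        matrix[cve] = {rel: st.lower() for rel, st in zip(releases, statuses)}
    return matrix


def outstanding(matrix: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Per release, the CVEs whose status is neither fixed-in-tree nor not-affected."""
    todo: Dict[str, List[str]] = defaultdict(list)
    for cve, row in matrix.items():
        for release, status in row.items():
            if status not in DONE:
                todo[release].append(cve)
    return dict(todo)


def ready_to_publish(matrix: Dict[str, Dict[str, str]]) -> bool:
    """True when no release has an open CVE, i.e. testing can start."""
    return not outstanding(matrix)


if __name__ == "__main__":
    m = parse_matrix(SAMPLE_MATRIX)
    for release, cves in outstanding(m).items():
        print(f"{release}: still open -> {', '.join(cves)}")
    print("ready to publish:", ready_to_publish(m))
```

A row with too few or too many cells raises instead of being guessed at, which matters for a table that is pasted between mails and hand-edited as triage progresses.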
 
06-27-2008, 07:47 PM, Tim Gardner
Subject: pending stable kernel security updates

Kees Cook wrote:
> On Mon, Jun 23, 2008 at 10:49:39PM -0700, Kees Cook wrote:
>> Hello! I've got more pending kernel updates waiting in the
>> ubuntu-security git trees now:
>
> Here's an update, given the 4 recently-public CVEs. Current state of
> the CVEs, where "pending" means the fix is in the corresponding
> ubuntu-security git repo:
>
>                dapper        feisty        gutsy         hardy
> CVE-2007-6282  pending       pending       pending       pending
> CVE-2007-6712  not-affected  pending       pending       not-affected
> CVE-2008-0598  needs-triage  needs-triage  needs-triage  not-affected
> CVE-2008-1615  pending       pending       pending       pending
> CVE-2008-1673  pending       pending       pending       pending
> CVE-2008-2136  pending       pending       pending       pending
> CVE-2008-2137  pending       pending       pending       pending
> CVE-2008-2148  not-affected  not-affected  pending       pending
> CVE-2008-2358  not-affected  pending       pending       pending
> CVE-2008-2372  not-affected  not-affected  not-affected  needed
> CVE-2008-2729  pending       not-affected  not-affected  not-affected
> CVE-2008-2750  not-affected  not-affected  not-affected  pending
> CVE-2008-2826  pending       pending       pending       pending
>
> I will likely ignore CVE-2008-2372, as I don't think it's actually a
> vulnerability. What I now need help with is CVE-2008-0598 and
> CVE-2008-2729. The changes are pretty different from release to
> release. Looking at other vendors' patches just makes me feel even less
> secure about doing the merges myself. I think I have CVE-2008-2729
> sorted out, but I'd like to have the commit I used double-checked.
>
> CVE-2008-0598
> http://lkml.org/lkml/diff/2008/6/25/157/1
> and maybe 64649a58919e66ec21792dbb6c48cb3da22cbd7f
>
> Thanks guys,
>
> -Kees
>

Kees - please pull CVE-2008-0598 for dapper/feisty/gutsy from:

git://kernel.ubuntu.com/rtg/ubuntu-dapper.git master
git://kernel.ubuntu.com/rtg/ubuntu-feisty.git master
git://kernel.ubuntu.com/rtg/ubuntu-gutsy.git master

CVE-2008-2729 is kind of related, but different. Some of the symptoms
appear similar. Backporting the copy_user assembler is going to be quite
difficult. However, it has yet to land upstream.

rtg
--
Tim Gardner tim.gardner@ubuntu.com

 
07-02-2008, 01:21 PM, Tim Gardner
Subject: pending stable kernel security updates

Tim Gardner wrote:
> Kees Cook wrote:
>> On Mon, Jun 23, 2008 at 10:49:39PM -0700, Kees Cook wrote:
>>> Hello! I've got more pending kernel updates waiting in the
>>> ubuntu-security git trees now:
>> Here's an update, given the 4 recently-public CVEs. Current state of
>> the CVEs, where "pending" means the fix is in the corresponding
>> ubuntu-security git repo:
>>
>>                dapper        feisty        gutsy         hardy
>> CVE-2007-6282  pending       pending       pending       pending
>> CVE-2007-6712  not-affected  pending       pending       not-affected
>> CVE-2008-0598  needs-triage  needs-triage  needs-triage  not-affected
>> CVE-2008-1615  pending       pending       pending       pending
>> CVE-2008-1673  pending       pending       pending       pending
>> CVE-2008-2136  pending       pending       pending       pending
>> CVE-2008-2137  pending       pending       pending       pending
>> CVE-2008-2148  not-affected  not-affected  pending       pending
>> CVE-2008-2358  not-affected  pending       pending       pending
>> CVE-2008-2372  not-affected  not-affected  not-affected  needed
>> CVE-2008-2729  pending       not-affected  not-affected  not-affected
>> CVE-2008-2750  not-affected  not-affected  not-affected  pending
>> CVE-2008-2826  pending       pending       pending       pending
>>
>> I will likely ignore CVE-2008-2372, as I don't think it's actually a
>> vulnerability. What I now need help with is CVE-2008-0598 and
>> CVE-2008-2729. The changes are pretty different from release to
>> release. Looking at other vendors' patches just makes me feel even less
>> secure about doing the merges myself. I think I have CVE-2008-2729
>> sorted out, but I'd like to have the commit I used double-checked.
>>
>> CVE-2008-0598
>> http://lkml.org/lkml/diff/2008/6/25/157/1
>> and maybe 64649a58919e66ec21792dbb6c48cb3da22cbd7f
>>
>> Thanks guys,
>>
>> -Kees
>>
>
> Kees - please pull CVE-2008-0598 for dapper/feisty/gutsy from:
>
> git://kernel.ubuntu.com/rtg/ubuntu-dapper.git master
> git://kernel.ubuntu.com/rtg/ubuntu-feisty.git master
> git://kernel.ubuntu.com/rtg/ubuntu-gutsy.git master
>
> CVE-2008-2729 is kind of related, but different. Some of the symptoms
> appear similar. Backporting the copy_user assembler is going to be quite
> difficult. However, it has yet to land upstream.
>
> rtg

Kees - Please pull from

git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-dapper master
git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-feisty master
git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-gutsy master
git://kernel.ubuntu.com/rtg/ubuntu-security/ubuntu-hardy master

These are the fully packaged versions with correct changelog and ABI
files. The corresponding i386 and amd64 binary packages can be found at
chinstrap.canonical.com:~rtg/kern/security.

If your boot and regression tests prove successful, then I think these
security updates are ready to be uploaded.

rtg
--
Tim Gardner tim.gardner@ubuntu.com
