
Bug#296700: [CAN-2005-0204]: AMD64, allows local users to write to privileged IO ports via OUTS instruction



Package: kernel-source-2.6.8
Version: 2.6.8-13
Severity: normal
Tags: security patch

Hello,

CAN-2005-0204 reads:

Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T
architectures, allows local users to write to privileged IO ports via
the OUTS instruction.

Although this says "before 2.6.9" this *includes* both 2.6.8 and 2.6.9.

REDHAT:RHSA-2005:092
URL:http://www.redhat.com/support/errata/RHSA-2005-092.html

The RedHat bug associated with this is located at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148855

A patch to fix the problem is attached to this bug report; it is
located here (also linked to the RedHat bug):
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=110424&action=view

This apparently only affects AMD64 and EM64T, and applies to 2.6.8 as
well as 2.6.9.

Kernel 2.4.27 appears to have a similar vulnerability, although this
patch would not apply cleanly to that tree, but looks relatively
trivial to modify appropriately.

Please include this CAN number in changelog entries about this problem.

Thanks,
Micah



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-5     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-1    A high-quality block-sorting file 
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  fileutils                     5.2.1-2    The GNU file management utilities 

-- no debconf information
--- linux-2.6.9/include/asm-x86_64/desc.h~	2005-01-30 20:08:12.799247944 -0800
+++ linux-2.6.9/include/asm-x86_64/desc.h	2005-01-30 20:08:12.799247944 -0800
@@ -128,7 +128,7 @@
 { 
 	set_tssldt_descriptor(&cpu_gdt_table[cpu][GDT_ENTRY_TSS], (unsigned long)addr, 
 			      DESC_TSS,
-			      sizeof(struct tss_struct) - 1);
+			      IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7);
 } 
 
 static inline void set_ldt_desc(unsigned cpu, void *addr, int size)
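
Review bot: the `+ 7` in the new limit argument of the set_tssldt_descriptor() call is a bare magic number with no comment, so a reader cannot tell how far past the end of the I/O bitmap the TSS limit is meant to reach, or why it replaces `sizeof(struct tss_struct) - 1`. Express it symbolically (for example `sizeof(unsigned long) - 1`, if the intent is one trailing long after the bitmap with the usual minus one for an inclusive limit) and add a one-line comment stating which part of struct tss_struct the limit must no longer cover. The hunk is also generated against linux-2.6.9 while the report is filed against kernel-source-2.6.8, so check that the context at line 128 of include/asm-x86_64/desc.h and the IO_BITMAP_OFFSET and IO_BITMAP_BYTES definitions match in the 2.6.8 tree before applying.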
