
Bug#296700: marked as done ([CAN-2005-0204]: AMD64, allows local users to write to privileged IO ports via OUTS instruction)



Your message dated Sat, 26 Mar 2005 01:47:47 -0500
with message-id <E1DF55H-0002FU-00@newraff.debian.org>
and subject line Bug#296700: fixed in kernel-source-2.4.27 2.4.27-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 24 Feb 2005 06:29:15 +0000
From micah@riseup.net Wed Feb 23 22:29:15 2005
Return-path: <micah@riseup.net>
Received: from buffy.riseup.net (mail.riseup.net) [69.90.134.155] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D4CUt-0006l9-00; Wed, 23 Feb 2005 22:29:15 -0800
Received: from localhost (localhost [127.0.0.1])
	by mail.riseup.net (Postfix) with ESMTP id 96047A2F25
	for <submit@bugs.debian.org>; Wed, 23 Feb 2005 22:28:50 -0800 (PST)
Received: from mail.riseup.net ([127.0.0.1])
	by localhost (buffy [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
	id 05000-20 for <submit@bugs.debian.org>;
	Wed, 23 Feb 2005 22:28:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.riseup.net (Postfix) with ESMTP id 410B3A2F18
	for <submit@bugs.debian.org>; Wed, 23 Feb 2005 22:28:50 -0800 (PST)
Received: by pond (Postfix, from userid 1000)
	id 7124F3A802; Thu, 24 Feb 2005 00:29:28 -0600 (CST)
Content-Type: multipart/mixed; boundary="===============1195735746=="
MIME-Version: 1.0
From: Micah Anderson <micah@riseup.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [CAN-2005-0204]: AMD64,
 allows local users to write to privileged IO ports via OUTS instruction
X-Mailer: reportbug 3.8
Date: Thu, 24 Feb 2005 00:29:27 -0600
Message-Id: <20050224062928.7124F3A802@pond>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at riseup.net
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

This is a multi-part MIME message sent by reportbug.

--===============1195735746==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: kernel-source-2.6.8
Version: 2.6.8-13
Severity: normal
Tags: security patch

Hello,

CAN-2005-0204 reads:

Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T
architectures, allows local users to write to privileged IO ports via
the OUTS instruction.

Although this says "before 2.6.9" this *includes* both 2.6.8 and 2.6.9.

REDHAT:RHSA-2005:092
URL:http://www.redhat.com/support/errata/RHSA-2005-092.html

The RedHat bug associated with this is located at:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148855

A patch to fix the problem is attached to this bug report; it is
located here (also linked to the RedHat bug):
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=110424&action=view

This apparently only affects AMD64 and EM64T, and applies to 2.6.8 as
well as 2.6.9.

Kernel 2.4.27 appears to have a similar vulnerability; this patch would
not apply cleanly to that tree, but it looks relatively trivial to
modify appropriately.

Please include this CAN number in changelog entries about this problem.

Thanks,
Micah



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-5     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-1    A high-quality block-sorting file 
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities
ii  fileutils                     5.2.1-2    The GNU file management utilities 

-- no debconf information

--===============1195735746==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="can-2005-0204"

--- linux-2.6.9/include/asm-x86_64/desc.h~	2005-01-30 20:08:12.799247944 -0800
+++ linux-2.6.9/include/asm-x86_64/desc.h	2005-01-30 20:08:12.799247944 -0800
@@ -128,7 +128,7 @@
 { 
 	set_tssldt_descriptor(&cpu_gdt_table[cpu][GDT_ENTRY_TSS], (unsigned long)addr, 
 			      DESC_TSS,
-			      sizeof(struct tss_struct) - 1);
+			      IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7);
 } 
 
 static inline void set_ldt_desc(unsigned cpu, void *addr, int size)
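Review bot: the new limit `IO_BITMAP_OFFSET + IO_BITMAP_BYTES + 7` carries an unexplained constant; add a comment on the `+ 7` stating what those trailing bytes cover and why the TSS descriptor limit must end at the I/O permission bitmap rather than span the whole `struct tss_struct`, so that a later cleanup does not fold it back to `sizeof(struct tss_struct) - 1`. Also confirm that the x86_64 `struct tss_struct` actually reserves those bytes after the bitmap, since this hunk changes only the limit passed to `set_tssldt_descriptor()` and not the structure layout.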

--===============1195735746==--

---------------------------------------
Received: (at 296700-close) by bugs.debian.org; 26 Mar 2005 06:53:04 +0000
From katie@ftp-master.debian.org Fri Mar 25 22:53:04 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DF5AO-0002Ww-00; Fri, 25 Mar 2005 22:53:04 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1DF55H-0002FU-00; Sat, 26 Mar 2005 01:47:47 -0500
From: Simon Horman <horms@debian.org>
To: 296700-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#296700: fixed in kernel-source-2.4.27 2.4.27-9
Message-Id: <E1DF55H-0002FU-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sat, 26 Mar 2005 01:47:47 -0500
Delivered-To: 296700-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 2

Source: kernel-source-2.4.27
Source-Version: 2.4.27-9

We believe that the bug you reported is fixed in the latest version of
kernel-source-2.4.27, which is due to be installed in the Debian FTP archive:

kernel-doc-2.4.27_2.4.27-9_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-doc-2.4.27_2.4.27-9_all.deb
kernel-patch-debian-2.4.27_2.4.27-9_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-patch-debian-2.4.27_2.4.27-9_all.deb
kernel-source-2.4.27_2.4.27-9.diff.gz
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-9.diff.gz
kernel-source-2.4.27_2.4.27-9.dsc
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-9.dsc
kernel-source-2.4.27_2.4.27-9_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-source-2.4.27_2.4.27-9_all.deb
kernel-tree-2.4.27_2.4.27-9_all.deb
  to pool/main/k/kernel-source-2.4.27/kernel-tree-2.4.27_2.4.27-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 296700@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Horman <horms@debian.org> (supplier of updated kernel-source-2.4.27 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 25 Mar 2005 10:42:50 +0900
Source: kernel-source-2.4.27
Binary: kernel-tree-2.4.27 kernel-source-2.4.27 kernel-patch-debian-2.4.27 kernel-doc-2.4.27
Architecture: source all
Version: 2.4.27-9
Distribution: unstable
Urgency: low
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Simon Horman <horms@debian.org>
Description: 
 kernel-doc-2.4.27 - Linux kernel specific documentation for version 2.4.27
 kernel-patch-debian-2.4.27 - Debian patches to Linux 2.4.27
 kernel-source-2.4.27 - Linux kernel source for version 2.4.27 with Debian patches
 kernel-tree-2.4.27 - Linux kernel source tree for building Debian kernel images
Closes: 291536 296639 296700 296905
Changes: 
 kernel-source-2.4.27 (2.4.27-9) unstable; urgency=low
 .
   * There was a stray file in 2.4.27-8. Don't include it this time.
     (Simon Horman) (closes: Bug#291536)
 .
   * Updated kernel-tree description from Martin F Krafft
     (Simon Horman)
 .
   * Updated apply script so it can handle point versions
     (Simon Horman)
 .
   * 134_skb_reset_ip_summed.diff: [CAN-2005-0209] resolve checksumming
     exploit in fragmented packet forwarding (Joshua Kwan)
 .
   * 135_fix_ip_options_leak.diff: [CAN-2004-1335] fix leak of IP options
     data. (Joshua Kwan)
 .
   * 136_vc_resizing_overflow.diff: [CAN-2004-1333] make sure VC resizing
     fits in 16 bits. (Joshua Kwan)
 .
   * 137_io_edgeport_overflow.diff: [CAN-2004-1017] fix buffer overflow
     (underflow, really) that opens multiple attack vectors. (Joshua Kwan)
 .
   * 138_amd64_syscall_vuln.diff: [CAN-2004-1144] fix the "int 0x80 hole"
     that allowed overflow of the system call table. (Joshua Kwan)
 .
   * 139_sparc_context_switch.diff: fix FPU context switching dirtiness on
     sparc32 SMP. (Joshua Kwan)
 .
   * 140_VM_IO.diff: [CAN-2004-1057] fix possible DoS from accessing freed
     kernel pages by flagging VM_IO where necessary.
 .
   * 141_acpi_noirq.patch:
     [ACPI] Enhanced PCI probe, CONFIG_HPET_TIMER build warning fix
     (Simon Horman)
 .
   * 142_acpi_skip_timer_override-1.diff, 142_acpi_skip_timer_override-2.diff,
     142_acpi_skip_timer_override-3.diff, 142_acpi_skip_timer_override-4.diff:
     [ACPI] skip_timer_override including early PCI bridge detection.
     (closes: #296639) (Simon Horman)
 .
   * 121_drm-locking-checks-3.diff: LOCK_TEST_WITH_RETURN build cleanup
     (Simon Horman)
 .
   * 143_outs.diff:
     [SECURITY]: AMD64, allows local users to write to privileged
     IO ports via OUTS instruction (CAN-2005-0204) (Simon Horman)
     (closes: #296700)
 .
   * 144_sparc64-sb1500-clock-2.4.diff by David Miller: enable recognition
     of the clock chip on SunBlade 1500, it won't boot otherwise.
     (Jurij Smakov).
 .
   * 145_insert_vm_struct-no-BUG.patch:
     [SECURITY] make insert_vm_struct return an error rather than BUG().
     See CAN-2005-0003. (dann frazier)
 .
   * 146_ip6_copy_metadata_leak.diff 147_ip_copy_metadata_leak.diff:
     [SECURITY] Do not leak dst entries in ip_copy_metadata()
     See CAN-2005-0210. (Simon Horman)
 .
   * 148_ip_evitor_smp_loop.diff:
     Fix theoretical loop on SMP in ip_evictor().
     (Simon Horman, Andres Salomon)
 .
   * 149_fragment_queue_flush.diff:
     Flush fragment queue on conntrack unload. (Simon Horman, Andres Salomon)
 .
   * *** ABI Change! Notify D-I team or delay for future release
     *** Omitted from release
     *** 150_private_fragment_queues-1.diff, 150_private_fragment_queues-2.diff:
     *** Keep fragment queues private to each user. See CAN-2005-0449 and
     *** http://oss.sgi.com/archives/netdev/2005-01/msg01048.html
     *** (Simon Horman, Andres Salomon)
 .
   * 151_atm_get_addr_signedness_fix.diff:
     [SECURITY]  Fix ATM copy-to-user usage. See: CAN-2005-0531.
     See: http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
     (closes: #296905) (Simon Horman)
 .
   * 153_ppp_async_dos.diff:
     [SECURITY] remote Linux DoS on ppp servers. See: CAN-2005-0384
     (Simon Horman)
 .
   * 111-smb-client-overflow-fix-2.diff, 111-smb-client-overflow-fix-1.diff:
     [SECURITY] The above patches, included in 2.4.27-6, resolve:
     local information leak caused by race in SMP systems with
     more than 4GB of memory; remote information leak caused by
     handling of TRANS2 packets in smbfs. See CAN-2004-1191.
     (see: #300163) (Simon Horman)
 .
   * 154_cmsg_compat_signedness_fix.diff:
     Fix CMSG32_OK macros. (Dann Frazier, Simon Horman)
Files: 
 c1b495a855629746033b7672ca5a9415 886 devel optional kernel-source-2.4.27_2.4.27-9.dsc
 9cc9dbdfe3f53e4c45c331ea303de95d 678025 devel optional kernel-source-2.4.27_2.4.27-9.diff.gz
 d258368f37be562ec6f373c7a7a1f767 614256 devel optional kernel-patch-debian-2.4.27_2.4.27-9_all.deb
 5ab1e1bf82d64c245283466f81731701 3575462 doc optional kernel-doc-2.4.27_2.4.27-9_all.deb
 88a703faebb4e68fef18da39865dd42b 31019488 devel optional kernel-source-2.4.27_2.4.27-9_all.deb
 d282f3ac6f6d5b98a74415bc355b82e6 22754 devel optional kernel-tree-2.4.27_2.4.27-9_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCQ3fvdu+M6Iexz7URAqDlAJ9wbMFNFWUJi+Wh0RLR1RecI3MmQACgu/XD
R+PXjmy/ZXFfp3lZ61QsURM=
=vIso
-----END PGP SIGNATURE-----