kvm ptrace 32bit DoS bug - bisected

[Antoine Martin <antoine@nagafix.co.uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I reported this bug a while ago but no-one picked up on it.
Just launch any UML 32-bit kernel on a 64-bit KVM guest:

test $ ./kernel32-2.6.16.62
Checking that ptrace can change system call numbers...OK
Checking syscall emulation patch for ptrace...OK
Trace/breakpoint trap
test@localhost ~ $ Kernel panic - not syncing: Attempted to kill init!
Kernel panic - not syncing: Attempted to kill init!


You can find some pre-built binaries here:
http://uml.devloop.org.uk/kernels.html

Since then, I've bisected it down to:
d4d67150165df8bf1cc05e532f6efca96f907cab is first bad commit
Author: Roland McGrath <roland@redhat.com>
Date:   Wed Jul 9 02:38:07 2008 -0700
Subject: x86 ptrace: unify syscall tracing

It looks exploitable at first sight (ptrace generally is), but this is
beyond me (I am not a kernel hacker)

QEMU without KVM is not affected.

I've added some printf in a test UML kernel to see more precisely where
it dies in arch/um/os-Linux/startup.c: in check_sysemu():
		non_fatal("Before singlestep\n");
                if (ptrace(PTRACE_SYSEMU_SINGLESTEP, pid, 0, 0) < 0)
                        goto fail;
                non_fatal("Before waitpid\n");
(also added a non_fatal() in fail)

It prints these two statements 30 times from the while(1) loop and stops on:
Before singlestep

Whatever the fix is, this should be queued for stable too.

Antoine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkqiaoUACgkQGK2zHPGK1rt1cwCfWgGeuTrD+rpfa9SsUc7/h3eL
+DEAn1LgzrhOjbyEss2zRez+0dk0smZv
=MUXh
-----END PGP SIGNATURE-----