public inbox for linux-kernel@vger.kernel.org
* [PATCH] [CAN-2004-1144] Fix int 0x80 hole in 2.4 x86-64 linux kernels
@ 2004-12-22 17:58 Andi Kleen
  2004-12-22 18:20 ` Willy Tarreau
  0 siblings, 1 reply; 4+ messages in thread
From: Andi Kleen @ 2004-12-22 17:58 UTC (permalink / raw)
  To: discuss, linux-kernel; +Cc: marcelo.tosatti, vandrove


Petr Vandrovec discovered an exploitable root hole on all 2.4 x86-64 kernels.
The problem occurs because the eax register on the 32-bit int 0x80 syscall
handler is not properly 64-bit zero-extended, which can be used to overflow the
system call table.

The problem only occurs on 2.4 x86-64 kernels, 2.6 doesn't have this
hole because some unrelated changes in 2.5 fixed it as a side effect.

Marcelo should be releasing a new pre* kernel with this fix
shortly; there should also be updated kernels from the various
Linux distributions.

It is recommended that everybody who runs a 2.4 x86-64 kernel with
shell user access update to a kernel which has this patch applied.

Patch is for 2.4.29pre2, but should apply to pretty much any 
2.4.x x86-64 kernel.

-Andi

diff -u linux-2.4.29pre2/arch/x86_64/ia32/ia32entry.S-o linux-2.4.29pre2/arch/x86_64/ia32/ia32entry.S
--- linux-2.4.29pre2/arch/x86_64/ia32/ia32entry.S-o	2004-11-06 07:37:32.000000000 +0100
+++ linux-2.4.29pre2/arch/x86_64/ia32/ia32entry.S	2004-12-22 18:49:05.000000000 +0100
@@ -52,6 +52,7 @@
 ENTRY(ia32_syscall)
 	swapgs	
 	sti
+	movl %eax,%eax	
 	pushq %rax
 	cld
 	SAVE_ARGS
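Review bot: the added `movl %eax,%eax` line carries a trailing tab and no comment saying why a register is moved onto itself; as the follow-up question in this thread shows, the zero-extension side effect of a 32-bit write in long mode is not obvious to someone coming from 32-bit x86, and a reader could mistake the line for a no-op and remove it. Suggest dropping the trailing whitespace and keeping the reason on the line, e.g. `movl %eax,%eax	/* zero-extend %eax: 32-bit write clears upper 32 bits of %rax */`, so the security-critical purpose survives in the source. Placing it before `pushq %rax` is the right spot, since the value saved by that push is then already sanitized.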

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] [CAN-2004-1144] Fix int 0x80 hole in 2.4 x86-64 linux kernels
  2004-12-22 17:58 [PATCH] [CAN-2004-1144] Fix int 0x80 hole in 2.4 x86-64 linux kernels Andi Kleen
@ 2004-12-22 18:20 ` Willy Tarreau
  2004-12-22 18:23   ` Andi Kleen
  0 siblings, 1 reply; 4+ messages in thread
From: Willy Tarreau @ 2004-12-22 18:20 UTC (permalink / raw)
  To: Andi Kleen; +Cc: discuss, linux-kernel, marcelo.tosatti, vandrove

Hi Andi,

On Wed, Dec 22, 2004 at 06:58:18PM +0100, Andi Kleen wrote:
(...)
>  	sti
> +	movl %eax,%eax	
>  	pushq %rax

Although I don't know about x86_64 assembly, I know x86 and I wonder
how this patch would do anything. I would personally have written something
more like:

+    movzl %eax,%rax

Once again, I may be wrong, but I really don't understand at all then.
Could you please either confirm or detail a bit more ?

thanks in advance,
Willy



* Re: [PATCH] [CAN-2004-1144] Fix int 0x80 hole in 2.4 x86-64 linux kernels
  2004-12-22 18:20 ` Willy Tarreau
@ 2004-12-22 18:23   ` Andi Kleen
  2004-12-22 18:47     ` Willy Tarreau
  0 siblings, 1 reply; 4+ messages in thread
From: Andi Kleen @ 2004-12-22 18:23 UTC (permalink / raw)
  To: Willy Tarreau
  Cc: Andi Kleen, discuss, linux-kernel, marcelo.tosatti, vandrove

On Wed, Dec 22, 2004 at 07:20:48PM +0100, Willy Tarreau wrote:
> Hi Andi,
> 
> On Wed, Dec 22, 2004 at 06:58:18PM +0100, Andi Kleen wrote:
> (...)
> >  	sti
> > +	movl %eax,%eax	
> >  	pushq %rax
> 
> Although I don't know about x86_64 assembly, I know x86 and I wonder
> how this patch would do anything. I would personally have written something
> more like:

A 32-bit write in long mode clears the upper 32 bits of the register.
See the x86-64 architecture manuals for more details.

-Andi

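The bug class described in Andi's announcement and the architectural rule he cites in the reply above (a 32-bit write zero-extends into the 64-bit register), as an added C example that is not part of this thread or of the kernel source. It models an int 0x80 entry path whose bound check looks at the 32-bit %eax while the table index uses the full %rax, and the patched path that zero-extends first. The table size, the exact shape of the bound check, the EVIL_RAX value and the function names are constructed assumptions for illustration, not the real 2.4 ia32entry.S code; on an x86-64 host the inline-assembly helper lets you confirm the CPU behaviour against the C model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ia32 int 0x80 dispatch, added for illustration.
 * Not the kernel's code: NR_SYSCALLS, the shape of the bound check and the
 * names below are assumptions chosen to show the bug class, i.e. a range
 * check performed on the 32-bit %eax while the table is indexed with the
 * full 64-bit %rax. */

#define NR_SYSCALLS 4

typedef long (*syscall_fn)(void);

static long sys_zero(void)  { return 0; }
static long sys_one(void)   { return 1; }
static long sys_two(void)   { return 2; }
static long sys_three(void) { return 3; }

static const syscall_fn sys_call_table[NR_SYSCALLS] = {
    sys_zero, sys_one, sys_two, sys_three,
};

/* What `movl %eax,%eax` does in long mode: a 32-bit write zero-extends into
 * the full 64-bit register. Modelled in C by narrowing through uint32_t. */
static uint64_t zero_extend_eax(uint64_t rax)
{
    return (uint64_t)(uint32_t)rax;
}

/* The same operation performed by the CPU itself, so the architectural rule
 * can be checked against the C model on an x86-64 host. Other hosts fall
 * back to the C model. */
static uint64_t zero_extend_eax_hw(uint64_t rax)
{
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    __asm__ volatile("movl %k0, %k0" : "+r"(rax));
    return rax;
#else
    return zero_extend_eax(rax);
#endif
}

/* Vulnerable entry path (assumed shape): `cmpl $NR_SYSCALLS, %eax` looks at
 * the low 32 bits only, but `call *sys_call_table(,%rax,8)` scales the full
 * 64-bit value. Returns the table slot that would be dereferenced, or -1 if
 * the check rejects the call. A result >= NR_SYSCALLS means the dispatch
 * would read a function pointer from beyond the table. */
static int64_t vulnerable_slot(uint64_t rax)
{
    if ((uint32_t)rax >= NR_SYSCALLS)
        return -1;
    return (int64_t)rax;
}

/* Patched entry path: zero-extend first, so the check and the index agree. */
static int64_t fixed_slot(uint64_t rax)
{
    rax = zero_extend_eax(rax);
    if (rax >= NR_SYSCALLS)
        return -1;
    return (int64_t)rax;
}

/* Dispatch through the fixed path; the slot is always inside the table. */
static long fixed_dispatch(uint64_t rax)
{
    int64_t slot = fixed_slot(rax);
    if (slot < 0)
        return -38; /* -ENOSYS */
    return sys_call_table[slot]();
}

/* Constructed attacker-controlled value: the low 32 bits (1) pass the check,
 * the high bits push the scaled index far outside sys_call_table. */
#define EVIL_RAX (((uint64_t)0x1234 << 32) | 1)

int main(void)
{
    printf("cpu zero-extend of 0x%llx -> 0x%llx\n",
           (unsigned long long)EVIL_RAX,
           (unsigned long long)zero_extend_eax_hw(EVIL_RAX));
    printf("vulnerable slot for 0x%llx: %lld (table has %d entries)\n",
           (unsigned long long)EVIL_RAX,
           (long long)vulnerable_slot(EVIL_RAX), NR_SYSCALLS);
    printf("fixed slot: %lld, dispatch returns %ld\n",
           (long long)fixed_slot(EVIL_RAX), fixed_dispatch(EVIL_RAX));
    return 0;
}
```

The point the model makes is that the check and the index must see the same value: either both look at %eax or both look at %rax. The one-instruction patch achieves that by forcing the high half of %rax to zero before anything else in the entry path consumes it, which is why it has to sit before the `pushq %rax`.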

* Re: [PATCH] [CAN-2004-1144] Fix int 0x80 hole in 2.4 x86-64 linux kernels
  2004-12-22 18:23   ` Andi Kleen
@ 2004-12-22 18:47     ` Willy Tarreau
  0 siblings, 0 replies; 4+ messages in thread
From: Willy Tarreau @ 2004-12-22 18:47 UTC (permalink / raw)
  To: Andi Kleen; +Cc: discuss, linux-kernel, marcelo.tosatti, vandrove

On Wed, Dec 22, 2004 at 07:23:13PM +0100, Andi Kleen wrote:
> > (...)
> > >  	sti
> > > +	movl %eax,%eax	
> > >  	pushq %rax
> > 
> > Although I don't know about x86_64 assembly, I know x86 and I wonder
> > how this patch would do anything. I would personally have written something
> > more like:
> 
> A 32-bit write in long mode clears the upper 32 bits of the register.

Ok, thanks for this quick precision, it wasn't obvious at first glance.

> See the x86-64 architecture manuals for more details.

Oh, I did a long time ago, when the athlon64 was only an emulator which ran
under linux, but I forgot all the details since then.

Thanks,
Willy


