[parisc-linux-cvs] linux-2.6 carlos

Carlos O'Donell carlos at parisc-linux.org
Sat Aug 21 00:43:21 MDT 2004


CVSROOT:	/var/cvs
Module name:	linux-2.6
Changes by:	carlos	04/08/21 00:43:21

Modified files:
	arch/parisc/kernel: traps.c 

Log message:
SECURITY ALERT:

Date:
2004-08-21

Affected kernels:
Every kernel until now.

Information:

The default interruption handler
"handle_interruption" does not properly check to see
if the faulting space is the same as the user's space.
The problem lies in the fact that if a fault happens
on the gateway we will not deliver signals to the
process, the process will not die, and we may continue
handling the same fault in a loop forever.

Any malicious user code can crash the kernel by
jumping into the gateway page at an inopportune
address.

Fix:
The problem is fixed in 2.6.8.1-pa6.

The solution is to check if the user has the right
privilege and if the spaces match, both faulting and
currently active. The best action is to force the
process back to its own space of execution at
address zero, and let it take a SIGSEGV. The process
can never recover from this because it happens
immediately after the return from the interrupt via
rfi or rfir.
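The decision logic described in the message above, as an added illustrative model written for this page. It is not the kernel's handle_interruption and not code from the parisc-linux project: the register struct, the field names (iasq/iaoq/sr), the assumption that the gateway page lives in space 0, the constructed register values and the fault_rounds driver are all this example's own, chosen only to show why the unpatched path loops and what the forced return to offset 0 in the process's own space changes.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, much-simplified model of the PA-RISC interruption state:
 * the two-entry instruction address queue (space half and offset half)
 * plus the space registers.  Constructed for this example; it is not
 * the kernel's pt_regs. */
struct fault_regs {
    uint32_t iasq[2]; /* instruction address space queue (faulting space in [0]) */
    uint32_t iaoq[2]; /* instruction address offset queue; low 2 bits carry the privilege level */
    uint32_t sr[8];   /* space registers; sr[7] is the process's own space */
};

#define PRIV_USER     3u /* least privileged level */
#define GATEWAY_SPACE 0u /* assumption: the gateway page is in kernel space 0 */

enum fault_action {
    ACT_KERNEL_FAULT,    /* not user privilege: a kernel-side fault, no user signal */
    ACT_SIGSEGV_INPLACE, /* ordinary user fault: SIGSEGV at the faulting address */
    ACT_SIGSEGV_FORCED,  /* user privilege but foreign space: relocate, then SIGSEGV */
    ACT_RETRY            /* unpatched behaviour: return to the same PC and fault again */
};

static unsigned priv_level(const struct fault_regs *r) { return r->iaoq[0] & 3u; }

/* Unpatched behaviour as the message describes it: a user-privilege fault
 * whose space is not the process's own gets no signal, so rfi/rfir lands
 * on the same instruction and the same fault is taken again. */
enum fault_action handle_fault_unpatched(struct fault_regs *r)
{
    if (priv_level(r) != PRIV_USER)
        return ACT_KERNEL_FAULT;
    if (r->iasq[0] == r->sr[7])
        return ACT_SIGSEGV_INPLACE;
    return ACT_RETRY;
}

/* Patched behaviour: same two checks, but a foreign-space user fault is
 * forced back into the process's own space at offset 0, still at user
 * privilege, so the SIGSEGV it takes next cannot re-enter the gateway. */
enum fault_action handle_fault_patched(struct fault_regs *r)
{
    if (priv_level(r) != PRIV_USER)
        return ACT_KERNEL_FAULT;
    if (r->iasq[0] == r->sr[7])
        return ACT_SIGSEGV_INPLACE;
    r->iaoq[0] = 0u | PRIV_USER;      /* address zero, user privilege */
    r->iaoq[1] = r->iaoq[0] + 4;      /* next instruction in the queue */
    r->iasq[0] = r->iasq[1] = r->sr[7]; /* back into the process's own space */
    return ACT_SIGSEGV_FORCED;
}

/* Build a constructed register set: faulting space, faulting offset (with
 * privilege bits), and the process's own space in sr[7]. */
struct fault_regs make_regs(uint32_t iasq0, uint32_t iaoq0, uint32_t sr7)
{
    struct fault_regs r = {0};
    r.iasq[0] = r.iasq[1] = iasq0;
    r.iaoq[0] = iaoq0;
    r.iaoq[1] = iaoq0 + 4;
    r.sr[7] = sr7;
    return r;
}

/* Re-run a handler while it keeps asking for a retry; the bound stands in
 * for "forever" and is the count of wasted interruption rounds. */
int fault_rounds(enum fault_action (*h)(struct fault_regs *), struct fault_regs *r, int limit)
{
    int n = 0;
    while (n < limit && h(r) == ACT_RETRY)
        n++;
    return n;
}

int main(void)
{
    /* constructed: user-privilege fault at offset 0x100 of the gateway space,
     * while the process's own space is 0x1234 */
    struct fault_regs g = make_regs(GATEWAY_SPACE, 0x100u | PRIV_USER, 0x1234u);
    printf("unpatched: %d rounds before giving up (limit 1000)\n",
           fault_rounds(handle_fault_unpatched, &g, 1000));
    printf("patched: action %d, now iasq=%#x iaoq=%#x\n",
           handle_fault_patched(&g), g.iasq[0], g.iaoq[0]);
    return 0;
}
```

Run stand-alone, the unpatched driver exhausts its bound, while the patched handler rewrites the queue once and then the same register state classifies as an ordinary in-space user fault.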
