[Secure-testing-team] Re: CVE-2006-5648

dann frazier dannf at dannf.org
Thu Dec 28 17:12:42 CET 2006


On Mon, Dec 25, 2006 at 01:11:56PM +0100, Florian Weimer wrote:
> Has CVE-2006-5648 been addressed for the current linux-2.6 version?

Not completely.

> Here's what I've found out about this bug so far:

Thanks for researching this.

> NOTE: Some new futex-related system calls need arch-specific support
> NOTE: routines, or they can lead to unkillable userspace processes.
> NOTE: The following git commits add futex_atomic_cmpxchg_inatomic
> NOTE: implementations.  The initial implementation contained code
> NOTE: for amd64 and i386.  Other implementations were added here:
> NOTE: c7fed9d75074f7c243ec8ff2c55d04de2839a6f6 (sparc64, before 2.6.19)

Already included (part of 2.6.18.3)

> NOTE: 69588298188b40ed7f75c98a6fd328d82f23ca21 (powerpc, before 2.6.18)

As you note, already in 2.6.18

> NOTE: a192dc16000241dc02990a36b6830839b73c44de (ia64, before 2.6.19)

Note there, but (as you note) also not wired

> NOTE: 342a0497c23c278633f8674ab62f71e5049b7080 (parisc, before 2.6.19)

Already included in hppa.patch.

> NOTE: Exploitability depends on whether the syscall is actually wired,
> NOTE: which seems to be the case for everything but ia64 and maybe arm.

I don't see wiring for alpha, m68k, mips, or mipsel in our 2.6.18
either - do you?

s390 has both wiring and implementation, so it should be safe.

The only outstanding hole I can see is sparc32 - it includes the
generic futex.h which does not implement these functions.

Do you agree?

-- 
dann frazier
