SA-1997.29.txt

Posted Sep 23, 1999

SHA-256 | ffcc154a3a880972f7a31e13f7c719f7f7596f43974aec827987adec59697080

Caldera Security Advisory SA-1997.29: Pentium(R) and Linux IP fragment bugs

Original report date: 07-Nov-1997 (Pentium CMPXCHG8B bug)
Original report date: 13-Nov-1997 (Linux IP fragment overlap "teardrop" bug)
RPM build date: 01-Dec-1997
Advisory issue date: 03-Dec-1997

Topic: Vulnerabilities: The Pentium(R) chip / Linux kernel IP fragmentation

I. Problem Description

(This security advisory covers TWO problems that are unrelated
except that both are addressed by the same Linux kernel
update described in this advisory.)

1) Intel's "Invalid Operand with Locked CMPXCHG8B instruction" erratum:

When executed, a particular invalid form of the CMPXCHG8B
instruction (a LOCK-prefixed CMPXCHG8B with an invalid operand)
causes the processor to halt. The instruction requires no
special privileges and can therefore be executed by ANY user
able to run programs on the machine.

This problem affects all current versions of the
Pentium(R) processor, Pentium processor with MMX(tm)
technology, Pentium OverDrive(R) Processor and Pentium
OverDrive processors with MMX technology. It does
not affect the Pentium Pro processor, Pentium II
processor, and i486 and earlier processors. Nor does
it affect Cyrix or AMD processors.

This problem is also known as the "f00f" problem after the
first two bytes (in hex, F0 0F) of the offending CMPXCHG8B
instruction encoding.

2) The Linux IP fragment problem:

A bug in the Linux kernel's IP fragmentation code permits
maliciously created packets with pathological offsets to
cause the kernel to halt or reboot. To exploit this problem,
an attacker must be able to send IP packets to the machine.

This problem is also known as the "teardrop" problem after
the name of the exploit program.
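The overlap condition described above, as an added Python example that is not part of Caldera's advisory or of the kernel's code: it decodes the IPv4 flags/offset field and reports a fragment set in which trimming an overlap would leave a fragment with zero or negative length to copy, the "pathological offset" shape the advisory refers to. The fragment sets in the usage are constructed.

```python
# Added example (not Caldera's or the Linux kernel's code): a consistency check
# for IPv4 fragment sets. It reassembles nothing; it only reports the first
# fragment whose overlap trimming would leave no data, which is the class of
# offset the advisory calls "pathological".
from typing import List, Optional, Tuple

def split_frag_field(field: int) -> Tuple[int, bool]:
    """Decode the 16-bit IPv4 flags/fragment-offset field into
    (offset in bytes, MF flag). Offsets are carried in 8-byte units."""
    return (field & 0x1FFF) * 8, bool(field & 0x2000)

def fragment_problem(frags: List[Tuple[int, int]]) -> Optional[str]:
    """frags: (flags/offset field, payload length in bytes) per fragment.
    Returns None when the fragments tile into a consistent datagram, else a
    description of the first fragment that cannot be trimmed sanely."""
    decoded = []
    for field, plen in frags:
        offset, mf = split_frag_field(field)
        decoded.append((offset, plen, mf))
    decoded.sort()                      # process in datagram order
    covered_end = 0                     # highest byte offset covered so far
    for offset, plen, mf in decoded:
        if plen <= 0:
            return f"fragment at offset {offset} carries no payload"
        if mf and plen % 8:
            return (f"non-final fragment at offset {offset} has length {plen}, "
                    f"not a multiple of 8")
        end = offset + plen
        if offset < covered_end:
            # Overlap: a reassembler advances this fragment's start to
            # covered_end, so the bytes left to copy are end - covered_end.
            # A zero or negative remainder is the teardrop-style condition.
            remaining = end - covered_end
            if remaining <= 0:
                return (f"fragment {offset}-{end} lies entirely inside data "
                        f"already reassembled (0-{covered_end}); trimmed "
                        f"length {remaining}")
        covered_end = max(covered_end, end)
    return None

if __name__ == "__main__":
    # Constructed samples: a clean two-fragment datagram, then an overlapping
    # pair whose second fragment ends before the first one does.
    print(fragment_problem([(0x2000, 24), (3, 8)]))
    print(fragment_problem([(0x2000, 40), (3, 4)]))
```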

II. Impact

1) Intel's "Invalid Operand with Locked CMPXCHG8B instruction" erratum:

The system hangs and must be rebooted to return to normal
operation. This issue does not cause data corruption or
physical damage to a user's system.

2) The Linux IP fragment problem:

This bug in the Linux kernel's IP fragmentation code permits
maliciously created packets to cause the kernel to halt or
reboot.


III. Solution and Other Notes

Apply the kernel update linux-kernel-binary-2.0.29-2.i386.rpm found in:

ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS

using the script:

ftp://ftp.caldera.com/pub/openlinux/updates/update.col

Instructions for using the script are found in:

ftp://ftp.caldera.com/pub/openlinux/updates/update.README

A brief overview:
1. Obtain needed update files from the RPMS directory
listed above. If you have stayed current with the
updates then you would obtain only the files listed
below. If you are unsure of which updates have been
made on your system you can obtain all of the files
in the RPMS directory and update.col will only apply
the needed updates.
2. Execute update.col as shown in the update.README,
giving the path to the update files (as root):

chmod +x update.col
./update.col --fixes /tmp/update

Where /tmp/update is the directory where you put the files.

The source RPM can be obtained at:

ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS

Note that this particular kernel update is simply the 2.0.29 kernel
originally shipped with OpenLinux 1.1 plus patches for these two
problems.

The MD5 checksums (from the "md5sum" command) for these packages are:


Once this update is installed, the "f00f_bug" line of the
/proc/cpuinfo file will indicate whether the CPU is vulnerable to
the CMPXCHG8B bug. If so, there will also be a boot-time message
indicating that the work-around was enabled. The version
number (as printed with "uname -v") of this particular kernel update
is "#1 Mon Dec 1 16:48:07 MET 1997".
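An added verification script, not from the advisory, that checks the two post-update indicators named above: the "f00f_bug" line of /proc/cpuinfo and the build string printed by "uname -v". The expected build string is the one the advisory gives; the cpuinfo text used when testing is constructed, and the function names are my own.

```python
# Added example (not Caldera's code): confirm that the SA-1997.29 kernel update
# is running and read the f00f_bug indicator it adds to /proc/cpuinfo.
import subprocess

# Build string the advisory gives for this kernel update (uname -v).
EXPECTED_UNAME_V = "#1 Mon Dec 1 16:48:07 MET 1997"

def f00f_status(cpuinfo_text: str) -> str:
    """Return the value of the f00f_bug line ('yes' or 'no'), or 'absent'
    when the kernel prints no such line (per the advisory, the line appears
    once the update is installed)."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "f00f_bug":
            return value.strip().lower()
    return "absent"

def verify_update(cpuinfo_text: str, uname_v: str) -> dict:
    """Summarise both indicators; 'workaround_needed' is True on a CPU the
    kernel reports as vulnerable, where the boot message should also appear."""
    status = f00f_status(cpuinfo_text)
    return {
        "updated_kernel": uname_v.strip() == EXPECTED_UNAME_V,
        "f00f_bug": status,
        "workaround_needed": status == "yes",
    }

if __name__ == "__main__":
    with open("/proc/cpuinfo") as fh:
        cpuinfo = fh.read()
    uname_v = subprocess.run(["uname", "-v"], capture_output=True,
                             text=True, check=True).stdout
    print(verify_update(cpuinfo, uname_v))
```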

Both of these problems are also fixed in the 2.0.32-pre5 and 2.1.63
Linux kernels available at ftp.kernel.org:

ftp://ftp.kernel.org/pub/linux/kernel/testing/pre-patch-2.0.32-5.gz
ftp://ftp.kernel.org/pub/linux/kernel/v2.1/linux-2.1.63.tgz

Compiling and installing new Linux kernels is beyond the scope of
this document.

IV. References / Credits

The Intel "Invalid Operand with Locked CMPXCHG8B instruction" erratum:
----------------------------------------------------------------------

From: ZombieMan <list@ZOMBIE.NWS.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: WARNING: Linux Intel Pentium Bug
Date: Fri, 7 Nov 1997 03:10:29 +0000
Message-ID: <Pine.LNX.3.96.971107030852.269A-101000@zombie.nws.net>

Intel "Invalid Operand with Locked CMPXCHG8B instruction" erratum:

http://support.intel.com/support/processors/pentium/ppiie/

"Intel Secrets" Web Site:

http://www.x86.org/

Linux IP fragment overlap bug:
------------------------------

From: G P R <route@RESENTMENT.INFONEXUS.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Linux IP fragment overlap bug
Date: Thu, 13 Nov 1997 22:06:15 -0800
Message-ID: <19971114060615.7021.qmail@resentment.infonexus.com>

This and other Caldera security resources are located at:
---------------------------------------------------------

http://www.caldera.com/tech-ref/security/

This Security Alert closes Caldera internal problem reports
#1102 and #1103.

V. PGP Signature

This message was signed with the PGP key for <security@caldera.com>.

This key can be obtained from:
ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:
/OpenLinux/pgp-keys/

$Id: SA-1997.29,v 1.2 1997/12/04 04:52:10 ron Exp $
