-----BEGIN PGP SIGNED MESSAGE-----
Caldera Security Advisory SA-1997.29: Pentium(R) and Linux IP fragment bugs
Original report date: 07-Nov-1997 (Pentium CMPXCHG8B bug)
Original report date: 13-Nov-1997 (Linux IP fragment overlap "teardrop" bug)
RPM build date: 01-Dec-1997
Advisory issue date: 03-Dec-1997
Topic: Vulnerabilities: The Pentium(R) chip / Linux kernel IP fragmentation
I. Problem Description
(This security advisory covers TWO problems that are unrelated
except that they are both addressed by the same Linux kernel
update described in this advisory.)
1) Intel's "Invalid Operand with Locked CMPXCHG8B instruction" erratum:
When executed, a particular invalid encoding of the CMPXCHG8B
instruction (a LOCK prefix applied to CMPXCHG8B with a register
operand, which is not a legal operand for that instruction) causes
the processor to hang instead of raising the invalid-opcode
exception it should. The instruction does not require special
privileges and can therefore be executed by ANY user who can run
programs on the machine.
This problem affects all current versions of the
Pentium(R) processor, Pentium processor with MMX(tm)
technology, Pentium OverDrive(R) Processor and Pentium
OverDrive processors with MMX technology. It does
not affect the Pentium Pro processor, Pentium II
processor, and i486 and earlier processors. Nor does
it affect Cyrix or AMD processors.
This problem is also known as the "f00f" problem after the first
two bytes (F0 0F, in hex) of the offending encoding: the LOCK
prefix followed by the first byte of the CMPXCHG8B opcode.
2) The Linux IP fragment problem:
A bug in the Linux kernel's IP fragment reassembly code permits
maliciously created, overlapping fragments with pathological offsets
to cause the kernel to halt or reboot: when a fragment ends inside
the preceding fragment, the kernel computes a negative fragment
length and copies far more data than it should. To exploit this
problem, an attacker needs only to be able to send IP packets to
the machine; no account on it is required.
This problem is also known as the "teardrop" problem after
the name of the exploit program.
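To make the failure concrete, here is a simplified user-space model of the 2.0.x fragment-reassembly arithmetic, written in C as an added example for this advisory; it is not the kernel source and not Caldera's patch. It keeps only the overlap-trimming step: the vulnerable version computes the copy length as end - offset after trimming, so a fragment that ends inside the preceding one yields a negative length that becomes a huge size_t when handed to memcpy(); the hardened version rejects any fragment whose range is empty or inverted after trimming. The fragment values (a 36-byte first fragment followed by a 4-byte fragment at offset 24) are constructed for the demonstration.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Simplified user-space model of the 2.0.x IP fragment reassembly
 * arithmetic (added example, not kernel source).  A fragment is the
 * byte range [offset, end) it covers in the reassembled datagram;
 * offset comes from the 13-bit fragment offset field (8-byte units)
 * and the payload length from tot_len minus the header length.
 */
struct frag {
    int offset;     /* first byte covered */
    int end;        /* one past the last byte covered */
};

struct wire_frag {
    unsigned frag_off_units;   /* IP header fragment offset field */
    unsigned payload_len;      /* tot_len - ihl, as carried on the wire */
};

/* Shared step: trim the new fragment so it starts after the
   preceding fragment, as the kernel does to remove overlap. */
static void trim_overlap(const struct frag *prev, int *offset)
{
    if (prev != NULL && *offset < prev->end) {
        int i = prev->end - *offset;   /* bytes already covered by prev */
        *offset += i;                  /* skip them in the new fragment */
    }
}

/*
 * Vulnerable computation: the copy length is taken as end - offset
 * after trimming, with no check that the range is still non-empty.
 * A fragment that ends inside the preceding one (end < prev->end)
 * gives a negative int; returned as size_t (the memcpy() length type)
 * it wraps to a value just below SIZE_MAX, so memcpy() runs far past
 * the buffer and the kernel dies.
 */
size_t vulnerable_frag_len(const struct frag *prev, const struct wire_frag *wf)
{
    int offset = (int)(wf->frag_off_units * 8u);
    int end = offset + (int)wf->payload_len;
    trim_overlap(prev, &offset);
    return (size_t)(end - offset);
}

/*
 * Hardened computation: same trimming, but a fragment whose range is
 * empty or inverted after the trim is dropped instead of copied.
 * Returns 1 and fills *out when the fragment is accepted, 0 otherwise.
 */
int hardened_frag_len(const struct frag *prev, const struct wire_frag *wf,
                      struct frag *out)
{
    int offset = (int)(wf->frag_off_units * 8u);
    int end = offset + (int)wf->payload_len;
    trim_overlap(prev, &offset);
    if (offset >= end)          /* nothing left to copy: drop it */
        return 0;
    out->offset = offset;
    out->end = end;
    return 1;
}

int main(void)
{
    /* Constructed teardrop-style pair: a 36-byte first fragment, then a
       4-byte fragment at offset 24 (3 * 8) that ends at 28, inside it. */
    struct frag first = { 0, 36 };
    struct wire_frag second = { 3, 4 };
    struct frag out;

    printf("vulnerable copy length: %zu bytes\n",
           vulnerable_frag_len(&first, &second));
    printf("hardened: fragment %s\n",
           hardened_frag_len(&first, &second, &out) ? "accepted" : "dropped");
    return 0;
}
```

The model leaves out the rest of the reassembly logic (queue management, total-length limits, timers); the point it isolates is that trimming can move offset past end, and that a signed difference converted to size_t is the whole bug.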
II. Impact
1) Intel's "Invalid Operand with Locked CMPXCHG8B instruction" erratum:
The system hangs and the system must be re-booted to return to
normal operation. This issue does not cause data corruption
or physical damage to a user's system.
2) The Linux IP fragment problem:
This bug in the Linux kernel's IP fragmentation code permits
maliciously created packets to cause the kernel to halt or
reboot. Because only the ability to send IP packets is needed,
any host reachable from the attacker can be taken down remotely,
without an account on it.
III. Solution and Other Notes
Apply the kernel update linux-kernel-binary-2.0.29-2.i386.rpm found in:
ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS
using the script:
ftp://ftp.caldera.com/pub/openlinux/updates/update.col
Instructions for using the script are found in:
ftp://ftp.caldera.com/pub/openlinux/updates/update.README
A brief overview:
1. Obtain needed update files from the RPMS directory
listed above. If you have stayed current with the
updates then you would obtain only the files listed
below. If you are unsure of which updates have been
made on your system you can obtain all of the files
in the RPMS directory and update.col will only apply
the needed updates.
2. Execute update.col as shown in the update.README, giving it the
path to the directory holding the update files. As root:
chmod +x update.col
./update.col --fixes /tmp/update
where /tmp/update is the directory into which you put the files.
The source RPM can be obtained at:
ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS
Note that this particular kernel update is simply the 2.0.29 kernel
originally shipped with OpenLinux 1.1 plus patches for these two
problems.
The MD5 checksums (from the "md5sum" command) for these packages are
listed below. They are inside the PGP-signed body of this advisory,
so verify the signature (Section V) before relying on them to check
downloaded files:
c4b432a7dc7e341990f30515ee57706f RPMS/linux-kernel-binary-2.0.29-2.i386.rpm
1640d1d96fd0c0666f068145843de9df RPMS/linux-kernel-doc-2.0.29-2.i386.rpm
33493d54c74d9e0014feea8eefe1f060 RPMS/linux-kernel-include-2.0.29-2.i386.rpm
e215573fdde9349e29fd8cf2836367ca RPMS/linux-source-alpha-2.0.29-2.i386.rpm
5810816530cca278f039141bc84ab22f RPMS/linux-source-common-2.0.29-2.i386.rpm
640c367c47f92baa0c80e300f698b20b RPMS/linux-source-i386-2.0.29-2.i386.rpm
d056ec93479a576b74d3a16d17003182 RPMS/linux-source-m68k-2.0.29-2.i386.rpm
7962bd5aa56acc1275ac9fb864a41621 RPMS/linux-source-mips-2.0.29-2.i386.rpm
d97aa1efacc12efae112febe1f900b7a RPMS/linux-source-ppc-2.0.29-2.i386.rpm
bd7765effa9cf3945871e0c95d1c5ee0 RPMS/linux-source-sparc-2.0.29-2.i386.rpm
bf6f68135b289d4fca7cdf026f756f00 SRPMS/linux-2.0.29-2.src.rpm
0990e12b7c13beeab600a85dac1625b9 bin/update.col
Once this update is installed, the "f00f_bug" line of the
/proc/cpuinfo file will indicate whether the CPU is vulnerable to
the CMPXCHG8B bug. If so, there will also be a boot-time message
indicating that the work-around was enabled. The version
number (as printed with "uname -v") of this particular kernel update
is "#1 Mon Dec 1 16:48:07 MET 1997".
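The two checks this advisory relies on for the CMPXCHG8B erratum, the /proc/cpuinfo "f00f_bug" line described above and the F0 0F byte pattern named in Section I, as an added C example that is not part of the original advisory or of the Caldera kernel package. cpuinfo_f00f_flag() parses cpuinfo text for the flag; count_f00f_sequences() counts occurrences of the full trigger encoding in a byte buffer: the LOCK prefix F0, the CMPXCHG8B opcode 0F C7, and a ModRM byte in C8..CF (mod=11, i.e. a register operand, which is what makes the instruction invalid). The sample cpuinfo text and the byte buffers in main() are constructed; the scanner does not account for other prefixes placed between LOCK and the opcode.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Parse /proc/cpuinfo text for the "f00f_bug" line that kernels with the
 * work-around print.  Returns 1 for "yes" (CPU affected), 0 for "no",
 * and -1 if the line is absent (older kernel, or not an x86 machine).
 */
int cpuinfo_f00f_flag(const char *cpuinfo)
{
    const char *line = cpuinfo;
    while (line != NULL && *line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= 8 && strncmp(line, "f00f_bug", 8) == 0) {
            const char *colon = memchr(line, ':', len);
            if (colon == NULL)
                return -1;
            const char *val = colon + 1;
            const char *stop = line + len;
            while (val < stop && (*val == ' ' || *val == '\t'))
                val++;
            if (stop - val >= 3 && strncmp(val, "yes", 3) == 0)
                return 1;
            if (stop - val >= 2 && strncmp(val, "no", 2) == 0)
                return 0;
            return -1;
        }
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/*
 * Count occurrences of the erratum's trigger encoding in a byte buffer:
 *   F0        LOCK prefix (the "f0" of f00f)
 *   0F C7     CMPXCHG8B opcode (the "0f" of f00f, plus its second byte)
 *   C8..CF    ModRM with mod=11 (register operand) and reg=001 (/1)
 * CMPXCHG8B only takes a memory operand, so mod=11 is the invalid
 * operand the erratum title refers to.  A legitimate LOCK CMPXCHG8B m64
 * has mod != 11 and is not counted.  Prefixes inserted between LOCK and
 * the opcode are not handled by this simple scan (assumption of the example).
 */
size_t count_f00f_sequences(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (buf[i] == 0xF0 && buf[i + 1] == 0x0F && buf[i + 2] == 0xC7 &&
            (buf[i + 3] & 0xF8) == 0xC8)
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed cpuinfo excerpt in the format of the updated kernel. */
    const char *sample =
        "vendor_id\t: GenuineIntel\n"
        "model name\t: Pentium 75 - 200\n"
        "f00f_bug\t: yes\n"
        "flags\t\t: fpu vme de pse tsc msr mce cx8\n";

    /* Constructed byte strings: the trigger, and a legitimate
       LOCK CMPXCHG8B [esi] (ModRM 0E: mod=00, reg=001, rm=110). */
    const unsigned char trigger[] = { 0x90, 0xF0, 0x0F, 0xC7, 0xC8, 0xC3 };
    const unsigned char legit[]   = { 0xF0, 0x0F, 0xC7, 0x0E, 0xC3 };

    printf("sample cpuinfo f00f_bug flag: %d\n", cpuinfo_f00f_flag(sample));
    printf("trigger sequences in trigger[]: %zu\n",
           count_f00f_sequences(trigger, sizeof trigger));
    printf("trigger sequences in legit[]:   %zu\n",
           count_f00f_sequences(legit, sizeof legit));

    /* On a running Linux box the same parser can be fed the real file. */
    FILE *fp = fopen("/proc/cpuinfo", "r");
    if (fp != NULL) {
        static char buf[65536];
        size_t got = fread(buf, 1, sizeof buf - 1, fp);
        buf[got] = '\0';
        fclose(fp);
        printf("this machine's f00f_bug flag: %d\n", cpuinfo_f00f_flag(buf));
    }
    return 0;
}
```

The byte scan only identifies the encoding; it never executes it, so it is safe to run on an unpatched machine. A result of -1 from the cpuinfo parser means the running kernel predates the check, not that the CPU is safe.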
Both of these problems are also fixed in the 2.0.32-pre5 and 2.1.63
Linux kernels available at ftp.kernel.org:
ftp://ftp.kernel.org/pub/linux/kernel/testing/pre-patch-2.0.32-5.gz
ftp://ftp.kernel.org/pub/linux/kernel/v2.1/linux-2.1.63.tgz
Compiling and installing new Linux kernels is beyond the scope of
this document.
IV. References / Credits
The Intel "Invalid Operand with Locked CMPXCHG8B instruction" erratum:
----------------------------------------------------------------------
From: ZombieMan <list@ZOMBIE.NWS.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: WARNING: Linux Intel Pentium Bug
Date: Fri, 7 Nov 1997 03:10:29 +0000
Message-ID: <Pine.LNX.3.96.971107030852.269A-101000@zombie.nws.net>
Intel "Invalid Operand with Locked CMPXCHG8B instruction" erratum:
http://support.intel.com/support/processors/pentium/ppiie/
"Intel Secrets" Web Site:
http://www.x86.org/
Linux IP fragment overlap bug:
------------------------------
From: G P R <route@RESENTMENT.INFONEXUS.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Linux IP fragment overlap bug
Date: Thu, 13 Nov 1997 22:06:15 -0800
Message-ID: <19971114060615.7021.qmail@resentment.infonexus.com>
This and other Caldera security resources are located at:
---------------------------------------------------------
http://www.caldera.com/tech-ref/security/
This Security Alert closes Caldera internal problem reports
#1102 and #1103.
V. PGP Signature
This message was signed with the PGP key for <security@caldera.com>.
This key can be obtained from:
ftp://ftp.caldera.com/pub/pgp-keys/
Or on an OpenLinux CDROM under:
/OpenLinux/pgp-keys/
$Id: SA-1997.29,v 1.2 1997/12/04 04:52:10 ron Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNIY3Fun+9R4958LpAQEQKQP9EjB+1uamodhVHQomnlKI+BxQhktrabKP
b4e2VPynvFvspSJz4z4b1RmlB6nJLBMHBcJhF+6WFRrP5A7En+aYMlItf+wToZHq
JKjBDvTuMZTQYbu5Koh+id5T/fWi153lg/aaDGG0VhrUXgeJCCpqThb07+4eIwJD
O8NKY328GGo=
=yQZV
-----END PGP SIGNATURE-----