-----BEGIN PGP SIGNED MESSAGE-----

                    Caldera Security Advisory SA-1997.29:
                   Pentium(R) and Linux IP fragment bugs

Original report date:   07-Nov-1997 (Pentium CMPXCHG8B bug)
Original report date:   13-Nov-1997 (Linux IP fragment overlap "teardrop" bug)
RPM build date:         01-Dec-1997
Advisory issue date:    03-Dec-1997

Topic:                  Vulnerabilities: The Pentium(R) chip /
                        Linux kernel IP fragmentation

I. Problem Description

   (This security advisory covers TWO problems that are un-related except
   that they are both addressed in the same Linux kernel update described
   in this advisory.)

   1) Intel's "Invalid Operand with Locked CMPXCHG8B instruction" erratum:

      When executed, a particular invalid processor instruction (CMPXCHG8B)
      will cause the system to halt. This instruction does not require
      special privileges and thus can be executed by ANY user that can run
      programs on the machine.

      This problem affects all current versions of the Pentium(R) processor,
      Pentium processor with MMX(tm) technology, Pentium OverDrive(R)
      Processor and Pentium OverDrive processors with MMX technology. It
      does not affect the Pentium Pro processor, Pentium II processor, and
      i486 and earlier processors. Nor does it affect Cyrix or AMD
      processors.

      This problem is also known as the "f00f" problem after the first two
      bytes (in hex) of the CMPXCHG8B instruction.

   2) The Linux IP fragment problem:

      A bug in the Linux kernel's IP fragmentation code permits maliciously
      created packets with pathological offsets to cause the kernel to halt
      or reboot. To exploit this problem, an attacker must be able to send
      IP packets to the machine.

      This problem is also known as the "teardrop" problem after the name
      of the exploit program.

II. Impact

   1) Intel's "Invalid Operand with Locked CMPXCHG8B instruction" erratum:

      The system hangs and the system must be re-booted to return to normal
      operation. This issue does not cause data corruption or physical
      damage to a user's system.
   2) The Linux IP fragment problem:

      This bug in the Linux kernel's IP fragmentation code permits
      maliciously created packets to cause the kernel to halt or reboot.

III. Solution and Other Notes

   Apply the kernel update linux-kernel-binary-2.0.29-2.i386.rpm found in:

      ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS

   using the script:

      ftp://ftp.caldera.com/pub/openlinux/updates/update.col

   instructions for using the script are found in:

      ftp://ftp.caldera.com/pub/openlinux/updates/update.README

   A brief overview:

   1. Obtain needed update files from the RPMS directory listed above.
      If you have stayed current with the updates then you would obtain
      only the files listed below. If you are unsure of which updates have
      been made on your system you can obtain all of the files in the RPMS
      directory and update.col will only apply the needed updates.

   2. Execute update.col as shown in the update.README using the path to
      the update files. (As root do)

         chmod +x update.col
         ./update.col --fixes /tmp/update

      Where /tmp/update is the directory where you put the files.

   The source RPM can be obtained at:

      ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS

   Note that this particular kernel update is simply the 2.0.29 kernel
   originally shipped with OpenLinux 1.1 plus patches for these two
   problems.
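   The "pathological offsets" named in Section I are fragments whose data
   range ends inside an earlier fragment, so that after the overlap is
   trimmed the remaining length is negative and the kernel copies far more
   than it should. The following is an added example, not code from the
   advisory or from the Linux kernel: a minimal reassembler that applies
   the offset checks a corrected kernel performs and rejects such a
   fragment set instead of processing it. Fragment offsets are given in
   bytes rather than the 8-byte units of the IP header, and every fragment
   set used is constructed in-line.

```python
"""Added example: fragment reassembly with overlap sanity checks.

Not the kernel's code. A fragment is modelled as a tuple
(byte_offset, payload, more_fragments); offsets are in bytes here,
whereas the IP header stores them in 8-byte units.
"""
from typing import List, Optional, Tuple

Fragment = Tuple[int, bytes, bool]


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Reassemble a complete fragment set, or return None if it is rejected.

    Rejection reasons: a fragment that contributes no new bytes once the
    overlap with earlier data is trimmed (the teardrop shape), a hole in
    the datagram, data after the fragment flagged as last, or no last
    fragment at all.
    """
    ordered = sorted(fragments, key=lambda f: f[0])  # kernel keeps the list ordered by offset
    pieces = []
    prev_end = 0
    final_seen = False
    for offset, data, more in ordered:
        if final_seen:
            return None                      # data after the last fragment
        start, end = offset, offset + len(data)
        if start < prev_end:
            # Overlaps the tail of an earlier fragment: keep only the new part.
            trim = prev_end - start
            start += trim
            data = data[trim:]
        if start >= end:
            # The unpatched kernel computed end - start here without this
            # check and obtained a negative length; the fix is to refuse a
            # fragment that contributes nothing after trimming.
            return None
        if start > prev_end:
            return None                      # hole: datagram incomplete
        pieces.append(data)
        prev_end = end
        if not more:
            final_seen = True
    if not final_seen:
        return None                          # last fragment never arrived
    return b"".join(pieces)


if __name__ == "__main__":
    # Constructed fragment sets: a normal datagram, a benign partial overlap,
    # and one whose second fragment ends inside the first.
    normal = [(0, b"A" * 16, True), (16, b"B" * 16, True), (32, b"C" * 8, False)]
    benign_overlap = [(0, b"A" * 36, True), (24, b"B" * 20, False)]
    pathological = [(0, b"A" * 36, True), (24, b"B" * 4, False)]
    for name, frags in [("normal", normal), ("benign overlap", benign_overlap),
                        ("pathological", pathological)]:
        result = reassemble(frags)
        print(f"{name:15s}: {'rejected' if result is None else f'{len(result)} bytes'}")
```

   The same check reads naturally as a detection rule: a fragment whose
   (offset + length) is less than or equal to the end of the data already
   received for that datagram is never legitimate and can be logged and
   dropped at a filtering router as well as in the host kernel.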
   The MD5 checksums (from the "md5sum" command) for these packages are:

   c4b432a7dc7e341990f30515ee57706f  RPMS/linux-kernel-binary-2.0.29-2.i386.rpm
   1640d1d96fd0c0666f068145843de9df  RPMS/linux-kernel-doc-2.0.29-2.i386.rpm
   33493d54c74d9e0014feea8eefe1f060  RPMS/linux-kernel-include-2.0.29-2.i386.rpm
   e215573fdde9349e29fd8cf2836367ca  RPMS/linux-source-alpha-2.0.29-2.i386.rpm
   5810816530cca278f039141bc84ab22f  RPMS/linux-source-common-2.0.29-2.i386.rpm
   640c367c47f92baa0c80e300f698b20b  RPMS/linux-source-i386-2.0.29-2.i386.rpm
   d056ec93479a576b74d3a16d17003182  RPMS/linux-source-m68k-2.0.29-2.i386.rpm
   7962bd5aa56acc1275ac9fb864a41621  RPMS/linux-source-mips-2.0.29-2.i386.rpm
   d97aa1efacc12efae112febe1f900b7a  RPMS/linux-source-ppc-2.0.29-2.i386.rpm
   bd7765effa9cf3945871e0c95d1c5ee0  RPMS/linux-source-sparc-2.0.29-2.i386.rpm
   bf6f68135b289d4fca7cdf026f756f00  SRPMS/linux-2.0.29-2.src.rpm
   0990e12b7c13beeab600a85dac1625b9  bin/update.col

   Once this update is installed, the "f00f_bug" line of the /proc/cpuinfo
   file will indicate whether the CPU is vulnerable to the CMPXCHG8B bug.
   If so, there will also be a boot-time message indicating that the
   work-around was enabled.

   The version number (as printed with "uname -v") of this particular
   kernel update is "#1 Mon Dec 1 16:48:07 MET 1997".

   Both of these problems are also fixed in the 2.0.32-pre5 and 2.1.63
   Linux kernels available at ftp.kernel.org:

      ftp://ftp.kernel.org/pub/linux/kernel/testing/pre-patch-2.0.32-5.gz
      ftp://ftp.kernel.org/pub/linux/kernel/v2.1/linux-2.1.63.tgz

   Compiling and installing new Linux kernels is beyond the scope of this
   document.

IV. References / Credits

   The Intel "Invalid Operand with Locked CMPXCHG8B instruction" erratum:
   ----------------------------------------------------------------------

   From: ZombieMan
   To: BUGTRAQ@NETSPACE.ORG
   Subject: WARNING: Linux Intel Pentium Bug
   Date: Fri, 7 Nov 1997 03:10:29 +0000
   Message-ID:

   Intel "Invalid Operand with Locked CMPXCHG8B instruction" erratum:
      http://support.intel.com/support/processors/pentium/ppiie/

   "Intel Secrets" Web Site:
      http://www.x86.org/

   Linux IP fragment overlap bug:
   ------------------------------

   From: G P R
   To: BUGTRAQ@NETSPACE.ORG
   Subject: Linux IP fragment overlap bug
   Date: Thu, 13 Nov 1997 22:06:15 -0800
   Message-ID: <19971114060615.7021.qmail@resentment.infonexus.com>

   This and other Caldera security resources are located at:
   ---------------------------------------------------------
      http://www.caldera.com/tech-ref/security/

   This Security Alert closes Caldera internal problem reports #1102 and
   #1103.

V. PGP Signature

   This message was signed with the PGP key for . This key can be obtained
   from:

      ftp://ftp.caldera.com/pub/pgp-keys/

   Or on an OpenLinux CDROM under:

      /OpenLinux/pgp-keys/

$Id: SA-1997.29,v 1.2 1997/12/04 04:52:10 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNIY3Fun+9R4958LpAQEQKQP9EjB+1uamodhVHQomnlKI+BxQhktrabKP
b4e2VPynvFvspSJz4z4b1RmlB6nJLBMHBcJhF+6WFRrP5A7En+aYMlItf+wToZHq
JKjBDvTuMZTQYbu5Koh+id5T/fWi153lg/aaDGG0VhrUXgeJCCpqThb07+4eIwJD
O8NKY328GGo=
=yQZV
-----END PGP SIGNATURE-----
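   Section III gives two things an administrator can check by hand: the
   MD5 checksums of the update files and the "f00f_bug" line of
   /proc/cpuinfo. The following is an added example and not part of the
   advisory or of Caldera's update.col script: it parses the checksum list
   printed above, compares it against files in a download directory
   (/tmp/update by default, matching the overview in Section III), and
   reads the f00f_bug value from a /proc/cpuinfo text. MD5 is used because
   that is what the advisory published; it is a download-integrity check,
   not a substitute for the PGP signature. The /proc/cpuinfo sample in the
   usage block is constructed.

```python
"""Added example: verify SA-1997.29 update files and read the f00f_bug flag.

Not Caldera's code. The checksum text is copied from the advisory; the
directory layout (RPMS/, SRPMS/, bin/ under the download root) is the
one the advisory's list implies.
"""
import hashlib
import os
from typing import Dict, Optional

ADVISORY_MD5 = """
c4b432a7dc7e341990f30515ee57706f  RPMS/linux-kernel-binary-2.0.29-2.i386.rpm
1640d1d96fd0c0666f068145843de9df  RPMS/linux-kernel-doc-2.0.29-2.i386.rpm
33493d54c74d9e0014feea8eefe1f060  RPMS/linux-kernel-include-2.0.29-2.i386.rpm
e215573fdde9349e29fd8cf2836367ca  RPMS/linux-source-alpha-2.0.29-2.i386.rpm
5810816530cca278f039141bc84ab22f  RPMS/linux-source-common-2.0.29-2.i386.rpm
640c367c47f92baa0c80e300f698b20b  RPMS/linux-source-i386-2.0.29-2.i386.rpm
d056ec93479a576b74d3a16d17003182  RPMS/linux-source-m68k-2.0.29-2.i386.rpm
7962bd5aa56acc1275ac9fb864a41621  RPMS/linux-source-mips-2.0.29-2.i386.rpm
d97aa1efacc12efae112febe1f900b7a  RPMS/linux-source-ppc-2.0.29-2.i386.rpm
bd7765effa9cf3945871e0c95d1c5ee0  RPMS/linux-source-sparc-2.0.29-2.i386.rpm
bf6f68135b289d4fca7cdf026f756f00  SRPMS/linux-2.0.29-2.src.rpm
0990e12b7c13beeab600a85dac1625b9  bin/update.col
"""


def parse_md5_list(text: str) -> Dict[str, str]:
    """Turn md5sum-style lines ('<hex>  <path>') into a path -> digest map."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 32:
            continue                          # blank or non-checksum line
        expected[parts[1]] = parts[0].lower()
    return expected


def check_digests(expected: Dict[str, str], contents: Dict[str, bytes]) -> Dict[str, str]:
    """Compare file bytes against expected digests; status per listed path."""
    result = {}
    for path, digest in expected.items():
        data = contents.get(path)
        if data is None:
            result[path] = "MISSING"
        elif hashlib.md5(data).hexdigest() == digest:
            result[path] = "OK"
        else:
            result[path] = "MISMATCH"         # corrupt or tampered download
    return result


def verify_directory(expected: Dict[str, str], root: str) -> Dict[str, str]:
    """Read every listed path below root and check it; absent files are MISSING."""
    contents = {}
    for path in expected:
        full = os.path.join(root, path)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                contents[path] = fh.read()
    return check_digests(expected, contents)


def f00f_status(cpuinfo_text: str) -> Optional[str]:
    """Return the f00f_bug value ('yes' or 'no'); None if the running kernel
    does not report the line, i.e. the work-around kernel is not installed."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "f00f_bug":
            return value.strip()
    return None


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp/update"
    for path, status in sorted(verify_directory(parse_md5_list(ADVISORY_MD5), root).items()):
        print(f"{status:8s} {path}")
    # Constructed /proc/cpuinfo excerpt in the layout the text describes.
    sample_cpuinfo = "cpu family\t: 5\nmodel name\t: Pentium 75 - 200\nf00f_bug\t: yes\n"
    print("f00f_bug (sample):", f00f_status(sample_cpuinfo))
    try:
        with open("/proc/cpuinfo") as fh:
            print("f00f_bug (this host):", f00f_status(fh.read()))
    except OSError:
        pass
```

   Run it as "python3 verify_sa199729.py /tmp/update" before executing
   update.col; any MISMATCH line means the file should be fetched again
   rather than installed. A None from f00f_status after a reboot means the
   old kernel is still running.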