Bug 213229 (CVE-2006-5331) - VUL-0: CVE-2006-5331: kernel: altivec DoS
Summary: VUL-0: CVE-2006-5331: kernel: altivec DoS
Status: RESOLVED WORKSFORME
Alias: CVE-2006-5331
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: PowerPC-64 Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Olaf Hering
QA Contact: Security Team bot
Reported: 2006-10-18 07:37 UTC by Sebastian Krahmer
Modified: 2017-08-02 06:18 UTC
Found By: Other
Description Sebastian Krahmer 2006-10-18 07:37:01 UTC
Date: Tue, 17 Oct 2006 19:24:42 +0200
From: Marcel Holtmann <holtmann@redhat.com>
To:  <vendor-sec@lst.de>
Cc: Steven M. Christey <coley@mitre.org>, Anton Blanchard <anton@samba.org>,
    <"Paul Mackerras"@redhat.com>
Subject: [vendor-sec] Never panic when taking altivec exceptions from
    userspace

Hi,

I was reading through the latest commits of the vanilla kernel and this one
came to my attention:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6c4841c2b6c32a134f9f36e5e08857138cc12b10

It looks to me like a local DoS in case we have CONFIG_ALTIVEC and are running
that kernel on non-Altivec hardware. If so, we need a CVE name for this
and this should also be proposed for -stable inclusion.

Regards

Marcel
Comment 1 Sebastian Krahmer 2006-10-18 07:37:18 UTC
CVE-2006-5331
Comment 2 Sebastian Krahmer 2006-10-18 07:38:09 UTC
Date: Wed, 18 Oct 2006 14:14:31 +1000
From: Paul Mackerras <paulus@au1.ibm.com>
To: Marcel Holtmann <holtmann@redhat.com>
Cc:  <vendor-sec@lst.de>, Steven M. Christey <coley@mitre.org>,
    Anton Blanchard <anton@samba.org>,  <"Paul Mackerras"@redhat.com>
Subject: Re: [vendor-sec] Never panic when taking altivec exceptions from
    userspace

Marcel Holtmann writes:

> I was reading through the latest commits of the vanilla kernel and this 
> one came to my attention:
> 
> http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6c4841c2b6c32a134f9f36e5e08857138cc12b10
> 
> It looks to me like a local DoS in case we have CONFIG_ALTIVEC and are
> running that kernel on non-Altivec hardware. If so, we need a CVE name
> for this and this should also be proposed for -stable inclusion.

No, the problem only occurs in the case where you have CONFIG_ALTIVEC
and you are running on a 64-bit processor that has Altivec, but the
kernel doesn't realize that it has Altivec.

Each PowerPC processor has a "processor version register" (PVR) which
identifies the particular implementation, and the kernel has a table
of all the known PVR values for all the PowerPC implementations that
Linux runs on.  This table has a bit that says whether the processor
supports Altivec, and that bit is set for all the processors we know
of that have Altivec.

So the exposure is only for as-yet-unreleased 64-bit processors.  (The
exposure doesn't exist on 32-bit processors because of a slight
difference between the 32-bit and 64-bit code.)

Anton found the problem on the unreleased POWER6 processor.  There we
don't have the altivec bit in the PVR table, but there won't be an
exposure in practice because firmware will either give us a
device-tree property telling the kernel that the processor has
altivec, or else disable altivec entirely.

The bottom line is that it isn't a local DoS on any existing machine,
nor on any I am aware of being planned for release in the next few
years.  It might be a DoS on some future processor some years down the
track.

Paul.
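
Added example, not part of the original thread and not kernel source: a simplified C model of the lookup described in Comment 2 (PVR table feature bit, firmware device-tree override) and of how the "Altivec unavailable" exception is handled with and without the "never panic from userspace" rule. The PVR values, all identifiers (`cpu_table`, `FEAT_ALTIVEC`, `effective_features`, `altivec_unavailable`) and the choice of a signal as the non-panic outcome are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define FEAT_ALTIVEC 0x1u /* hypothetical feature bit */
struct cpu_spec { uint32_t pvr_mask, pvr_value, features; };

/* Constructed table: these PVR values are illustrative, not real ones. */
static const struct cpu_spec cpu_table[] = {
    { 0xffff0000u, 0x00aa0000u, FEAT_ALTIVEC }, /* known CPU with Altivec */
    { 0xffff0000u, 0x00bb0000u, 0 },            /* known CPU without it */
    { 0x00000000u, 0x00000000u, 0 },            /* catch-all: unknown CPU */
};

/* Features the kernel believes the CPU has: first matching table entry,
 * plus Altivec if firmware advertises it via a device-tree property. */
static uint32_t effective_features(uint32_t pvr, int dt_has_altivec)
{
    uint32_t f = 0;
    for (size_t i = 0; i < sizeof cpu_table / sizeof cpu_table[0]; i++)
        if ((pvr & cpu_table[i].pvr_mask) == cpu_table[i].pvr_value) {
            f = cpu_table[i].features;
            break;
        }
    return dt_has_altivec ? (f | FEAT_ALTIVEC) : f;
}

enum outcome { ENABLE_UNIT, SIGNAL_TASK, KERNEL_PANIC };

/* Decision on an "Altivec unavailable" exception (simplified model).
 * hardened=0 models the exposure discussed in the thread; hardened=1
 * models the commit title; delivering a signal is an assumption. */
static enum outcome altivec_unavailable(uint32_t features, int from_user,
                                        int hardened)
{
    if (features & FEAT_ALTIVEC)
        return ENABLE_UNIT;   /* kernel knows the unit exists */
    if (hardened && from_user)
        return SIGNAL_TASK;   /* fault stays with the offending task */
    return KERNEL_PANIC;      /* treated as unrecoverable */
}

int main(void)
{
    uint32_t f = effective_features(0x00cc0100u, 0); /* unlisted CPU */
    printf("before=%d after=%d\n", altivec_unavailable(f, 1, 0),
           altivec_unavailable(f, 1, 1));
    return 0;
}
```
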
Comment 3 Sebastian Krahmer 2006-10-18 07:38:44 UTC
Hm. Last email reads like this bug can be closed.
It's a DoS for non-existing machines :)
Comment 4 Olaf Hering 2006-10-18 08:25:26 UTC
We are a software company.