Bug 133108

Summary:	CAN-2004-0814 input/serio local DOS
Product:	Red Hat Enterprise Linux 3	Reporter:	Josh Bressers <bressers>
Component:	kernel	Assignee:	Jason Baron <jbaron>
Status:	CLOSED ERRATA	QA Contact:	Brian Brock <bbrock>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	3.0	CC:	knoel, petrides, riel
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2005-04-22 20:17:31 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Josh Bressers 2004-09-21 18:39:17 UTC

drivers/input/serio/serport.c can lead to kernel panic in serio code
followed by jbd's panic (probably due to random memory write, I don't
       now) and/or system lockup.

        Steps to exploit it:
        process 1:
            open() a tty device;
            TIOCSETD it to N_MOUSE;
            read() it. it will block.
        after that, process 2:
            open() the same device;
            TIOCSETD it to 0;
            TIOCSETD it to N_MOUSE; (not sure if it's necessary)
            kill() process 1;

Comment 1 Alan Cox 2004-09-21 19:29:55 UTC

Dup of  131672 btw - and the example case is a minor one, there are
*much* worse problems in this code including one that some times
allows remote DoS but is very tricky to exploit.

Replace N_MOUSE with other ldiscs to get crashes with 2.4

Comment 2 Ernie Petrides 2004-09-22 02:18:42 UTC

Closing as dup of bug 131674 (the RHEL3 variant of bug 131672).


*** This bug has been marked as a duplicate of 131674 ***

Comment 3 Ernie Petrides 2005-02-15 08:41:37 UTC

Fixes for these problems have just been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-27.13.EL).

Comment 4 Ernie Petrides 2005-04-14 00:11:59 UTC

Fixes for these problems have also been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.3.EL).

Comment 5 Josh Bressers 2005-04-22 20:17:31 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-293.html

Comment 6 Tim Powers 2005-05-18 13:28:09 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-294.html