drivers/input/serio/serport.c can lead to kernel panic in serio code followed by jbd's panic (probably due to random memory write, I don't know) and/or system lockup. Steps to exploit it: process 1: open() a tty device; TIOCSETD it to N_MOUSE; read() it. It will block. After that, process 2: open() the same device; TIOCSETD it to 0; TIOCSETD it to N_MOUSE; (not sure if it's necessary) kill() process 1;
Dup of 131672 btw - and the example case is a minor one, there are *much* worse problems in this code including one that sometimes allows remote DoS but is very tricky to exploit. Replace N_MOUSE with other ldiscs to get crashes with 2.4.
Closing as dup of bug 131674 (the RHEL3 variant of bug 131672). *** This bug has been marked as a duplicate of 131674 ***
Fixes for these problems have just been committed to the RHEL3 U5 patch pool this evening (in kernel version 2.4.21-27.13.EL).
Fixes for these problems have also been committed to the RHEL3 E5 patch pool this evening (in kernel version 2.4.21-27.0.3.EL).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-293.html
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-294.html