Bug 140710

Summary: CAN-2004-1068 Missing serialisation in unix_dgram_recvmsg
Product: Red Hat Enterprise Linux 3
Reporter: Mark J. Cox <mjc>
Component: kernel
Assignee: David Miller <davem>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 3.0
CC: peterm, petrides, riel
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20041115
Doc Type: Bug Fix
Last Closed: 2004-12-10 02:59:21 UTC

Description Mark J. Cox 2004-11-24 13:06:42 UTC
According to isec.pl on Nov 19:
        "There is a subtle race condition finally permitting a
        non-root user to increment (up to 256 times) any arbitrary
        location(s) in kernel space.  The condition is not easy to
        exploit since an attacker must trick kmalloc() to sleep on
        allocation of a special chunk of memory and then convince the
        scheduler to execute another thread. But it is feasible."

http://linux.bkbits.net:8080/linux-2.4/cset@4199284dnTPrPLR-yhP_rOBHXJlltA
Therefore fixed in 2.4.28
http://linux.bkbits.net:8080/linux-2.6/cset@419927f5Wy2IOKwcqE2S3DTNYSmCqQ
Therefore will be fixed in 2.6.10

CVE name applied for

Comment 1 Ernie Petrides 2004-11-25 01:33:33 UTC
A fix for this problem has just been committed to the RHEL3 E4
patch pool this evening (in kernel version 2.4.21-20.0.1.EL).

I'm leaving this in ASSIGNED state until the fix is also
propagated to the RHEL3 U4 and U5 patch pools.


Comment 2 Ernie Petrides 2004-12-02 02:55:52 UTC
A fix for this problem has just been committed to the RHEL3 U4
patch pool this evening (in kernel version 2.4.21-27.EL).

I'm leaving this in ASSIGNED state until the fix is also
propagated to the RHEL3 U5 patch pool.


Comment 3 Mark J. Cox 2004-12-02 11:43:35 UTC
http://rhn.redhat.com/errata/RHSA-2004-549.html


Comment 4 Ernie Petrides 2004-12-10 02:59:21 UTC
A fix for this problem has just been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-27.3.EL).

Work on this problem has now been completed.