Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 142965 - CAN-2004-1234 kernel denial of service vulnerability and exploit
CAN-2004-1234 kernel denial of service vulnerability and exploit
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel (Show other bugs)
i686 Linux
medium Severity high
: ---
: ---
Assigned To: Dave Anderson
Brian Brock
: 142969 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2004-12-15 09:30 EST by Wim Vereecken
Modified: 2007-11-30 17:07 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-12-23 15:48:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:689 normal SHIPPED_LIVE Important: kernel security update 2004-12-23 00:00:00 EST

  None (edit)
Description Wim Vereecken 2004-12-15 09:30:20 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera 
7.23  [en]

Description of problem:
Crash binary (44 bytes) for the Linux kernel 2.4.21-20.EL and 
probably earlier versions, freezing the complete system, even when 
executed without root privileges.

Version-Release number of selected component (if applicable):
2.4.21-20.EL (Red Hat Enterprise Linux AS release 3 / Taroon Update 

How reproducible:

Steps to Reproduce:
1.wget http://www.esat.kuleuven.ac.be/~wvereeck/kernel/exploit
2.chmod 755 exploit
3../exploit (as non-root)
4.freeze and cook up an excuse for your sysadmins

Actual Results:  The system freezes, so nothing world-astonishing 

Expected Results:  No crash/freeze, there are other OS's for this.

Additional info:

There seems to be a problem with the e_phnum byte in the ELF header,
which crashes the linker/kernel, when it holds a zero.
Comment 1 Mark J. Cox 2004-12-15 09:51:33 EST
Please see http://rhn.redhat.com/errata/RHSA-2004-549.html
Comment 2 Mark J. Cox 2004-12-15 11:53:37 EST
*** Bug 142969 has been marked as a duplicate of this bug. ***
Comment 3 Ernie Petrides 2004-12-15 17:54:16 EST
I've just confirmed that the crash is reproducible (by an unprivileged user)
on the RHEL3 U4 kernel (2.4.21-27.EL), so I'm reopening this.
Comment 4 Ernie Petrides 2004-12-15 17:57:43 EST
Crash is in fput()+2, probably called from search_binary_handler().
Comment 5 Dave Anderson 2004-12-17 10:40:42 EST
Fix has been posted to rhkernel-list today.
Comment 6 Ernie Petrides 2004-12-20 18:42:30 EST
A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.1.EL).
Comment 7 Mark J. Cox 2004-12-21 08:21:23 EST
Note this is fixed upstream,

Comment 8 Ernie Petrides 2004-12-22 16:56:23 EST
A fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-27.4.EL).
Comment 9 Josh Bressers 2004-12-23 15:48:02 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 10 Kirill Korotaev 2004-12-25 09:03:47 EST
FYI, to tell the truth, this patch is written by
Vasiliy Averin <vvs@sw.ru> from SWsoft Linux Kernel Team.
I've just posted it.

Note You need to log in before you can comment on or make changes to this bug.