When an application provides a wrong %ds or %es register, the path in arch/i386/kernel/entry.S:restore_all can lead to an oops. UP/SMP kernels are vulnerable, and crash02 from the LTP test suite easily triggers this.

[test@rhel4 ltp-full-20060615]$ ./testcases/misc/crash/crash02
crash02     0  INFO  :  crashme02 127 1150172754 100
general protection fault: 4710 [#1]
Modules linked in: md5 ipv6 parport_pc lp parport autofs4 sunrpc ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables button battery ac uhci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore pcnet32 mii floppy dm_snapshot dm_zero dm_mirror ext3 jbd dm_mod mptscsih mptsas mptspi mptfc mptscsi mptbase sd_mod scsi_mod
CPU:    0
EIP:    0060:[<c0311411>]    Not tainted VLI
EFLAGS: 00010286   (2.6.9-34.0.1.EL)
EIP is at restore_all+0x7/0xe
eax: 00000000   ebx: 00000000   ecx: 4c2e53b8   edx: 00000000
esi: 080411b1   edi: bfef46a8   ebp: 00000077   esp: d471cfe0
ds: 007b   es: 007b   ss: 0068
Process crash02 (pid: 8101, threadinfo=d471c000 task=defc61b0)
Stack: 00004710 00004784 ffffffff 008da258 00001ff7 00050ec6 99da1e85 0000001f
Call Trace:
Code: 81 75 73 3d 21 01 00 00 0f 83 a4 00 00 00 ff 14 85 40 b5 35 c0 81 44 24 18 fa 8b 4d 08 66 f7 c1 ff ff 75 76 5b 51 5a 5e 5f 5d 58 <1f> 07 83 c4 04 cf 10 f6 c1 08 74 16 e8 42 d3 ff ff fa 8b 4d 08
<0>Fatal exception: panic in 5 seconds
Kernel panic - not syncing: Fatal exception

Previously this issue was reported as CVE-2006-0092 with bug 144658, but the fix was not complete and so the current kernel is still vulnerable.
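For triaging reports like this one, the oops above is the whole evidence: the faulting EIP symbol, the privilege level of %cs, and the byte marked `<...>` on the Code: line together say whether the kernel died while restoring user-supplied register state. The following parser and triage routine are an added example written for this page, not code from the bug report or from LTP. The sample oops embedded in it is the crash02 oops quoted above with its garbled hex digits normalized; the RETURN_PATH_SYMBOLS set lists labels from arch/i386/kernel/entry.S of the 2.6 era and is an assumption of the example, as is the treatment of 2.6-style single-line register output.

```python
"""Parse a 2.6-era i386 kernel oops and flag faults in the syscall/interrupt
return path, where the kernel reloads segment registers supplied by user space.

Added example for this bug report; not part of the report or of LTP."""
import re

# Constructed sample: the crash02 oops from the report, hex digits normalized.
SAMPLE_OOPS = """\
general protection fault: 4710 [#1]
Modules linked in: md5 ipv6 parport_pc lp parport autofs4 sunrpc ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables button battery ac uhci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore pcnet32 mii floppy dm_snapshot dm_zero dm_mirror ext3 jbd dm_mod mptscsih mptsas mptspi mptfc mptscsi mptbase sd_mod scsi_mod
CPU:    0
EIP:    0060:[<c0311411>]    Not tainted VLI
EFLAGS: 00010286   (2.6.9-34.0.1.EL)
EIP is at restore_all+0x7/0xe
eax: 00000000   ebx: 00000000   ecx: 4c2e53b8   edx: 00000000
esi: 080411b1   edi: bfef46a8   ebp: 00000077   esp: d471cfe0
ds: 007b   es: 007b   ss: 0068
Process crash02 (pid: 8101, threadinfo=d471c000 task=defc61b0)
Stack: 00004710 00004784 ffffffff 008da258 00001ff7 00050ec6 99da1e85 0000001f
Call Trace:
Code: 81 75 73 3d 21 01 00 00 0f 83 a4 00 00 00 ff 14 85 40 b5 35 c0 81 44 24 18 fa 8b 4d 08 66 f7 c1 ff ff 75 76 5b 51 5a 5e 5f 5d 58 <1f> 07 83 c4 04 cf 10 f6 c1 08 74 16 e8 42 d3 ff ff fa 8b 4d 08
<0>Fatal exception: panic in 5 seconds
Kernel panic - not syncing: Fatal exception
"""

# Assumed: labels on the return-to-user path in arch/i386/kernel/entry.S (2.6 era).
RETURN_PATH_SYMBOLS = {"restore_all", "restore_nocheck", "ldt_ss",
                       "resume_userspace", "syscall_exit"}
# One-byte x86 opcodes that reload a segment register or return to user mode.
SEGMENT_OPCODES = {0x1F: "pop %ds", 0x07: "pop %es", 0x17: "pop %ss", 0xCF: "iret"}

_PATTERNS = [
    re.compile(r"^(?P<fault>[a-zA-Z][a-zA-Z ]*): (?P<code>[0-9a-f]{4}) \[#(?P<count>\d+)\]", re.M),
    re.compile(r"^[Mm]odules linked in: (?P<mods>.*)$", re.M),
    re.compile(r"^EIP:\s+(?P<cs>[0-9a-f]{4}):\[<(?P<eip>[0-9a-f]{8})>\]", re.M),
    re.compile(r"^EFLAGS: (?P<eflags>[0-9a-f]{8})\s+\((?P<version>[^)]+)\)", re.M),
    re.compile(r"^EIP is at (?P<sym>\w+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)", re.M),
    re.compile(r"^Process (?P<name>\S+) \(pid: (?P<pid>\d+)", re.M),
    re.compile(r"^Code: (?P<bytes>.*)$", re.M),
    re.compile(r"^Kernel panic - not syncing: (?P<reason>.*)$", re.M),
]
_REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|ds|es|ss):\s+([0-9a-f]{4,8})")


def parse_oops(text):
    """Extract the fields a triager needs from a 2.6-era i386 oops."""
    info = {}
    for pat in _PATTERNS:
        m = pat.search(text)
        if m:
            info.update(m.groupdict())
    for key in ("cs", "eip", "eflags", "off", "size", "code"):
        if key in info:
            info[key] = int(info[key], 16)
    for key in ("pid", "count"):
        if key in info:
            info[key] = int(info[key])
    info["modules"] = info.pop("mods", "").split()
    info["registers"] = {name: int(val, 16) for name, val in _REG_RE.findall(text)}
    # The byte wrapped in <...> on the Code: line is the instruction that faulted.
    m = re.search(r"<([0-9a-f]{2})>", info.pop("bytes", ""))
    info["faulting_opcode"] = int(m.group(1), 16) if m else None
    return info


def triage(info):
    """Return human-readable findings about where and how the kernel died."""
    findings = []
    cs = info.get("cs")
    if cs is not None and cs & 3 == 0:
        findings.append("fault taken in kernel mode (cs=%#06x)" % cs)
    if info.get("sym") in RETURN_PATH_SYMBOLS:
        findings.append("EIP in return-to-user path (%s+0x%x): kernel died restoring "
                        "user-supplied register state" % (info["sym"], info.get("off", 0)))
    op = info.get("faulting_opcode")
    if op in SEGMENT_OPCODES:
        findings.append("faulting instruction is '%s': the CPU rejected the selector "
                        "being loaded from the saved frame" % SEGMENT_OPCODES[op])
    if info.get("reason"):
        findings.append("system panicked: %s (process %s, pid %s)"
                        % (info["reason"], info.get("name"), info.get("pid")))
    return findings


if __name__ == "__main__":
    for line in triage(parse_oops(SAMPLE_OOPS)):
        print(line)
```

Run against the embedded sample it reports a kernel-mode fault at restore_all+0x7 on `pop %ds`, which is exactly the signature a defender would search kernel logs for when checking whether a fleet is still exposed to the incomplete CVE-2006-0092 fix described in this report.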
Fixing summary -- the patch in comment #1 changes the non-hugemem x86 kernels.
Fixing hardware field, too -- this is an x86-specific vulnerability.
Fix posted for internal review on 2-Aug-2006.
Committed in stream E5 build 42.0.1.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0617.html
Committed in stream U5 build 42.4. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
*** Bug 186618 has been marked as a duplicate of this bug. ***