New Kernel Crash-Exploit discovered

Simon Weller simon at nzservers.com
Tue Jun 15 14:36:53 UTC 2004 

>On Mon, Jun 14, 2004 at 10:06:36AM -0700, Villalovos, John L wrote:
> Not sure if people have seen this.
>
>Most likely.  If you want to get technical that is neither an
>exploit or crash but you can throw 2.4 and 2.6 kernels into an
>infinite FPU exception loop on x86 and x86_64 architectures.  Bad
>enough, obviously, but "local" and denial-of-service and not a
>security risk.  LARTing should be pretty effective as a short term
>paliative if you will run into lusers having a questionable fun.
>
> I'm assuming that a patch will need
> to be figured out and done.
>
>Last time I looked there was not yet a clear agreement how to fix
>that without causing other undesirable side effects.  Anyway, this
>should do the job (nearly always?) so you can patch what you run
>currently if you are in a hurry.  This is x86 for now and for 2.4.x
>this will be similar.

Linus appears to have now approved a patch:

http://linux.bkbits.net:8080/linux-2.4/gnupatch%4040cdf6f8V7sOe5n96HA5Q7r9uDRvJQ

It's supposedly compatible with 2.4.2x

This is the same patch as posted by Dave Jones, but just the x86 patch.

- Si

>
>
>Signed-Off-By: Sergey Vlasov <vsu altlinux ru>
>
>--- linux-2.6.6/include/asm-i386/i387.h.fp-lockup       2004-05-10 06:33:06 
>+0400
>+++ linux-2.6.6/include/asm-i386/i387.h 2004-06-12 22:02:58 +0400
>@@ -48,10 +48,17 @@
>                save_init_fpu( tsk ); \
> } while (0)
> 
>+/*
>+ * There might be some pending exceptions in the FP state at this point.
>+ * However, it is too late to report them: this code is called 
>during .execve()
>+ * (when the original executable is already gone) and during sigreturn() 
>(when
>+ * the signal handler context is already lost).  So just clear them to 
>prevent
>+ * problems later.
>+ */
> #define __clear_fpu( tsk )                                     \
> do {                                                           \
>        if ((tsk)->thread_info->status & TS_USEDFPU) {          \
>-               asm volatile("fwait");                          \
>+               asm volatile("fnclex");                         \
>                (tsk)->thread_info->status &= ~TS_USEDFPU;      \
>                stts();                                         \
>        }                                                       \
>
>  Michal
-- 
Simon Weller LPIC-2, BCIP
Systems Engineer
NZServers LTD
http://www.nzservers.com/
U.S. Branch

<-
To mess up a Linux box, you need to work at it; to mess up your Windows box, 
you just need to work on it.
 - Scott Granneman, Security Focus
->

More information about the fedora-legacy-list mailing list