Bug 56951 (CVE-2004-0554)

Summary: VUL-0: CVE-2004-0554: user-triggerable local DoS against all 2.4 and 2.6 series kernels on i386 (maybe x86_64 too)
Product: [Novell Products] SUSE Security Incidents Reporter: Carl-Daniel Hailfinger <cadaha>
Component: IncidentsAssignee: Thomas Biege <thomas>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Blocker    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: i386   
OS: Linux   
Whiteboard: CVE-2004-0554: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: x86 fpu crash.c, compile, run and see the lockup
proposed patch
Simpler official mainline fix
Fix for 2.4 based kernels

Description Carl-Daniel Hailfinger 2004-06-12 22:18:37 UTC
Compile and run the attached program on any x86 box. It will lock up hard inside
fpu handling in the kernel. Yes, I know the asm in the test program is buggy.
However, this is irrelevant because no user should be able to lock up the whole
machine.

This bug affects all 2.4 and 2.6 kernels we ever issued on x86 (maybe x86_64),
since the bug was introduced in the 2.3 series.

A small writeup about the bug is here:
http://marc.theaimsgroup.com/?l=linux-kernel&m=108704809114434&w=4

This bug is already public and has been exploited for some days.
Comment 1 Carl-Daniel Hailfinger 2004-06-12 22:18:37 UTC
<!-- SBZ_reproduce  -->
run the attached program
Comment 2 Carl-Daniel Hailfinger 2004-06-12 22:20:50 UTC
Created attachment 21095 [details]
x86 fpu crash.c, compile, run and see the lockup
Comment 3 Carl-Daniel Hailfinger 2004-06-12 22:40:04 UTC
Oh, and the patch in the "small writeup" seems not to work for some people.
Comment 4 Andreas Kleen 2004-06-12 22:47:11 UTC
Correct fix will be to handle the exception from the kernel correct.
The fwait cannot be just removed imho.
Comment 5 Andreas Kleen 2004-06-13 05:44:26 UTC
Created attachment 21098 [details]
proposed patch

This patch fixes it. 

But for SLES9 it's probably better to use a version of this that doesn't cause
oopses for kernel exceptions. They are most likely bugs, but it's too late now
to handle such latent bugs.
Comment 6 Andreas Kleen 2004-06-13 05:53:42 UTC
After some thought the simpler fwait->fnclex patch from l-k is probably 
better.
Comment 7 Andreas Kleen 2004-06-13 18:41:21 UTC
Created attachment 21103 [details]
Simpler official mainline fix


That patch will go into mainline, it's simpler than mine.
Comment 8 Andreas Kleen 2004-06-14 09:04:36 UTC
Patch checked in for SLES9.

-------------------------------------------------------------------
Mon Jun 14 01:00:45 CEST 2004 - ak@suse.de

- Fix kernel hang with uncleared FPU exceptions on i386/x86-64
  (#41951)

Reassigning to Hubert and retargeting to SLES8 so that
he can handle it for all other maintained trees.
Comment 9 Carl-Daniel Hailfinger 2004-06-15 15:24:06 UTC
Heise just made a big announcement about the bug:
http://www.heise.de/newsticker/meldung/48236
Comment 10 Hubert Mantel 2004-06-15 15:41:53 UTC
Created attachment 21181 [details]
Fix for 2.4 based kernels

In 2.4, things are slightly different. I'm going to apply this patch to all 2.4
based trees. Please have a short look and complain if I messed things up.
Comment 11 Andreas Gruenbacher 2004-06-15 15:52:49 UTC
Looks good.
Comment 12 Hubert Mantel 2004-06-15 16:02:40 UTC
Fix has been added to every maintained tree and kernels have been submitted for
check in.
I don't know if we want to wait for the fixes for the other pending problems or
if we need to provide fixed kernels immediately due to the severity of this
issue. At least we now have the option of releasing kernels soon.
Comment 13 Thomas Biege 2004-06-15 20:40:31 UTC
CAN-2004-0554 
Comment 14 Andreas Kleen 2004-06-15 22:45:30 UTC
BTW I should add that long term we may want a different fix for this
(similar to my original fix, but not exactly the same)
It seems fnclex is extremly slow on P4 boxes and this is a hot path.
Comment 15 Thomas Biege 2004-06-16 20:30:11 UTC
all packages approved. advisory goes out in a few minutes. 
Comment 16 Thomas Biege 2009-10-13 20:25:33 UTC
CVE-2004-0554: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)