Bugzilla – Bug 56951
VUL-0: CVE-2004-0554: user-triggerable local DoS against all 2.4 and 2.6 series kernels on i386 (maybe x86_64 too)
Last modified: 2021-10-02 09:26:19 UTC
Compile and run the attached program on any x86 box. It will lock up hard inside fpu handling in the kernel. Yes, I know the asm in the test program is buggy. However, this is irrelevant because no user should be able to lock up the whole machine. This bug affects all 2.4 and 2.6 kernels we ever issued on x86 (maybe x86_64), since the bug was introduced in the 2.3 series. A small writeup about the bug is here: http://marc.theaimsgroup.com/?l=linux-kernel&m=108704809114434&w=4 This bug is already public and has been exploited for some days.
Run the attached program.
Created attachment 21095 [details] x86 fpu crash.c, compile, run and see the lockup
Oh, and the patch in the "small writeup" seems not to work for some people.
The correct fix will be to handle the exception from the kernel correctly. The fwait cannot just be removed imho.
Created attachment 21098 [details] proposed patch This patch fixes it. But for SLES9 it's probably better to use a version of this that doesn't cause oopses for kernel exceptions. They are most likely bugs, but it's too late now to handle such latent bugs.
After some thought the simpler fwait->fnclex patch from l-k is probably better.
Created attachment 21103 [details] Simpler official mainline fix That patch will go into mainline, it's simpler than mine.
Patch checked in for SLES9.

-------------------------------------------------------------------
Mon Jun 14 01:00:45 CEST 2004 - ak@suse.de
- Fix kernel hang with uncleared FPU exceptions on i386/x86-64 (#41951)

Reassigning to Hubert and retargeting to SLES8 so that he can handle it for all other maintained trees.
Heise just made a big announcement about the bug: http://www.heise.de/newsticker/meldung/48236
Created attachment 21181 [details] Fix for 2.4 based kernels In 2.4, things are slightly different. I'm going to apply this patch to all 2.4 based trees. Please have a short look and complain if I messed things up.
Looks good.
Fix has been added to every maintained tree and kernels have been submitted for check in. I don't know if we want to wait for the fixes for the other pending problems or if we need to provide fixed kernels immediately due to the severity of this issue. At least we now have the option of releasing kernels soon.
CAN-2004-0554
BTW I should add that long term we may want a different fix for this (similar to my original fix, but not exactly the same). It seems fnclex is extremely slow on P4 boxes and this is a hot path.
All packages approved. Advisory goes out in a few minutes.
CVE-2004-0554: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)