Bug 56951 - (CVE-2004-0554) VUL-0: CVE-2004-0554: user-triggerable local DoS against all 2.4 and 2.6 series kernels on i386 (maybe x86_64 too)
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: i386 Linux
Priority: P3 - Medium
Severity: Blocker
Assigned To: Thomas Biege
Reported: 2004-06-12 22:18 UTC by Carl-Daniel Hailfinger
Modified: 2021-10-02 09:26 UTC

x86 fpu crash.c, compile, run and see the lockup (528 bytes, text/plain)
2004-06-12 22:20 UTC, Carl-Daniel Hailfinger
proposed patch (6.30 KB, patch)
2004-06-13 05:44 UTC, Andreas Kleen
Simpler official mainline fix (950 bytes, patch)
2004-06-13 18:41 UTC, Andreas Kleen
Fix for 2.4 based kernels (995 bytes, patch)
2004-06-15 15:41 UTC, Hubert Mantel

Description Carl-Daniel Hailfinger 2004-06-12 22:18:37 UTC
Compile and run the attached program on any x86 box. It will lock up hard inside
fpu handling in the kernel. Yes, I know the asm in the test program is buggy.
However, this is irrelevant because no user should be able to lock up the whole

This bug affects all 2.4 and 2.6 kernels we ever issued on x86 (maybe x86_64),
since the bug was introduced in the 2.3 series.

A small writeup about the bug is here:

This bug is already public and has been exploited for some days.
Comment 1 Carl-Daniel Hailfinger 2004-06-12 22:18:37 UTC
run the attached program
Comment 2 Carl-Daniel Hailfinger 2004-06-12 22:20:50 UTC
Created attachment 21095 [details]
x86 fpu crash.c, compile, run and see the lockup
Comment 3 Carl-Daniel Hailfinger 2004-06-12 22:40:04 UTC
Oh, and the patch in the "small writeup" seems not to work for some people.
Comment 4 Andreas Kleen 2004-06-12 22:47:11 UTC
The correct fix will be to handle the exception from the kernel correctly.
The fwait cannot just be removed, IMHO.
Comment 5 Andreas Kleen 2004-06-13 05:44:26 UTC
Created attachment 21098 [details]
proposed patch

This patch fixes it. 

But for SLES9 it's probably better to use a version of this that doesn't cause
oopses for kernel exceptions. They are most likely bugs, but it's too late now
to handle such latent bugs.
Comment 6 Andreas Kleen 2004-06-13 05:53:42 UTC
After some thought the simpler fwait->fnclex patch from l-k is probably 
Comment 7 Andreas Kleen 2004-06-13 18:41:21 UTC
Created attachment 21103 [details]
Simpler official mainline fix

That patch will go into mainline, it's simpler than mine.
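The fwait->fnclex change discussed in this thread, as an added user-space demonstration that is not one of the bug's attachments (the names arm_pending_exception, try_clear, clear_fpu_old and clear_fpu_fixed are mine): it leaves an unmasked x87 zero-divide pending, then shows that a bare fwait takes the deferred #MF fault (SIGFPE in user space) while fnclex before fwait does not. Assumes an i386 or x86_64 Linux build with GCC/Clang inline asm.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>

static sigjmp_buf jb;
static volatile sig_atomic_t got_sigfpe;
static void on_sigfpe(int sig) { (void)sig; got_sigfpe = 1; siglongjmp(jb, 1); }

/* Constructed trigger: leave an UNMASKED x87 zero-divide pending.  The #MF
 * fault is deferred until the next waiting x87 instruction or an fwait. */
static void arm_pending_exception(void)
{
    static const double zero = 0.0;
    uint16_t cw;
    __asm__ volatile ("fninit\n\tfnstcw %0" : "=m"(cw)); /* clean state, all masked */
    cw &= (uint16_t)~0x04;                               /* unmask ZE (bit 2) */
    __asm__ volatile ("fldcw %0\n\tfld1\n\tfdivl %1"     /* 1.0/0.0: ZE and ES set */
                      : : "m"(cw), "m"(zero));
}

/* Status word ES bit (0x80) is set while an unmasked exception is pending;
 * fnstsw is the no-wait form, so reading it cannot itself fault. */
static int exception_pending(void)
{
    uint16_t sw;
    __asm__ volatile ("fnstsw %0" : "=m"(sw));
    return (sw & 0x80) != 0;
}

/* The two sequences under discussion: fwait alone (pre-fix), and the fix
 * that discards pending exceptions with fnclex before waiting. */
static void clear_fpu_old(void)   { __asm__ volatile ("fwait"); }
static void clear_fpu_fixed(void) { __asm__ volatile ("fnclex\n\tfwait"); }

/* Arm a pending exception, run `clear`, report whether it raised SIGFPE.
 * The same fault taken in kernel context is what hung 2.4/2.6 before the fix. */
static int try_clear(void (*clear)(void))
{
    struct sigaction sa = { .sa_handler = on_sigfpe }, old;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGFPE, &sa, &old);
    got_sigfpe = 0;
    arm_pending_exception();
    int armed = exception_pending();              /* 1: ES set, fault pending */
    if (sigsetjmp(jb, 1) == 0)
        clear();                                  /* may longjmp back via SIGFPE */
    __asm__ volatile ("fninit");                  /* discard test state either way */
    sigaction(SIGFPE, &old, NULL);
    return armed ? got_sigfpe : -1;               /* -1: trigger did not arm */
}
```

try_clear returns 1 when the clear sequence faulted, 0 when it completed cleanly, and -1 if the constructed trigger failed to leave an exception pending.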
Comment 8 Andreas Kleen 2004-06-14 09:04:36 UTC
Patch checked in for SLES9.

Mon Jun 14 01:00:45 CEST 2004 - ak@suse.de

- Fix kernel hang with uncleared FPU exceptions on i386/x86-64

Reassigning to Hubert and retargeting to SLES8 so that
he can handle it for all other maintained trees.
Comment 9 Carl-Daniel Hailfinger 2004-06-15 15:24:06 UTC
Heise just made a big announcement about the bug:
Comment 10 Hubert Mantel 2004-06-15 15:41:53 UTC
Created attachment 21181 [details]
Fix for 2.4 based kernels

In 2.4, things are slightly different. I'm going to apply this patch to all 2.4
based trees. Please have a short look and complain if I messed things up.
Comment 11 Andreas Gruenbacher 2004-06-15 15:52:49 UTC
Looks good.
Comment 12 Hubert Mantel 2004-06-15 16:02:40 UTC
Fix has been added to every maintained tree and kernels have been submitted for
check-in.
I don't know if we want to wait for the fixes for the other pending problems or
if we need to provide fixed kernels immediately due to the severity of this
issue. At least we now have the option of releasing kernels soon.
Comment 13 Thomas Biege 2004-06-15 20:40:31 UTC
Comment 14 Andreas Kleen 2004-06-15 22:45:30 UTC
BTW, I should add that long term we may want a different fix for this
(similar to my original fix, but not exactly the same).
It seems fnclex is extremely slow on P4 boxes, and this is a hot path.
Comment 15 Thomas Biege 2004-06-16 20:30:11 UTC
All packages approved. Advisory goes out in a few minutes.
Comment 16 Thomas Biege 2009-10-13 20:25:33 UTC
CVE-2004-0554: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)