New Kernel Crash-Exploit discovered

Jon Peatfield J.S.Peatfield at damtp.cam.ac.uk
Wed Jun 16 19:53:01 UTC 2004


RH80 kernels based on the last RH9 update (with NPTL disabled, as in
previous RH80 updates), and with this patch added, can be found at:

http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kernel-2.4.20-32.8.JSP.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kernel-doc-2.4.20-32.8.JSP.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kernel-source-2.4.20-32.8.JSP.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kernel-BOOT-2.4.20-32.8.JSP.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/athlon/kernel-2.4.20-32.8.JSP.athlon.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/athlon/kernel-smp-2.4.20-32.8.JSP.athlon.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i586/kernel-2.4.20-32.8.JSP.i586.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i586/kernel-smp-2.4.20-32.8.JSP.i586.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i686/kernel-2.4.20-32.8.JSP.i686.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i686/kernel-smp-2.4.20-32.8.JSP.i686.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i686/kernel-bigmem-2.4.20-32.8.JSP.i686.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/SRPMS/kernel-2.4.20-32.8.JSP.src.rpm

Since people might want the sha1sums (I see they seem to be used
here):

3a79a1cbcc79998b98c22526d6e09f501f8c0f4a  RPMS/i386/kernel-2.4.20-32.8.JSP.i386.rpm
33d5aea841d1ca542ffd3760fe6b64d440b63172  RPMS/i386/kernel-doc-2.4.20-32.8.JSP.i386.rpm
a222398e39c897811f3c8dac86eaa610a7ceb67a  RPMS/i386/kernel-source-2.4.20-32.8.JSP.i386.rpm
775f9a4ad1a141d630e103ccfb72861b43b3defb  RPMS/i386/kernel-BOOT-2.4.20-32.8.JSP.i386.rpm
fad7c109aa22dafc04046c05854fa80ae9016ef8  RPMS/athlon/kernel-2.4.20-32.8.JSP.athlon.rpm
018626e369f22e34989afc7d8fe6713ba4c4a7fc  RPMS/athlon/kernel-smp-2.4.20-32.8.JSP.athlon.rpm
bbbbd1af7a77477ab4f0cd29708752283587add6  RPMS/i586/kernel-2.4.20-32.8.JSP.i586.rpm
6ef48ed2dfe0faccfd386c19f8af1a836b06cd25  RPMS/i586/kernel-smp-2.4.20-32.8.JSP.i586.rpm
1fef3b9107632451176766932b0f84ecaf18ce36  RPMS/i686/kernel-2.4.20-32.8.JSP.i686.rpm
ff94e743d3021c0a658c4d595ba48f7891a71b3d  RPMS/i686/kernel-smp-2.4.20-32.8.JSP.i686.rpm
8a4d554d41cfb06646ff45875cdb2bbc6dbc7d1c  RPMS/i686/kernel-bigmem-2.4.20-32.8.JSP.i686.rpm
d01c17d65f36ad277e7f136f81e9723a16762e8f  SRPMS/kernel-2.4.20-32.8.JSP.src.rpm

Now for the bit people might not like: the FP exception fix isn't the
only patch in there, since I was already about to roll out a new kernel
anyway with the following NFS server patch from Trond (for talking to
OSX 10.3 and FreeBSD clients):

  http://www.fys.uio.no/~trondmy/src/Linux-2.4.x/2.4.23-rc1/linux-2.4.23-03-fix_osx.dif

New changelog bits are:

* Tue Jun 15 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>

- fix fpu state to prevent kernel crash, see the redhat bugzilla entry:
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125900
- which has a proposed patch for RHEL/FC1
- http://bugzilla.redhat.com/bugzilla/attachment.cgi?id=101125&action=view

* Sat Jun 12 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>

- nfs patch from Trond to allow us to serve clients which use
- cookies != 8 bytes, OSX 10.3 uses 30 FreeBSD uses 20...
- See http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125996
- http://www.fys.uio.no/~trondmy/src/Linux-2.4.x/2.4.23-rc1/linux-2.4.23-03-fix_osx.dif

The specfile diff from my previous RH80 kernels is:

--cut-here--
--- kernel-2.4.spec.old-31.8.JSP	2004-04-22 19:46:01.000000000 +0100
+++ kernel-2.4.spec	2004-06-15 08:39:29.000000000 +0100
@@ -21,7 +21,7 @@
 # that the kernel isn't the stock RHL kernel, for example by
 # adding some text to the end of the version number.
 #
-%define release 31.8.JSP
+%define release 32.8.JSP
 %define sublevel 20
 %define kversion 2.4.%{sublevel}
 # /usr/src/%{kslnk} -> /usr/src/linux-%{KVERREL}
@@ -288,6 +288,7 @@
 Patch940: linux-2.4.22-kmod.patch
 Patch950: linux-2.4.25pre-selected-bits.patch
 Patch960: linux-2.4.26pre-selected-bits.patch
+Patch961: linux-2.4.x.fpu.patch
 
 #
 # Patches 1000 to 5000 are reserved for bugfixes to drivers and filesystems
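Review bot: the Patch961 filename linux-2.4.x.fpu.patch does not say where the patch came from, while the changelog cites bugzilla 125900 and attachment 101125; name the file after the bug (for example linux-2.4.20-bz125900-fpu.patch) or put the attachment URL in a comment beside the Patch961 line, so a later maintainer can tell whether this is the proposed RHEL/FC1 patch verbatim or a hand-adapted copy for the 2.4.20 tree.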
@@ -333,6 +334,7 @@
 Patch1380: linux-2.4.9-fstat.patch
 Patch1390: linux-2.4.18-irixnfs.patch
 Patch1391: linux-2.4.18-nfs-default-size.patch
+Patch1392: linux-2.4.23-03-fix_osx.dif
 Patch1410: linux-2.4.20-sbp2-smpfixes.patch
 Patch1420: linux-2.4.7-suspend.patch
 Patch1450: linux-2.4.18-orinoco.patch
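Review bot: Patch1392 is, by its filename, a 2.4.23-rc1 diff being added to a 2.4.20 spec, and it sits directly after two other NFS patches (Patch1390 irixnfs, Patch1391 nfs-default-size); record in a comment that it applied with -p1 against the tree as left by those two (including any offset or fuzz), because the order dependency between the three nfs patches is what a future rebase will need to know.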
@@ -742,6 +744,9 @@
 %patch950 -p1
 %patch960 -p1
 
+# Add in fpu patch
+%patch961 -p1
+
 #
 # Patches 1000 to 5000 are reserved for bugfixes to drivers and filesystems
 #
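Review bot: the comment "# Add in fpu patch" should carry the bug reference (bugzilla 125900) so the %patch961 line is self-explanatory without reading the changelog; also, %patch961 goes in immediately after %patch960 (the 2.4.26pre selected bits), which is the right slot only if neither selected-bits patch already carries the same FPU state change, so a one-line note that this was checked would be worth having.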
@@ -944,6 +949,10 @@
 %patch1391 -p1
 #
 
+# this fixes the nfs cookie handling to allow over 8-byte cookies
+# needed for support of osx 10.3 and freebsd.
+%patch1392 -p1
+
 #
 # Fix some firewire deadlocks (fixes from upstream maintainter)
 #
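Review bot: the comment says "over 8-byte cookies" while the changelog entry for the same patch says "cookies != 8 bytes" and lists 30 and 20; make the two agree, and the changelog wording is the accurate one since the point is cookies of any length other than 8. Worth adding to the comment that this alters the server's NFS cookie handling for every client it serves, not only OSX 10.3 and FreeBSD, so existing Linux clients belong in the test matrix too.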
@@ -1922,6 +1931,18 @@
 #
 
 %changelog
+* Tue Jun 15 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>
+- fix fpu state to prevent kernel crash, see the redhat bugzilla entry:
+- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125900
+- which has a proposed patch for RHEL/FC1
+- http://bugzilla.redhat.com/bugzilla/attachment.cgi?id=101125&action=view
+
+* Sat Jun 12 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>
+- nfs patch from Trond to allow us to serve clients which use
+- cookies != 8 bytes, OSX 10.3 uses 30 FreeBSD uses 20...
+- See http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125996
+- http://www.fys.uio.no/~trondmy/src/Linux-2.4.x/2.4.23-rc1/linux-2.4.23-03-fix_osx.dif
+
 * Tue Apr 13 2004 Dave Jones <davej at redhat.com>
 - Yet another additional r128 DRM check. (CAN-2004-0003)
 - Bounds checking in ISO9660 filesystem. (CAN-2004-0109)
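Review bot: in the two new changelog entries every continuation line is prefixed with "- ", which makes each URL read as a separate change item; the existing entries below (Dave Jones, Apr 13) use one "- " per change, so use plain continuation lines for the URLs. The FPU entry also lacks the advisory id that the neighbouring entries carry (CAN-2004-0003, CAN-2004-0109); add it once one is assigned so the fix can be found by advisory rather than only by bugzilla number.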
--cut-here--

I've been using these kernels on 6 of my RH8 machines since ~2pm (BST)
yesterday:

  2  Pentium-3 UP   kernel      i686
  1  Pentium-4 UP   kernel      i686
  1  Xeon 4-cpu     kernel-smp  i686
  1  Pentium-MMX    kernel      i586
  1  Athlon         kernel      athlon

As soon as one of our SMP Athlons and a hyperthread-aware Intel
machine stop running jobs I'll test on those too.  I no longer
have access to any i586 SMP machines or any which need i386 kernels.
Unless something bad shows up I'll be upgrading the rest of our RH80
machines to this next week (in our regular reboot slot).

Sorry for the delay in posting these but I was (finally) upgrading our
site firewall yesterday so was spending most of my time reading
through logs looking for errors in the config...

 -- Jon

Jon Peatfield,  Computer Officer,  DAMTP,  University of Cambridge
Mail:  jp107 at damtp.cam.ac.uk     Web:  http://www.damtp.cam.ac.uk/
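The sha1sum list above is posted with paths relative to the download root (RPMS/i386/..., SRPMS/...), so checking it with a plain `sha1sum -c` fails as soon as you have fetched only one architecture's RPMs, because every missing file counts as an error. The following shell function is an added example, not part of the original post or of the JSP kernel packaging: it checks only the entries whose files are present locally and fails if any present file mismatches or if nothing at all was checked. It assumes GNU coreutils `sha1sum`; the function name and the sums-file name are hypothetical.

```shell
#!/bin/sh
# verify_rpms.sh (added example, not from the original post)
#
# verify_rpms SUMSFILE BASEDIR
#   SUMSFILE: lines of the form "<sha1>  <relative path>", i.e. the list
#             as posted, saved to a file (hypothetical name: jsp.sha1)
#   BASEDIR:  directory under which RPMS/ and SRPMS/ were downloaded
#
# Only entries whose file exists under BASEDIR are checked, so a partial
# download (one arch) still verifies.  Exit status is 0 only when at
# least one file was checked and every checked file matched.
# Assumes GNU coreutils sha1sum.
verify_rpms() {
    sums=$1
    base=$2
    checked=0
    failed=0
    while read -r hash path; do
        # skip blank lines in the pasted list
        [ -n "$hash" ] || continue
        # not downloaded: skip rather than fail
        [ -f "$base/$path" ] || continue
        checked=$((checked + 1))
        # feed one "<sha1>  <path>" line to sha1sum -c from inside BASEDIR
        # so the relative path in the list resolves
        if ! printf '%s  %s\n' "$hash" "$path" \
             | (cd "$base" && sha1sum -c >/dev/null 2>&1); then
            echo "MISMATCH: $path" >&2
            failed=$((failed + 1))
        fi
    done < "$sums"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Typical use (hypothetical paths):
#   verify_rpms ./jsp.sha1 ./downloads && echo "all present RPMs match"
```

Run the check before installing, and install kernel packages with `rpm -ivh` rather than `rpm -Uvh`, so the previous kernel stays in the boot menu if the new one misbehaves on a machine that was not in the test list above.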

More information about the fedora-legacy-list mailing list