New Kernel Crash-Exploit discovered
Jon Peatfield
J.S.Peatfield at damtp.cam.ac.uk
Wed Jun 16 19:53:01 UTC 2004
RH80 kernels based on the last RH9 update (with NPTL disabled as in
previous RH80 updates), and with this patch added can be found at:
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kernel-2.4.20-32.8.JSP.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kernel-doc-2.4.20-32.8.JSP.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kernel-source-2.4.20-32.8.JSP.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kernel-BOOT-2.4.20-32.8.JSP.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/athlon/kernel-2.4.20-32.8.JSP.athlon.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/athlon/kernel-smp-2.4.20-32.8.JSP.athlon.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i586/kernel-2.4.20-32.8.JSP.i586.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i586/kernel-smp-2.4.20-32.8.JSP.i586.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i686/kernel-2.4.20-32.8.JSP.i686.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i686/kernel-smp-2.4.20-32.8.JSP.i686.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i686/kernel-bigmem-2.4.20-32.8.JSP.i686.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/SRPMS/kernel-2.4.20-32.8.JSP.src.rpm
Since people might want the sha1sums (I see they seem to be used
here):
Now for the bit people might not like: the FP exception fix isn't the only
patch in there, since I was already about to roll out a new kernel
anyway with the following NFS server patch from Trond (for talking to OSX
10.3 and FreeBSD clients):
http://www.fys.uio.no/~trondmy/src/Linux-2.4.x/2.4.23-rc1/linux-2.4.23-03-fix_osx.dif
New changelog bits are:
* Tue Jun 15 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>
- fix fpu state to prevent kernel crash, see the redhat bugzilla entry:
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125900
- which has a proposed patch for RHEL/FC1
- http://bugzilla.redhat.com/bugzilla/attachment.cgi?id=101125&action=view
* Sat Jun 12 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>
- nfs patch from Trond to allow us to serve clients which use
- cookies != 8 bytes, OSX 10.3 uses 30 FreeBSD uses 20...
- See http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125996
- http://www.fys.uio.no/~trondmy/src/Linux-2.4.x/2.4.23-rc1/linux-2.4.23-03-fix_osx.dif
The specfile diff from my previous RH80 kernels is:
--cut-here--
--- kernel-2.4.spec.old-31.8.JSP 2004-04-22 19:46:01.000000000 +0100
+++ kernel-2.4.spec 2004-06-15 08:39:29.000000000 +0100
@@ -21,7 +21,7 @@
# that the kernel isn't the stock RHL kernel, for example by
# adding some text to the end of the version number.
#
-%define release 31.8.JSP
+%define release 32.8.JSP
%define sublevel 20
%define kversion 2.4.%{sublevel}
# /usr/src/%{kslnk} -> /usr/src/linux-%{KVERREL}
@@ -288,6 +288,7 @@
Patch940: linux-2.4.22-kmod.patch
Patch950: linux-2.4.25pre-selected-bits.patch
Patch960: linux-2.4.26pre-selected-bits.patch
+Patch961: linux-2.4.x.fpu.patch
#
# Patches 1000 to 5000 are reserved for bugfixes to drivers and filesystems
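Review bot: the new `Patch961: linux-2.4.x.fpu.patch` line carries no origin comment, unlike the changelog, which points at bugzilla 125900 and attachment 101125. Since the file name has no version or bug id in it, a one-line `#` comment above `Patch961` naming that bugzilla entry would let anyone rebuilding from the SRPM confirm the patch is the proposed RHEL/FC1 fix and not a local variant.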
@@ -333,6 +334,7 @@
Patch1380: linux-2.4.9-fstat.patch
Patch1390: linux-2.4.18-irixnfs.patch
Patch1391: linux-2.4.18-nfs-default-size.patch
+Patch1392: linux-2.4.23-03-fix_osx.dif
Patch1410: linux-2.4.20-sbp2-smpfixes.patch
Patch1420: linux-2.4.7-suspend.patch
Patch1450: linux-2.4.18-orinoco.patch
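Review bot: `Patch1392: linux-2.4.23-03-fix_osx.dif` was written against 2.4.23-rc1 (per its URL) while this spec builds `%{sublevel} 20`, so the hunk offsets are three sublevels out of date; it would be worth recording in a comment that the .dif applied with `-p1` without fuzz or rejects on 2.4.20-32.8, since a silently fuzzed hunk in the NFS cookie code is exactly the kind of thing that only shows up when an OSX or FreeBSD client hits it. Slotting it as 1392, directly after the existing `Patch1390`/`Patch1391` NFS patches, keeps the numbering scheme consistent.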
@@ -742,6 +744,9 @@
%patch950 -p1
%patch960 -p1
+# Add in fpu patch
+%patch961 -p1
+
#
# Patches 1000 to 5000 are reserved for bugfixes to drivers and filesystems
#
@@ -944,6 +949,10 @@
%patch1391 -p1
#
+# this fixes the nfs cookie handling to allow over 8-byte cookies
+# needed for support of osx 10.3 and freebsd.
+%patch1392 -p1
+
#
# Fix some firewire deadlocks (fixes from upstream maintainter)
#
@@ -1922,6 +1931,18 @@
#
%changelog
+* Tue Jun 15 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>
+- fix fpu state to prevent kernel crash, see the redhat bugzilla entry:
+- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125900
+- which has a proposed patch for RHEL/FC1
+- http://bugzilla.redhat.com/bugzilla/attachment.cgi?id=101125&action=view
+
+* Sat Jun 12 2004 Jon Peatfield <J.S.Peatfield at damtp.cam.ac.uk>
+- nfs patch from Trond to allow us to serve clients which use
+- cookies != 8 bytes, OSX 10.3 uses 30 FreeBSD uses 20...
+- See http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125996
+- http://www.fys.uio.no/~trondmy/src/Linux-2.4.x/2.4.23-rc1/linux-2.4.23-03-fix_osx.dif
+
* Tue Apr 13 2004 Dave Jones <davej at redhat.com>
- Yet another additional r128 DRM check. (CAN-2004-0003)
- Bounds checking in ISO9660 filesystem. (CAN-2004-0109)
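Review bot: the Jun 15 changelog entry describes the fix only as "fix fpu state to prevent kernel crash", whereas the adjacent Dave Jones entries cite their CAN identifiers; if an identifier has been assigned for this crash it should be added in the same `(CAN-…)` style so that scanners matching on the changelog can see the kernel is patched. In the Jun 12 entry, "OSX 10.3 uses 30 FreeBSD uses 20..." is missing its comma between the two clauses, and the entries are otherwise correctly placed in reverse chronological order above the Apr 13 entry.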
--cut-here--
I've been using these kernels on 6 of my RH8 machines since ~2pm (BST)
yesterday:
2 Pentium-3 UP kernel i686
1 Pentium-4 UP kernel i686
1 Xeon 4-cpu kernel-smp i686
1 Pentium-MMX kernel i586
1 Athlon kernel athlon
As soon as one of our SMP athlons and a hyperthread-aware Intel
machine stop running job code, I'll test on those too. I no longer
have access to any i586 SMP machines or any which need i386 kernels.
Unless something bad shows up I'll be upgrading the rest of our RH80
machines to this next week (in our regular reboot slot).
Sorry for the delay in posting these but I was (finally) upgrading our
site firewall yesterday so was spending most of my time reading
through logs looking for errors in the config...
-- Jon
Jon Peatfield, Computer Officer, DAMTP, University of Cambridge
Mail: jp107 at damtp.cam.ac.uk Web: http://www.damtp.cam.ac.uk/