# 20 lines of C code can kill ALL 2.6.xx kernels and most 2.4.

## xiando

New Kernel Crash-Exploit discovered

http://linuxreviews.org/news/2004-06-11_kernel_crash/

writes: It is unclear why the Gentoo patch/version of the 2.4.26 kernel is safe using this config...

I do not know WHY, but this is the ONLY kernel I know about that cannot be crashed by anyone with shell access on a Linux server.

Kernels that can be killed (system freeze) by any remote user with SSH access include:

- Linux 2.6.x
  - Linux 2.6.7-rc2
  - Linux 2.6.6 (all versions)
  - Linux 2.6.6 SMP (verified by riven)
  - Linux 2.6.5-gentoo (verified by RatiX)
  - Linux 2.6.5-mm6 (verified by Mariux)
- Linux 2.4.2x
  - Linux 2.4.26 vanilla
  - Linux 2.4.26-rc1 vanilla
  - Linux 2.4.22

:-/ As said, 2.4.26-gentoo does not have this problem. I would like to know why, and I would like the kind Gentoo developers to assist the kernel developers in securing the Linux kernel.

----------

## HydroSan

Is this a GCC error, or a Kernel error? Or both? I'm guessing that the Kernel would be patched either way.

----------

## ikaro

i just tried it on my box    :Mad: 

2.6.7-rc3-mm1 + some extras and the bug works.

----------

## dhurt

Just for grins tested it on my laptop.  Worked with the 3 different kernels that I have on here.  

Love 2.6.6

mm-sources 2.6.7

Gentoo 2.6.5

----------

## Hypnos

vanilla 2.6.6 + ACPI

This disturbs me.  It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?

----------

## neuron

 *Hypnos wrote:*   

> vanilla 2.6.6 + ACPI
> 
> This disturbs me.  It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system?

 

Simple enough to find out, really: use it and see if the magic keys still work; if they do, the kernel is running.

----------

## Hypnos

 *neuron wrote:*   

>  *Hypnos wrote:*   vanilla 2.6.6 + ACPI
> 
> This disturbs me.  It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system? 
> 
> simple enough to find out really, use it and see if magic keys still work, if they do the kernel is running.

 

Eh, don't want to test -- ext3 buffers aren't fully flushed on "sync".

In any case, having to use sysrq is not acceptable.

----------

## neuron

 *Hypnos wrote:*   

>  *neuron wrote:*    *Hypnos wrote:*   vanilla 2.6.6 + ACPI
> 
> This disturbs me.  It might very well be a gcc bug, but isn't something wrong with the kernel process security model if an exception can crash a system? 
> 
> simple enough to find out really, use it and see if magic keys still work, if they do the kernel is running. 
> ...

 

Of course not; I meant to test for someone who's in a position to do so (for example using a livecd, or in a virtual machine).

----------

## dhurt

I am not sure what process controls the network card, but after running the program my laptop will still respond to a ping. That is the only response that I get out of the computer.

----------

## Lisandro

I just came across this bug myself... can't try it because I'm not at home and I'm working via SSH, but it seems to be confirmed. It makes me uneasy that no one seems to know if this is a GCC bug, a kernel one, or a combination of both, at least yet....

----------

## codemaker

 *HydroSan wrote:*   

> Is this a GCC error, or a Kernel error? Or both? I'm guessing that the Kernel would be patched either way.

 

Even if it is a gcc bug, the kernel shouldn't be vulnerable to defective applications that can be run by a user. So I say that is at least a kernel bug.

----------

## nizar

Just tried it and it worked

kernel 2.6.6

Gentoo Base System version 1.4.16

gcc (GCC) 3.3.3 20040412 (Gentoo Linux 3.3.3-r6, ssp-3.3.2-2, pie-8.7.6)

----------

## nathandial

Until I tried this, I didn't realize how strange it was for Linux to lock up.  It felt like ... like Windows.

:shudder:

----------

## ikaro

And I tried with SysRq, and yes, the system reboots, so the kernel still responds to keyboard input... only to that key combination  :Wink: 

----------

## HydroSan

Well, five bucks says it'll already be patched in 2.6.7 when it's released, so no worries.

----------

## Tii

My 2.4.25-selinux-r2 went down like a baby. Most disturbing.

----------

## grantangi

I just tested it on my machine and it hung...

But I could reboot it with CTRL-ALT-DEL and even work on the machine when I telneted in from my other machine. I couldn't find any strange entries in any logs, but I wasn't able to kill the process either.

I also checked some of the data in /proc but couldn't find anything abnormal so far...

System:

Kernel gentoo-dev-sources 2.6.6  (gcc version 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)) #3 SMP + noirqdebug

baselayout-1.9.4-r2

----------

## nizar

I'm trying to find entries in the logs also but nothing there!

----------

## Tii

I also tried selinux-2.4.26 and it is also affected (no surprise). I tried to ssh to the box but that didn't seem to work, and I was able to get no response to any keys I tried. Hopefully they get a patch for that soon. It's not such a big deal for me as only I and some friends have access to the computer (and they wouldn't want to crash it), but I'll still sleep better when I know that this is no longer an issue. There's some explanation for those who understand anything about it:

http://marc.theaimsgroup.com/?l=linux-kernel&m=108704809114434&w=2

edit: Of course you can't ssh to the box if you haven't got the daemon started. I'll blame the fact that it's over midnight here and I'm really tired. I'll give the ssh thing another go though before I go to bed.

edit2: Too tired. It's half past one already and my emerge sync seems to be never-ending. Bummer.

Last edited by Tii on Sat Jun 12, 2004 10:26 pm; edited 2 times in total

----------

## Hypnos

 *Derryth wrote:*   

> [...] There's some explanation for those who understand anything about it:
> 
> http://marc.theaimsgroup.com/?l=linux-kernel&m=108704809114434&w=2

 

I don't understand the particulars, but the code manages to create an FPU fault in kernel space, and then the kernel trips on "fwait" which raises an exception.  Perhaps magic key/ctl-alt-del still works because it's a lower control which kills the offending thread.

----------

## dioxmat

Trivial patch:

http://marc.theaimsgroup.com/?l=bk-commits-head&m=108709606126541&w=2

and for x86-64 too:

http://marc.theaimsgroup.com/?l=bk-commits-head&m=108713580130848&w=2

----------

## grantangi

 *dioxmat wrote:*   

> Trivial patch:
> 
> http://marc.theaimsgroup.com/?l=bk-commits-head&m=108709606126541&w=2
> 
> and for x86-64 too:
> ...

 

Yep...  :Very Happy:   :Very Happy:   :Very Happy:  ...works like a charm...

   See ya

     Udo

----------

## Lews_Therin

 *dioxmat wrote:*   

> Trivial patch:
> 
> http://marc.theaimsgroup.com/?l=bk-commits-head&m=108709606126541&w=2
> 
> and for x86-64 too:
> ...

 

I have a new "you know you run Linux when..." line.

 *Quote:*   

> You know you run Linux when the latest and only major bug is crushed within two days

 

----------

## Red Sparrow

Doesn't compile on PPC either.

(- Steve -)

----------

## allucid

it only applies to the x86 architecture.

----------

## bUg-

I tested the first patch (http://linuxreviews.org/news/2004-06-11_kernel_crash/) on my 2.4.26-grsec kernel and it stopped the program from crashing the kernel. I then tested on another box with different kernel configurations (but the same 2.4.26-grsec base kernel) but it didn't work. I had to apply the second patch (http://marc.theaimsgroup.com/?l=bk-commits-head&m=108709606126541&w=2) in order to fix the problem. Why these differences?

----------

## smces

I'm using 2.6.7-rc3-mm2, and it's not affected by the bug...

More Info here:

http://marc.free.net.ph/message/20040610.233948.3238e0c0.html

----------

## Lews_Therin

 *bUg- wrote:*   

> I tested the first patch (http://linuxreviews.org/news/2004-06-11_kernel_crash/) on my 2.4.26-grsec kernel and it stopped the program from crashing the kernel. I then tested on another box with different kernel configurations (but the same 2.4.26-grsec base kernel) but it didn't work. I had to apply the second patch (http://marc.theaimsgroup.com/?l=bk-commits-head&m=108709606126541&w=2) in order to fix the problem. Why these differences?

 

Is the second box running a 64-bit system?

----------

## Gentoo Server

I am using the rock-stable 2.6.4 ck1 update, now for 100 days

not affected by the bug

----------

## silicondecay

Anyone running the NSA hardened Linux kernel? I'm really curious to see if it's affected.

Unfortunately mine was =(  grrrr

----------

## Pythagoras1

hmm... if I try this exploit on x86_64 linux 2.6.7-rc3 I get a lot of dots and stars and the cpu usage increases to 100%. It looks like this:

```
..........*..............*.*............................................*.............................*................*.............
```

until I break it using ctrl-c. I thought 2.6.7-rc3 was safe?

----------

## grantangi

 *Pythagoras1 wrote:*   

> hmm... if I try this exploit on x86_64 linux 2.6.7-rc3 I get a lot of dots and stars and the cpu usage increases to 100%. It looks like this:
> 
> ```
> ..........*..............*.*............................................*.............................*................*.............
> ```
> ...

 

If you see this and can still press CTRL+C, your system is safe. If not... the output would stop and you couldn't press any keys except CTRL+ALT+DEL...

  See ya

     Udo

----------

## BlockFin

I don't understand this sentence in http://marc.theaimsgroup.com/?l=linux-kernel&m=108704809114434&w=2 :

 *Quote:*   

> The buggy code in the Stian's program corrupts the FPU state - in particular, it results in some exception bits being set in the FPU status word.

 

Is the "FPU status word" a part of the CPU, or the kernel?  If it's the former, this would be a hardware problem, and not the fault of the kernel, right?  Couldn't it show up in other operating systems then?

----------

## andy64

I have installed the following kernel:

```
sys-kernel/gentoo-dev-sources
      Latest version available: 2.6.5-r1
```

I made an emerge sync today and still there is no update regarding this FPU bug. Why does it take so long?

I always thought that I will be up-to-date with this kernel, but that seems not to be the case???

Who can recommend me a kernel, where bugs like this FPU one are corrected immediately? Somehow I'm missing something...???    :Rolling Eyes: 

----------

## allucid

 *BlockFin wrote:*   

> I don't understand this sentence in http://marc.theaimsgroup.com/?l=linux-kernel&m=108704809114434&w=2 :
> 
>  *Quote:*   The buggy code in the Stian's program corrupts the FPU state - in
> 
> particular, it results in some exception bits being set in the FPU
> ...

 

FPU is the floating-point unit, part of the CPU. The program corrupts the FPU state, therefore it is the program's fault.  :Wink:  If it was a hardware problem with the CPU then somebody would be in really really big trouble...
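As an added illustration of BlockFin's question and allucid's answer (and of Hypnos's earlier remark about fwait), not code from this thread or from the linked LKML post: the program below reads the x87 status word with FNSTSW to show that the exception bits are sticky flags inside the CPU that ordinary masked arithmetic can set, which is why the kernel must carry them as per-task state. It assumes an x86 CPU and GCC-style inline asm; it only observes the flags and never unmasks an exception.

```c
#include <stdio.h>

/* Exception flag bits of the x87 status word (Intel SDM vol. 1, sec. 8.1.3). */
#define X87_SW_IE       0x01   /* invalid operation, e.g. 0/0 */
#define X87_SW_ZE       0x04   /* divide by zero, e.g. 1/0 */
#define X87_SW_PE       0x20   /* precision: the result was rounded */
#define X87_SW_EXC_MASK 0x3F   /* IE, DE, ZE, OE, UE, PE */

/* FNSTSW copies the status word into AX; FNCLEX clears its flags. */
static unsigned x87_status(void)
{
    unsigned short sw;
    __asm__ volatile ("fnstsw %0" : "=a"(sw) : : "memory");
    return sw;
}

static void x87_clear(void)
{
    __asm__ volatile ("fnclex" : : : "memory");
}

/* Divide on the x87 (long double forces x87 code even on x86-64) and
   return the exception flags the operation left behind. The exceptions
   are masked, as they are by default, so the CPU sets a flag and goes on. */
static unsigned flags_after_divide(long double a, long double b)
{
    volatile long double va = a, vb = b, r;
    x87_clear();
    r = va / vb;
    (void)r;
    return x87_status() & X87_SW_EXC_MASK;
}

/* The flags are sticky: later exact arithmetic does not clear them. This
   is the per-task state the kernel saves and restores, and a flag left
   pending with its mask bit cleared is what a later FWAIT trips over. */
static int ze_survives_later_ops(void)
{
    volatile long double one = 1.0L, zero = 0.0L, r;
    x87_clear();
    r = one / zero;            /* sets ZE */
    r = one + one;             /* exact: sets nothing, clears nothing */
    (void)r;
    return (x87_status() & X87_SW_ZE) != 0;
}

int main(void)
{
    printf("1/0 -> flags 0x%02x (expect ZE=0x04)\n", flags_after_divide(1.0L, 0.0L));
    printf("0/0 -> flags 0x%02x (expect IE=0x01)\n", flags_after_divide(0.0L, 0.0L));
    printf("1/3 -> flags 0x%02x (expect PE=0x20)\n", flags_after_divide(1.0L, 3.0L));
    printf("ZE still set after 1+1: %d\n", ze_survives_later_ops());
    return 0;
}
```

The same flags can be read portably with fetestexcept() from fenv.h; the inline asm is used here only to make it visible that the status word is a CPU register, not kernel data.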

----------

## jpc82

 *andy64 wrote:*   

> I have installed the following kernel:
> 
> sys-kernel/gentoo-dev-sources
> 
>       Latest version available: 2.6.5-r1
> ...

 

First off, unless you have people logging into your PCs that you don't trust, this bug is not that huge a problem. However, if you need this bug fixed right away then try out the fix on the first page of this thread.

I have tried it on my mm-sources-2.6.7, and it worked perfectly.  Before I made the change my computer crashed and Ctrl+Alt+Del didn't even work, after the fix everything went fine.

----------

## andy64

My question was more of a general nature. I would expect, that when a security related bug is found, it is corrected in all affected gentoo packages as soon as possible.

I tested the exploit, not only my system crashed (I had to do a hard reboot); also some files got lost (e.g. bookmark file of the Mozilla browser; reiserfs is used on my system; Off topic: I thought reiserfs is a journaled FS designed to prevent these kind of problems ???)

1. I do not read the forums all the time with regard to security bugs. I found this one more or less accidentally. What about other security related bugs in diverse other packages? How long does it take until there is an update/correction via emerge sync / emerge world ...???

2. Since a week has passed now without a correction of this serious bug available for my gentoo-dev-sources package, I guess that it takes at least as long for other security bugs, too. I thought emerge sync would always keep me up-to-date...?

3. Why is the latest version of dev-gentoo-sources 2.6.5-r1; I see other sources already with version 2.6.7? Am I using the wrong kernel package? I thought the gentoo developer sources are the most recent ones...? Can anybody recommend me another kernel?

What concerns me most: Why are security related bugs not corrected immediately? (It seems that the necessary patch to correct this is already known for a while !?)     :Confused: 

----------

## jpc82

I'm assuming the reason that this patch has not made it into the sources is time. It takes time for the people responsible for the sources to patch the code, and it takes time for them to test it. The last thing they want is to quickly put in a patch that could possibly negatively affect some users. Also, like I said, for the majority of gentoo users, who use it on a desktop as the only user, this bug does not really affect them. Also, the fix for the patch is a matter of changing one line of code.

The 2.6.7 Kernel was just released today, and from the change log it looks like the bug has been fixed.

Also, if you want a more up to date kernel source, use development-sources or mm-sources; both are in portage.

----------

## Donovan

My concern is, why is there no mention of this rather large (considering the scale of it in Linux vulnerability terms) vulnerability on neither the gentoo.org home page nor in the forum announcements?  

Why is it I found out via email from Tom's Hardware six days after the vulnerability has occurred? No, I'm not subscribed to any special mailing lists, I've never even looked into them; perhaps I obviously should.

That being said, having surfed over to gentoo.org, why are there no updates there for those that don't subscribe to the security alerts?  One sees them all the time on the homepage. Obviously I've led myself into a false sense of security.  I would have thought the largest Linux exploit to date would get some coverage and support from my distro if even Tom's Hardware is talking about it.

Looking for answers, I visited the IRC channel today...

 *Quote:*   

> Hi guys.  I just checked gentoo.org and the forums.  Why is there no mention of the mass kernel vulnerability discovered on the 15th??

 

(At the time, I didn't realize it was officially discovered on the 11th, Tom's Hardware reported it on the 15th)  The responses I got varied, but this sums it up:

 *Quote:*   

> everybody knows about it

 

 :Shocked:   Thanks, glad to know it was just me.  Would it be entirely redundant to make an announcement anyway?

I do my best to help with Gentoo, we all do what we can to help, some of us are obviously doing 1000000% more than others, so there are bound to be hard feelings sometimes. I mean no disrespect, just wondering.

----------

## nein

Although there is not a patched gentoo kernel, I think there should have been a GLSA announcement with the link that can be found in the first post.

I sync regularly and get the glsa info updated. I thought "glsa-check -l" would keep me informed about any security breaches (I was wrong). I am also subscribed to the gentoo security list but I am almost sure there was no announcement there either.

I would not have expected an immediate fix, but I would have expected an announcement.

----------

## codergeek42

IIRC, kernel 2.6.7 (development-sources) fixes this exploit/bug.

----------

## Donovan

AFAIK, the only possible update in portage that is not affected is mm-sources-2.6.7-rc3, and I can't find confirmation of that.

2.6.7 rc2 and below are before the exploit was found on June 11th, with the exception of these ones that were found not vulnerable:

 *Quote:*   

> Linux nudge 2.6.5-1um i686 (the user-mode Linux kernel) Dylan Smith 
> 
> Linux Kernel 2.6.4 SMP patched with staircase scheduler Guille 
> 
> Linux kernel 2.4.26-rc3-gentoo (gcc 3.3.3) 
> ...

 

----------

## T0M3K

Did I do something wrong?

I get this:

```
bash-2.05b$ gcc krnl-1.c 
krnl-1.c: In function `TakeDown':
krnl-1.c:54: warning: use of memory input without lvalue in asm operand 0 is deprecated
```

gcc version 3.3.3 20040412 (Gentoo Linux 3.3.3-r6, ssp-3.3.2-2, pie-8.7.6)

kernel: 2.6.5-gentoo-r1 (gentoo-dev)

Anyway, it went down.  :Sad: 

What sources are stable for 2.6.7?

----------

## grantangi

 *T0M3K wrote:*   

> Did I do something wrong?
> 
> I get this:
> 
> bash-2.05b$ gcc krnl-1.c 
> ...

 

Nope...everyone (I think) gets the warnings....

   See ya

     Udo

----------

## UberLord

hardened-dev-sources-2.6.5-r5

Seems to have had the patch applied - and that was put out to portage a day or two ago

----------

