Vulnerabilities > CVE-2007-4133 - Local Denial Of Service vulnerability in Linux Kernel HugeTLB
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors.
Vulnerable Configurations
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2007-0940.NASL description From Red Hat Security Advisory 2007:0940 : Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 67581 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67581 title Oracle Linux 5 : kernel (ELSA-2007-0940) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1381.NASL description Several local vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5755 The NT bit maybe leaked into the next task which can make it possible for local attackers to cause a Denial of Service (crash) on systems which run the amd64 flavour kernel. The stable distribution ( last seen 2020-06-01 modified 2020-06-02 plugin id 26211 published 2007-10-03 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26211 title Debian DSA-1381-2 : linux-2.6 - several vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2007-0940.NASL description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 43654 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43654 title CentOS 5 : kernel (CESA-2007:0940) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-578-1.NASL description The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. (CVE-2006-6058) Alexander Schulze discovered that the skge driver does not properly use the spin_lock and spin_unlock functions. Remote attackers could exploit this by sending a flood of network traffic and cause a denial of service (crash). (CVE-2006-7229) Hugh Dickins discovered that hugetlbfs performed certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE. A local user could exploit this and cause a denial of service via kernel panic. (CVE-2007-4133) Chris Evans discovered an issue with certain drivers that use the ieee80211_rx function. Remote attackers could send a crafted 802.11 frame and cause a denial of service via crash. (CVE-2007-4997) Alex Smith discovered an issue with the pwc driver for certain webcam devices. A local user with physical access to the system could remove the device while a userspace application had it open and cause the USB subsystem to block. (CVE-2007-5093) Scott James Remnant discovered a coding error in ptrace. Local users could exploit this and cause the kernel to enter an infinite loop. (CVE-2007-5500) Venustech AD-LAB discovered a buffer overflow in the isdn net subsystem. This issue is exploitable by local users via crafted input to the isdn_ioctl function. (CVE-2007-6063) It was discovered that the isdn subsystem did not properly check for NULL termination when performing ioctl handling. A local user could exploit this to cause a denial of service. (CVE-2007-6151) Blake Frantz discovered that when a root process overwrote an existing core file, the resulting core file retained the previous core file last seen 2020-06-01 modified 2020-06-02 plugin id 31093 published 2008-02-14 reporter Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31093 title Ubuntu 6.06 LTS : linux-source-2.6.15 vulnerabilities (USN-578-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1504.NASL description Several local and remote vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-5823 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted cramfs filesystem. - CVE-2006-6054 LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext2 filesystem. - CVE-2006-6058 LMH reported an issue in the minix filesystem that allows local users with mount privileges to create a DoS (printk flood) by mounting a specially crafted corrupt filesystem. - CVE-2006-7203 OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount. - CVE-2007-1353 Ilja van Sprundel discovered that kernel memory could be leaked via the Bluetooth setsockopt call due to an uninitialized stack buffer. This could be used by local attackers to read the contents of sensitive kernel memory. - CVE-2007-2172 Thomas Graf reported a typo in the DECnet protocol handler that could be used by a local attacker to overrun an array via crafted packets, potentially resulting in a Denial of Service (system crash). A similar issue exists in the IPV4 protocol handler and will be fixed in a subsequent update. - CVE-2007-2525 Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory. - CVE-2007-3105 The PaX Team discovered a potential buffer overflow in the random number generator which may permit local users to cause a denial of service or gain additional privileges. This issue is not believed to effect default Debian installations where only root has sufficient privileges to exploit it. - CVE-2007-3739 Adam Litke reported a potential local denial of service (oops) on powerpc platforms resulting from unchecked VMA expansion into address space reserved for hugetlb pages. - CVE-2007-3740 Steve French reported that CIFS filesystems with CAP_UNIX enabled were not honoring a process last seen 2020-06-01 modified 2020-06-02 plugin id 31148 published 2008-02-25 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31148 title Debian DSA-1504-1 : kernel-source-2.6.8 - several vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0940.NASL description Updated kernel packages that fix various security issues in the Red Hat Enterprise Linux 5 kernel are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. The Linux kernel handles the basic functions of the operating system. These new kernel packages contain fixes for the following security issues : * A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) * A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) * A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) * A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) * A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) * A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) * A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) * A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) * A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. Red Hat Enterprise Linux 5 users are advised to upgrade to these packages, which contain backported patches to resolve these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27565 published 2007-10-25 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27565 title RHEL 5 : kernel (RHSA-2007:0940) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-558-1.NASL description The minix filesystem did not properly validate certain filesystem values. If a local attacker could trick the system into attempting to mount a corrupted minix filesystem, the kernel could be made to hang for long periods of time, resulting in a denial of service. (CVE-2006-6058) Certain calculations in the hugetlb code were not correct. A local attacker could exploit this to cause a kernel panic, leading to a denial of service. (CVE-2007-4133) Eric Sesterhenn and Victor Julien discovered that the hop-by-hop IPv6 extended header was not correctly validated. If a system was configured for IPv6, a remote attacker could send a specially crafted IPv6 packet and cause the kernel to panic, leading to a denial of service. This was only vulnerable in Ubuntu 7.04. (CVE-2007-4567) Permissions were not correctly stored on JFFS2 ACLs. For systems using ACLs on JFFS2, a local attacker may gain access to private files. (CVE-2007-4849) Chris Evans discovered that the 802.11 network stack did not correctly handle certain QOS frames. A remote attacker on the local wireless network could send specially crafted packets that would panic the kernel, resulting in a denial of service. (CVE-2007-4997) The Philips USB Webcam driver did not correctly handle disconnects. If a local attacker tricked another user into disconnecting a webcam unsafely, the kernel could hang or consume CPU resources, leading to a denial of service. (CVE-2007-5093) Scott James Remnant discovered that the waitid function could be made to hang the system. A local attacker could execute a specially crafted program which would leave the system unresponsive, resulting in a denial of service. (CVE-2007-5500) Ilpo Jarvinen discovered that it might be possible for the TCP stack to panic the kernel when receiving a crafted ACK response. Only Ubuntu 7.10 contained the vulnerable code, and it is believed not to have been exploitable. (CVE-2007-5501) When mounting the same remote NFS share to separate local locations, the first location last seen 2020-06-01 modified 2020-06-02 plugin id 29740 published 2007-12-19 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/29740 title Ubuntu 6.10 / 7.04 / 7.10 : linux-source-2.6.17/20/22 vulnerabilities (USN-558-1) NASL family Scientific Linux Local Security Checks NASL id SL_20071022_KERNEL_ON_SL5_X.NASL description These new kernel packages contain fixes for the following security issues : - A flaw was found in the backported stack unwinder fixes in Red Hat Enterprise Linux 5. On AMD64 and Intel 64 platforms, a local user could trigger this flaw and cause a denial of service. (CVE-2007-4574, Important) - A flaw was found in the handling of process death signals. This allowed a local user to send arbitrary signals to the suid-process executed by that user. A successful exploitation of this flaw depends on the structure of the suid-program and its signal handling. (CVE-2007-3848, Important) - A flaw was found in the Distributed Lock Manager (DLM) in the cluster manager. This allowed a remote user who is able to connect to the DLM port to cause a denial of service. (CVE-2007-3380, Important) - A flaw was found in the aacraid SCSI driver. This allowed a local user to make ioctl calls to the driver which should otherwise be restricted to privileged users. (CVE-2007-4308, Moderate) - A flaw was found in the prio_tree handling of the hugetlb support that allowed a local user to cause a denial of service. This only affected kernels with hugetlb support. (CVE-2007-4133, Moderate) - A flaw was found in the eHCA driver on PowerPC architectures that allowed a local user to access 60k of physical address space. This address space could contain sensitive information. (CVE-2007-3850, Moderate) - A flaw was found in ptrace support that allowed a local user to cause a denial of service via a NULL pointer dereference. (CVE-2007-3731, Moderate) - A flaw was found in the usblcd driver that allowed a local user to cause a denial of service by writing data to the device node. To exploit this issue, write access to the device node was needed. (CVE-2007-3513, Moderate) - A flaw was found in the random number generator implementation that allowed a local user to cause a denial of service or possibly gain privileges. If the root user raised the default wakeup threshold over the size of the output pool, this flaw could be exploited. (CVE-2007-3105, Low) In addition to the security issues described above, several bug fixes preventing possible system crashes and data corruption were also included. last seen 2020-06-01 modified 2020-06-02 plugin id 60272 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60272 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-105.NASL description The CIFS filesystem in the Linux kernel before 2.6.22, when Unix extension support is enabled, does not honor the umask of a process, which allows local users to gain privileges. (CVE-2007-3740) The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer. (CVE-2007-3851) The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors. (CVE-2007-4133) The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. This vulnerability is now being fixed in the Xen kernel too. (CVE-2007-4573) Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an off-by-two error. (CVE-2007-4997) The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 relies on user space to close the device, which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device. (CVE-2007-5093) A race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors. (CVE-2008-1375) The Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain re-ordered access to the descriptor table. (CVE-2008-1669) To update your kernel, please follow the directions located at : http://www.mandriva.com/en/security/kernelupdate last seen 2020-06-01 modified 2020-06-02 plugin id 37772 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/37772 title Mandriva Linux Security Advisory : kernel (MDVSA-2008:105)
Oval
accepted | 2013-04-29T04:05:48.257-04:00 | ||||||||||||
class | vulnerability | ||||||||||||
contributors |
| ||||||||||||
definition_extensions |
| ||||||||||||
description | The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors. | ||||||||||||
family | unix | ||||||||||||
id | oval:org.mitre.oval:def:10451 | ||||||||||||
status | accepted | ||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
title | The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE units, which allows local users to cause a denial of service (panic) via unspecified vectors. | ||||||||||||
version | 18 |
Redhat
advisories |
| ||||
rpms |
|
Statements
contributor | Mark J Cox |
lastmodified | 2007-10-18 |
organization | Red Hat |
statement | This issue did not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, or 4. |
References
- http://secunia.com/advisories/26994
- http://secunia.com/advisories/27322
- http://secunia.com/advisories/28170
- http://secunia.com/advisories/28971
- http://secunia.com/advisories/29058
- http://tree.celinuxforum.org/gitstat/commit-detail.php?commit=856fc29505556cf263f3dcda2533cf3766c14ab6
- http://www.debian.org/security/2007/dsa-1381
- http://www.debian.org/security/2008/dsa-1504
- http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.19-rc4
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:216
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:008
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:105
- http://www.redhat.com/support/errata/RHSA-2007-0940.html
- http://www.securityfocus.com/bid/25904
- http://www.ubuntu.com/usn/usn-558-1
- http://www.ubuntu.com/usn/usn-578-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36925
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10451