ID CVE-2008-4302
Summary fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.
References
Vulnerable Configurations
  • cpe:2.3:o:linux:linux_kernel:2.4.36.6
    cpe:2.3:o:linux:linux_kernel:2.4.36.6
  • cpe:2.3:o:linux:linux_kernel:2.2.27
    cpe:2.3:o:linux:linux_kernel:2.2.27
  • Linux Kernel 2.6.21.5
    cpe:2.3:o:linux:linux_kernel:2.6.21.5
  • Linux Kernel 2.6.20.21
    cpe:2.3:o:linux:linux_kernel:2.6.20.21
  • Linux Kernel 2.6.20.18
    cpe:2.3:o:linux:linux_kernel:2.6.20.18
  • Linux Kernel 2.6.20.17
    cpe:2.3:o:linux:linux_kernel:2.6.20.17
  • Linux Kernel 2.6.20.20
    cpe:2.3:o:linux:linux_kernel:2.6.20.20
  • Linux Kernel 2.6.20.19
    cpe:2.3:o:linux:linux_kernel:2.6.20.19
  • Linux Kernel 2.6.18 Release Candidate 5
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc5
  • Linux Kernel 2.6.19.7
    cpe:2.3:o:linux:linux_kernel:2.6.19.7
  • Linux Kernel 2.6.18 Release Candidate 6
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc6
  • Linux Kernel 2.6.20.16
    cpe:2.3:o:linux:linux_kernel:2.6.20.16
  • Linux Kernel 2.6.18 Release Candidate 7
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc7
  • Linux Kernel 2.6.19.5
    cpe:2.3:o:linux:linux_kernel:2.6.19.5
  • Linux Kernel 2.6.19.6
    cpe:2.3:o:linux:linux_kernel:2.6.19.6
  • Linux Kernel 2.6.18 Release Candidate 1
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc1
  • Linux Kernel 2.6.18 Release Candidate 2
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc2
  • Linux Kernel 2.6.19.4
    cpe:2.3:o:linux:linux_kernel:2.6.19.4
  • Linux Kernel 2.6.18 Release Candidate 3
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc3
  • Linux Kernel 2.6.18 Release Candidate 4
    cpe:2.3:o:linux:linux_kernel:2.6.18:rc4
  • cpe:2.3:o:linux:linux_kernel:2.6
    cpe:2.3:o:linux:linux_kernel:2.6
  • cpe:2.3:o:linux:linux_kernel:2.4.36.4
    cpe:2.3:o:linux:linux_kernel:2.4.36.4
  • cpe:2.3:o:linux:linux_kernel:2.4.36.5
    cpe:2.3:o:linux:linux_kernel:2.4.36.5
  • cpe:2.3:o:linux:linux_kernel:2.4.36.1
    cpe:2.3:o:linux:linux_kernel:2.4.36.1
  • cpe:2.3:o:linux:linux_kernel:2.4.36
    cpe:2.3:o:linux:linux_kernel:2.4.36
  • Linux Kernel 2.6.18
    cpe:2.3:o:linux:linux_kernel:2.6.18
  • cpe:2.3:o:linux:linux_kernel:2.4.36.3
    cpe:2.3:o:linux:linux_kernel:2.4.36.3
  • cpe:2.3:o:linux:linux_kernel:2.4.36.2
    cpe:2.3:o:linux:linux_kernel:2.4.36.2
  • Linux Kernel 2.6.21.6
    cpe:2.3:o:linux:linux_kernel:2.6.21.6
  • Linux Kernel 2.6.22.1
    cpe:2.3:o:linux:linux_kernel:2.6.22.1
  • Linux Kernel 2.6.21.7
    cpe:2.3:o:linux:linux_kernel:2.6.21.7
CVSS
Base: 4.9 (as of 30-09-2008 - 09:50)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE COMPLETE
exploit-db via4
description Linux Kernel 2.6.x 'add_to_page_cache_lru()' Local Denial of Service Vulnerability. CVE-2008-4302. Dos exploit for linux platform
id EDB-ID:32384
last seen 2016-02-03
modified 2007-07-20
published 2007-07-20
reporter Jens Axboe
source https://www.exploit-db.com/download/32384/
title Linux Kernel 2.6.x - 'add_to_page_cache_lru' Local Denial of Service Vulnerability
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KERNEL-5751.NASL
    description This kernel update fixes various bugs and also several security issues : CVE-2008-4576: Fixed a crash in SCTP INIT-ACK, on mismatch between SCTP AUTH availability. This might be exploited remotely for a denial of service (crash) attack. CVE-2008-3833: The generic_file_splice_write function in fs/splice.c in the Linux kernel does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by splicing into an inode in order to create an executable file in a setgid directory. CVE-2008-4210: fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid and setgid bits when there is a write to a file, which allows local users to gain the privileges of a different group, and obtain sensitive information or possibly have unspecified other impact, by creating an executable file in a setgid directory through the (1) truncate or (2) ftruncate function in conjunction with memory-mapped I/O. CVE-2008-4302: fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool. CVE-2008-3528: The ext[234] filesystem code fails to properly handle corrupted data structures. With a mounted filesystem image or partition that have corrupted dir->i_size and dir->i_blocks, a user performing either a read or write operation on the mounted image or partition can lead to a possible denial of service by spamming the logfile. CVE-2007-6716: fs/direct-io.c in the dio subsystem in the Linux kernel did not properly zero out the dio struct, which allows local users to cause a denial of service (OOPS), as demonstrated by a certain fio test. CVE-2008-3525: Added missing capability checks in sbni_ioctl(). CVE-2008-3272: Fixed range checking in the snd_seq OSS ioctl, which could be used to leak information from the kernel. CVE-2008-2931: The do_change_type function in fs/namespace.c did not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint. CVE-2008-2812: Various NULL ptr checks have been added to tty op functions, which might have been used by local attackers to execute code. We think that this affects only devices openable by root, so the impact is limited. CVE-2008-1673: Added range checking in ASN.1 handling for the CIFS and SNMP NAT netfilter modules. CVE-2008-3527: arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDSO) implementation in the Linux kernel before 2.6.21 did not properly check boundaries, which allows local users to gain privileges or cause a denial of service via unspecified vectors, related to the install_special_mapping, syscall, and syscall32_nopage functions.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 34755
    published 2008-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34755
    title openSUSE 10 Security Update : kernel (kernel-5751)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20081104_KERNEL_ON_SL5_X.NASL
    description - the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important) - Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important) - the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important) - a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important) - a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low) - a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low) - an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low) In addition, these updated packages fix the following bugs : - random32() seeding has been improved. - in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash. - a format string was omitted in the call to the request_module() function. - a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected. - the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic(). - a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated. - in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures. - some of the newer Nehalem-based systems declare their CPU DSDT entries as type 'Alias'. During boot, this caused an 'Error attaching device data' message to be logged. - the evtchn event channel device lacked locks and memory barriers. This has led to xenstore becoming unresponsive on the Itanium® architecture. - sending of gratuitous ARP packets in the Xen frontend network driver is now delayed until the backend signals that its carrier status has been processed by the stack. - on forcedeth devices, whenever setting ethtool parameters for link speed, the device could stop receiving interrupts. - the CIFS 'forcedirectio' option did not allow text to be appended to files. - the gettimeofday() function returned a backwards time on Intel® 64. - residual-count corrections during UNDERRUN handling were added to the qla2xxx driver. - the fix for a small quirk was removed for certain Adaptec controllers for which it caused problems. - the 'xm trigger init' command caused a domain panic if a userland application was running on a guest on the Intel® 64 architecture.
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60488
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60488
    title Scientific Linux Security Update : kernel on SL5.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2008-0957.NASL
    description Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 12th November 2008] The original packages distributed with this errata had a bug which prevented the Xen kernel booting on older hardware. We have updated the packages to correct this bug. The kernel packages contain the Linux kernel, the core of any Linux operating system. * the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important) * Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important) * a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important) * a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low) * a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low) * an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low) In addition, these updated packages fix the following bugs : * random32() seeding has been improved. * in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash. * a format string was omitted in the call to the request_module() function. * a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected. * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic(). * a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated. * in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures. * some of the newer Nehalem-based systems declare their CPU DSDT entries as type 'Alias'. During boot, this caused an 'Error attaching device data' message to be logged. * the evtchn event channel device lacked locks and memory barriers. This has led to xenstore becoming unresponsive on the Itanium(r) architecture. * sending of gratuitous ARP packets in the Xen frontend network driver is now delayed until the backend signals that its carrier status has been processed by the stack. * on forcedeth devices, whenever setting ethtool parameters for link speed, the device could stop receiving interrupts. * the CIFS 'forcedirectio' option did not allow text to be appended to files. * the gettimeofday() function returned a backwards time on Intel(r) 64. * residual-count corrections during UNDERRUN handling were added to the qla2xxx driver. * the fix for a small quirk was removed for certain Adaptec controllers for which it caused problems. * the 'xm trigger init' command caused a domain panic if a userland application was running on a guest on the Intel(r) 64 architecture. Users of kernel should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43713
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43713
    title CentOS 5 : kernel (CESA-2008:0957)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0957.NASL
    description Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 12th November 2008] The original packages distributed with this errata had a bug which prevented the Xen kernel booting on older hardware. We have updated the packages to correct this bug. The kernel packages contain the Linux kernel, the core of any Linux operating system. * the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important) * Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important) * a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important) * a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low) * a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low) * an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low) In addition, these updated packages fix the following bugs : * random32() seeding has been improved. * in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash. * a format string was omitted in the call to the request_module() function. * a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected. * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic(). * a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated. * in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures. * some of the newer Nehalem-based systems declare their CPU DSDT entries as type 'Alias'. During boot, this caused an 'Error attaching device data' message to be logged. * the evtchn event channel device lacked locks and memory barriers. This has led to xenstore becoming unresponsive on the Itanium(r) architecture. * sending of gratuitous ARP packets in the Xen frontend network driver is now delayed until the backend signals that its carrier status has been processed by the stack. * on forcedeth devices, whenever setting ethtool parameters for link speed, the device could stop receiving interrupts. * the CIFS 'forcedirectio' option did not allow text to be appended to files. * the gettimeofday() function returned a backwards time on Intel(r) 64. * residual-count corrections during UNDERRUN handling were added to the qla2xxx driver. * the fix for a small quirk was removed for certain Adaptec controllers for which it caused problems. * the 'xm trigger init' command caused a domain panic if a userland application was running on a guest on the Intel(r) 64 architecture. Users of kernel should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 34690
    published 2008-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34690
    title RHEL 5 : kernel (RHSA-2008:0957)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1653.NASL
    description Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-6716 Joe Jin reported a local denial of service vulnerability that allows system users to trigger an oops due to an improperly initialized data structure. - CVE-2008-1514 Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic. - CVE-2008-3276 Eugene Teo reported an integer overflow in the DCCP subsystem that may allow remote attackers to cause a denial of service in the form of a kernel panic. - CVE-2008-3525 Eugene Teo reported a lack of capability checks in the kernel driver for Granch SBNI12 leased line adapters (sbni), allowing local users to perform privileged operations. - CVE-2008-3833 The S_ISUID/S_ISGID bits were not being cleared during an inode splice, which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. Mark Fasheh reported this issue. - CVE-2008-4210 David Watson reported an issue in the open()/creat() system calls which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. - CVE-2008-4302 A coding error in the splice subsystem allows local users to attempt to unlock a page structure that has not been locked, resulting in a system crash.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 34392
    published 2008-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34392
    title Debian DSA-1653-1 : linux-2.6 - denial of service/privilege escalation
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2008-0957.NASL
    description From Red Hat Security Advisory 2008:0957 : Updated kernel packages that resolve several security issues and fix various bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. [Updated 12th November 2008] The original packages distributed with this errata had a bug which prevented the Xen kernel booting on older hardware. We have updated the packages to correct this bug. The kernel packages contain the Linux kernel, the core of any Linux operating system. * the Xen implementation did not prevent applications running in a para-virtualized guest from modifying CR4 TSC. This could cause a local denial of service. (CVE-2007-5907, Important) * Tavis Ormandy reported missing boundary checks in the Virtual Dynamic Shared Objects (vDSO) implementation. This could allow a local unprivileged user to cause a denial of service or escalate privileges. (CVE-2008-3527, Important) * the do_truncate() and generic_file_splice_write() functions did not clear the setuid and setgid bits. This could allow a local unprivileged user to obtain access to privileged information. (CVE-2008-4210, CVE-2008-3833, Important) * a flaw was found in the Linux kernel splice implementation. This could cause a local denial of service when there is a certain failure in the add_to_page_cache_lru() function. (CVE-2008-4302, Important) * a flaw was found in the Linux kernel when running on AMD64 systems. During a context switch, EFLAGS were being neither saved nor restored. This could allow a local unprivileged user to cause a denial of service. (CVE-2006-5755, Low) * a flaw was found in the Linux kernel virtual memory implementation. This could allow a local unprivileged user to cause a denial of service. (CVE-2008-2372, Low) * an integer overflow was discovered in the Linux kernel Datagram Congestion Control Protocol (DCCP) implementation. This could allow a remote attacker to cause a denial of service. By default, remote DCCP is blocked by SELinux. (CVE-2008-3276, Low) In addition, these updated packages fix the following bugs : * random32() seeding has been improved. * in a multi-core environment, a race between the QP async event-handler and the destro_qp() function could occur. This led to unpredictable results during invalid memory access, which could lead to a kernel crash. * a format string was omitted in the call to the request_module() function. * a stack overflow caused by an infinite recursion bug in the binfmt_misc kernel module was corrected. * the ata_scsi_rbuf_get() and ata_scsi_rbuf_put() functions now check for scatterlist usage before calling kmap_atomic(). * a sentinel NUL byte was added to the device_write() function to ensure that lspace.name is NUL-terminated. * in the character device driver, a range_is_allowed() check was added to the read_mem() and write_mem() functions. It was possible for an illegitimate application to bypass these checks, and access /dev/mem beyond the 1M limit by calling mmap_mem() instead. Also, the parameters of range_is_allowed() were changed to cleanly handle greater than 32-bits of physical address on 32-bit architectures. * some of the newer Nehalem-based systems declare their CPU DSDT entries as type 'Alias'. During boot, this caused an 'Error attaching device data' message to be logged. * the evtchn event channel device lacked locks and memory barriers. This has led to xenstore becoming unresponsive on the Itanium(r) architecture. * sending of gratuitous ARP packets in the Xen frontend network driver is now delayed until the backend signals that its carrier status has been processed by the stack. * on forcedeth devices, whenever setting ethtool parameters for link speed, the device could stop receiving interrupts. * the CIFS 'forcedirectio' option did not allow text to be appended to files. * the gettimeofday() function returned a backwards time on Intel(r) 64. * residual-count corrections during UNDERRUN handling were added to the qla2xxx driver. * the fix for a small quirk was removed for certain Adaptec controllers for which it caused problems. * the 'xm trigger init' command caused a domain panic if a userland application was running on a guest on the Intel(r) 64 architecture. Users of kernel should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 67758
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67758
    title Oracle Linux 5 : kernel (ELSA-2008-0957)
oval via4
accepted 2013-04-29T04:06:36.214-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.
family unix
id oval:org.mitre.oval:def:10547
status accepted
submitted 2010-07-09T03:56:16-04:00
title fs/splice.c in the splice subsystem in the Linux kernel before 2.6.22.2 does not properly handle a failure of the add_to_page_cache_lru function, and subsequently attempts to unlock a page that was not locked, which allows local users to cause a denial of service (kernel BUG and system crash), as demonstrated by the fio I/O tool.
version 18
redhat via4
advisories
bugzilla
id 470040
title kernel-xen doesn't boot on Dell Optiplex GX280
oval
AND
  • comment Red Hat Enterprise Linux 5 is installed
    oval oval:com.redhat.rhba:tst:20070331001
  • OR
    • AND
      • comment kernel is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957002
      • comment kernel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314003
    • AND
      • comment kernel-PAE is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957022
      • comment kernel-PAE is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314021
    • AND
      • comment kernel-PAE-devel is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957020
      • comment kernel-PAE-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314023
    • AND
      • comment kernel-debug is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957006
      • comment kernel-debug is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314015
    • AND
      • comment kernel-debug-devel is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957012
      • comment kernel-debug-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314009
    • AND
      • comment kernel-devel is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957008
      • comment kernel-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314007
    • AND
      • comment kernel-doc is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957024
      • comment kernel-doc is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314025
    • AND
      • comment kernel-headers is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957004
      • comment kernel-headers is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314005
    • AND
      • comment kernel-kdump is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957018
      • comment kernel-kdump is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314017
    • AND
      • comment kernel-kdump-devel is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957016
      • comment kernel-kdump-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314019
    • AND
      • comment kernel-xen is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957010
      • comment kernel-xen is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314011
    • AND
      • comment kernel-xen-devel is earlier than 0:2.6.18-92.1.18.el5
        oval oval:com.redhat.rhsa:tst:20080957014
      • comment kernel-xen-devel is signed with Red Hat redhatrelease key
        oval oval:com.redhat.rhba:tst:20080314013
rhsa
id RHSA-2008:0957
released 2008-11-04
severity Important
title RHSA-2008:0957: kernel security and bug fix update (Important)
rpms
  • kernel-0:2.6.18-92.1.18.el5
  • kernel-PAE-0:2.6.18-92.1.18.el5
  • kernel-PAE-devel-0:2.6.18-92.1.18.el5
  • kernel-debug-0:2.6.18-92.1.18.el5
  • kernel-debug-devel-0:2.6.18-92.1.18.el5
  • kernel-devel-0:2.6.18-92.1.18.el5
  • kernel-doc-0:2.6.18-92.1.18.el5
  • kernel-headers-0:2.6.18-92.1.18.el5
  • kernel-kdump-0:2.6.18-92.1.18.el5
  • kernel-kdump-devel-0:2.6.18-92.1.18.el5
  • kernel-xen-0:2.6.18-92.1.18.el5
  • kernel-xen-devel-0:2.6.18-92.1.18.el5
refmap via4
bid 31201
confirm
debian DSA-1653
misc http://www.juniper.net/security/auto/vulnerabilities/vuln31201.html
mlist
  • [linux-kernel] 20070720 [PATCH] splice: fix bad unlock_page() in error case
  • [oss-security] 20080916 CVE request: kernel: splice: fix bad unlock_page() in error case
secunia
  • 32237
  • 32485
  • 32759
suse SUSE-SR:2008:025
xf linux-kernel-addtopagecachelru-dos(45191)
statements via4
contributor Tomas Hoger
lastmodified 2009-01-15
organization Red Hat
statement This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and Red Hat Enterprise MRG. It was addressed in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2008-0957.html
Last major update 19-03-2012 - 00:00
Published 29-09-2008 - 13:17
Last modified 28-09-2017 - 21:32
Back to Top