Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 2 Mar 2011 08:57:27 -0500 (EST)
From: Petr Matousek <pmatouse@...hat.com>
To: oss-security@...ts.openwall.com
Cc: nelhage@...lice.com
Subject: Re: CVE request: kernel: Multiple DoS issues in
 epoll

----- Original Message -----
> Two requests for bugs in epoll:
> 
> (1) The epoll subsystem in Linux did not prevent users from creating
> circular
> epoll file structures, potentially leading to a denial of service
> (kernel
> deadlock).
> 
> Reference: https://lkml.org/lkml/2011/2/5/220
> Upstream commit:
> http://git.kernel.org/linus/22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e

Please use CVE-2011-1082.

> (2) The epoll subsystem allows users to create large nested epoll
> structures,
> which the kernel will then to walk with preemption disabled, causing a
> denial of
> service via excessive CPU consumption in the kernel.
> 
> References:
> http://thread.gmane.org/gmane.linux.kernel/1105744
> http://thread.gmane.org/gmane.linux.kernel/1105744/focus=1105888
> 
> No upstream fix yet for this one.

Please use CVE-2011-1083.

Thank you,
--
Petr Matousek / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ