Bug 193104

Summary: Kernel crash via malformed ELF executable
Product: Red Hat Enterprise Linux 4
Reporter: Marcel Holtmann <holtmann>
Component: kernel
Assignee: Ernie Petrides <petrides>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 4.0
CC: jbaron, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,source=lkml,reported=20060524,public=20060524
Doc Type: Bug Fix
Last Closed: 2006-05-26 20:43:07 UTC
Attachments: Full source code of convertcore program

Description Marcel Holtmann 2006-05-25 10:49:14 UTC
According to a posting from Linux Kernel mailing list it is possible to create
an ELF executable that will crash the running Linux kernel on execution:

http://lkml.org/lkml/2006/5/24/173

Comment 1 Ernie Petrides 2006-05-26 20:43:07 UTC
The routine at the URL above is not a whole program.  I added the following
main() function:

#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* ChangeElfHeader() is the routine from the LKML posting; the prototype
   below is inferred from the call (return type assumed void). */
void ChangeElfHeader(int rfd, int wfd, unsigned long arg);

int main(int argc, char *argv[])
{
        int rfd, wfd;

        if (argc != 4)
                exit(1);
        if ((rfd = open(argv[1], O_RDONLY)) < 0)       /* input ELF image */
                exit(2);
        if ((wfd = open(argv[2], O_WRONLY | O_CREAT | O_TRUNC, 0777)) < 0)
                exit(3);                                /* output "runt" image */
        ChangeElfHeader(rfd, wfd, strtoul(argv[3], (char **)0, 0));
        exit(0);
}

along with an include of <stdlib.h> and ran it according to the directions
in the LKML posting (on an x86_64 box).  I then ran the resulting "runt"
ELF image.  No crash occurred.  The exec() simply failed with ENOMEM.

Closing as NOTABUG.
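The failure mode being tested above is a loader fed an ELF whose header fields no longer agree with the file. As an added illustration (not code from the bug, the attachment or the LKML posting), the checks below are the header sanity tests a loader has to apply before trusting e_phoff and e_phnum; the header layout mirrors the standard Elf64_Ehdr, and the sample headers are constructed here.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Mirrors the standard 64-byte Elf64_Ehdr layout (defined inline so the
   example does not depend on <elf.h>). */
struct ehdr64 {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};

/* Returns 0 if the header can be used, otherwise a nonzero reason code. */
int check_elf64_header(const unsigned char *buf, size_t len)
{
    struct ehdr64 h;
    if (len < sizeof h) return 1;                           /* truncated */
    memcpy(&h, buf, sizeof h);
    if (memcmp(h.e_ident, "\x7f" "ELF", 4) != 0) return 2;  /* bad magic */
    if (h.e_ident[4] != 2) return 3;                        /* not ELFCLASS64 */
    if (h.e_type != 2 && h.e_type != 3) return 4;           /* not EXEC/DYN */
    if (h.e_ehsize != sizeof h) return 5;
    if (h.e_phnum == 0) return 6;                           /* nothing to map */
    if (h.e_phentsize != 56) return 7;                      /* Elf64_Phdr size */
    /* The program header table must lie inside the file; the arithmetic is
       ordered so a huge e_phoff or e_phnum cannot wrap around. */
    uint64_t ph_bytes = (uint64_t)h.e_phnum * h.e_phentsize;
    if (h.e_phoff > len || ph_bytes > len - h.e_phoff) return 8;
    return 0;
}

/* Constructed sample: write a minimal x86-64 ET_EXEC header with the given
   program header offset and count into out[] (64 bytes). */
size_t make_header(unsigned char *out, uint64_t phoff, uint16_t phnum)
{
    struct ehdr64 h;
    memset(&h, 0, sizeof h);
    memcpy(h.e_ident, "\x7f" "ELF", 4);
    h.e_ident[4] = 2; h.e_ident[5] = 1; h.e_ident[6] = 1;  /* 64-bit, LE, v1 */
    h.e_type = 2; h.e_machine = 62; h.e_version = 1;       /* ET_EXEC, x86-64 */
    h.e_ehsize = sizeof h; h.e_phentsize = 56;
    h.e_phoff = phoff; h.e_phnum = phnum;
    memcpy(out, &h, sizeof h);
    return sizeof h;
}
```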

Comment 2 Marcel Holtmann 2006-05-29 10:40:12 UTC
The whole program can be found in his own reply to his post. It contains an
additional finishWriting() routine.
Comment 3 Ernie Petrides 2006-05-30 20:05:32 UTC
Marcel, please attach the whole program that you think is capable of
reproducing the problem, and I'll retest it.  Thanks in advance.

Comment 4 Marcel Holtmann 2006-05-30 20:21:37 UTC
Created attachment 130248 [details]
Full source code of convertcore program

Comment 5 Ernie Petrides 2006-05-30 20:56:04 UTC
Thanks, Marcel.  I've tried the complete test case on both i386 and x86_64
boxes, and neither produced a crash.  Rather, the converted "executable"
simply incurred a segmentation violation.

Please try to reproduce simple problems like this in the future.  Thanks
in advance, Marcel.