Bug 193104
Summary: | Kernel crash via malformed ELF executable
---|---
Product: | Red Hat Enterprise Linux 4
Component: | kernel
Version: | 4.0
Hardware: | All
OS: | Linux
Status: | CLOSED NOTABUG
Severity: | high
Priority: | medium
Reporter: | Marcel Holtmann <holtmann>
Assignee: | Ernie Petrides <petrides>
QA Contact: | Brian Brock <bbrock>
CC: | jbaron, security-response-team
Keywords: | Security
Whiteboard: | impact=important,source=lkml,reported=20060524,public=20060524
Doc Type: | Bug Fix
Last Closed: | 2006-05-26 20:43:07 UTC

Description
Marcel Holtmann
2006-05-25 10:49:14 UTC
The routine at the URL above is not a whole program. I added the following main() function as follows:

    main(int argc, char *argv[])
    {
        int rfd, wfd;

        if (argc != 4)
            exit(1);
        if ((rfd = open(argv[1], O_RDONLY)) < 0)
            exit(2);
        if ((wfd = open(argv[2], O_WRONLY | O_CREAT | O_TRUNC, 0777)) < 0)
            exit(3);
        ChangeElfHeader(rfd, wfd, strtoul(argv[3], (char **)0, 0));
        exit(0);
    }

along with an include of <stdlib.h> and ran it according to the directions in the LKML posting (on an x86_64 box). I then ran the resulting "runt" ELF image. No crash occurred. The exec() simply failed with ENOMEM. Closing as NOTABUG.

The whole program can be found in his own reply to his post. It contains an additional finishWriting() routine.

Marcel, please attach the whole program that you think is capable of reproducing the problem, and I'll retest it. Thanks in advance.

Created attachment 130248 [details]
Full source code of convertcore program

Thanks, Marcel. I've tried the complete test case on both i386 and x86_64 boxes, and neither produced a crash. Rather, the converted "executable" simply incurred a segmentation violation.

Please try to reproduce simple problems like this in the future. Thanks in advance, Marcel.