Bug 205335
| Field | Value |
|---|---|
| Summary | CVE-2006-4538 Local DoS with corrupted ELF |
| Product | Red Hat Enterprise Linux 4 |
| Component | kernel |
| Version | 4.0 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Marcel Holtmann <holtmann> |
| Assignee | Dave Anderson <anderson> |
| QA Contact | Brian Brock <bbrock> |
| CC | jbaron, security-response-team |
| Keywords | Security |
| Whiteboard | impact=moderate,reported=20060905,source=lkml,public=20060823 |
| Fixed In Version | RHSA-2007-0014 |
| Doc Type | Bug Fix |
| Target Milestone | --- |
| Target Release | --- |
| Last Closed | 2007-01-30 14:26:59 UTC |
| Bug Blocks | 289151 |
Description
Marcel Holtmann
2006-09-06 05:49:40 UTC
Where's the reproducer? I don't see any reference to it anywhere in the thread. I don't have a reproducer for this one. Jason, what do you suggest in this case? Cobble up a patch, compile it, and post it saying, "we don't have a reproducer"?

Cancel the needinfo -- I contacted Kirill Korotaev, and he forwarded me an ia64 reproducer (actually 2). His response follows, and I will attach both the mangle.c program as well as his pre-compiled :
Subject: Re: [PATCH] IA64,sparc: local DoS with corrupted ELFs
Date: Tue, 26 Sep 2006 10:24:21 +0400
From: Kirill Korotaev <dev>
To: Dave Anderson <anderson>
Dave,
> I just got assigned this CVE for a RHEL4 back-port.
> By any chance do you have a pointer to a quick-and-dirty
> reproducer for ia64? Or instructions on how I could tinker
> with an ia64 ELF header to reproduce the DOS?
ELF file is attached.
I'd recommend that Red Hat incorporate the original test, with a program
which hacks ELF files randomly, and run it on a regular basis.
This is what we do with OpenVZ.
The original test was from a security email from Dave Jones:
----- cut -----
1. grab http://www.digitaldwarf.be/products/mangle.c
2. create a test.c which is..
#include <stdio.h>
int main(void)
{
printf ("Worked\n");
return 0;
}
3. run this script..
#!/bin/bash
# Rebuild a known-good binary, corrupt it with a random seed, then hand the
# result to the kernel's ELF loader by executing it. Loop until the kernel
# falls over on one of the corrupted images.
while true; do
    gcc test.c
    ~/fuzz/mangle a.out $RANDOM
    ./a.out
done
4. wait, until this happens..
----- cut -----
Thanks,
Kirill
Attachment to the email: bad_ia64_elf (application/octet-stream, base64)
Created attachment 137132: pre-compiled ia64 ELF file with corrupted PT_LOAD segments.

Created attachment 137133: generic binary file corrupter.
Note that this program does not specifically attack the issue
addressed by this particular bug, but in a random attempt, may
create a corrupt ELF header that does bump into it.
Proposed patch posted: http://post-office.corp.redhat.com/archives/rhkernel-list/2006-September/msg00929.html

Committed in stream U5 build 42.17.

A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/

Committed in stream E5 build 42.0.4.

Verified with the attached reproducer. I also wasn't able to see any other problems with a few runs of fuzzing ELF binaries.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0014.html
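The reproducer in this report is a kernel-side test: mangle rewrites random bytes of a valid binary, and running the result hands a corrupted program header table to the kernel's ELF loader, which on ia64 and sparc could be crashed by PT_LOAD segments whose offsets, sizes and addresses no longer agree. The C program below is an added example, not code from this bug report, from mangle.c or from the RHEL 4 kernel patch. It is a user-space ELF64 program-header checker of the kind a loader should run before mapping anything, together with a deterministic stand-in for mangle so the same corrupt-and-load loop can be run against the checker offline. The struct layouts mirror <elf.h>; TASK_LIMIT, the 128-byte sample image (its x86-64 machine type is only a placeholder), the error codes and the LCG mutator are assumptions made for the example, and the checks are illustrative rather than a transcription of any kernel's loader.

```c
#include <stdint.h>
#include <string.h>

/* ELF64 header layouts mirroring <elf.h>, defined locally so this builds anywhere. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr;
typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} elf64_phdr;

#define PT_LOAD 1
#define SAMPLE_LEN 128
/* Assumed user-address ceiling for the range checks; not any real TASK_SIZE. */
#define TASK_LIMIT 0x0000800000000000ULL

enum elf_err { ELF_OK = 0, ELF_ERR_MAGIC = -1, ELF_ERR_PHDR_TABLE = -2, ELF_ERR_FILESZ = -3,
               ELF_ERR_OFFSET = -4, ELF_ERR_VADDR = -5, ELF_ERR_ALIGN = -6 };

/* Validate every PT_LOAD of an in-memory ELF64 image before anything is mapped.
 * Each bound is checked by subtracting from the limit, so no addition can wrap. */
int check_elf64_phdrs(const unsigned char *buf, size_t len)
{
    elf64_ehdr eh;
    if (len < sizeof eh) return ELF_ERR_MAGIC;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2) return ELF_ERR_MAGIC;
    if (eh.e_phentsize != sizeof(elf64_phdr)) return ELF_ERR_PHDR_TABLE;
    uint64_t table = (uint64_t)eh.e_phnum * sizeof(elf64_phdr);
    if (eh.e_phoff > len || table > len - eh.e_phoff) return ELF_ERR_PHDR_TABLE;   /* table inside file */
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        elf64_phdr ph; memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        if (ph.p_filesz > ph.p_memsz) return ELF_ERR_FILESZ;                        /* more file bytes than memory */
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return ELF_ERR_OFFSET; /* file range past EOF */
        if (ph.p_memsz > TASK_LIMIT || ph.p_vaddr > TASK_LIMIT - ph.p_memsz) return ELF_ERR_VADDR; /* wraps/too high */
        if (ph.p_align > 1 && ph.p_vaddr % ph.p_align != ph.p_offset % ph.p_align) return ELF_ERR_ALIGN;
    }
    return ELF_OK;
}

/* Constructed minimal ELF64 image: one PT_LOAD mapping the whole 128-byte file
 * at 0x400000. Not runnable; it exists only to exercise the checks above. */
void build_sample_elf(unsigned char out[SAMPLE_LEN])
{
    elf64_ehdr eh; elf64_phdr ph;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1; /* ELFCLASS64, little-endian, v1 */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;      /* ET_EXEC, EM_X86_64 (placeholder) */
    eh.e_entry = 0x400078; eh.e_phoff = eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_LOAD; ph.p_flags = 5;                     /* PF_R | PF_X */
    ph.p_vaddr = ph.p_paddr = 0x400000;
    ph.p_filesz = ph.p_memsz = SAMPLE_LEN; ph.p_align = 0x1000;
    memset(out, 0, SAMPLE_LEN);
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
}

/* Rebuild the sample with the PT_LOAD's position/size fields replaced; report which check rejects it. */
int check_corrupted_load(uint64_t offset, uint64_t vaddr, uint64_t filesz, uint64_t memsz)
{
    unsigned char img[SAMPLE_LEN]; elf64_phdr ph;
    build_sample_elf(img);
    memcpy(&ph, img + sizeof(elf64_ehdr), sizeof ph);
    ph.p_offset = offset; ph.p_vaddr = vaddr; ph.p_filesz = filesz; ph.p_memsz = memsz;
    memcpy(img + sizeof(elf64_ehdr), &ph, sizeof ph);
    return check_elf64_phdrs(img, SAMPLE_LEN);
}

/* Deterministic stand-in for mangle.c: XOR `hits` bytes chosen by an LCG, then run the
 * checker; the user-space analogue of the report's gcc / mangle / ./a.out loop. Returns how
 * many of `rounds` images were rejected; the point is that the checker survives all of them. */
int fuzz_rounds(int rounds, int hits)
{
    int rejected = 0;
    for (int r = 0; r < rounds; r++) {
        unsigned char img[SAMPLE_LEN];
        uint32_t x = (uint32_t)r * 7919u + 1u;               /* per-round seed, like $RANDOM */
        build_sample_elf(img);
        for (int i = 0; i < hits; i++) {
            x = x * 1664525u + 1013904223u;
            img[(x >> 8) % SAMPLE_LEN] ^= (unsigned char)((x >> 24) | 1);
        }
        if (check_elf64_phdrs(img, SAMPLE_LEN) != ELF_OK) rejected++;
    }
    return rejected;
}
```

Link it with a small main and call check_corrupted_load() with different field values: a p_filesz larger than p_memsz returns ELF_ERR_FILESZ, a p_offset past the end of the file returns ELF_ERR_OFFSET, and a p_vaddr near the top of the address space returns ELF_ERR_VADDR because the end of the segment is computed as a subtraction from the limit rather than as an addition that could wrap. fuzz_rounds(1000, 4) runs the corrupt-and-check loop a thousand times with four flipped bytes each; whichever bytes the mutator hits, a checker that validates sizes before using them returns an error code instead of faulting, which is the property the kernel loader lacked on the affected architectures.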