Bug 205335

| Summary: | CVE-2006-4538 Local DoS with corrupted ELF | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Marcel Holtmann <holtmann> |
| Component: | kernel | Assignee: | Dave Anderson <anderson> |
| Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.0 | CC: | jbaron, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | impact=moderate,reported=20060905,source=lkml,public=20060823 | | |
| Fixed In Version: | RHSA-2007-0014 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-01-30 14:26:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 289151 | | |
| Attachments: | | | |
Description
Marcel Holtmann
2006-09-06 05:49:40 UTC
Where's the reproducer? I don't see any reference to it anywhere in the thread.

I don't have a reproducer for this one. Jason, what do you suggest in this case? Cobble up a patch, compile it, and post it saying, "we don't have a reproducer"?

Cancel the needinfo -- I contacted Kirill Korotaev, and he forwarded me an ia64 reproducer (actually 2). His response follows, and I will attach both the mangle.c program as well as his pre-compiled:

Subject: Re: [PATCH] IA64,sparc: local DoS with corrupted ELFs
Date: Tue, 26 Sep 2006 10:24:21 +0400
From: Kirill Korotaev <dev>
To: Dave Anderson <anderson>

Dave,

> I just got assigned this CVE for a RHEL4 back-port.
> By any chance do you have a pointer to a quick-and-dirty
> reproducer for ia64? Or instructions on how I could tinker
> with an ia64 ELF header to reproduce the DOS?

ELF file is attached.

I'd recommend RedHat to incorporate the original test with a program which hacks ELF files randomly and run it on a regular basis. This is what we do with OpenVZ.

The original test was from security from Dave Jones email:

----- cut -----

1. grab http://www.digitaldwarf.be/products/mangle.c
2. create a test.c which is..

```c
#include <stdio.h>

int main(void)
{
    printf("Worked\n");
    return 0;
}
```

3. run this script..

```bash
#!/bin/bash
while [ 1 ]; do
    gcc test.c                      # build a fresh, valid a.out
    ~/fuzz/mangle a.out $RANDOM     # corrupt it in place with a random seed
    ./a.out                         # exec the corrupted binary
done
```

4. wait, until this happens..

----- cut -----

Thanks,
Kirill

Attachment: bad_ia64_elf (application/octet-stream, base64)

Created attachment 137132
pre-compiled ia64 ELF file with corrupted PT_LOAD segments.

Created attachment 137133
generic binary file corrupter
Note that this program does not specifically attack the issue
addressed by this particular bug, but in a random attempt, may
create a corrupt ELF header that does bump into it.
Proposed patch posted: http://post-office.corp.redhat.com/archives/rhkernel-list/2006-September/msg00929.html

Committed in stream U5 build 42.17.

A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/

Committed in stream E5 build 42.0.4.

Verified with the attached reproducer; I also wasn't able to see any other problems with a few runs of fuzzing elf binaries.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0014.html
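The fuzz loop in Kirill's mail finds program headers the loader mishandles by mutating a valid binary at random; the loader's defence is to validate every PT_LOAD entry before mapping it. The C program below is an added example, not code from this bug report, from Kirill's mail or from the RHEL patch. It applies the generic ELF-loader invariants (file range, p_filesz <= p_memsz, page congruence of p_offset and p_vaddr, no address wrap, no overlap between segments) to a minimal ELF64 image built in memory, then to three single-field mutations of the kind mangle.c produces. The checks are general loader invariants, not the ia64/sparc-specific condition fixed for CVE-2006-4538; the sample image, the enum names and the mutation kinds are all this example's own, and the image is not the bad_ia64_elf attachment.

```c
/* Added example, not code from the bug report, Kirill's mail or the RHEL patch:
 * a user-space validator for ELF64 PT_LOAD headers. Generic loader invariants
 * only, not the ia64/sparc-specific fix; the sample image and mutations are
 * constructed here and are not the bad_ia64_elf attachment. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE    4096u
#define PT_LOAD 1u

/* Same layout as <elf.h>'s Elf64_Ehdr / Elf64_Phdr; host byte order assumed. */
typedef struct { unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
                 uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
                 uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; } Elf64_Ehdr;
typedef struct { uint32_t p_type, p_flags;
                 uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align; } Elf64_Phdr;

enum { ELF_OK = 0, ELF_TRUNCATED, ELF_BAD_MAGIC, ELF_BAD_PHDR_TABLE,
       ELF_SEG_FILE_RANGE, ELF_SEG_MEMSZ_LT_FILESZ, ELF_SEG_MISALIGNED,
       ELF_SEG_VADDR_WRAP, ELF_SEG_OVERLAP };

/* Validate every PT_LOAD entry of an in-memory ELF64 image of `len` bytes.
 * Returns ELF_OK or the first check that fails. */
int check_elf64_loads(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    uint64_t prev_end = 0;                   /* end of the previous PT_LOAD in memory */
    if (len < sizeof eh) return ELF_TRUNCATED;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2)
        return ELF_BAD_MAGIC;                                       /* not ELFCLASS64 */
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phnum == 0 || eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return ELF_BAD_PHDR_TABLE;                                  /* table outside the file */
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
            return ELF_SEG_FILE_RANGE;          /* file bytes to map lie outside the file */
        if (ph.p_filesz > ph.p_memsz)
            return ELF_SEG_MEMSZ_LT_FILESZ;     /* more file bytes than room in memory */
        if (ph.p_offset % PAGE != ph.p_vaddr % PAGE)
            return ELF_SEG_MISALIGNED;          /* mmap needs offset == vaddr mod page size */
        if (ph.p_vaddr > UINT64_MAX - ph.p_memsz)
            return ELF_SEG_VADDR_WRAP;          /* vaddr + memsz wraps the address space */
        if (ph.p_vaddr < prev_end)              /* PT_LOADs are sorted by vaddr; no overlap */
            return ELF_SEG_OVERLAP;             /* (byte granularity; a loader rounds to pages) */
        prev_end = ph.p_vaddr + ph.p_memsz;
    }
    return ELF_OK;
}

/* Constructed sample: a two-segment ELF64 image with the program headers placed
 * directly after the ELF header. Returns the image length, or 0 if `cap` is too small. */
size_t build_sample(unsigned char *out, size_t cap)
{
    const size_t filelen = 2 * PAGE;
    Elf64_Ehdr eh = {{0}};
    Elf64_Phdr ph[2] = {
        { PT_LOAD, 5, 0,    0x400000, 0x400000, PAGE, PAGE,     PAGE },   /* R+X text */
        { PT_LOAD, 6, PAGE, 0x601000, 0x601000, PAGE, 2 * PAGE, PAGE },   /* R+W data + bss */
    };
    if (cap < filelen) return 0;
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* 64-bit, LSB, version 1 */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;       /* ET_EXEC, EM_X86_64 */
    eh.e_entry = 0x400000 + sizeof eh + sizeof ph;
    eh.e_phoff = eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;
    memset(out, 0, filelen);
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, sizeof ph);
    return filelen;
}

/* Apply one single-field mutation to the sample's data segment, as a random
 * corrupter such as mangle.c might, and return the checker's verdict.
 * kind: 0 untouched, 1 p_filesz past end of file, 2 p_memsz < p_filesz,
 *       3 p_vaddr moved back onto the text segment. */
int verdict_for_mutation(int kind)
{
    unsigned char img[2 * PAGE];
    size_t len = build_sample(img, sizeof img);
    Elf64_Phdr ph = { PT_LOAD, 6, PAGE, 0x601000, 0x601000, PAGE, 2 * PAGE, PAGE };
    if (kind == 1) ph.p_filesz = 0x10000;
    if (kind == 2) ph.p_memsz = PAGE / 2;
    if (kind == 3) ph.p_vaddr = ph.p_paddr = 0x400000;
    memcpy(img + sizeof(Elf64_Ehdr) + sizeof ph, &ph, sizeof ph);   /* overwrite phdr[1] */
    return check_elf64_loads(img, len);
}

int main(void)
{
    for (int k = 0; k < 4; k++)
        printf("mutation %d -> verdict %d\n", k, verdict_for_mutation(k));
    return 0;
}
```

The untouched sample passes; the three mutations are rejected as ELF_SEG_FILE_RANGE, ELF_SEG_MEMSZ_LT_FILESZ and ELF_SEG_OVERLAP respectively, before any byte would be mapped. The overlap check works at byte granularity; a kernel loader rounds segment bounds to page boundaries before comparing them, so it rejects a strictly larger set of inputs than this checker.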