Bug 134981 - CAN-2004-0138 Program crashes the kernel
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
x86_64 Linux
Priority: high, Severity: high
Assigned To: Jim Paradis
Brian Brock
Keywords: Security
Duplicates: 127915
Reported: 2004-10-07 13:31 EDT by Bastien Nocera
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-12-02 06:36:38 EST

Attachments
Patch that fixes this bug (567 bytes, patch)
2004-10-15 23:46 EDT, Jim Paradis
Description Bastien Nocera 2004-10-07 13:31:24 EDT
Description of problem:
Kernel crash (somewhere in binfmt...)

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Unzip the attached zip file
2. run the program, or
2a. run "ldd program"
Actual results:
Crashes the kernel

Expected results:
It just fails

Additional info:
Comment 8 Bill Nottingham 2004-10-07 17:00:02 EDT
Under U2:

# ./crash.out
Unable to load interpreter
request_moduloe[binfmt-464c]: wiatpid(2727,...) failed, errno 512
memory.c:553: bad pgd 000001011a22d000(706d617473656d69)

However, it only hangs crash.out there, not the system.
Comment 13 Jim Paradis 2004-10-15 00:27:43 EDT
urk... the problem is that the main binary is a 64-bit image, but it
links to a 32-bit loader and shared library (probably because it's
looking for things in /lib rather than in /lib64).  I don't know HOW
it manages to smash these different flavors together into one image,
but it does.  That's why we're going nuts in "load_elf**32**_binary()"
even though it's a 64-bit main image.

RHEL4 manages to correctly reject this mongrel binary, and it
shouldn't be hard to add similar checks to RHEL3.
Comment 14 Jim Paradis 2004-10-15 23:46:15 EDT
Created attachment 105318
Patch that fixes this bug

I lifted this patch from 2.6; it's an extra sanity check in load_elf_binary()
to ensure that the ELF interpreter is of an arch compatible with the main
program.  I tested it and it fixes the problem.  Now when you attempt to run
the test program you get the message:

-bash: ./crash.out: Accessing a corrupted shared library
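
Added example (not the attached patch and not kernel code): a user-space C version of the check comments 13 and 14 describe, comparing the architecture fields of a program's ELF header with those of its interpreter. The names check_interp and elf_arch_of, the constructed header bytes, and the use of strict equality as the meaning of "compatible" are assumptions of this example; -ELIBBAD is used because its glibc message is the one quoted in comment 14.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the kernel patch. These offsets are identical in the
 * ELF32 and ELF64 headers, so 20 bytes are enough to classify either kind. */
enum { EI_CLASS_OFF = 4, EI_DATA_OFF = 5, E_MACHINE_OFF = 18, MIN_HDR = 20 };
enum { CLASS32 = 1, CLASS64 = 2, DATA_LSB = 1, DATA_MSB = 2 };

struct elf_arch { int cls; int data; unsigned machine; };

/* Parse the arch-identifying fields; returns 0, or -ENOEXEC if not valid ELF. */
static int elf_arch_of(const uint8_t *h, size_t len, struct elf_arch *out)
{
    if (len < MIN_HDR || memcmp(h, "\177ELF", 4) != 0)
        return -ENOEXEC;
    out->cls = h[EI_CLASS_OFF];
    out->data = h[EI_DATA_OFF];
    if ((out->cls != CLASS32 && out->cls != CLASS64) ||
        (out->data != DATA_LSB && out->data != DATA_MSB))
        return -ENOEXEC;
    /* e_machine is 16 bits wide, stored in the file's own byte order. */
    out->machine = out->data == DATA_LSB
        ? (unsigned)h[E_MACHINE_OFF] | (unsigned)h[E_MACHINE_OFF + 1] << 8
        : (unsigned)h[E_MACHINE_OFF] << 8 | (unsigned)h[E_MACHINE_OFF + 1];
    return 0;
}

/* 0 if the interpreter matches the main image, -ELIBBAD on a mismatch. */
int check_interp(const uint8_t *prog, size_t plen, const uint8_t *interp, size_t ilen)
{
    struct elf_arch p, i;
    if (elf_arch_of(prog, plen, &p) != 0)
        return -ENOEXEC;            /* main image is not a usable ELF file */
    if (elf_arch_of(interp, ilen, &i) != 0)
        return -ELIBBAD;            /* interpreter is truncated or not ELF */
    if (p.cls != i.cls || p.data != i.data || p.machine != i.machine)
        return -ELIBBAD;            /* e.g. 64-bit program, 32-bit loader */
    return 0;
}

/* Constructed 20-byte header prefixes (not taken from the bug's attachment). */
const uint8_t HDR_X86_64[20] = { 0x7f,'E','L','F', 2,1,1,0, 0,0,0,0,0,0,0,0, 2,0, 62,0 };
const uint8_t HDR_I386[20]   = { 0x7f,'E','L','F', 1,1,1,0, 0,0,0,0,0,0,0,0, 3,0, 3,0 };

int main(void)
{   /* 64-bit program paired with a 32-bit interpreter: rejected. */
    printf("%d\n", check_interp(HDR_X86_64, 20, HDR_I386, 20));
    return 0;
}
```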
Comment 22 Ernie Petrides 2004-11-12 21:11:12 EST
A fix for this problem has just been committed to the RHEL3 U4
patch pool this evening (in kernel version 2.4.21-25.EL).
Comment 24 Ernie Petrides 2004-11-17 16:37:28 EST
*** Bug 127915 has been marked as a duplicate of this bug. ***
Comment 25 Ernie Petrides 2004-11-24 20:28:02 EST
The fix for this problem has also been committed to the RHEL3 E4
patch pool this evening (in kernel version 2.4.21-20.0.1.EL).
Comment 26 Mark J. Cox (Product Security) 2004-12-02 06:36:38 EST
Comment 28 Marcel Holtmann 2006-05-31 09:23:34 EDT
The correct CVE name for this issue is CVE-2004-0138.
