142965 – CAN-2004-1234 kernel denial of service vulnerability and exploit

Bug 142965 - CAN-2004-1234 kernel denial of service vulnerability and exploit

Summary: CAN-2004-1234 kernel denial of service vulnerability and exploit

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	3.0
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Dave Anderson
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	142969 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-12-15 14:30 UTC by Wim Vereecken
Modified:	2007-11-30 22:07 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2004-12-23 20:48:02 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2004:689	0	normal	SHIPPED_LIVE	Important: kernel security update	2004-12-23 05:00:00 UTC

Description Wim Vereecken 2004-12-15 14:30:20 UTC

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera 
7.23  [en]

Description of problem:
Crash binary (44 bytes) for the Linux kernel 2.4.21-20.EL and 
probably earlier versions, freezing the complete system, even when 
executed without root privileges.



Version-Release number of selected component (if applicable):
2.4.21-20.EL (Red Hat Enterprise Linux AS release 3 / Taroon Update 
3)

How reproducible:
Always

Steps to Reproduce:
1.wget http://www.esat.kuleuven.ac.be/~wvereeck/kernel/exploit
2.chmod 755 exploit
3../exploit (as non-root)
4.freeze and cook up an excuse for your sysadmins
    

Actual Results:  The system freezes, so nothing world-astonishing 
happens.

Expected Results:  No crash/freeze, there are other OS's for this.

Additional info:

There seems to be a problem with the e_phnum byte in the ELF header,
which crashes the linker/kernel, when it holds a zero.

Comment 1 Mark J. Cox 2004-12-15 14:51:33 UTC

Please see http://rhn.redhat.com/errata/RHSA-2004-549.html

Comment 2 Mark J. Cox 2004-12-15 16:53:37 UTC

*** Bug 142969 has been marked as a duplicate of this bug. ***

Comment 3 Ernie Petrides 2004-12-15 22:54:16 UTC

I've just confirmed that the crash is reproducible (by an unprivileged user)
on the RHEL3 U4 kernel (2.4.21-27.EL), so I'm reopening this.

Comment 4 Ernie Petrides 2004-12-15 22:57:43 UTC

Crash is in fput()+2, probably called from search_binary_handler().

Comment 5 Dave Anderson 2004-12-17 15:40:42 UTC

Fix has been posted to rhkernel-list today.

Comment 6 Ernie Petrides 2004-12-20 23:42:30 UTC

A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.1.EL).

Comment 7 Mark J. Cox 2004-12-21 13:21:23 UTC

Note this is fixed upstream,
http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ

CAN-2004-1234

Comment 8 Ernie Petrides 2004-12-22 21:56:23 UTC

A fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-27.4.EL).

Comment 9 Josh Bressers 2004-12-23 20:48:02 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-689.html

Comment 10 Kirill Korotaev 2004-12-25 14:03:47 UTC

FYI, to tell the truth, this patch is written by
Vasiliy Averin <vvs> from SWsoft Linux Kernel Team.
I've just posted it.

Note You need to log in before you can comment on or make changes to this bug.