Red Hat Bugzilla – Bug 142965
CAN-2004-1234 kernel denial of service vulnerability and exploit
Last modified: 2007-11-30 17:07:05 EST
Description of problem:
Crash binary (44 bytes) for the Linux kernel 2.4.21-20.EL and
probably earlier versions, freezing the complete system, even when
executed without root privileges.
Version-Release number of selected component (if applicable):
2.4.21-20.EL (Red Hat Enterprise Linux AS release 3 / Taroon Update
Steps to Reproduce:
2. chmod 755 exploit
3. ./exploit (as non-root)
4. freeze and cook up an excuse for your sysadmins
Actual Results: The system freezes, so nothing world-astonishing
Expected Results: No crash/freeze; there are other OSes for this.
There seems to be a problem with the e_phnum byte in the ELF header,
which crashes the linker/kernel when it holds a zero.
Please see http://rhn.redhat.com/errata/RHSA-2004-549.html
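As an added example (not from the bug report, Red Hat, or the patch author), the following Python check parses an ELF32 header the way a pre-execution scanner or forensic triage script would and reports the condition described above: an e_phnum of zero, including the case where the file is truncated so that the kernel's zero-filled read buffer makes the field read as zero. The sample headers are constructed inline; field offsets follow the ELF32 specification (e_phnum sits at byte offset 44).

```python
import struct

ELF32_EHDR_SIZE = 52                    # sizeof(Elf32_Ehdr)
ELF32_EHDR_FMT = "16sHHIIIIIHHHHHH"     # Elf32_Ehdr fields, in order
ELF32_PHDR_SIZE = 32                    # sizeof(Elf32_Phdr)

def check_elf32_header(data: bytes) -> dict:
    """Parse an ELF32 header and list program-header field defects."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        return {"is_elf": False, "findings": ["not an ELF file"]}
    if data[4] != 1:                      # EI_CLASS: 1 = ELFCLASS32
        return {"is_elf": True, "findings": ["not ELF32; not checked here"]}
    endian = ">" if data[5] == 2 else "<" # EI_DATA: 2 = big-endian
    findings = []
    # A file shorter than the header leaves trailing fields unset; the
    # kernel zero-fills its read buffer, so those fields read as 0.
    if len(data) < ELF32_EHDR_SIZE:
        findings.append(f"header truncated at {len(data)} bytes")
        data = data.ljust(ELF32_EHDR_SIZE, b"\x00")
    f = struct.unpack(endian + ELF32_EHDR_FMT, data[:ELF32_EHDR_SIZE])
    e_phoff, e_phentsize, e_phnum = f[5], f[9], f[10]
    if e_phnum == 0:
        findings.append("e_phnum is 0 (no program headers)")
    if e_phentsize != ELF32_PHDR_SIZE:
        findings.append(f"e_phentsize is {e_phentsize}, expected {ELF32_PHDR_SIZE}")
    if e_phnum and e_phoff < ELF32_EHDR_SIZE:
        findings.append(f"e_phoff {e_phoff} overlaps the ELF header")
    return {"is_elf": True, "e_phnum": e_phnum, "e_phentsize": e_phentsize,
            "findings": findings}

def make_header(e_phnum: int, e_phoff: int = ELF32_EHDR_SIZE) -> bytes:
    """Constructed sample: little-endian ELF32 executable header for i386."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9   # class32, LE, v1
    return struct.pack("<" + ELF32_EHDR_FMT, ident, 2, 3, 1, 0x8048000,
                       e_phoff, 0, 0, ELF32_EHDR_SIZE, ELF32_PHDR_SIZE,
                       e_phnum, 40, 0, 0)

GOOD_HEADER = make_header(e_phnum=1)        # one program header, as expected
ZERO_PHNUM_HEADER = make_header(e_phnum=0)  # the e_phnum == 0 case from the report
TRUNCATED_HEADER = GOOD_HEADER[:44]         # file ends exactly where e_phnum starts

if __name__ == "__main__":
    for name, blob in [("good", GOOD_HEADER), ("zero-phnum", ZERO_PHNUM_HEADER),
                       ("truncated", TRUNCATED_HEADER)]:
        print(name, check_elf32_header(blob))
```

Any non-empty findings list is a reason to quarantine the file for review rather than let a loader touch it.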
*** Bug 142969 has been marked as a duplicate of this bug. ***
I've just confirmed that the crash is reproducible (by an unprivileged user)
on the RHEL3 U4 kernel (2.4.21-27.EL), so I'm reopening this.
Crash is in fput()+2, probably called from search_binary_handler().
Fix has been posted to rhkernel-list today.
A fix for this problem has just been committed to the RHEL3 E5
patch pool this evening (in kernel version 2.4.21-27.0.1.EL).
Note this is fixed upstream,
A fix for this problem has also been committed to the RHEL3 U5
patch pool this evening (in kernel version 2.4.21-27.4.EL).
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
FYI, to tell the truth, this patch is written by
Vasiliy Averin <firstname.lastname@example.org> from SWsoft Linux Kernel Team.
I've just posted it.