From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera 7.23 [en] Description of problem: Crash binary (44 bytes) for the Linux kernel 2.4.21-20.EL and probably earlier versions, freezing the complete system, even when executed without root privileges. Version-Release number of selected component (if applicable): 2.4.21-20.EL (Red Hat Enterprise Linux AS release 3 / Taroon Update 3) How reproducible: Always Steps to Reproduce: 1.wget http://www.esat.kuleuven.ac.be/~wvereeck/kernel/exploit 2.chmod 755 exploit 3../exploit (as non-root) 4.freeze and cook up an excuse for your sysadmins Actual Results: The system freezes, so nothing world-astonishing happens. Expected Results: No crash/freeze, there are other OS's for this. Additional info: There seems to be a problem with the e_phnum byte in the ELF header, which crashes the linker/kernel, when it holds a zero.
Please see http://rhn.redhat.com/errata/RHSA-2004-549.html
*** Bug 142969 has been marked as a duplicate of this bug. ***
I've just confirmed that the crash is reproducible (by an unprivileged user) on the RHEL3 U4 kernel (2.4.21-27.EL), so I'm reopening this.
Crash is in fput()+2, probably called from search_binary_handler().
Fix has been posted to rhkernel-list today.
A fix for this problem has just been committed to the RHEL3 E5 patch pool this evening (in kernel version 2.4.21-27.0.1.EL).
Note this is fixed upstream, http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ CAN-2004-1234
A fix for this problem has also been committed to the RHEL3 U5 patch pool this evening (in kernel version 2.4.21-27.4.EL).
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-689.html
FYI, to tell the truth, this patch is written by Vasiliy Averin <vvs> from SWsoft Linux Kernel Team. I've just posted it.