Bug 144362 - CAN-2004-1074 a.out binfmt DoS
Summary: CAN-2004-1074 a.out binfmt DoS
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kernel
Version: 2.1
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Jim Paradis
QA Contact: Brian Brock
URL:
Whiteboard: public=20041111,impact=important
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-01-06 15:24 UTC by Josh Bressers
Modified: 2007-11-30 22:06 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-01-17 21:31:10 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Josh Bressers 2005-01-06 15:24:08 UTC
*** This bug has been split off bug 144361 ***

------- Original comment by Josh Bressers (Security Response Team) on 2005.01.06
10:21 -------

From the lkml mailing list.
http://www.ussg.iu.edu/hypermail/linux/kernel/0411.1/1222.html

It is possible that an improperly formed a.out binary can cause a
kernel-oops, which if executed in a loop will ead fd's and memory.
It seems that you have to turn on memory overcommit on for this to
work.

davej says we didn't enable a.out binaries on FC3 and RHEL4.  This
will be undone in the future though.

We do not turn on memory overcommit by default in RHEL2.1 or 3.
This should make the impact of this issue significantly mitigated
since it seems the issue is only exploitable when overcommit
is on (sysctl -w vm.overcommit_memory=1).  However note that
we do tell customers how to turn this on.

fixed=2.6.10 (20041116 cset@419aaba8xdR0decwoMnVpt3G8_f8kQ)
not fixed for 2.4 (as at Nov24)

Patch: http://www.ussg.iu.edu/hypermail/linux/kernel/0411.1/1290.html

Comment 1 Jim Paradis 2005-01-17 21:31:10 UTC
This is NOTABUG for AS2.1-i386 since it is based on 2.4.9 which handles vma's
differently.  The poisoned binary exits with an error rather than crashing, so
there's no DoS.



Note You need to log in before you can comment on or make changes to this bug.