Bug 193104 - Kernel crash via malformed ELF executable
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Ernie Petrides
QA Contact: Brian Brock
Keywords: Security
Reported: 2006-05-25 06:49 EDT by Marcel Holtmann
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2006-05-26 16:43:07 EDT
Attachment: Full source code of convertcore program (2.18 KB, text/x-csrc), 2006-05-30 16:21 EDT, Marcel Holtmann

Description Marcel Holtmann 2006-05-25 06:49:14 EDT
According to a posting from the Linux Kernel mailing list it is possible to create
an ELF executable that will crash the running Linux kernel on execution:

Comment 1 Ernie Petrides 2006-05-26 16:43:07 EDT
The routine at the URL above is not a whole program.  I added the following
main() function as follows:

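int main(int argc, char *argv[])
{
        int rfd, wfd;

        /* args: input file, output file, numeric argument for ChangeElfHeader() (the posted routine) */
        if (argc != 4)
                return 1;
        if ((rfd = open(argv[1], O_RDONLY)) < 0)
                return 1;
        if ((wfd = open(argv[2], O_WRONLY | O_CREAT | O_TRUNC, 0777)) < 0)
                return 1;
        ChangeElfHeader(rfd, wfd, strtoul(argv[3], (char **)0, 0));
        return 0;
}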

along with an include of <stdlib.h> and ran it according to the directions
in the LKML posting (on an x86_64 box).  I then ran the resulting "runt"
ELF image.  No crash occurred.  The exec() simply failed with ENOMEM.

Closing as NOTABUG.
Comment 2 Marcel Holtmann 2006-05-29 06:40:12 EDT
The whole program can be found in his own reply to his post. It contains an
additional finishWriting() routine.
Comment 3 Ernie Petrides 2006-05-30 16:05:32 EDT
Marcel, please attach the whole program that you think is capable of
reproducing the problem, and I'll retest it.  Thanks in advance.
Comment 4 Marcel Holtmann 2006-05-30 16:21:37 EDT
Created attachment 130248
Full source code of convertcore program
Comment 5 Ernie Petrides 2006-05-30 16:56:04 EDT
Thanks, Marcel.  I've tried the complete test case on both i386 and x86_64
boxes, and neither produced a crash.  Rather, the converted "executable"
simply incurred a segmentation violation.

Please try to reproduce simple problems like this in the future.  Thanks
in advance, Marcel.
