Bug 205335 - CVE-2006-4538 Local DoS with corrupted ELF
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Dave Anderson
QA Contact: Brian Brock
Keywords: Security
Blocks: CVE-2006-4538
Reported: 2006-09-06 01:49 EDT by Marcel Holtmann
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2007-0014
Doc Type: Bug Fix
Last Closed: 2007-01-30 09:26:59 EST

Attachments
pre-compiled ia64 ELF file with corrupted PT_LOAD segments. (8.82 KB, application/octet-stream) 2006-09-26 08:41 EDT, Dave Anderson
generic binary file corrupter (2.70 KB, text/plain) 2006-09-26 08:46 EDT, Dave Anderson

Description Marcel Holtmann 2006-09-06 01:49:40 EDT
From Kirill Korotaev:

When running on IA64 or SPARC platforms, local users can cause a denial of
service via a malformed ELF file, triggered by cross-region mappings.

Comment 2 Dave Anderson 2006-09-25 16:05:17 EDT

Where's the reproducer?  I don't see any reference to it anywhere
in the thread.
Comment 3 Marcel Holtmann 2006-09-25 16:15:21 EDT
I don't have a reproducer for this one.
Comment 4 Dave Anderson 2006-09-25 16:19:49 EDT

What do you suggest in this case?  Cobble up a patch, compile it,
and post it saying, "we don't have a reproducer"?
Comment 5 Dave Anderson 2006-09-26 08:39:14 EDT
Cancel the needinfo -- I contacted Kirill Korotaev, and he forwarded me
an ia64 reproducer (actually 2).  His response follows, and I will attach
both the mangle.c program as well as his pre-compiled :

 Subject: Re: [PATCH] IA64,sparc: local DoS with corrupted ELFs
    Date: Tue, 26 Sep 2006 10:24:21 +0400
    From: Kirill Korotaev <dev@sw.ru>
      To: Dave Anderson <anderson@redhat.com>


> I just got assigned this CVE for a RHEL4 back-port.
> By any chance do you have a pointer to a quick-and-dirty
> reproducer for ia64?  Or instructions on how I could tinker
> with an ia64 ELF header to reproduce the DOS?

ELF file is attached.

I'd recommend that RedHat incorporate the original test with a program
which hacks ELF files randomly and run it on a regular basis.
This is what we do with OpenVZ.

The original test was from security@kernel.org from Dave Jones email:

----- cut -----
1. grab http://www.digitaldwarf.be/products/mangle.c
2. create a test.c which is..

#include <stdio.h>
int main(void)
{
        printf ("Worked\n");
        return 0;
}

3. run this script..
while [ 1 ]; do
        gcc test.c
        ~/fuzz/mangle a.out $RANDOM
done
4. wait, until this happens..
----- cut -----


Attached: bad_ia64_elf (application/octet-stream, base64)
Comment 6 Dave Anderson 2006-09-26 08:41:33 EDT
Created attachment 137132
pre-compiled ia64 ELF file with corrupted PT_LOAD segments.
Comment 7 Dave Anderson 2006-09-26 08:46:56 EDT
Created attachment 137133
generic binary file corrupter

Note that this program does not specifically attack the issue 
addressed by this particular bug, but in a random attempt, may
create a corrupt ELF header that does bump into it.
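A defensive counterpart to the random corrupter above, added here as an example that is not part of the bug report, of mangle.c, or of the kernel fix: a small Python checker that parses an ELF64 program-header table and flags the conditions this bug is about (PT_LOAD segments whose virtual ranges cross an ia64 region boundary or overlap each other) before anything maps them, together with generic header sanity checks (phdr table beyond end of file, p_filesz larger than p_memsz, vaddr+memsz wrapping) that go beyond this CVE. The ELF constants are from the ELF specification; the assumption that an ia64 region number is the top three bits of a 64-bit virtual address is mine, as are the three constructed ELF images, which are synthetic test data and not real binaries.

```python
import struct

# ELF64 little-endian constants (ELF specification).
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
EV_CURRENT = 1
ET_EXEC = 2
EM_IA_64 = 50
PT_LOAD = 1
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes
PHDR_FIELDS = ("p_type", "p_flags", "p_offset", "p_vaddr", "p_paddr",
               "p_filesz", "p_memsz", "p_align")
# Assumption: on ia64 the region number is the top 3 bits of the virtual address.
REGION_SHIFT = 61


def region_number(addr):
    return addr >> REGION_SHIFT


def parse_elf64(data):
    """Return (e_machine, program headers); raise ValueError if the ELF
    header or the program-header table is structurally corrupt."""
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    (ident, _type, e_machine, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from(EHDR_FMT, data)
    if ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        raise ValueError("only ELF64 little-endian is handled here")
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table runs past end of file")
    phdrs = [dict(zip(PHDR_FIELDS,
                      struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    return e_machine, phdrs


def header_is_sane(data):
    """True if the ELF/program headers parse, False on structural corruption."""
    try:
        parse_elf64(data)
        return True
    except ValueError:
        return False


def check_pt_load(data):
    """Return a list of problems found in the PT_LOAD segments (empty if clean)."""
    _machine, phdrs = parse_elf64(data)
    loads = [p for p in phdrs if p["p_type"] == PT_LOAD]
    problems = []
    for i, p in enumerate(loads):
        start = p["p_vaddr"]
        end = start + p["p_memsz"]          # exclusive end of the mapping
        if p["p_filesz"] > p["p_memsz"]:
            problems.append("PT_LOAD[%d]: p_filesz exceeds p_memsz" % i)
        if p["p_offset"] + p["p_filesz"] > len(data):
            problems.append("PT_LOAD[%d]: file bytes lie outside the file" % i)
        if end > 1 << 64:
            problems.append("PT_LOAD[%d]: vaddr + memsz wraps the address space" % i)
        elif p["p_memsz"] and region_number(start) != region_number(end - 1):
            problems.append("PT_LOAD[%d]: mapping crosses an ia64 region boundary" % i)
        for j in range(i):                   # pairwise overlap with earlier segments
            q_start = loads[j]["p_vaddr"]
            q_end = q_start + loads[j]["p_memsz"]
            if start < q_end and q_start < end:
                problems.append("PT_LOAD[%d] overlaps PT_LOAD[%d]" % (i, j))
    return problems


def build_elf(segments, machine=EM_IA_64):
    """Constructed test data: a minimal ELF64 image with one PT_LOAD per
    (offset, vaddr, filesz, memsz) tuple. Not a real, runnable binary."""
    phoff = struct.calcsize(EHDR_FMT)
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, EV_CURRENT]) + b"\0" * 9
    ehdr = struct.pack(EHDR_FMT, ident, ET_EXEC, machine, EV_CURRENT, 0, phoff, 0, 0,
                       phoff, struct.calcsize(PHDR_FMT), len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, PT_LOAD, 5, off, va, va, fsz, msz, 0x4000)
                     for off, va, fsz, msz in segments)
    return ehdr + phdrs


# Constructed images: two well-formed segments in ia64 region 2 ...
GOOD_ELF = build_elf([(0x00, 0x4000000000000000, 0x40, 0x40),
                      (0x40, 0x4000000000004000, 0x40, 0x40)])
# ... a segment that straddles the region 1 / region 2 boundary plus one
# that overlaps it ...
BAD_ELF = build_elf([(0x00, 0x3FFFFFFFFFFFF000, 0x40, 0x2000),
                     (0x00, 0x3FFFFFFFFFFFF000, 0x40, 0x1000)])
# ... and a header whose e_phnum (offset 56 in Elf64_Ehdr) was mangled.
_tmp = bytearray(GOOD_ELF)
struct.pack_into("<H", _tmp, 56, 0xFFFF)
CORRUPT_PHNUM_ELF = bytes(_tmp)

if __name__ == "__main__":
    for name, img in (("good", GOOD_ELF), ("bad", BAD_ELF), ("corrupt", CORRUPT_PHNUM_ELF)):
        print(name, check_pt_load(img) if header_is_sane(img) else "header corrupt")
```

A checker like this is useful as a triage filter in front of a fuzz loop such as the one in comment 5: each mutated a.out can be classified by which header invariant it violates, so a kernel crash can be tied to a specific malformed field rather than to "some random corruption".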
Comment 8 Dave Anderson 2006-09-29 10:57:41 EDT
Proposed patch posted:

Comment 9 Jason Baron 2006-10-10 11:24:21 EDT
committed in stream U5 build 42.17. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 10 Jason Baron 2006-12-18 16:37:33 EST
committed in stream E5 build 42.0.4
Comment 12 Mike Gahagan 2007-01-22 13:17:54 EST
verified with the attached reproducer, I also wasn't able to see any other
problems with a few runs of fuzzing elf binaries.
Comment 14 Red Hat Bugzilla 2007-01-30 09:26:59 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.