Bug 205335 - CVE-2006-4538 Local DoS with corrupted ELF
Summary: CVE-2006-4538 Local DoS with corrupted ELF
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Dave Anderson
QA Contact: Brian Brock
Whiteboard: impact=moderate,reported=20060905,sou...
Depends On:
Blocks: CVE-2006-4538
Reported: 2006-09-06 05:49 UTC by Marcel Holtmann
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2007-0014
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-01-30 14:26:59 UTC
Target Upstream Version:

Attachments
pre-compiled ia64 ELF file with corrupted PT_LOAD segments. (8.82 KB, application/octet-stream) -- 2006-09-26 12:41 UTC, Dave Anderson
generic binary file corrupter (2.70 KB, text/plain) -- 2006-09-26 12:46 UTC, Dave Anderson

Related errata: Red Hat Product Errata RHSA-2007:0014 (priority normal, status SHIPPED_LIVE) "Important: kernel security update", last updated 2007-01-30 14:25:00 UTC

Description Marcel Holtmann 2006-09-06 05:49:40 UTC
From Kirill Korotaev:

When running on IA64 or SPARC platforms, local users can cause a denial of
service via a malformed ELF file, triggered by cross-region mappings.


Comment 2 Dave Anderson 2006-09-25 20:05:17 UTC

Where's the reproducer?  I don't see any reference to it anywhere
in the thread.

Comment 3 Marcel Holtmann 2006-09-25 20:15:21 UTC
I don't have a reproducer for this one.

Comment 4 Dave Anderson 2006-09-25 20:19:49 UTC

What do you suggest in this case?  Cobble up a patch, compile it,
and post it saying, "we don't have a reproducer"?

Comment 5 Dave Anderson 2006-09-26 12:39:14 UTC
Cancel the needinfo -- I contacted Kirill Korotaev, and he forwarded me
an ia64 reproducer (actually 2).  His response follows, and I will attach
both the mangle.c program as well as his pre-compiled :

 Subject: Re: [PATCH] IA64,sparc: local DoS with corrupted ELFs
    Date: Tue, 26 Sep 2006 10:24:21 +0400
    From: Kirill Korotaev <dev@sw.ru>
      To: Dave Anderson <anderson@redhat.com>


> I just got assigned this CVE for a RHEL4 back-port.
> By any chance do you have a pointer to a quick-and-dirty
> reproducer for ia64?  Or instructions on how I could tinker
> with an ia64 ELF header to reproduce the DOS?

ELF file is attached.

I'd recommend that Red Hat incorporate the original test with a program
which hacks ELF files randomly and run it on a regular basis.
This is what we do with OpenVZ.

The original test was from security@kernel.org, from Dave Jones' email:

----- cut -----
1. grab http://www.digitaldwarf.be/products/mangle.c
2. create a test.c which is..

#include <stdio.h>
int main(void)
{
        printf ("Worked\n");
        return 0;
}

3. run this script..
while [ 1 ]; do
        gcc test.c                   # rebuild a fresh a.out each iteration
        ~/fuzz/mangle a.out $RANDOM  # corrupt it with a random seed
done

4. wait, until this happens..
----- cut -----


Attachment: bad_ia64_elf (unspecified type, application/octet-stream; base64-encoded)

Comment 6 Dave Anderson 2006-09-26 12:41:33 UTC
Created attachment 137132 [details]
pre-compiled ia64 ELF file with corrupted PT_LOAD segments.

Comment 7 Dave Anderson 2006-09-26 12:46:56 UTC
Created attachment 137133 [details]
generic binary file corrupter

Note that this program does not specifically attack the issue 
addressed by this particular bug, but in a random attempt, may
create a corrupt ELF header that does bump into it.

Comment 8 Dave Anderson 2006-09-29 14:57:41 UTC
Proposed patch posted:


Comment 9 Jason Baron 2006-10-10 15:24:21 UTC
Committed in stream U5 build 42.17. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/

Comment 10 Jason Baron 2006-12-18 21:37:33 UTC
Committed in stream E5 build 42.0.4.

Comment 12 Mike Gahagan 2007-01-22 18:17:54 UTC
Verified with the attached reproducer; I also wasn't able to see any other
problems with a few runs of fuzzing ELF binaries.

Comment 14 Red Hat Bugzilla 2007-01-30 14:26:59 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

