Bug 205335 - CVE-2006-4538 Local DoS with corrupted ELF
CVE-2006-4538 Local DoS with corrupted ELF
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
4.0
All Linux
medium Severity medium
Assigned To: Dave Anderson
Brian Brock
impact=moderate,reported=20060905,sou...
: Security
Depends On:
Blocks: CVE-2006-4538
Reported: 2006-09-06 01:49 EDT by Marcel Holtmann
Modified: 2007-11-30 17:07 EST (History)
2 users

See Also:
Fixed In Version: RHSA-2007-0014
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-30 09:26:59 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
pre-compiled ia64 ELF file with corrupted PT_LOAD segments. (8.82 KB, application/octet-stream)
2006-09-26 08:41 EDT, Dave Anderson
generic binary file corrupter (2.70 KB, text/plain)
2006-09-26 08:46 EDT, Dave Anderson

Description Marcel Holtmann 2006-09-06 01:49:40 EDT
From Kirill Korotaev:

When running on IA64 or SPARC platforms, local users can cause a denial of
service via a malformed ELF file and then triggered by cross-region mappings.

http://lkml.org/lkml/2006/9/4/116
Comment 2 Dave Anderson 2006-09-25 16:05:17 EDT

Where's the reproducer?  I don't see any reference to it anywhere
in the thread.
Comment 3 Marcel Holtmann 2006-09-25 16:15:21 EDT
I don't have a reproducer for this one.
Comment 4 Dave Anderson 2006-09-25 16:19:49 EDT
Jason,

What do you suggest in this case?  Cobble up a patch, compile it,
and post it saying, "we don't have a reproducer"?
Comment 5 Dave Anderson 2006-09-26 08:39:14 EDT
Cancel the needinfo -- I contacted Kirill Korotaev, and he forwarded me
an ia64 reproducer (actually 2).  His response follows, and I will attach
both the mangle.c program as well as his pre-compiled  :

 Subject: Re: [PATCH] IA64,sparc: local DoS with corrupted ELFs
    Date: Tue, 26 Sep 2006 10:24:21 +0400
    From: Kirill Korotaev <dev@sw.ru>
      To: Dave Anderson <anderson@redhat.com>

Dave,

> I just got assigned this CVE for a RHEL4 back-port.
> By any chance do you have a pointer to a quick-and-dirty
> reproducer for ia64?  Or instructions on how I could tinker
> with an ia64 ELF header to reproduce the DOS?

ELF file is attached.

I'd recommend RedHat to incorporate the original test with a program
which hacks ELF files randomly and run it on a regular basis.
This is what we do with OpenVZ.

The original test was from security@kernel.org from Dave Jones email:

----- cut -----
1. grab http://www.digitaldwarf.be/products/mangle.c
2. create a test.c which is..

#include <stdio.h>
int main(void)
{
        printf ("Worked\n");
        return 0;
}

3. run this script..
#!/bin/bash
# Loop forever: build the test program, corrupt the resulting ELF with a
# random seed, then try to execute it; watch for the kernel misbehaving.
while true;
do
        gcc test.c
        ~/fuzz/mangle a.out $RANDOM
        ./a.out
done

4. wait, until this happens..
----- cut -----

Thanks,
Kirill


                     Name: bad_ia64_elf
   bad_ia64_elf      Type: unspecified type (application/octet-stream)
                 Encoding: base64
Comment 6 Dave Anderson 2006-09-26 08:41:33 EDT
Created attachment 137132 [details]
pre-compiled ia64 ELF file with corrupted PT_LOAD segments.
Comment 7 Dave Anderson 2006-09-26 08:46:56 EDT
Created attachment 137133 [details]
generic binary file corrupter

Note that this program does not specifically attack the issue 
addressed by this particular bug, but in a random attempt, may
create a corrupt ELF header that does bump into it.
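As an added defender's example (not part of this bug report, Kirill's email, or the attached mangle.c and bad_ia64_elf), the following Python sanity-checks the PT_LOAD program headers of an ELF64 image before anything tries to load it, the kind of structural triage a fuzzing harness could run over the corrupted binaries that the mangle loop in Comment 5 produces. It parses the program-header table and flags p_filesz larger than p_memsz, file-backed bytes past end of file, p_vaddr/p_offset misalignment, 64-bit address wraparound, and overlapping segments. The constructed images GOOD_ELF and BAD_ELF, the make_elf() helper, and the specific checks are assumptions of this example; they are not the kernel's ELF loader logic and do not reproduce the particular defect fixed by RHSA-2007-0014.

```python
import struct

# Constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, EM_IA_64 = 2, 50
PT_LOAD = 1
EHDR_FMT, EHDR_SIZE = "<HHIQQQIHHHHHH", 64   # Elf64_Ehdr after e_ident[16]
PHDR_FMT, PHDR_SIZE = "<IIQQQQQQ", 56        # Elf64_Phdr
U64_MAX = (1 << 64) - 1


def program_headers(data):
    """Parse a little-endian ELF64 image and return its program headers as dicts."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_phoff, e_phentsize, e_phnum = fields[4], fields[8], fields[9]
    # The table itself must fit inside the file before we read any entry.
    if e_phentsize < PHDR_SIZE or e_phoff + e_phentsize * e_phnum > len(data):
        raise ValueError("program header table lies outside the file")
    names = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    return [dict(zip(names, struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)))
            for i in range(e_phnum)]


def check_pt_load(data):
    """Return a list of sanity findings for the PT_LOAD segments (empty if none)."""
    findings = []
    loads = [h for h in program_headers(data) if h["type"] == PT_LOAD]
    for i, h in enumerate(loads):
        if h["filesz"] > h["memsz"]:
            findings.append(f"segment {i}: p_filesz exceeds p_memsz")
        if h["offset"] + h["filesz"] > len(data):
            findings.append(f"segment {i}: file-backed bytes extend past end of file")
        # For a loadable segment p_vaddr and p_offset must be congruent modulo p_align.
        if h["align"] > 1 and (h["vaddr"] - h["offset"]) % h["align"]:
            findings.append(f"segment {i}: p_vaddr and p_offset not congruent modulo p_align")
        if h["vaddr"] + h["memsz"] > U64_MAX:
            findings.append(f"segment {i}: p_vaddr + p_memsz wraps the 64-bit address space")
    # Overlap between virtual address ranges: sort by start and compare neighbours.
    ranges = sorted((h["vaddr"], h["vaddr"] + h["memsz"], i) for i, h in enumerate(loads))
    for (s1, e1, i1), (s2, e2, i2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append(f"segments {i1} and {i2} overlap in virtual memory")
    return findings


def make_elf(phdrs, size=4096):
    """Build a constructed (not executable) ELF64 image from raw Elf64_Phdr tuples."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + bytes(9)
    ehdr = ident + struct.pack(EHDR_FMT, ET_EXEC, EM_IA_64, 1, 0x400000, EHDR_SIZE, 0, 0,
                               EHDR_SIZE, PHDR_SIZE, len(phdrs), 0, 0, 0)
    body = ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)
    return body + bytes(size - len(body))


# Constructed sample images. Tuple layout:
# (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align)
GOOD_ELF = make_elf([
    (PT_LOAD, 5, 0x000, 0x400000, 0x400000, 0x200, 0x200, 0x1000),
    (PT_LOAD, 6, 0x200, 0x600200, 0x600200, 0x100, 0x200, 0x1000),
])
# Second segment: filesz > memsz, data past EOF, misaligned, overlaps the first;
# third segment: p_vaddr + p_memsz wraps past the top of the address space.
BAD_ELF = make_elf([
    (PT_LOAD, 5, 0x000, 0x400000, 0x400000, 0x200, 0x200, 0x1000),
    (PT_LOAD, 6, 0x200, 0x400100, 0x400100, 0x2000, 0x100, 0x1000),
    (PT_LOAD, 4, 0x000, 0xFFFFFFFFFFFFF000, 0xFFFFFFFFFFFFF000, 0x10, 0x2000, 0x1000),
])

if __name__ == "__main__":
    for name, blob in (("good", GOOD_ELF), ("bad", BAD_ELF)):
        print(name, check_pt_load(blob) or "no findings")
```

Run against a directory of fuzzer output, a non-empty findings list is a cheap way to separate files that are merely corrupt from files that are structurally plausible yet still crash the loader, which are the interesting ones for a kernel bug report.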
Comment 8 Dave Anderson 2006-09-29 10:57:41 EDT
Proposed patch posted:

http://post-office.corp.redhat.com/archives/rhkernel-list/2006-September/msg00929.html
Comment 9 Jason Baron 2006-10-10 11:24:21 EDT
committed in stream U5 build 42.17. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
Comment 10 Jason Baron 2006-12-18 16:37:33 EST
committed in stream E5 build 42.0.4
Comment 12 Mike Gahagan 2007-01-22 13:17:54 EST
verified with the attached reproducer, I also wasn't able to see any other
problems with a few runs of fuzzing elf binaries.
Comment 14 Red Hat Bugzilla 2007-01-30 09:26:59 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0014.html
