From Kirill Korotaev: When running on IA64 or SPARC platforms, local users can cause a denial of service via a malformed ELF file and then triggered by cross-region mappings. http://lkml.org/lkml/2006/9/4/116
Where's the reproducer? I don't see any reference to it anywhere in the thread.
I don't have a reproducer for this one.
Jason, what do you suggest in this case? Cobble up a patch, compile it, and post it saying, "we don't have a reproducer"?
Cancel the needinfo -- I contacted Kirill Korotaev, and he forwarded me an ia64 reproducer (actually 2). His response follows, and I will attach both the mangle.c program as well as his pre-compiled:

Subject: Re: [PATCH] IA64,sparc: local DoS with corrupted ELFs
Date: Tue, 26 Sep 2006 10:24:21 +0400
From: Kirill Korotaev <dev>
To: Dave Anderson <anderson>

Dave,

> I just got assigned this CVE for a RHEL4 back-port.
> By any chance do you have a pointer to a quick-and-dirty
> reproducer for ia64? Or instructions on how I could tinker
> with an ia64 ELF header to reproduce the DOS?

ELF file is attached.

I'd recommend RedHat to incorporate the original test with a program which hacks ELF files randomly and run it on regular basis. This is what we do with OpenVZ. The original test was from security from Dave Jones email:

----- cut -----
1. grab http://www.digitaldwarf.be/products/mangle.c
2. create a test.c which is..

#include <stdio.h>

int main(void)
{
	printf ("Worked\n");
	return 0;
}

3. run this script..

#!/bin/bash
while [ 1 ]; do
	gcc test.c
	~/fuzz/mangle a.out $RANDOM
	./a.out
done

4. wait, until this happens..
----- cut -----

Thanks,
Kirill

Name: bad_ia64_elf
Created attachment 137132: pre-compiled ia64 ELF file with corrupted PT_LOAD segments.
Created attachment 137133: generic binary file corrupter. Note that this program does not specifically attack the issue addressed by this particular bug, but in a random attempt, may create a corrupt ELF header that does bump into it.
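As an added defender-side example (not code from this thread, the attachments, or the kernel patch), the following Python linter reads the ELF64 program-header table and flags PT_LOAD segments of the kind the corrupted reproducer carries: a segment whose mapping would cross an IA-64 region boundary (IA-64 selects one of eight virtual regions by address bits 63:61), wrap the 64-bit address space, or claim more file bytes than memory. The sample ELF bytes, the segment tuples and the reason strings are constructed here for illustration.

```python
import struct

PT_LOAD = 1
EM_IA_64 = 50
EHDR_BODY = "16sHHIQQQIHHHHHH"   # Elf64_Ehdr field layout (64 bytes)
PHDR_BODY = "IIQQQQQQ"           # Elf64_Phdr field layout (56 bytes)
CROSSES_REGION = "PT_LOAD segment crosses an IA-64 region boundary"
WRAPS_SPACE = "PT_LOAD p_vaddr + p_memsz wraps the 64-bit address space"
FILESZ_GT_MEMSZ = "PT_LOAD p_filesz exceeds p_memsz"

def ia64_region(addr):
    # IA-64 splits the 64-bit virtual address space into 8 regions selected by bits 63:61.
    return addr >> 61

def check_pt_load_segments(data):
    """Return [(phdr index, reason)] for PT_LOAD entries an IA-64 loader should refuse."""
    if data[:4] != b"\x7fELF" or data[4] != 2:        # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 file")
    order = "<" if data[5] == 1 else ">"               # EI_DATA selects the byte order
    ehdr = struct.unpack_from(order + EHDR_BODY, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    if e_phentsize < struct.calcsize(order + PHDR_BODY) or e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table is truncated or malformed")
    problems = []
    for i in range(e_phnum):
        p = struct.unpack_from(order + PHDR_BODY, data, e_phoff + i * e_phentsize)
        p_type, p_vaddr, p_filesz, p_memsz = p[0], p[3], p[5], p[6]
        if p_type != PT_LOAD or p_memsz == 0:
            continue
        end = p_vaddr + p_memsz                          # Python ints never wrap, so overflow stays visible
        if end > 1 << 64:
            problems.append((i, WRAPS_SPACE))
        elif ia64_region(p_vaddr) != ia64_region(end - 1):
            problems.append((i, CROSSES_REGION))
        if p_filesz > p_memsz:
            problems.append((i, FILESZ_GT_MEMSZ))
    return problems

def build_elf64(phdrs):
    """Constructed input: a minimal little-endian ELF64/IA-64 header followed by the given phdr tuples."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)     # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack("<" + EHDR_BODY, ident, 2, EM_IA_64, 1, 0x4000000000000000,
                       64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<" + PHDR_BODY, *p) for p in phdrs)

# Constructed segments: (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align)
GOOD = (PT_LOAD, 5, 0, 0x4000000000000000, 0, 0x1000, 0x1000, 0x4000)
BAD_CROSS = (PT_LOAD, 5, 0, 0x3FFFFFFFFFFFF000, 0, 0x1000, 0x2000, 0x4000)  # ends in the next region
BAD_WRAP = (PT_LOAD, 5, 0, 0xFFFFFFFFFFFFF000, 0, 0x1000, 0x2000, 0x4000)   # runs past 2**64
```

Running check_pt_load_segments over a real binary (read its bytes from disk) reports the offending program-header indices, which is a cheap pre-load check to pair with the random corrupter above.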
Proposed patch posted: http://post-office.corp.redhat.com/archives/rhkernel-list/2006-September/msg00929.html
Committed in stream U5 build 42.17. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
Committed in stream E5 build 42.0.4
Verified with the attached reproducer. I also wasn't able to see any other problems with a few runs of fuzzing ELF binaries.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0014.html