Red Hat Bugzilla – Bug 205335
CVE-2006-4538 Local DoS with corrupted ELF
Last modified: 2007-11-30 17:07:27 EST
From Kirill Korotaev:
When running on IA64 or SPARC platforms, local users can cause a denial of
service via a malformed ELF file and then triggered by cross-region mappings.
Where's the reproducer? I don't see any reference to it anywhere
in the thread.
I don't have a reproducer for this one.
What do you suggest in this case? Cobble up a patch, compile it,
and post it saying, "we don't have a reproducer"?
Cancel the needinfo -- I contacted Kirill Korotaev, and he forwarded me
an ia64 reproducer (actually 2). He response follows, and I will attach
both the mangle.c program as well as his pre-compiled :
Subject: Re: [PATCH] IA64,sparc: local DoS with corrupted ELFs
Date: Tue, 26 Sep 2006 10:24:21 +0400
From: Kirill Korotaev <firstname.lastname@example.org>
To: Dave Anderson <email@example.com>
> I just got assigned this CVE for a RHEL4 back-port.
> By any chance do you have a pointer to a quick-and-dirty
> reproducer for ia64? Or instructions on how I could tinker
> with an ia64 ELF header to reproduce the DOS?
ELF file is attached.
I'd recommend RedHat to incorporate the original test with a program
which hacks ELF files randomly and run it on regular basis.
This is what we do with OpenVZ.
The original test was from firstname.lastname@example.org from Dave Jones email:
----- cut -----
1. grab http://www.digitaldwarf.be/products/mangle.c
2. create a test.c which is..
3. run this script..
while [ 1 ];
~/fuzz/mangle a.out $RANDOM
4. wait, until this happens..
----- cut -----
bad_ia64_elf Type: unspecified type (application/octet-stream)
Created attachment 137132 [details]
pre-compiled ia64 ELF file with corrupted PT_LOAD segments.
Created attachment 137133 [details]
generic binary file corrupter
Note that this program does not specifically attack the issue
addressed by this particular bug, but in a random attempt, may
create a corrupt ELF header that does bump into it.
Proposed patch posted:
committed in stream U5 build 42.17. A test kernel with this patch is available
committed in stream E5 build 42.0.4
verified with the attached reproducer, I also wasn't able to see any other
problems with a few runs of fuzzing elf binaries.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.