Bug 205335 - CVE-2006-4538 Local DoS with corrupted ELF
Summary: CVE-2006-4538 Local DoS with corrupted ELF
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Dave Anderson
QA Contact: Brian Brock
URL:
Whiteboard: impact=moderate,reported=20060905,sou...
Keywords: Security
Depends On:
Blocks: CVE-2006-4538
 
Reported: 2006-09-06 05:49 UTC by Marcel Holtmann
Modified: 2007-11-30 22:07 UTC

Fixed In Version: RHSA-2007-0014
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-30 14:26:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
pre-compiled ia64 ELF file with corrupted PT_LOAD segments (8.82 KB, application/octet-stream)
2006-09-26 12:41 UTC, Dave Anderson
generic binary file corrupter (2.70 KB, text/plain)
2006-09-26 12:46 UTC, Dave Anderson


External Trackers
Tracker ID: Red Hat Product Errata RHSA-2007:0014
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel security update
Last Updated: 2007-01-30 14:25:00 UTC

Description Marcel Holtmann 2006-09-06 05:49:40 UTC
From Kirill Korotaev:

When running on IA64 or SPARC platforms, local users can cause a denial of
service via a malformed ELF file, triggered by cross-region mappings.

http://lkml.org/lkml/2006/9/4/116

Comment 2 Dave Anderson 2006-09-25 20:05:17 UTC

Where's the reproducer?  I don't see any reference to it anywhere
in the thread.

Comment 3 Marcel Holtmann 2006-09-25 20:15:21 UTC
I don't have a reproducer for this one.

Comment 4 Dave Anderson 2006-09-25 20:19:49 UTC
Jason,

What do you suggest in this case?  Cobble up a patch, compile it,
and post it saying, "we don't have a reproducer"?


Comment 5 Dave Anderson 2006-09-26 12:39:14 UTC
Cancel the needinfo -- I contacted Kirill Korotaev, and he forwarded me
an ia64 reproducer (actually 2).  His response follows, and I will attach
both the mangle.c program as well as his pre-compiled :



 Subject: Re: [PATCH] IA64,sparc: local DoS with corrupted ELFs
    Date: Tue, 26 Sep 2006 10:24:21 +0400
    From: Kirill Korotaev <dev@sw.ru>
      To: Dave Anderson <anderson@redhat.com>

Dave,

> I just got assigned this CVE for a RHEL4 back-port.
> By any chance do you have a pointer to a quick-and-dirty
> reproducer for ia64?  Or instructions on how I could tinker
> with an ia64 ELF header to reproduce the DOS?

ELF file is attached.

I'd recommend RedHat to incorporate the original test with a program
which hacks ELF files randomly and run it on regular basis.
This is what we do with OpenVZ.

The original test was from security@kernel.org from Dave Jones email:

----- cut -----
1. grab http://www.digitaldwarf.be/products/mangle.c
2. create a test.c which is..

#include <stdio.h>
int main(void)
{
        printf ("Worked\n");
        return 0;
}

3. run this script..
#!/bin/bash
# Rebuild a.out, corrupt it with a random seed, and run it; the loop only
# stops when a mangled binary takes the kernel down (step 4).
while true;
do
        gcc test.c
        ~/fuzz/mangle a.out $RANDOM
        ./a.out
done

4. wait, until this happens..
----- cut -----

Thanks,
Kirill


[Attachment to the forwarded mail: bad_ia64_elf (application/octet-stream, base64)]

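The pre-flight check a fuzz harness like the loop above could run on each mangled a.out before executing it, as an added example that is not code from this bug, from mangle.c or from the RHEL kernel patch. It parses the ELF64 program headers and rejects PT_LOAD entries whose sizes are inconsistent with the file, whose address range wraps, or which, on IA-64, span a region boundary. The IA-64 region layout (address bits 63..61 select the region), the local struct definitions, the sample images and all function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 structures, laid out as in <elf.h> but kept local so the
 * example builds without Linux headers (assumption of this example). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} elf64_phdr;

#define PT_LOAD    1
#define EM_IA_64   50
#define ELFCLASS64 2
/* Assumed IA-64 layout: bits 63..61 select one of eight 2^61-byte regions. */
#define IA64_REGION_SHIFT 61

enum elf_verdict {
    ELF_OK = 0,
    ELF_BAD_HEADER,      /* not ELF64, or truncated header */
    ELF_BAD_PHDR_TABLE,  /* program header table lies outside the file */
    ELF_BAD_SEGMENT,     /* PT_LOAD sizes/offsets inconsistent, or address wrap */
    ELF_CROSS_REGION     /* PT_LOAD spans an IA-64 region boundary */
};

/* Check every PT_LOAD of an in-memory ELF64 image; on failure *bad_index
 * (if non-NULL) receives the offending program header index, else -1. */
enum elf_verdict check_elf64_loads(const unsigned char *buf, size_t len, int *bad_index)
{
    elf64_ehdr eh;
    size_t table_bytes;
    int i;

    if (bad_index) *bad_index = -1;
    if (len < sizeof eh) return ELF_BAD_HEADER;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != ELFCLASS64)
        return ELF_BAD_HEADER;
    if (eh.e_phentsize != sizeof(elf64_phdr)) return ELF_BAD_HEADER;

    /* e_phnum is 16-bit, so this product cannot overflow size_t. */
    table_bytes = (size_t)eh.e_phnum * sizeof(elf64_phdr);
    if (eh.e_phoff > len || table_bytes > len - eh.e_phoff) return ELF_BAD_PHDR_TABLE;

    for (i = 0; i < eh.e_phnum; i++) {
        elf64_phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        if (bad_index) *bad_index = i;
        /* The file-backed part must exist in the file and fit the mapping. */
        if (ph.p_filesz > ph.p_memsz) return ELF_BAD_SEGMENT;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return ELF_BAD_SEGMENT;
        /* [vaddr, vaddr + memsz) must not wrap around the address space. */
        if (ph.p_memsz > UINT64_MAX - ph.p_vaddr) return ELF_BAD_SEGMENT;
        /* IA-64 only: first and last byte of the mapping share one region. */
        if (eh.e_machine == EM_IA_64 && ph.p_memsz > 0 &&
            (ph.p_vaddr >> IA64_REGION_SHIFT) !=
            ((ph.p_vaddr + ph.p_memsz - 1) >> IA64_REGION_SHIFT))
            return ELF_CROSS_REGION;
    }
    if (bad_index) *bad_index = -1;
    return ELF_OK;
}

/* Constructed sample: a minimal IA-64 ELF64 with one PT_LOAD whose header
 * fields come from the arguments; 16 dummy payload bytes follow the table.
 * Returns the image size (136) or 0 if the buffer is too small. */
size_t build_ia64_elf(unsigned char *out, size_t cap, uint64_t vaddr,
                      uint64_t filesz, uint64_t memsz)
{
    elf64_ehdr eh;
    elf64_phdr ph;
    const size_t payload_off = sizeof eh + sizeof ph;
    const size_t total = payload_off + 16;

    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = ELFCLASS64;
    eh.e_ident[5] = 1;            /* ELFDATA2LSB */
    eh.e_ident[6] = 1;            /* EV_CURRENT */
    eh.e_type = 2;                /* ET_EXEC */
    eh.e_machine = EM_IA_64;
    eh.e_version = 1;
    eh.e_entry = vaddr;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;

    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_LOAD;
    ph.p_flags = 5;               /* PF_R | PF_X */
    ph.p_offset = payload_off;
    ph.p_vaddr = ph.p_paddr = vaddr;
    ph.p_filesz = filesz;
    ph.p_memsz = memsz;
    ph.p_align = 0x10000;

    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    memset(out + payload_off, 0x90, 16);   /* constructed payload bytes */
    return total;
}

/* Build one sample and return its verdict. */
enum elf_verdict verdict_for(uint64_t vaddr, uint64_t filesz, uint64_t memsz)
{
    unsigned char img[256];
    size_t n = build_ia64_elf(img, sizeof img, vaddr, filesz, memsz);
    return check_elf64_loads(img, n, NULL);
}

int main(void)
{
    /* 0x4000000000000000 is region 2 of the assumed IA-64 layout; the other
     * samples mimic what a random corrupter can do to a PT_LOAD header. */
    const struct { const char *name; uint64_t vaddr, filesz, memsz; } s[] = {
        { "well-formed",               0x4000000000000000ULL, 16,   16    },
        { "filesz past end of file",   0x4000000000000000ULL, 4096, 4096  },
        { "vaddr+memsz wraps",         0xffffffffffffff00ULL, 16,   0x200 },
        { "crosses region boundary",   (1ULL << 61) - 8,      16,   16    },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-26s -> verdict %d\n", s[i].name, verdict_for(s[i].vaddr, s[i].filesz, s[i].memsz));
    return 0;
}
```

Run on the image before the `./a.out` step, the check lets the harness tell "refused in userland" from "kernel fell over", which is the case Kirill's loop waits for; it is a filter for the fuzz loop, not a substitute for the kernel-side fix, since the loader has to reject the same inputs itself.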

Comment 6 Dave Anderson 2006-09-26 12:41:33 UTC
Created attachment 137132
pre-compiled ia64 ELF file with corrupted PT_LOAD segments.

Comment 7 Dave Anderson 2006-09-26 12:46:56 UTC
Created attachment 137133
generic binary file corrupter

Note that this program does not specifically attack the issue 
addressed by this particular bug, but in a random attempt, may
create a corrupt ELF header that does bump into it.

Comment 8 Dave Anderson 2006-09-29 14:57:41 UTC
Proposed patch posted:

http://post-office.corp.redhat.com/archives/rhkernel-list/2006-September/msg00929.html

Comment 9 Jason Baron 2006-10-10 15:24:21 UTC
committed in stream U5 build 42.17. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/


Comment 10 Jason Baron 2006-12-18 21:37:33 UTC
committed in stream E5 build 42.0.4

Comment 12 Mike Gahagan 2007-01-22 18:17:54 UTC
Verified with the attached reproducer; I also wasn't able to see any other
problems with a few runs of fuzzing ELF binaries.


Comment 14 Red Hat Bugzilla 2007-01-30 14:26:59 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0014.html


