Re: Linux ELF loader vulnerabilities

From: Jirka Kosina (jikos_at_jikos.cz)
Date: 11/12/04

    Date: Fri, 12 Nov 2004 13:08:56 +0100 (CET)
    To: bugtraq@securityfocus.com
    
    

    On Wed, 10 Nov 2004, Paul Starzetz wrote:

    > Synopsis: Linux kernel binfmt_elf loader vulnerabilities
    > Product: Linux kernel
    > Version: 2.4 up to and including 2.4.27, 2.6 up to and
    > including 2.6.8

    And also 2.6.9.

    > 3) bad return value vulnerability while mapping the program interpreter
    > into memory:
    >
    > 301: retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
    > error = retval;
    > if (retval < 0)
    > goto out_close;
    > eppnt = elf_phdata;
    > for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
    > map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
    > 322: if (BAD_ADDR(map_addr))
    > goto out_close;
    > out_close:
    > kfree(elf_phdata);
    > out:
    > return error;
    > }

    This bug is only present in the 2.4 version; in 2.6 kernels we can see

            retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
            error = retval;
            if (retval < 0)
                    goto out_close;
    [... cut ... ]
                map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
                error = map_addr;
                if (BAD_ADDR(map_addr))
                    goto out_close;

    -- 
    JiKos.
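Added here to illustrate the return-value difference JiKos points out, not code from the kernel or from either poster: a constructed C model of the two return paths. The names demo_elf_map, DEMO_TASK_SIZE, DEMO_ENOMEM, load_interp_24 and load_interp_26 are assumptions standing in for elf_map, TASK_SIZE, ENOMEM and load_elf_interp, and the 2.4 path is simplified to a single mapping.

```c
#include <stdbool.h>

/* Constructed stand-in for the kernel's BAD_ADDR(): anything at or above the
 * user/kernel split (3 GiB here) is a failed mapping; a negative errno cast
 * to unsigned long lands in that range. */
#define DEMO_TASK_SIZE 0xC0000000UL
#define BAD_ADDR(x) ((unsigned long)(x) >= DEMO_TASK_SIZE)
#define DEMO_ENOMEM 12

/* Simulated elf_map(): a user address on success, -errno on failure. */
static unsigned long demo_elf_map(bool fail)
{
    return fail ? (unsigned long)-DEMO_ENOMEM : 0x40000000UL;
}

/* 2.4-style return path: 'error' is left at kernel_read()'s byte count,
 * so a failed mapping hands that small positive number to the caller. */
unsigned long load_interp_24(long phdr_bytes_read, bool map_fails)
{
    unsigned long error = (unsigned long)phdr_bytes_read;
    unsigned long map_addr;
    if (phdr_bytes_read < 0)
        goto out;
    map_addr = demo_elf_map(map_fails);
    if (BAD_ADDR(map_addr))
        goto out;             /* bug: error still == phdr_bytes_read */
    error = map_addr;         /* success: interpreter load address */
out:
    return error;
}

/* 2.6-style return path: 'error = map_addr' runs before the check, so
 * the mapping failure itself is what reaches the caller. */
unsigned long load_interp_26(long phdr_bytes_read, bool map_fails)
{
    unsigned long error = (unsigned long)phdr_bytes_read;
    unsigned long map_addr;
    if (phdr_bytes_read < 0)
        goto out;
    map_addr = demo_elf_map(map_fails);
    error = map_addr;
    if (BAD_ADDR(map_addr))
        goto out;
out:
    return error;
}
```

The caller only rejects a result that fails BAD_ADDR(), so the 2.4 path returns a value (the program-header byte count) that passes that check even though no mapping was made.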
    
