[37336] in bugtraq
Re: Linux ELF loader vulnerabilities
daemon@ATHENA.MIT.EDU (Jirka Kosina)
Fri Nov 12 13:30:28 2004
Date: Fri, 12 Nov 2004 13:08:56 +0100 (CET)
From: Jirka Kosina <jikos@jikos.cz>
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com
In-Reply-To: <Pine.LNX.4.44.0411101257070.28446-100000@isec.pl>
Message-ID: <Pine.LNX.4.58.0411121305400.30517@twin.jikos.cz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 10 Nov 2004, Paul Starzetz wrote:
> Synopsis: Linux kernel binfmt_elf loader vulnerabilities
> Product: Linux kernel
> Version: 2.4 up to and including 2.4.27, 2.6 up to and
> including 2.6.8
And also 2.6.9.
> 3) bad return value vulnerability while mapping the program interpreter
> into memory:
>
> 301:    retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
>         error = retval;
>         if (retval < 0)
>                 goto out_close;
>
>         eppnt = elf_phdata;
>         for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
>
>                 map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
> 322:            if (BAD_ADDR(map_addr))
>                         goto out_close;
>
> out_close:
>         kfree(elf_phdata);
> out:
>         return error;
> }
This bug is only present in the 2.4 version; in 2.6 kernels we can see

        retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
        error = retval;
        if (retval < 0)
                goto out_close;

        [... cut ...]

                map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
                error = map_addr;
                if (BAD_ADDR(map_addr))
                        goto out_close;
--
JiKos.
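The difference between the two fragments above is a single assignment, and the consequence is easy to miss by reading. The following is an added user-space model of the two load_elf_interp() tails, written for this page; it is not kernel code and not part of the advisory or the reply. fake_kernel_read(), fake_elf_map(), MODEL_TASK_SIZE, PHDR_BYTES and MAPPED_AT are assumptions standing in for the kernel's functions and constants; only the control flow mirrors the quoted code. It shows that when elf_map() fails, the 2.4 tail hands back the stale byte count from kernel_read(), a small positive number that the caller's BAD_ADDR() check on the returned entry point (load_elf_binary() performs such a check) does not reject, whereas the 2.6 tail returns the -errno value, which BAD_ADDR() catches.

```c
/*
 * Added example: user-space model of the 2.4 and 2.6 load_elf_interp() tails.
 * fake_kernel_read(), fake_elf_map(), MODEL_TASK_SIZE, PHDR_BYTES and
 * MAPPED_AT are constructed stand-ins, not kernel definitions.
 */
#include <errno.h>
#include <stdio.h>

/* Model of the kernel's BAD_ADDR(): anything above the user address limit,
 * which includes -errno values cast to unsigned long, is "bad". */
#define MODEL_TASK_SIZE 0xC0000000UL
#define BAD_ADDR(x) ((unsigned long)(x) > MODEL_TASK_SIZE)

#define PHDR_BYTES 64            /* constructed: bytes of program headers "read" */
#define MAPPED_AT  0x40000000UL  /* constructed: where a successful map lands */

/* Stand-in for kernel_read(): returns the byte count on success. */
static int fake_kernel_read(int size)
{
    return size;
}

/* Stand-in for elf_map(): a user address on success, or -errno cast to an
 * address on failure (the shape of what the mmap path hands back). */
static unsigned long fake_elf_map(int fail)
{
    return fail ? (unsigned long)-ENOMEM : MAPPED_AT;
}

/* 2.4-style tail: 'error' is set once from kernel_read() and is not
 * updated before the BAD_ADDR() bail-out, so a failed map returns the
 * leftover byte count. */
unsigned long interp_tail_24(int map_fails)
{
    unsigned long error, map_addr;
    int retval;

    retval = fake_kernel_read(PHDR_BYTES);
    error = retval;
    if (retval < 0)
        goto out;

    map_addr = fake_elf_map(map_fails);
    if (BAD_ADDR(map_addr))
        goto out;               /* returns the stale byte count */

    error = map_addr;           /* success: a real user address */
out:
    return error;
}

/* 2.6-style tail: identical except that 'error' is refreshed from
 * map_addr before the check, so a failed map returns the -errno value. */
unsigned long interp_tail_26(int map_fails)
{
    unsigned long error, map_addr;
    int retval;

    retval = fake_kernel_read(PHDR_BYTES);
    error = retval;
    if (retval < 0)
        goto out;

    map_addr = fake_elf_map(map_fails);
    error = map_addr;           /* the one added line */
    if (BAD_ADDR(map_addr))
        goto out;               /* returns (unsigned long)-ENOMEM */
out:
    return error;
}

/* The caller validates the returned entry point with BAD_ADDR() before
 * using it; a small positive integer passes that test. */
int caller_accepts(unsigned long entry)
{
    return !BAD_ADDR(entry);
}

int main(void)
{
    unsigned long e24 = interp_tail_24(1);
    unsigned long e26 = interp_tail_26(1);

    printf("2.4 on map failure: returns %lu, caller accepts: %d\n",
           e24, caller_accepts(e24));
    printf("2.6 on map failure: returns 0x%lx, caller accepts: %d\n",
           e26, caller_accepts(e26));
    return 0;
}
```

Running the model with a failing map shows the 2.4 tail returning 64 (the constructed PHDR_BYTES), which the caller accepts as an entry address, while the 2.6 tail returns the -ENOMEM value, which it rejects.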