SecurityFocus

Linux ELF loader vulnerabilities Nov 10 2004 11:59AM
Paul Starzetz (ihaquer isec pl) (3 replies)

Re: Linux ELF loader vulnerabilities Nov 12 2004 12:08PM
Jirka Kosina (jikos jikos cz)

On Wed, 10 Nov 2004, Paul Starzetz wrote:

> Synopsis: Linux kernel binfmt_elf loader vulnerabilities
> Product: Linux kernel
> Version: 2.4 up to to and including 2.4.27, 2.6 up to to and
> including 2.6.8

And also 2.6.9.

> 3) bad return value vulnerability while mapping the program intrepreter
> into memory:
>
> 301: retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
> error = retval;
> if (retval < 0)
> goto out_close;
> eppnt = elf_phdata;
> for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
> map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
> 322: if (BAD_ADDR(map_addr))
> goto out_close;
> out_close:
> kfree(elf_phdata);
> out:
> return error;
> }

This bug is only present in 2.4 version, in 2.6 kernels we can see

retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
error = retval;
if (retval < 0)
goto out_close;
[... cutted ... ]
map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
error = map_addr;
if (BAD_ADDR(map_addr))
goto out_close;

--
JiKos.

[ reply ]

Re: Linux ELF loader vulnerabilities Nov 11 2004 07:52PM
Pavel Kankovsky (peak argo troja mff cuni cz)

Re: Linux ELF loader vulnerabilities Nov 11 2004 03:12AM
Ted Percival (ted mrphp com au) (1 replies)

Re: [Full-Disclosure] Re: Linux ELF loader vulnerabilities Nov 11 2004 11:09AM
Jirka Kosina (jikos jikos cz)