From: jikos at jikos.cz (Jirka Kosina)
Subject: Re: Linux ELF loader vulnerabilities

On Wed, 10 Nov 2004, Paul Starzetz wrote:

> Synopsis:  Linux kernel binfmt_elf loader vulnerabilities
> Product:   Linux kernel
> Version:   2.4 up to and including 2.4.27, 2.6 up to and
>            including 2.6.8

And also 2.6.9.

> 3)  bad return value vulnerability while mapping the program interpreter
> into memory:
> 
> 301:   retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
>        error = retval;
>        if (retval < 0)
>               goto out_close;
>        eppnt = elf_phdata;
>        for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
>            map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
> 322:       if (BAD_ADDR(map_addr))
>               goto out_close;
> out_close:
>        kfree(elf_phdata);
> out:
>        return error;
> }

This bug is only present in the 2.4 version; in 2.6 kernels we can see

        retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
        error = retval;
        if (retval < 0)
                goto out_close;
[... cut ...]
            map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
            error = map_addr;
            if (BAD_ADDR(map_addr))
                goto out_close;


-- 
JiKos.
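
Added example, not part of the original message and not kernel source: a user-space model of the two excerpts above, showing what the function returns when a mapping fails with and without the 2.6 line `error = map_addr;`. The stubs, the `FAKE_*` constants, the `BAD_ADDR` limit and the success return value are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed stand-ins for the kernel pieces in the quoted excerpts. */
#define FAKE_TASK_SIZE 0xC0000000UL               /* assumed address-space limit */
#define BAD_ADDR(x) ((unsigned long)(x) > FAKE_TASK_SIZE)
#define FAKE_ENOMEM 12L
#define FAKE_ENTRY 0x40000400UL                   /* assumed success return value */

/* Stub for kernel_read(): reports `size` bytes of program headers read. */
static long stub_kernel_read(long size) { return size; }

/* Stub for elf_map(): segment `fail_at` fails with a negative errno cast to
 * an address; the others get a plausible user-space address. */
static unsigned long stub_elf_map(int i, int fail_at)
{
    if (i == fail_at)
        return (unsigned long)-FAKE_ENOMEM;
    return 0x40000000UL + 0x1000UL * (unsigned long)i;
}

/* Same control flow as the excerpts. propagate == 0 follows the 2.4 code,
 * propagate == 1 adds the 2.6 line "error = map_addr;". */
static unsigned long load_interp(int phnum, int fail_at, int propagate)
{
    unsigned long error, map_addr;
    long retval = stub_kernel_read(phnum * 32L);
    int i;

    error = (unsigned long)retval;
    if (retval < 0)
        goto out;
    for (i = 0; i < phnum; i++) {
        map_addr = stub_elf_map(i, fail_at);
        if (propagate)
            error = map_addr;
        if (BAD_ADDR(map_addr))
            goto out;             /* 2.4 flow: error is still the byte count */
    }
    error = FAKE_ENTRY;
out:
    return error;
}

int main(void)
{
    unsigned long v24 = load_interp(3, 1, 0), v26 = load_interp(3, 1, 1);
    printf("2.4 flow: %#lx bad=%d\n", v24, BAD_ADDR(v24));
    printf("2.6 flow: %#lx bad=%d\n", v26, BAD_ADDR(v26));
    return 0;
}
```

In the 2.4 flow the failed mapping comes back as the byte count from the read, which a `BAD_ADDR`-style check in the caller (assumed here) would not flag; with the extra assignment the failing `map_addr` itself is returned.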

