Date: Mon, 1 Feb 2010 16:04:37 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: CVE request - kernel: DoS on x86_64 ----- "Eugene Teo" <eugeneteo@...nel.sg> wrote: > Reported by Mathias Krause. The problem seams to be located in > fs/binfmt_elf.c:load_elf_binary(). It calls SET_PERSONALITY() prior > checking that the ELF interpreter is available. This in turn makes the > > previously 32 bit process a 64 bit one which would be fine if execve() > > would succeed. But after the SET_PERSONALITY() the open_exec() call > fails (because it cannot find the interpreter) and execve() almost > instantly returns with an error. If you now look at /proc/PID/maps > you'll see, that it has the vsyscall page mapped which shouldn't be. > But > the process is not dead yet, it's still running. By now generating a > segmentation fault and in turn trying to generate a core dump the > kernel just dies. > > Steps to Reproduce: > 1. Enable core dumps > 2. Start an 32 bit program that tries to execve() an 64 bit program > 3. The 64 bit program cannot be started by the kernel because it can't > > find the interpreter, i.e. execve returns with an error > 4. Generate a segmentation fault > 5. panic > > Upstream commit: > http://git.kernel.org/linus/221af7f87b97431e3ee21ce4b0e77d5411cf1549 > > References: > http://marc.info/?t=126466700200002&r=1&w=2 > https://bugzilla.redhat.com/show_bug.cgi?id=560547 > Please use CVE-2010-0307 for this. Thanks. -- JB
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ