Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Feb 2010 19:28:05 -0700
From: dann frazier <dannf@...ian.org>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request - kernel: DoS on x86_64

On Mon, Feb 01, 2010 at 01:09:12PM +0800, Eugene Teo wrote:
> Reported by Mathias Krause. The problem seams to be located in
> fs/binfmt_elf.c:load_elf_binary(). It calls SET_PERSONALITY() prior  
> checking that the ELF interpreter is available. This in turn makes the  
> previously 32 bit process a 64 bit one which would be fine if execve()  
> would succeed. But after the SET_PERSONALITY() the open_exec() call  
> fails (because it cannot find the interpreter) and execve() almost  
> instantly returns with an error. If you now look at /proc/PID/maps  
> you'll see, that it has the vsyscall page mapped which shouldn't be. But  
> the process is not dead yet, it's still running. By now generating a  
> segmentation fault and in turn trying to generate a core dump the
> kernel just dies.
>
> Steps to Reproduce:
> 1. Enable core dumps
> 2. Start an 32 bit program that tries to execve() an 64 bit program
> 3. The 64 bit program cannot be started by the kernel because it can't  
> find the interpreter, i.e. execve returns with an error
> 4. Generate a segmentation fault
> 5. panic
>
> Upstream commit:
> http://git.kernel.org/linus/221af7f87b97431e3ee21ce4b0e77d5411cf1549

Thanks Eugene.

Also note this fix for a regression in the above:
  http://git.kernel.org/linus/7ab02af428c2d312c0cf8fb0b01cc1eb21131a3d

-- 
dann frazier

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ