Re: CVE request - kernel: DoS on x86_64

[Josh Bressers <bressers () redhat com>]

----- "Eugene Teo" <eugeneteo () kernel sg> wrote:

> Reported by Mathias Krause. The problem seams to be located in
> fs/binfmt_elf.c:load_elf_binary(). It calls SET_PERSONALITY() prior 
> checking that the ELF interpreter is available. This in turn makes the
>
> previously 32 bit process a 64 bit one which would be fine if execve()
>
> would succeed. But after the SET_PERSONALITY() the open_exec() call 
> fails (because it cannot find the interpreter) and execve() almost 
> instantly returns with an error. If you now look at /proc/PID/maps 
> you'll see, that it has the vsyscall page mapped which shouldn't be.
> But 
> the process is not dead yet, it's still running. By now generating a 
> segmentation fault and in turn trying to generate a core dump the
> kernel just dies.
>
> Steps to Reproduce:
> 1. Enable core dumps
> 2. Start an 32 bit program that tries to execve() an 64 bit program
> 3. The 64 bit program cannot be started by the kernel because it can't
>
> find the interpreter, i.e. execve returns with an error
> 4. Generate a segmentation fault
> 5. panic
>
> Upstream commit:
> http://git.kernel.org/linus/221af7f87b97431e3ee21ce4b0e77d5411cf1549
>
> References:
> http://marc.info/?t=126466700200002&r=1&w=2
> https://bugzilla.redhat.com/show_bug.cgi?id=560547

Please use CVE-2010-0307 for this.

Thanks.

-- 
    JB