Bugtraq mailing list archives
Re: Linux ELF loader vulnerabilities
From: Jirka Kosina <jikos () jikos cz>
Date: Fri, 12 Nov 2004 13:08:56 +0100 (CET)
On Wed, 10 Nov 2004, Paul Starzetz wrote:
Synopsis: Linux kernel binfmt_elf loader vulnerabilities
Product: Linux kernel
Version: 2.4 up to and including 2.4.27, 2.6 up to and including 2.6.8
And also 2.6.9.
3) bad return value vulnerability while mapping the program interpreter into memory:

    301:    retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
            error = retval;
            if (retval < 0)
                goto out_close;
            eppnt = elf_phdata;
            for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
                map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
    322:        if (BAD_ADDR(map_addr))
                    goto out_close;
    out_close:
            kfree(elf_phdata);
    out:
            return error;
    }
This bug is only present in the 2.4 version; in 2.6 kernels we can see

    retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
    error = retval;
    if (retval < 0)
        goto out_close;
    [... cut ...]
    map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
    error = map_addr;
    if (BAD_ADDR(map_addr))
        goto out_close;

-- 
JiKos.
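The difference between the two return paths, as an added model that is not part of the original post or of the kernel source: kernel_read() and elf_map() are replaced by stubs, and the constructed TASK_SIZE/BAD_ADDR values only mimic the kernel's convention that error codes cast to addresses fall above user space. It shows why the 2.4 path hands the caller the positive kernel_read() byte count instead of the failed mapping's error value.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel macros (values are assumptions). */
#define TASK_SIZE_STUB 0xC0000000UL
#define BAD_ADDR(x) ((unsigned long)(x) >= TASK_SIZE_STUB)
#define INTERP_BASE 0x40000000UL

/* kernel_read() stand-in: success returns the byte count read. */
static long stub_kernel_read(size_t size) { return (long)size; }

/* elf_map() stand-in: on failure returns -ENOMEM cast to an address,
 * which BAD_ADDR() recognises as an error. */
static unsigned long stub_elf_map(int fail) {
    return fail ? (unsigned long)-ENOMEM : INTERP_BASE;
}

/* 2.4-style path: 'error' still holds the positive kernel_read() byte
 * count when the BAD_ADDR goto fires, so that count is what is returned. */
unsigned long load_interp_24(size_t phdr_bytes, int map_fails) {
    unsigned long error, map_addr;
    long retval = stub_kernel_read(phdr_bytes);
    error = retval;
    if (retval < 0) goto out;
    map_addr = stub_elf_map(map_fails);
    if (BAD_ADDR(map_addr)) goto out;     /* error is never updated here */
    error = map_addr;                     /* success: interpreter base */
out:
    return error;
}

/* 2.6-style path: map_addr is stored into 'error' before the check,
 * so a failed mapping is reported as an error value. */
unsigned long load_interp_26(size_t phdr_bytes, int map_fails) {
    unsigned long error, map_addr;
    long retval = stub_kernel_read(phdr_bytes);
    error = retval;
    if (retval < 0) goto out;
    map_addr = stub_elf_map(map_fails);
    error = map_addr;
    if (BAD_ADDR(map_addr)) goto out;
out:
    return error;
}

/* Model of the caller's check: a value that passes BAD_ADDR() would be
 * used as the interpreter address. Returns 1 if the value is accepted. */
int caller_accepts(unsigned long interp_addr) {
    return !BAD_ADDR(interp_addr);
}
```

With a 32-byte program header table and a failing mapping, the 2.4 path returns 32, which the caller accepts as an address, while the 2.6 path returns the mapping error, which the caller rejects.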