Re: Linux ELF loader vulnerabilities

[Jirka Kosina <jikos () jikos cz>]

On Wed, 10 Nov 2004, Paul Starzetz wrote:

> Synopsis:  Linux kernel binfmt_elf loader vulnerabilities
> Product:   Linux kernel
> Version:   2.4 up to to and including 2.4.27, 2.6 up to to and
>            including 2.6.8

And also 2.6.9.

> 3)  bad return value vulnerability while mapping the program intrepreter
> into memory:
>
> 301:   retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
>        error = retval;
>        if (retval < 0)
>               goto out_close;
>        eppnt = elf_phdata;
>        for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
>            map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
> 322:       if (BAD_ADDR(map_addr))
>               goto out_close;
> out_close:
>        kfree(elf_phdata);
> out:
>        return error;
> }

This bug is only present in 2.4 version, in 2.6 kernels we can see

        retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
        error = retval;
        if (retval < 0)
                goto out_close;
[... cutted ... ]
            map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
            error = map_addr;
            if (BAD_ADDR(map_addr))
                goto out_close;


-- 
JiKos.