Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Linux ELF loader vulnerabilities
From: Jirka Kosina <jikos () jikos cz>
Date: Fri, 12 Nov 2004 13:08:56 +0100 (CET)

On Wed, 10 Nov 2004, Paul Starzetz wrote:

Synopsis:  Linux kernel binfmt_elf loader vulnerabilities
Product:   Linux kernel
Version:   2.4 up to to and including 2.4.27, 2.6 up to to and
           including 2.6.8

And also 2.6.9.

3)  bad return value vulnerability while mapping the program intrepreter
into memory:

301:   retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
       error = retval;
       if (retval < 0)
              goto out_close;
       eppnt = elf_phdata;
       for (i=0; i<interp_elf_ex->e_phnum; i++, eppnt++) {
           map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
322:       if (BAD_ADDR(map_addr))
              goto out_close;
out_close:
       kfree(elf_phdata);
out:
       return error;
}

This bug is only present in 2.4 version, in 2.6 kernels we can see

        retval = kernel_read(interpreter,interp_elf_ex->e_phoff,(char *)elf_phdata,size);
        error = retval;
        if (retval < 0)
                goto out_close;
[... cutted ... ]
            map_addr = elf_map(interpreter, load_addr + vaddr, eppnt, elf_prot, elf_type);
            error = map_addr;
            if (BAD_ADDR(map_addr))
                goto out_close;


-- 
JiKos.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]