Bug#308757: CAN-2005-1263: Linux kernel ELF core dump privilege elevation
Package: kernel-source-2.4.27
Version: unavailable; reported 2005-05-12
Severity: grave
Tags: security patch
Paul Starzetz has found another flaw in the Linux kernel that can be exploited
to gain extended local privileges. Please see his detailed advisory at
http://isec.pl/vulnerabilities/isec-0023-coredump.txt
Greg Kroah-Hartman has posted a patch for 2.6, which should apply to 2.4 as
well. It's attached.
Cheers,
Moritz
-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro
Subject: possibly fix Linux kernel ELF core dump privilege elevation
As noted by Paul Starzetz
references CAN-something-I-need-to-go-look-up...
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/binfmt_elf.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
--- gregkh-2.6.orig/fs/binfmt_elf.c 2005-05-11 00:03:45.000000000 -0700
+++ gregkh-2.6/fs/binfmt_elf.c 2005-05-11 00:09:17.000000000 -0700
@@ -251,1 +251,1 @@
}
/* Populate argv and envp */
- p = current->mm->arg_start;
+ p = current->mm->arg_end = current->mm->arg_start;
while (argc-- > 0) {
size_t len;
__put_user((elf_addr_t)p, argv++);
@@ -1301,4 +1301,4 @@
static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
struct mm_struct *mm)
{
- int i, len;
+ unsigned int i, len;
/* first copy the parameters from user space */
memset(psinfo, 0, sizeof(struct elf_prpsinfo));
Reply to: