Bug#308855: Privilege escalation in ELF core dump (fs/binfmt_elf.c)
Package: kernel-source-2.6.8
Version: 2.6.8-15
Severity: critical
Tags: security patch
From Secunia advisory http://secunia.com/advisories/15341/
DESCRIPTION:
Paul Starzetz has reported a vulnerability in the Linux kernel, which
can be exploited by malicious, local users to gain escalated
privileges.
The vulnerability is caused due to a signedness error in the Linux
ELF binary format loader's core dump function (elf_core_dump()) and
can be exploited to cause a buffer overflow via a specially crafted
ELF binary.
Successful exploitation makes it possible to gain root privileges and
execute arbitrary code with kernel privileges.
The vulnerability has been reported in versions 2.2 through
2.2.27-rc2, versions 2.4 through 2.4.31-pre1, and versions 2.6
through 2.6.12-rc4.
ORIGINAL ADVISORY:
Kernel.org:
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.9
iSEC Security Research:
http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
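To make the signedness error concrete, here is a small added C model (not kernel code, and not part of this bug report or the advisory). It assumes, as the patch below suggests, that fill_psinfo() computes the argument-string length as the distance between two user addresses recorded in mm_struct (arg_end - arg_start), clamps it against ELF_PRARGSZ (80 in the kernel's elf.h) and then passes that length to copy_from_user(). The two length functions differ only in the type of `len`, mirroring the `int` to `unsigned int` change in the patch; the addresses and sample bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of elf_prpsinfo.pr_psargs; the kernel defines ELF_PRARGSZ as 80. */
#define ELF_PRARGSZ 80

/* Model of the pre-fix computation (constructed, not the kernel source):
 * a signed int holds the distance between the two user addresses. If the
 * range is reversed (arg_end below arg_start, e.g. never initialised), len
 * is negative, the "len >= ELF_PRARGSZ" clamp does not trigger, and the
 * negative value turns into a huge size_t on its way to copy_from_user(). */
size_t psargs_len_signed(unsigned long arg_start, unsigned long arg_end)
{
    int len = (int)(arg_end - arg_start);
    if (len >= ELF_PRARGSZ)        /* a negative len passes this check */
        len = ELF_PRARGSZ - 1;
    return (size_t)len;            /* implicit conversion to the copy size */
}

/* Model of the fixed computation: the same difference held in an unsigned
 * int, so a reversed range becomes a large positive value that the clamp
 * reduces to ELF_PRARGSZ - 1. */
size_t psargs_len_unsigned(unsigned long arg_start, unsigned long arg_end)
{
    unsigned int len = (unsigned int)(arg_end - arg_start);
    if (len >= ELF_PRARGSZ)
        len = ELF_PRARGSZ - 1;
    return (size_t)len;
}

/* Guarded copy into a fixed pr_psargs-sized buffer. Returns 0 on success and
 * -1 if the requested length would overrun the destination, i.e. the
 * condition the signedness bug let reach the real copy. */
int fill_psargs(char dst[ELF_PRARGSZ], const char *src, size_t len)
{
    if (len >= ELF_PRARGSZ)
        return -1;
    memset(dst, 0, ELF_PRARGSZ);
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    /* Constructed sample: a reversed range where arg_end lies 256 bytes
     * below arg_start, and a normal 32-byte range. */
    unsigned long rev_start = 0xbffff000UL, rev_end = 0xbfffef00UL;
    unsigned long ok_start = 0x1000UL, ok_end = 0x1020UL;
    char src[ELF_PRARGSZ], dst[ELF_PRARGSZ];
    memset(src, 'A', sizeof src);

    size_t bad = psargs_len_signed(rev_start, rev_end);
    size_t good = psargs_len_unsigned(rev_start, rev_end);

    printf("reversed range, signed len  : %zu -> copy %s\n", bad,
           fill_psargs(dst, src, bad) ? "refused (would overrun)" : "ok");
    printf("reversed range, unsigned len: %zu -> copy %s\n", good,
           fill_psargs(dst, src, good) ? "refused" : "ok");
    printf("normal range, either model  : %zu bytes\n",
           psargs_len_unsigned(ok_start, ok_end));
    return 0;
}
```

For a well-formed range both models agree; only the reversed range separates them, which is why a unit test on this helper should include an arg_end below arg_start.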
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-k7
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Versions of packages kernel-source-2.6.8 depends on:
ii binutils 2.15-5 The GNU assembler, linker and bina
ii bzip2 1.0.2-6 high-quality block-sorting file co
ii coreutils [fileutils] 5.2.1-2 The GNU core utilities
-- no debconf information
--- a/fs/binfmt_elf.c 2005-05-11 15:43:56 -07:00
+++ b/fs/binfmt_elf.c 2005-05-11 15:43:56 -07:00
@@ -257,7 +257,7 @@
}
/* Populate argv and envp */
- p = current->mm->arg_start;
+ p = current->mm->arg_end = current->mm->arg_start;
while (argc-- > 0) {
size_t len;
__put_user((elf_addr_t)p, argv++);
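Review bot: initialising current->mm->arg_end to arg_start here only covers the moment before the argv walk begins; the visible context shows no later update to arg_end, so please confirm that the loop below (or the code following it) advances arg_end past the copied strings, otherwise arg_end - arg_start in fill_psinfo() is always zero and pr_psargs stays empty. A one-line comment stating that arg_end is set here so it is never left uninitialised for the core-dump path would also make the chained assignment self-explanatory.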
@@ -1279,7 +1279,7 @@
static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
struct mm_struct *mm)
{
- int i, len;
+ unsigned int i, len;
/* first copy the parameters from user space */
memset(psinfo, 0, sizeof(struct elf_prpsinfo));
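Review bot: changing `i` and `len` to `unsigned int` makes a reversed arg_end/arg_start range wrap to a large value that a later `len >= ELF_PRARGSZ` clamp can catch, but that only holds if every comparison against `len` further down in fill_psinfo() is itself unsigned; a stray signed constant or signed intermediate would reintroduce the problem. The mm_struct fields being subtracted are `unsigned long`, so storing the difference in an `unsigned int` still truncates on 64-bit; `size_t` or `unsigned long` would avoid that. A comment noting that unsigned arithmetic is relied on to clamp a bad range would help future readers.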