
Bug#308855: Privilege escalation in ELF core dump (fs/binfmt_elf.c)



Package: kernel-source-2.6.8
Version: 2.6.8-15
Severity: critical
Tags: security patch

From Secunia advisory http://secunia.com/advisories/15341/

DESCRIPTION:
Paul Starzetz has reported a vulnerability in the Linux kernel, which
can be exploited by malicious, local users to gain escalated
privileges.

The vulnerability is caused due to a signedness error in the Linux
ELF binary format loader's core dump function (elf_core_dump()) and
can be exploited to cause a buffer overflow via a specially crafted
ELF binary.

Successful exploitation makes it possible to gain root privileges and
execute arbitrary code with kernel privileges.

The vulnerability has been reported in versions 2.2 through
2.2.27-rc2, versions 2.4 through 2.4.31-pre1, and versions 2.6
through 2.6.12-rc4.

ORIGINAL ADVISORY:
Kernel.org:
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.9

iSEC Security Research:
http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
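The signedness error the advisory describes, as an added example that is neither the kernel's code nor the iSEC advisory's: the vulnerable length computation beside the hardened one. It assumes, since the page does not show the affected lines, that fill_psinfo derives the argument-string length as arg_end - arg_start and clamps it against the psinfo argument buffer before copying from user space; PRARGSZ and the addresses are constructed stand-ins.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for ELF_PRARGSZ, the size of the fixed
 * argument-string buffer in struct elf_prpsinfo. */
#define PRARGSZ 80

/* Vulnerable pattern (hypothetical mirror of the pre-fix logic, not the
 * kernel's lines): a signed length. When arg_end < arg_start the
 * subtraction goes negative, the >= clamp never fires, and the value
 * handed to the copy routine becomes a huge size_t. Truncating the
 * out-of-range value to int follows gcc/clang behaviour (modulo 2^32). */
size_t vulnerable_arg_len(unsigned long arg_start, unsigned long arg_end)
{
    int len = (int)(arg_end - arg_start);
    if (len >= PRARGSZ)
        len = PRARGSZ - 1;          /* skipped for negative len */
    return (size_t)len;             /* negative -> value near SIZE_MAX */
}

/* Hardened pattern: unsigned length, so an "end before start" value is
 * large and positive and the same clamp bounds it to the buffer. */
size_t fixed_arg_len(unsigned long arg_start, unsigned long arg_end)
{
    unsigned int len = (unsigned int)(arg_end - arg_start);
    if (len >= PRARGSZ)
        len = PRARGSZ - 1;
    return len;
}

/* 1 if a copy of the computed length would overrun a PRARGSZ buffer. */
int would_overflow(size_t len)
{
    return len >= PRARGSZ;
}

int main(void)
{
    /* Constructed addresses: a normal layout and an uninitialised arg_end. */
    unsigned long start = 0x1000, ok_end = 0x1010, bad_end = 0;

    printf("normal   : vuln=%zu fixed=%zu\n",
           vulnerable_arg_len(start, ok_end), fixed_arg_len(start, ok_end));
    printf("end<start: vuln overflows=%d fixed overflows=%d\n",
           would_overflow(vulnerable_arg_len(start, bad_end)),
           would_overflow(fixed_arg_len(start, bad_end)));
    return 0;
}
```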


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-1-k7
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)

Versions of packages kernel-source-2.6.8 depends on:
ii  binutils                      2.15-5     The GNU assembler, linker and bina
ii  bzip2                         1.0.2-6    high-quality block-sorting file co
ii  coreutils [fileutils]         5.2.1-2    The GNU core utilities

-- no debconf information
--- a/fs/binfmt_elf.c	2005-05-11 15:43:56 -07:00
+++ b/fs/binfmt_elf.c	2005-05-11 15:43:56 -07:00
@@ -257,7 +257,7 @@
 	}
 
 	/* Populate argv and envp */
-	p = current->mm->arg_start;
+	p = current->mm->arg_end = current->mm->arg_start;
 	while (argc-- > 0) {
 		size_t len;
 		__put_user((elf_addr_t)p, argv++);
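Review bot: the chained assignment `p = current->mm->arg_end = current->mm->arg_start;` establishes arg_end == arg_start before the argv loop, but nothing in this hunk shows arg_end being advanced afterwards, so a reader cannot tell whether the intent is only to guarantee arg_end >= arg_start (so a later arg_end - arg_start cannot go negative) or to record a real end address. Split it into two statements with a one-line comment stating the invariant, and confirm the same initialization happens on every path that sets mm->arg_start; otherwise the type change in the second hunk only turns a negative length into a large positive one that relies on the clamp.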
@@ -1279,7 +1279,7 @@
 static int fill_psinfo(struct elf_prpsinfo *psinfo, struct task_struct *p,
 		       struct mm_struct *mm)
 {
-	int i, len;
+	unsigned int i, len;
 	
 	/* first copy the parameters from user space */
 	memset(psinfo, 0, sizeof(struct elf_prpsinfo));
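Review bot: changing `i` and `len` to `unsigned int` stops a negative `len` from slipping past a `>=` size clamp, but the hunk does not show the loops in the rest of fill_psinfo that use `i`; any loop of the form `for (i = len - 1; i >= 0; i--)` or `while (i >= 0)` never terminates with an unsigned counter, so those conditions need to be checked. A comment on the declaration explaining that `len` must stay unsigned because it is bounded against the psinfo buffer size before a user-space copy would keep the next refactor from reverting it.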
