Bug 64493 (CVE-2004-1234)

Date: Wed, 22 Dec 2004 12:08:29 -0200
From: Marcelo Tosatti <marcelo.tosatti@cyclades.com>
To: Mark J Cox <mjc@redhat.com>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] 2.4 load_elf_binary error path flaw

On Tue, Dec 21, 2004 at 01:19:44PM +0000, Mark J Cox wrote:
> Chris fixed a flaw found by Kirill Korotaev on April 9th 2004.
> http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ
> Therefore it affects <2.4.26
> 
> Anyway it got reported to us with a reproducer that can cause a crash, 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142965
> 
> So since we're going to fix it and it's now a proven local DoS I've 
> assigned it CAN-2004-1234

The recent binfmt_aout v2.6 backport changes also fix a DoS:

ChangeSet@1.1527.1.13, 2004-12-16 16:06:31-02:00, chrisw@osdl.org
  [PATCH] a.out: error check on set_brk
                                                                                
  It's possible for do_brk() to fail during set_brk() when exec'ing and
  a.out.  This was noted with Florian's a.out binary and overcommit set to
  0.
                                                                                
  Capture this error and terminate properly.

ChangeSet@1.1527.1.16, 2004-12-17 21:45:58-02:00, chrisw@osdl.org
  [PATCH] Backport of 2.6 fix to insert_vm_struct to make it return an error
rather than BUG().
                                                                                
  Backport of 2.6 fix to insert_vm_struct to make it return an error
  rather than BUG().  This eliminates a user triggerable BUG() when user
  created a large vma that overlapped with arg pages during exec (could be
  triggered with a.out on i386 and x86_64 and elf on ia64).
                                                                                
  Signed-off-by: Chris Wright <chrisw@osdl.org>