Bug 73837 (CVE-2005-0749) - VUL-0: CVE-2005-0749: kernel: Potential DoS in load_elf_library
Summary: VUL-0: CVE-2005-0749: kernel: Potential DoS in load_elf_library
Status: RESOLVED FIXED
Alias: CVE-2005-0749
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other All
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2005-0749: CVSS v2 Base Score: 7....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-18 14:45 UTC by Ludwig Nussel
Modified: 2021-11-08 16:36 UTC (History)
1 user (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
load_elf_library-kfree-fix.patch (2.70 KB, patch)
2005-03-24 10:15 UTC, Ludwig Nussel 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2005-03-18 14:45:16 UTC 
We received the following report via vendor-sec.
The issue is public.

Alan forwarded this to vendor-sec without comment.

Date: Fri, 18 Mar 2005 13:04:34 +0000
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: vendor-sec@lst.de
Subject: [vendor-sec] [Fwd: Re: Potential DOS in load_elf_library?]

-----Forwarded Message-----
> From: Andrew Morton <akpm@osdl.org>
> To: Herbert Xu <herbert@gondor.apana.org.au>
> Cc: yxie@cs.stanford.edu, linux-kernel@vger.kernel.org
> Subject: Re: Potential DOS in load_elf_library?
> Date: Fri, 18 Mar 2005 01:05:01 -0800
> 
> Herbert Xu <herbert@gondor.apana.org.au> wrote:
> >
> > Yichen Xie <yxie@cs.stanford.edu> wrote:
> >  > Hi guys, I was looking at the load_elf_library function (fs/binfmt_elf.c) 
> >  > in 2.6.10, and noticed the following:
> >  > 
> >  >        elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
> >  >        ...
> >  >        while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
> >  >        ...
> >  >        kfree(elf_phdata);
> >  > 
> >  > Could this be problematic since the pointer being freed might be different 
> >  > from that returned from kmalloc?
> > 
> >  Indeed.  This bug has been around since last century.
> 
> Duh, I was looking at the wrong function.  Thanks.
> 
> >  How does this look?
> 
> I think it'd be better to use epptr everywhere, so we can see that it only
> gets assigned, tested then freed.
> 
> --- 25/fs/binfmt_elf.c~load_elf_binary-kfree-fix	2005-03-18 01:00:49.000000000 -0800
> +++ 25-akpm/fs/binfmt_elf.c	2005-03-18 01:03:14.000000000 -0800
> @@ -1028,6 +1028,7 @@ out_free_ph:
>  static int load_elf_library(struct file *file)
>  {
>  	struct elf_phdr *elf_phdata;
> +	struct elf_phdr *eppnt;
>  	unsigned long elf_bss, bss, len;
>  	int retval, error, i, j;
>  	struct elfhdr elf_ex;
> @@ -1051,44 +1052,47 @@ static int load_elf_library(struct file 
>  	/* j < ELF_MIN_ALIGN because elf_ex.e_phnum <= 2 */
>  
>  	error = -ENOMEM;
> -	elf_phdata = (struct elf_phdr *) kmalloc(j, GFP_KERNEL);
> +	elf_phdata = kmalloc(j, GFP_KERNEL);
>  	if (!elf_phdata)
>  		goto out;
>  
> +	eppnt = elf_phdata;
>  	error = -ENOEXEC;
> -	retval = kernel_read(file, elf_ex.e_phoff, (char *) elf_phdata, j);
> +	retval = kernel_read(file, elf_ex.e_phoff, (char *)eppnt, j);
>  	if (retval != j)
>  		goto out_free_ph;
>  
>  	for (j = 0, i = 0; i<elf_ex.e_phnum; i++)
> -		if ((elf_phdata + i)->p_type == PT_LOAD) j++;
> +		if ((eppnt + i)->p_type == PT_LOAD)
> +			j++;
>  	if (j != 1)
>  		goto out_free_ph;
>  
> -	while (elf_phdata->p_type != PT_LOAD) elf_phdata++;
> +	while (eppnt->p_type != PT_LOAD)
> +		eppnt++;
>  
>  	/* Now use mmap to map the library into memory. */
>  	down_write(&current->mm->mmap_sem);
>  	error = do_mmap(file,
> -			ELF_PAGESTART(elf_phdata->p_vaddr),
> -			(elf_phdata->p_filesz +
> -			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)),
> +			ELF_PAGESTART(eppnt->p_vaddr),
> +			(eppnt->p_filesz +
> +			 ELF_PAGEOFFSET(eppnt->p_vaddr)),
>  			PROT_READ | PROT_WRITE | PROT_EXEC,
>  			MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE,
> -			(elf_phdata->p_offset -
> -			 ELF_PAGEOFFSET(elf_phdata->p_vaddr)));
> +			(eppnt->p_offset -
> +			 ELF_PAGEOFFSET(eppnt->p_vaddr)));
>  	up_write(&current->mm->mmap_sem);
> -	if (error != ELF_PAGESTART(elf_phdata->p_vaddr))
> +	if (error != ELF_PAGESTART(eppnt->p_vaddr))
>  		goto out_free_ph;
>  
> -	elf_bss = elf_phdata->p_vaddr + elf_phdata->p_filesz;
> +	elf_bss = eppnt->p_vaddr + eppnt->p_filesz;
>  	if (padzero(elf_bss)) {
>  		error = -EFAULT;
>  		goto out_free_ph;
>  	}
>  
> -	len = ELF_PAGESTART(elf_phdata->p_filesz + elf_phdata->p_vaddr + ELF_MIN_ALIGN - 1);
> -	bss = elf_phdata->p_memsz + elf_phdata->p_vaddr;
> +	len = ELF_PAGESTART(eppnt->p_filesz + eppnt->p_vaddr + ELF_MIN_ALIGN - 1);
> +	bss = eppnt->p_memsz + eppnt->p_vaddr;
>  	if (bss > len) {
>  		down_write(&current->mm->mmap_sem);
>  		do_brk(len, bss - len);
> _
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Comment 1 Hubert Mantel 2005-03-23 14:39:11 UTC 
Do we also have the proposed fix in a usable form somewhere? Pasting it into
bugzilla more or less destroys it; I would need to apply it manually line by
line taking the risk of messing things up.
Comment 2 Sebastian Krahmer 2005-03-23 15:07:28 UTC 
CAN-2005-0749

Afaik Alan already forwarded the fix to the list; already
messed up. I will ask
for clean one
Comment 4 Chris L Mason 2005-03-30 13:35:29 UTC 
Patch looks fine to me
Comment 5 Hubert Mantel 2005-04-01 12:04:06 UTC 
Ok, fix is in all trees now.
Comment 6 Ludwig Nussel 2005-06-09 12:49:33 UTC 
updates released
Comment 7 Thomas Biege 2009-10-13 21:12:24 UTC 
CVE-2005-0749: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)