7548256 2001-11-21 10:52 +0100  /33 lines/ Juergen Pabel <spamtrap@invalid.domain>
Sent by: joel@lysator.liu.se
Imported: 2001-11-22  01:01  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19834>
Subject: SuSE 7.3 : Kernel 2.4.10-4GB Bug
------------------------------------------------------------
From: Juergen Pabel <spamtrap@invalid.domain>
To: bugtraq@securityfocus.com
Message-ID: <20011121094913.46F385046@server01.intra.akkaya.de>

Summary:
  Any local user can crash a SuSE 7.3 Kernel 2.4.10-4GB (I imagine
this is a buffer overflow or pointer verification problem while in
kernel mode).

Details:
  I updated my SuSE 7.2 installation to 7.3 and now I can
reproducibly crash the system as any local user (i.e. non-root). Out
of curiosity I started the file /usr/src/linux/vmlinux (basically:
the file "vmlinux" in the base kernel source directory) which is the
"pure" (for lack of a better word) kernel after a successful kernel
compilation. Since this file is essentially an ELF executable it's
possible to start it (whether or not it actually "runs" is a
different story). On a correctly running kernel it should (and does)
exit with SIGSEGV, while on a 2.4.10-4GB kernel it crashes the whole
system (hard reset, instantly...kaputt).
  I have not tested this any further except to verify that this is
actually a problem with the kernel and not some other kernel module
I use (vmware, pcmcia, ...) or even hardware (tested with the same
result on a different machine).

I have also not notified the vendor yet because I haven't verified if
the cause is a SuSE patch or if the problem resides within the
original kernel code (I haven't even started looking for the source
of the problem).

If you want to contact me do so via email "jpabel at akkaya dot de"

Juergen Pabel
Akkaya Consulting GmbH
www.akkaya.de
(7548256) /Juergen Pabel <spamtrap@invalid.domain>/(Rewrapped)
Comment in text 7548537 by Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
7548537 2001-11-22 00:04 +0000  /25 lines/ Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
Sent by: joel@lysator.liu.se
Imported: 2001-11-22  02:55  by Brevbäraren
External recipient: Juergen Pabel <jpabel@akkaya.dot.de>
External CC recipient: bugtraq@securityfocus.com
External replies to: strange@nsk.yi.org
Recipient: Bugtraq (import) <19841>
Comment on text 7548256 by Juergen Pabel <spamtrap@invalid.domain>
Subject: Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug
------------------------------------------------------------
From: Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
To: Juergen Pabel <jpabel@akkaya.dot.de>
Cc: bugtraq@securityfocus.com
Message-ID: <20011122000458.A1022@nsk.yi.org>


I've been able to reproduce the results (instant reboot) by running
the vmlinux as a normal user in a clean Linux 2.4.10 plus ext3, on a
Red Hat Linux system, Pentium 233 MMX processor.

I couldn't reproduce the reboot on a PIII 750, kernel 2.4.15-pre2,
either as normal or root user (good SIGSEGV :)).

It looks like it is a problem within the original kernel, and that it
has been fixed in later releases...

Regards
-- 
Luciano Rocha, strange@nsk.yi.org

The trouble with computers is that they do what you tell them, not
what you want.
                -- D. Cohen
(7548537) /Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>/(Rewrapped)
Comment in text 7562516 by Seth Arnold <sarnold@marcelothewonderpenguin.com>
Comment in text 7563030 by Andrea Arcangeli <andrea@suse.de>
7562516 2001-11-21 17:47 -0800  /23 lines/ Seth Arnold <sarnold@marcelothewonderpenguin.com>
Sent by: joel@lysator.liu.se
Imported: 2001-11-23  21:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19849>
Comment on text 7548537 by Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
Subject: Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug
------------------------------------------------------------
On Thu, Nov 22, 2001 at 12:04:58AM +0000, Luciano Miguel Ferreira Rocha wrote:
> I've been able to reproduce the results (instant reboot) by running the
> vmlinux as a normal user in a clean Linux 2.4.10 plus ext3,
> on Red Hat Linux system, Pentium 233 MMX processor.

I have a hunch of where the problem may have been fixed:

[2.4.11-pre5]
- Jakub Jelinek: ELF loader cleanups
[2.4.11-pre3]
- various: embarrassing lack of error checking in ELF loader
[2.4.11-pre2]
- Jakub Jelinek: handle more ELF loading special cases


Vendors wishing to backport patches into their kernels may wish to
start by looking at these patches.

(I've long felt that the ELF loader is a likely place for festering
problems. If anyone else wants to audit the binfmt_elf loader, I know
I would be grateful. :)
(7562516) /Seth Arnold <sarnold@marcelothewonderpenguin.com>/(Rewrapped)
Attachment (application/pgp-signature) in text 7562517
7562517 2001-11-21 17:47 -0800  /10 lines/ Seth Arnold <sarnold@marcelothewonderpenguin.com>
Imported: 2001-11-23  21:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19850>
Attachment (text/plain) to text 7562516
Subject: Attachment to: Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug
------------------------------------------------------------
(7562517) /Seth Arnold <sarnold@marcelothewonderpenguin.com>/
7563030 2001-11-22 04:40 +0100  /54 lines/ Andrea Arcangeli <andrea@suse.de>
Sent by: joel@lysator.liu.se
Imported: 2001-11-23  23:45  by Brevbäraren
External recipient: Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
External CC recipient: Juergen Pabel <jpabel@akkaya.dot.de>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19854>
Comment on text 7548537 by Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
Subject: Re: SuSE 7.3 : Kernel 2.4.10-4GB Bug
------------------------------------------------------------
From: Andrea Arcangeli <andrea@suse.de>
To: Luciano Miguel Ferreira Rocha <strange@nsk.yi.org>
Cc: Juergen Pabel <jpabel@akkaya.dot.de>, bugtraq@securityfocus.com
Message-ID: <20011122044057.M7955@athlon.random>

On Thu, Nov 22, 2001 at 12:04:58AM +0000, Luciano Miguel Ferreira Rocha wrote:
> 
> I've been able to reproduce the results (instant reboot) by running the
> vmlinux as a normal user in a clean Linux 2.4.10 plus ext3,
> on Red Hat Linux system, Pentium 233 MMX processor.
> 
> I couldn't reproduce the reboot on a PIII 750, kernel 2.4.15-pre2, either
> as normal or root user (good SIGSEGV :)).
> 
> It looks like it is a problem within the original kernel, and that it
> has been fixed in later releases...

Correct. The bug has been fixed in 2.4.11pre3 (most of the credit for
finding the bug and fixing it goes to Linus btw).

All 2.4 kernels before 2.4.12 are affected by this bug. It shouldn't
be exploitable, it should only lead to a local DoS.

A patch to fix vanilla 2.4.10 can be downloaded from here:

	ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.4/2.4.10/binfmt_elf-checks-1

A patch to fix the 2.4.10.SuSE-7.3 kernel (both the original one in
the CDs, and also the first kernel security update) can be downloaded
from here:

	ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.4/2.4.10.SuSE-7.3/binfmt_elf-checks-1

The above two fixes cure more than just the vmlinux crash; there were
further checks missing, and the above two patches include the
further checks as well. If you run a recent kernel (>=2.4.12) and you
want the further checks (even if not necessary just for the vmlinux
crash) this is the patch that you can apply:

	ftp://ftp.us.kernel.org/pub/linux/kernel/people/andrea/kernels/v2.4/2.4.15pre7aa1/00_binfmt-elf-checks-1

The crash is generated by the missing error checks for the mmap/brk
implicit calls while mapping the elf files during execve. The x86
vmlinux elf image claims to be mapped over 3G (that's the kernel image
and the kernel runs there), so the binfmt elf loader tries to map the
vmlinux elf image there, and the mapping fails (because that's kernel
space, not userspace) but the loader doesn't notice and crashes.

On the SuSE side, more about SuSE kernel update rpm packages is to be
announced soon.

Andrea
(7563030) /Andrea Arcangeli <andrea@suse.de>/(Rewrapped)
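
The missing-check failure Andrea describes, as an added illustration that is not code from the thread, from SuSE or from the kernel: a user-space pre-checker that walks an ELF32 image's program headers and flags every PT_LOAD segment that would sit at or above TASK_SIZE (0xC0000000 on a 3G/1G i386 split), which is exactly the mapping the loader's mmap would fail and which 2.4.10 then ignored. The struct names, function names and the sample image are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Minimal ELF32 header layouts (byte-identical to <elf.h>), redefined here to stay self-contained. */
typedef struct { uint8_t e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version, e_entry, e_phoff,
    e_shoff, e_flags; uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; } Ehdr32;
typedef struct { uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align; } Phdr32;
#define PT_LOAD 1
#define TASK_SIZE_3G 0xC0000000u /* i386 with the 3G/1G split: user mappings must end below this */

/* Counts PT_LOAD segments that cannot live in user space (the condition a loader-side BAD_ADDR()-style
   check on the mmap result must catch instead of ignoring the error); returns -1 if the image is malformed. */
int count_unmappable_loads(const uint8_t *buf, size_t len, uint32_t task_size) {
    Ehdr32 eh; if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 1) return -1; /* ELFCLASS32 only */
    if (eh.e_phentsize != sizeof(Phdr32) || eh.e_phoff > len) return -1;
    if ((uint64_t)eh.e_phnum * sizeof(Phdr32) > len - eh.e_phoff) return -1; /* phdr table within the file */
    int bad = 0;
    for (uint32_t i = 0, n = eh.e_phnum; i < n; i++) {
        Phdr32 ph; memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD) continue;
        uint64_t end = (uint64_t)ph.p_vaddr + ph.p_memsz; /* 64-bit so vaddr + memsz cannot wrap to a low value */
        if (ph.p_vaddr >= task_size || end > task_size) {
            printf("PT_LOAD #%u: 0x%08x + 0x%x lies outside user space\n", (unsigned)i, (unsigned)ph.p_vaddr, (unsigned)ph.p_memsz);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample image: an ordinary text segment plus one at 0xC0100000, the kernel-space address
   an i386 vmlinux asks for (the input that crashed 2.4.10). Returns bytes written, or 0 if cap is too small. */
size_t build_sample_image(uint8_t *out, size_t cap) {
    Ehdr32 eh = {0}; Phdr32 ph[2] = {{0}};
    if (cap < sizeof eh + sizeof ph) return 0;
    memcpy(eh.e_ident, "\x7f" "ELF\x01\x01\x01", 7); /* magic, ELFCLASS32, little-endian, EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 3; eh.e_version = 1; eh.e_entry = 0xC0100000u; /* ET_EXEC, EM_386 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof(Phdr32); eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD; ph[0].p_vaddr = 0x08048000u; ph[0].p_memsz = 0x1000;   /* fine */
    ph[1].p_type = PT_LOAD; ph[1].p_vaddr = 0xC0100000u; ph[1].p_memsz = 0x200000; /* kernel space */
    memcpy(out, &eh, sizeof eh); memcpy(out + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Runs the check over the constructed image; returns 1 because only the second segment is rejected. */
int demo(void) {
    uint8_t img[128]; size_t n = build_sample_image(img, sizeof img);
    return n ? count_unmappable_loads(img, n, TASK_SIZE_3G) : -1;
}

int main(void) { printf("unmappable PT_LOAD segments: %d\n", demo()); return 0; }
```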