Linux Kernel ELF Binary Loader Bad Return Value Issue

2004-11-10T14:24:40
ID OSVDB:11597
Type osvdb
Reporter Paul Starzetz(ihaquer@isec.pl)
Modified 2004-11-10T14:24:40

Description

Vulnerability Description

The ELF binary loader in the Linux kernel (fs/binfmt_elf.c) fails to verify that kernel_read() has filled a kernel buffer completely. The issue is triggered when kernel_read() returns a positive value smaller than the number of bytes requested: the loader accepts the short read, and the unfilled part of the buffer keeps whatever it previously contained. This may allow an attacker to supply an arbitrary memory layout for the binary being executed, resulting in a loss of integrity.

Technical Description

The following code from linux/fs/binfmt_elf.c of the 2.4.27 Linux kernel shows how the return value check while filling kernel buffers accepts incorrect small positive values (the line number 477 is kept because the text below refers to it):

    static int load_elf_binary(struct linux_binprm * bprm, struct pt_regs * regs)
    {
            /* ... */
            size = elf_ex.e_phnum * sizeof(struct elf_phdr);
            elf_phdata = (struct elf_phdr *) kmalloc(size, GFP_KERNEL);
            if (!elf_phdata)
                    goto out;

    477:    retval = kernel_read(bprm->file, elf_ex.e_phoff, (char *) elf_phdata, size);
            if (retval < 0)         /* a positive retval smaller than size is not rejected */
                    goto out_free_ph;

The return value of kernel_read() is checked only for being negative, but, like read(2), it may legitimately return fewer bytes than the requested buffer size. Such a short read is neither detected nor corrected, so the remainder of elf_phdata keeps whatever the kmalloc()ed memory held before. The same pattern occurs on lines 301, 523, and 545 of the same file.

Because kmalloc() does not zero the memory it returns, the unfilled tail of the buffer holds whatever the slab object previously contained. An attacker who can cause a short read and influence that stale data can supply program header entries of their choosing, creating whatever offsets are desired and thereby gaining control over the flow of execution of many setuid binaries. Setuid binaries whose ELF headers are stored below the 4096th byte (that is, within the first page of the file) are probably not exploitable on the i386 architecture.
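The following userspace C model is an added example and is not code from the kernel or from the isec advisory. It replaces kernel_read() with a stand-in that behaves like read(2) over a constructed, truncated file, pre-fills the destination buffer with an attacker-chosen PT_LOAD entry to model stale kmalloc() contents, and places the 2.4.27 check (retval < 0 only) beside the corrected check (retval != size). All names other than kernel_read(), elf_phdata, retval and size are the example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PT_LOAD 1

/* Same layout as the 32-bit struct elf_phdr: eight 32-bit fields, 32 bytes. */
struct elf_phdr {
    uint32_t p_type, p_offset, p_vaddr, p_paddr,
             p_filesz, p_memsz, p_flags, p_align;
};

/* Constructed stand-in for the file being exec'd (not a real binary).
 * The loader will ask for PHNUM program headers (64 bytes) at PHOFF, but the
 * backing store ends 40 bytes in, so only 1.25 headers are readable. */
#define PHOFF 52u                          /* sizeof(Elf32_Ehdr) */
#define PHNUM 2u
static unsigned char g_file[PHOFF + 40];
static const size_t  g_file_len = sizeof g_file;

static void build_file(void) {
    /* One legitimate PT_LOAD entry; the second header is cut off by EOF. */
    struct elf_phdr legit = { PT_LOAD, 0, 0x08048000, 0x08048000,
                              0x1000, 0x1000, 5 /* r-x */, 0x1000 };
    memset(g_file, 0, sizeof g_file);
    memcpy(g_file, "\177ELF", 4);
    memcpy(g_file + PHOFF, &legit, sizeof legit);
}

/* Stand-in for kernel_read(): like read(2), returns fewer bytes than
 * requested when the file ends early, and a negative errno on failure. */
static ssize_t fake_kernel_read(size_t off, char *buf, size_t count) {
    if (off > g_file_len)
        return -EIO;
    size_t avail = g_file_len - off;
    size_t n = count < avail ? count : avail;
    memcpy(buf, g_file + off, n);
    return (ssize_t)n;
}

/* The 2.4.27 check: only a negative return value is treated as an error.
 * A short positive read is accepted and the tail of elf_phdata is left as is. */
static int load_phdrs_vulnerable(struct elf_phdr *elf_phdata, size_t size) {
    ssize_t retval = fake_kernel_read(PHOFF, (char *)elf_phdata, size);
    if (retval < 0)
        return (int)retval;
    return 0;
}

/* Corrected check: anything other than exactly `size` bytes fails the exec. */
static int load_phdrs_fixed(struct elf_phdr *elf_phdata, size_t size) {
    ssize_t retval = fake_kernel_read(PHOFF, (char *)elf_phdata, size);
    if (retval != (ssize_t)size)
        return retval < 0 ? (int)retval : -EIO;
    return 0;
}

/* Models stale slab contents: kmalloc() does not zero memory, so the buffer
 * starts out holding whatever its previous owner left, here an attacker-chosen
 * writable PT_LOAD mapping near the top of the i386 user address space. */
static const struct elf_phdr g_stale = { PT_LOAD, 0, 0xbfff0000, 0xbfff0000,
                                         0x1000, 0x1000, 7 /* rwx */, 0x1000 };

/* Returns 1 if the vulnerable loader accepted the short read and the second
 * program header still carries the stale mapping, 0 otherwise. */
int vulnerable_loader_uses_stale_phdr(void) {
    struct elf_phdr phdata[PHNUM];
    build_file();
    for (unsigned i = 0; i < PHNUM; i++)
        phdata[i] = g_stale;
    int rc = load_phdrs_vulnerable(phdata, sizeof phdata);
    return rc == 0 && phdata[1].p_vaddr == 0xbfff0000u && phdata[1].p_flags == 7u;
}

/* Returns the corrected loader's error code on the same input (-EIO). */
int fixed_loader_result(void) {
    struct elf_phdr phdata[PHNUM];
    build_file();
    for (unsigned i = 0; i < PHNUM; i++)
        phdata[i] = g_stale;
    return load_phdrs_fixed(phdata, sizeof phdata);
}

int main(void) {
    printf("vulnerable loader keeps stale phdr[1]: %d\n", vulnerable_loader_uses_stale_phdr());
    printf("fixed loader returns: %d (-EIO is %d)\n", fixed_loader_result(), -EIO);
    return 0;
}
```

With the file ending 40 bytes into the 64-byte request, the vulnerable path returns 0 and leaves phdata[1] describing the attacker's rwx mapping (only its first two fields were overwritten by the read), while the corrected path rejects the exec with -EIO. The same `retval != size` test applies to every kernel_read() call that fills a fixed-size buffer, not just the one at line 477.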

Solution Description

Fixed upstream by checking that kernel_read() returns exactly the number of bytes requested and failing the exec with -EIO otherwise (see the Other Solution URL below). Updated kernel packages are listed in the RedHat, SUSE and Mandrake advisories referenced below.

Short Description

The Linux kernel ELF binary loader does not check that kernel_read() filled a kernel buffer completely; a positive but short return value is accepted, which may allow an attacker to supply an arbitrary memory layout for the binary, resulting in a loss of integrity.

References:

Vendor URL: http://www.kernel.org/
Security Tracker: 1012165
Secunia Advisory ID: 13457
Secunia Advisory ID: 13126
Secunia Advisory ID: 20162
Secunia Advisory ID: 20163
Secunia Advisory ID: 13395
Secunia Advisory ID: 13458
Secunia Advisory ID: 14002
Secunia Advisory ID: 19607
Secunia Advisory ID: 20202
Secunia Advisory ID: 20338
Related OSVDB ID: 11600
Related OSVDB ID: 11598
Related OSVDB ID: 11599
RedHat RHSA: RHSA-2004:505
RedHat RHSA: RHSA-2004:504
Other Solution URL: http://linux.bkbits.net:8080/linux-2.6/gnupatch@41925edcVccsXZXObG444GFvEJ94GQ
Other Advisory URL: http://www.suse.de/de/security/2004_03_sr.html
Other Advisory URL: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
Other Advisory URL: http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0317.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0820.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0125.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0314.html
ISS X-Force ID: 18025
CVE ID: CVE-2004-1070