CVE-2010-0307
First published: Mon Feb 01 2010(Updated: )
Description of problem: The problem seams to be located in fs/binfmt_elf.c:load_elf_binary(). It calls SET_PERSONALITY() prior checking that the ELF interpreter is available. This in turn makes the previously 32 bit process a 64 bit one which would be fine if execve() would succeed. But after the SET_PERSONALITY() the open_exec() call fails (because it cannot find the interpreter) and execve() almost instantly returns with an error. If you now look at /proc/PID/maps you'll see, that it has the vsyscall page mapped which shouldn't be. But the process is not dead yet, it's still running. By now generating a segmentation fault and in turn trying to generate a core dump the kernel just dies. Steps to Reproduce: 1. Enable core dumps 2. Start an 32 bit program that tries to execve() an 64 bit program 3. The 64 bit program cannot be started by the kernel because it can't find the interpreter, i.e. execve returns with an error 4. Generate a segmentation fault 5. panic (EDIT: This is triggerable on 2.6.31.9-174.fc12.x86_64). Upstream commit: <a href="http://git.kernel.org/linus/221af7f87b97431e3ee21ce4b0e77d5411cf1549">http://git.kernel.org/linus/221af7f87b97431e3ee21ce4b0e77d5411cf1549</a> Discussions: <a href="http://marc.info/?t=126466700200002&r=1&w=2">http://marc.info/?t=126466700200002&r=1&w=2</a> Acknowledgements: Red Hat would like to thank Mathias Krause for reporting this issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | <2.6.32.8 | |
| Debian Debian Linux | =5.0 | |
| Debian Debian Linux | =4.0 | |
| Canonical Ubuntu Linux | =6.06 | |
| Canonical Ubuntu Linux | =9.04 | |
| Canonical Ubuntu Linux | =8.04 | |
| Canonical Ubuntu Linux | =8.10 | |
| Canonical Ubuntu Linux | =9.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.8
- http://www.securityfocus.com/bid/38027
- http://www.openwall.com/lists/oss-security/2010/02/04/1
- http://www.openwall.com/lists/oss-security/2010/02/01/1
- http://marc.info/?t=126466700200002&r=1&w=2
- https://bugzilla.redhat.com/show_bug.cgi?id=560547
- http://www.openwall.com/lists/oss-security/2010/02/04/9
- http://www.openwall.com/lists/oss-security/2010/02/01/5
- http://marc.info/?l=linux-mm&m=126466407724382&w=2
- http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035159.html
- http://www.debian.org/security/2010/dsa-1996
- http://secunia.com/advisories/38492
- http://www.ubuntu.com/usn/USN-914-1
- http://www.vupen.com/english/advisories/2010/0638
- https://rhn.redhat.com/errata/RHSA-2010-0146.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:066
- http://secunia.com/advisories/38922
- http://www.redhat.com/support/errata/RHSA-2010-0398.html
- http://secunia.com/advisories/39649
- http://secunia.com/advisories/38779
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00000.html
- http://support.avaya.com/css/P8/documents/100088287
- http://www.redhat.com/support/errata/RHSA-2010-0771.html
- http://www.vmware.com/security/advisories/VMSA-2011-0003.html
- http://secunia.com/advisories/43315
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10870
- http://www.securityfocus.com/archive/1/516397/100/0/threaded
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=221af7f87b97431e3ee21ce4b0e77d5411cf1549
- http://www.globalsecuritymag.com/Vigil-nce-Linux-kernel-denial-of%2C20100202%2C15754.html
- http://git.kernel.org/linus/221af7f87b97431e3ee21ce4b0e77d5411cf1549
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=387971
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=387971&action=edit
- http://git.kernel.org/linus/05d43ed8a89c159ff641d472f970e3f1baa66318
- http://git.kernel.org/linus/94673e968cbcce07fa78dac4b0ae05d24b5816e1
- http://admin.fedoraproject.org/updates/kernel-2.6.30.10-105.2.13.fc11
- http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.17.fc12
- http://marc.info/?l=linux-kernel&m=126636290420589&q=raw
- https://rhn.redhat.com/errata/RHSA-2010-0398.html
- https://rhn.redhat.com/errata/RHSA-2010-0771.html
- collector/nvd-historical
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-0307
- vendor/linux
- canonical/linux linux kernel
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/5.0
- version/debian debian linux/4.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/6.06
- version/canonical ubuntu linux/9.04
- version/canonical ubuntu linux/8.04
- version/canonical ubuntu linux/8.10
- version/canonical ubuntu linux/9.10