[UNIX] IA32 System Call Emulation Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



IA32 System Call Emulation Vulnerability
------------------------------------------------------------------------


SUMMARY

Insufficient validation of general-purpose register in IA32 system call
emulation code may lead to local system compromise on x86_64 platform.

DETAILS

Vulnerable Systems:
* Linux 2.6
* Linux 2.4

On x86_64 platform the Linux kernel supports compatibility emulation for
IA32 userland applications providing 32-bit system calls amongst other
32-bit resources.

As a result of arch/x86_64/ia32/ia32entry.S code optimization invalid
opcodes was used in the low level assembler routines providing
insufficient validation of %RAX register in the following part of code
(2.6):

---8<---
sysenter_do_call:
cmpl $(IA32_NR_syscalls-1),%eax
ja ia32_badsys
IA32_ARG_FIXUP 1
call *ia32_sys_call_table(,%rax,8)
---8<---
cstar_do_call:
cmpl $IA32_NR_syscalls-1,%eax
ja ia32_badsys
IA32_ARG_FIXUP 1
call *ia32_sys_call_table(,%rax,8)
---8<---
ia32_do_syscall:
cmpl $(IA32_NR_syscalls-1),%eax
ja ia32_badsys
IA32_ARG_FIXUP
call *ia32_sys_call_table(,%rax,8) # xxx: rip relative
---8<---

Improperly validated 64-bit values stored in the %RAX register may lead to
out-of-bounds system call table access resulting in the ability to execute
arbitrary code in the context of the Linux kernel.

Impact:
Unprivileged local user may execute arbitrary code in the context of the
Linux kernel running on x86_64 platform.

Disclosure timeline:
18th September 2007 - Vendor notification
24th September 2007 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by <mailto:cliph@xxxxxxxxxxxxxxxxxxxx>
Wojciech Purczynski.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [UNIX] Linux Kernel ALSA snd_mem_proc_read Information Disclosure Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Linux Kernel ALSA snd_mem_proc_read Information Disclosure Vulnerability ...
    (Securiteam)
  • [UNIX] Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL Pointer Derefere
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Linux Kernel SCTP-AUTH API Information Disclosure Vulnerability and NULL ... SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname, ...
    (Securiteam)
  • [UNIX] FUSE Information Disclosure
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lack of range validation in FUSE allows attackers to reveal information ... * Linux kernel 2.2 ... static int fuse_copy_pages(struct fuse_copy_state *cs, unsigned nbytes, ...
    (Securiteam)
  • [EXPL] Linux Kernel do_mremap Improved Test
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Linux Kernel ... do_mremap Local Privilege Escalation Vulnerability, ... * GNU General Public License for more details. ...
    (Securiteam)
  • [UNIX] Linux Kernel cpuset tasks Information Disclosure Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Linux Kernel cpuset tasks Information Disclosure Vulnerability ... In order to exploit this vulnerability, an attacker would need access to ...
    (Securiteam)