Bugzilla – Bug 483819
VUL-0: CVE-2009-0834: kernel: x86-64: syscall-audit: 32/64 syscall hole
Last modified: 2020-04-21 10:56:51 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public.

Date: Mon, 2 Mar 2009 14:46:44 +0800
From: Eugene Teo <eugeneteo@kernel.sg>
To: oss-security@lists.openwall.com
Subject: [oss-security] CVE request: kernel: x86-64: syscall-audit: 32/64 syscall hole

On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call. A 64-bit process can make a 32-bit system call with int $0x80. In both these cases, audit_syscall_entry() will use the wrong system call number table and the wrong system call argument registers. This could be used to circumvent a syscall audit configuration that filters based on the syscall numbers or argument details.

Credit: Roland McGrath.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=487990
http://scary.beasts.org/security/CESA-2009-001.html
http://lkml.org/lkml/2009/2/27/451 summary
http://lkml.org/lkml/2009/2/27/452 syscall-audit
http://lkml.org/lkml/2009/2/27/453 seccomp

-------8<-------
======================================================
Name: CVE-2009-0834

The audit_syscall_entry function in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass certain syscall audit configurations via crafted syscalls, a related issue to CVE-2009-0342 and CVE-2009-0343.

Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=487990
Reference: XF: http://xforce.iss.net/xforce/xfdb/49061
Reference: BID: http://www.securityfocus.com/bid/33951
Reference: SECUNIA: http://secunia.com/advisories/34084
Reference: MISC: http://scary.beasts.org/security/CESA-2009-001.html
Reference: MLIST: http://marc.info/?l=oss-security&m=123597642832637&w=2
Reference: MLIST: http://marc.info/?l=linux-kernel&m=123579065130246&w=2
Reference: MLIST: http://marc.info/?l=linux-kernel&m=123579056530191&w=2
Reference: CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ccbe495caa5e604b04d5a31d7459a6f6a76a756c
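A small C model of the table-selection bug described in the report above, added here as an example (it is not kernel code and not part of the bug report or the upstream fix). The vulnerable selection keys on the task's TIF_IA32 personality flag; the fixed selection keys on the entry path the syscall actually came through. The struct layouts, `real_arch`, the `entered` field standing in for the kernel's per-entry compat status, and the two constructed scenarios are the model's own assumptions.

```c
/* Added model of the CVE-2009-0834 table-selection bug; not kernel code.
 * The constructed task carries both its personality flag (TIF_IA32, set at
 * exec) and the entry path this particular syscall actually came through. */
#include <stdbool.h>
#include <stdint.h>

enum arch  { ARCH_I386, ARCH_X86_64 };
enum entry { ENTRY_INT80, ENTRY_SYSCALL };  /* int $0x80 vs 64-bit syscall insn */

struct regs { uint64_t orig_ax, bx, cx, di, si; };
struct task { bool tif_ia32; enum entry entered; struct regs regs; };
struct audit_call { enum arch arch; uint64_t nr, a0, a1; };

/* The ABI the kernel dispatched on is fixed by the instruction, not the flag. */
enum arch real_arch(struct task t) {
    return t.entered == ENTRY_INT80 ? ARCH_I386 : ARCH_X86_64;
}

/* i386 ABI takes args in ebx, ecx, ...; x86-64 in rdi, rsi, ... . The same
 * orig_ax value also indexes a different syscall table under each ABI. */
static struct audit_call build(struct task t, enum arch arch) {
    struct audit_call c = { .arch = arch, .nr = t.regs.orig_ax };
    if (arch == ARCH_I386) { c.a0 = t.regs.bx; c.a1 = t.regs.cx; }
    else                   { c.a0 = t.regs.di; c.a1 = t.regs.si; }
    return c;
}

/* Vulnerable: chooses table and argument registers from the personality flag,
 * so a TIF_IA32 task entering via syscall is audited as an i386 call. */
struct audit_call audit_entry_vulnerable(struct task t) {
    return build(t, t.tif_ia32 ? ARCH_I386 : ARCH_X86_64);
}

/* Fixed: chooses them from the entry path actually taken (modelled here by
 * the entered field, standing in for a per-entry compat status). */
struct audit_call audit_entry_fixed(struct task t) {
    return build(t, real_arch(t));
}

/* Constructed scenarios from the report; register contents are arbitrary. */
struct task sample_ia32_task_via_syscall(void) {
    return (struct task){ .tif_ia32 = true, .entered = ENTRY_SYSCALL,
        .regs = { .orig_ax = 42, .bx = 0x11, .cx = 0x22, .di = 0xAA, .si = 0xBB } };
}
struct task sample_x86_64_task_via_int80(void) {
    return (struct task){ .tif_ia32 = false, .entered = ENTRY_INT80,
        .regs = { .orig_ax = 42, .bx = 0x11, .cx = 0x22, .di = 0xAA, .si = 0xBB } };
}
```

In both scenarios the vulnerable path records the wrong arch and reads the argument registers of the other ABI, which is exactly what lets a number- or argument-based audit filter be sidestepped; the fixed path agrees with `real_arch` in both.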
set default priority
Applied to SLES10_SP2_BRANCH, SLES10_SP3_BRANCH, SL103_BRANCH, and SL110_BRANCH. It was included in SLE11 as part of 2.6.27.20.
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (ppc) SLE-SDK 10-SP2 (ppc) SLE-SERVER 10-SP2 (ppc)
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo Products: SLE-DEBUGINFO 10-SP2 (i386) SLE-DESKTOP 10-SP2 (i386) SLE-SDK 10-SP2 (i386) SLE-SERVER 10-SP2 (i386)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (ia64) SLE-SDK 10-SP2 (ia64) SLE-SERVER 10-SP2 (ia64)
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms Products: SLE-DEBUGINFO 10-SP2 (s390x) SLE-SERVER 10-SP2 (s390x)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo Products: SLE-DEBUGINFO 10-SP2 (x86_64) SLE-DESKTOP 10-SP2 (x86_64) SLE-SDK 10-SP2 (x86_64) SLE-SERVER 10-SP2 (x86_64)
Update released for: kernel-bigsmp, kernel-debug, kernel-default, kernel-kdump, kernel-ppc64, kernel-rt, kernel-rt_debug, kernel-source, kernel-syms, kernel-xen, kernel-xenpae Products: openSUSE 10.3 (i386, ppc, x86_64)
Update released for: acerhk-kmp-debug, acx-kmp-debug, appleir-kmp-debug, at76_usb-kmp-debug, atl2-kmp-debug, aufs-kmp-debug, dazuko-kmp-debug, drbd-kmp-debug, gspcav-kmp-debug, iscsitarget-kmp-debug, ivtv-kmp-debug, kernel-debug, kernel-default, kernel-docs, kernel-kdump, kernel-pae, kernel-ppc64, kernel-ps3, kernel-source, kernel-syms, kernel-vanilla, kernel-xen, kqemu-kmp-debug, nouveau-kmp-debug, omnibook-kmp-debug, pcc-acpi-kmp-debug, pcfclock-kmp-debug, tpctl-kmp-debug, uvcvideo-kmp-debug, virtualbox-ose-kmp-debug, vmware-kmp-debug, wlan-ng-kmp-debug Products: openSUSE 11.0 (debug, i386, ppc, x86_64)
fixed in the necessary branches, and either released or in qa
A SLERT 10 SP2 kernel update was just released with this bug referenced, version 2.6.22.19-0.22.
Update released for: ib-bonding-kmp-rt, ib-bonding-kmp-rt_bigsmp, ib-bonding-kmp-rt_debug, ib-bonding-kmp-rt_timing, kernel-rt, kernel-rt_bigsmp, kernel-rt_debug, kernel-rt_timing, kernel-source, kernel-syms, ofed, ofed-cxgb3-NIC-kmp-rt, ofed-cxgb3-NIC-kmp-rt_bigsmp, ofed-cxgb3-NIC-kmp-rt_debug, ofed-cxgb3-NIC-kmp-rt_timing, ofed-doc, ofed-kmp-rt, ofed-kmp-rt_bigsmp, ofed-kmp-rt_debug, ofed-kmp-rt_timing Products: SLE-RT 10-SP2 (i386, x86_64)
Starting L3 here
Closing L3 here (based on email from Roberto).
CVE-2009-0834: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)