Bug 639708 (CVE-2010-3301) - VUL-0: CVE-2010-3301: kernel: IA32 System Call local privilege escalation
Status: RESOLVED FIXED
Alias: CVE-2010-3301
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P1 - Urgent, Severity: Critical
Target Milestone: ---
Deadline: 2010-09-20
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:11.3:35928 maint:relea...
 
Reported: 2010-09-16 07:33 UTC by Ludwig Nussel
Modified: 2018-07-03 20:34 UTC

Found By: Other
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
exploit from http://sota.gen.nz/compat2/robert_you_suck.c (4.99 KB, text/x-c)
2010-09-16 07:39 UTC, Ludwig Nussel

Description Ludwig Nussel 2010-09-16 07:33:26 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

CVE-2010-3301

------------------------------------------------------------------------------
Date: Thu, 16 Sep 2010 12:56:46 +0800
From: Eugene Teo <eugeneteo@kernel.sg>
Subject: [oss-security] CVE-2010-3301 kernel: IA32 System Call Entry Point Vulnerability

CVE-2007-4573 regression. Local privilege escalation.

Introduced in v2.6.27-rc1 via commit d4d67150.

Upstream commits:
http://git.kernel.org/linus/36d001c70d8a0144ac1d038f6876c484849a74de
http://git.kernel.org/linus/eefdca043e8391dcd719711716492063030b55ac

References:
http://sota.gen.nz/compat2/
https://bugzilla.redhat.com/CVE-2010-3301

Thanks, Eugene
-- 
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Comment 1 Ludwig Nussel 2010-09-16 07:39:46 UTC
Created attachment 389884
exploit from http://sota.gen.nz/compat2/robert_you_suck.c
Comment 2 Marcus Meissner 2010-09-16 12:07:16 UTC
also for SLE11 submission.
Comment 3 Marcus Meissner 2010-09-16 12:12:43 UTC
worked nicely out of the box on 11.3.
Comment 4 Swamp Workflow Management 2010-09-16 12:18:51 UTC
The SWAMPID for this issue is 35853.
This issue was rated as critical.
Please submit fixed packages until 2010-09-20.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Jeff Mahoney 2010-09-16 18:59:08 UTC
Fix applied to SLE11.
Fix applied to openSUSE 11.2.
Fix applied to SLE11 SP1.
Fix applied to openSUSE 11.3.
Fix applied to openSUSE Factory.

SLERT and Moblin/Meego may be affected.
Comment 6 Jan Beulich 2010-09-17 08:56:56 UTC
Please note that the patches (actually being redundant of one another afaict) will need Xen counterparts before the issue can be considered done. I'm in the process of doing this.
Comment 7 Jan Beulich 2010-09-17 09:40:49 UTC
Xen variant applied to SLE11 SP1, SLE11, openSUSE 11.3, and openSUSE 11.2.
Comment 8 Mike Galbraith 2010-09-17 10:32:24 UTC
Applied to SLE11-RT-SP1.
Comment 9 Marcus Meissner 2010-09-17 13:53:27 UTC
build exploit with

gcc -m32 -O2 -o robert_you_suck ./robert_you_suck.c
./robert_you_suck
Comment 10 Sebastian Krahmer 2010-09-22 09:05:18 UTC
I wonder how this can work with -m32 since the C file has
inline asm referring to %rax?!
Was not able to reproduce on my 11.2 (not compiling with -m32
and not working without).
Comment 11 Swamp Workflow Management 2010-09-22 16:10:22 UTC
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 12 Swamp Workflow Management 2010-09-22 16:13:20 UTC
Update released for: kernel-debug, kernel-debug-base, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-extra, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-docs, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-extra, kernel-ps3, kernel-ps3-debuginfo, kernel-ps3-debugsource, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-extra, kernel-vanilla, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra
Products:
openSUSE 11.1 (debug, i586, ppc, x86_64)
Comment 13 Swamp Workflow Management 2010-09-22 20:01:50 UTC
Update released for: cluster-network-kmp-default, ext4dev-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 11 (s390x)
SLE-HAE 11 (s390x)
SLE-SERVER 11 (s390x)
Comment 14 Swamp Workflow Management 2010-09-22 20:07:53 UTC
Update released for: cluster-network-kmp-default, ext4dev-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 11 (ia64)
SLE-HAE 11 (ia64)
SLE-SERVER 11 (ia64)
Comment 15 Swamp Workflow Management 2010-09-22 20:12:54 UTC
Update released for: cluster-network-kmp-default, ext4dev-kmp-default, ext4dev-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 11 (ppc64)
SLE-HAE 11 (ppc64)
SLE-SERVER 11 (ppc64)
Comment 16 Swamp Workflow Management 2010-09-22 20:56:32 UTC
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ia64)
SLE-HAE 11-SP1 (ia64)
SLE-SERVER 11-SP1 (ia64)
Comment 17 Swamp Workflow Management 2010-09-22 21:11:38 UTC
Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-desktop-devel, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (i386)
SLE-DESKTOP 11-SP1 (i386)
SLE-HAE 11-SP1 (i386)
SLE-SERVER 11-SP1 (i386)
SLES4VMWARE 11-SP1 (i386)
Comment 18 Swamp Workflow Management 2010-09-22 21:26:43 UTC
Update released for: cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-vmi, ext4dev-kmp-xen, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-extra, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-vmi, kernel-vmi-base, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra
Products:
SLE-DEBUGINFO 11 (i386)
SLE-DESKTOP 11 (i386)
SLE-HAE 11 (i386)
SLE-SERVER 11 (i386)
Comment 19 Swamp Workflow Management 2010-09-22 21:44:22 UTC
Update released for: cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra
Products:
SLE-DEBUGINFO 11 (x86_64)
SLE-DESKTOP 11 (x86_64)
SLE-HAE 11 (x86_64)
SLE-SERVER 11 (x86_64)
Comment 20 Swamp Workflow Management 2010-09-22 21:51:40 UTC
Update released for: btrfs-kmp-default, btrfs-kmp-ppc64, cluster-network-kmp-default, cluster-network-kmp-ppc64, ext4dev-kmp-default, ext4dev-kmp-ppc64, gfs2-kmp-default, gfs2-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra
Products:
SLE-DEBUGINFO 11-SP1 (ppc64)
SLE-HAE 11-SP1 (ppc64)
SLE-SERVER 11-SP1 (ppc64)
Comment 21 Swamp Workflow Management 2010-09-22 22:06:26 UTC
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, iscsitarget-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man, oracleasm-kmp-default
Products:
SLE-DEBUGINFO 11-SP1 (s390x)
SLE-HAE 11-SP1 (s390x)
SLE-SERVER 11-SP1 (s390x)
Comment 22 Swamp Workflow Management 2010-09-22 23:34:32 UTC
Update released for: btrfs-kmp-default, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-xen, hyper-v-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra
Products:
SLE-DEBUGINFO 11-SP1 (x86_64)
SLE-DESKTOP 11-SP1 (x86_64)
SLE-HAE 11-SP1 (x86_64)
SLE-SERVER 11-SP1 (x86_64)
SLES4VMWARE 11-SP1 (x86_64)
Comment 23 Swamp Workflow Management 2010-09-23 01:08:50 UTC
Update released for: kernel-default-extra, kernel-ppc64-extra
Products:
SLE-SERVER 11-EXTRA (ppc64)
Comment 24 Swamp Workflow Management 2010-09-23 01:09:13 UTC
Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (ia64)
Comment 25 Swamp Workflow Management 2010-09-23 01:09:56 UTC
Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)
Comment 26 Swamp Workflow Management 2010-09-23 01:10:21 UTC
Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)
Comment 27 Swamp Workflow Management 2010-09-23 01:11:05 UTC
Update released for: kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)
Comment 28 Swamp Workflow Management 2010-09-23 03:09:10 UTC
Update released for: kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)
Comment 29 Swamp Workflow Management 2010-09-23 03:12:06 UTC
Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)
Comment 30 Swamp Workflow Management 2010-09-23 03:13:25 UTC
Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (ia64)
Comment 31 Swamp Workflow Management 2010-09-23 03:13:49 UTC
Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)
Comment 32 Swamp Workflow Management 2010-09-23 03:14:33 UTC
Update released for: kernel-default-extra, kernel-ppc64-extra
Products:
SLE-SERVER 11-EXTRA (ppc64)
Comment 33 Swamp Workflow Management 2010-09-23 13:12:30 UTC
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.2 (debug, i586, x86_64)
Comment 34 Marcus Meissner 2010-09-27 11:00:42 UTC
open and unreleased:

-slert 11 sp1
-moblin 2.0, 2.1
Comment 35 Swamp Workflow Management 2010-09-29 12:46:41 UTC
Update released for: ib-bonding-kmp-default, oracleasm-kmp-default
Products:
SLE-SERVER 10-SP3 (s390x)
Comment 36 Swamp Workflow Management 2010-10-20 17:59:27 UTC
Update released for: adminfs, novell-cluster-services, novell-cluster-services-cli, novell-cluster-services-km, novell-evms-snapins, novell-nss, novell-sms-zapishim, novell-sms-zapishim-bigsmp, novell-sms-zapishim-default, novell-sms-zapishim-smp, python-xml
Products:
Open-Enterprise-Server 9 (i386)
Comment 37 Dirk Mueller 2010-10-21 07:33:15 UTC
all updates released
Comment 38 Swamp Workflow Management 2011-02-07 11:51:13 UTC
Update released for: brocade-bna-kmp-rt, iscsitarget-kmp-rt, kernel-rt, kernel-rt-base, kernel-rt-debuginfo, kernel-rt-debugsource, kernel-rt-devel, kernel-rt-devel-debuginfo, kernel-rt-extra, kernel-rt_trace, kernel-rt_trace-base, kernel-rt_trace-debuginfo, kernel-rt_trace-debugsource, kernel-rt_trace-devel, kernel-rt_trace-devel-debuginfo, kernel-rt_trace-extra, kernel-source-rt, kernel-source-rt-debuginfo, kernel-syms-rt, ofed-kmp-rt
Products:
SLE-RT 11-SP1 (x86_64)