Vigil@nce: Linux kernel, executable page on Sparc
March 2010 by Vigil@nce
On a Sparc processor, memory pages tagged as non-executable are actually executable.
Severity: 2/4
Consequences: administrator access/rights, privileged access/rights, user access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 24/02/2010
IMPACTED PRODUCTS
Linux kernel
DESCRIPTION OF THE VULNERABILITY
The Sparc SUN4U assembler uses signed constants of 13 bits:
  or %reg1, constant, %result (result = reg1 OR constant)
  and %reg1, constant, %result (result = reg1 AND constant)
  etc.
The special "sethi" instruction is used to set the 22 MSB (most significant bits) of a register, before an instruction:
  sethi %hi(constant), %result
  or %reg1, %lo(constant), %result
The Linux kernel uses the _PAGE_EXEC_4U (0x1000) constant, which is the flag for executable pages. However, it does not use sethi when testing this flag, so the mask is sign-extended to 0xFFFFF000 and the test becomes positive because of other bits covered by the extended mask.
On a Sparc processor, memory pages tagged as non-executable are therefore actually executable. Protections such as a non-executable stack are then ineffective.
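The sign extension described above, modelled in C as an added example (not code from the kernel or from the advisory). The function names and the sample page-table entry are constructed for illustration; the model uses a 64-bit mask whose low 32 bits are the 0xFFFFF000 quoted above.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_EXEC_4U  0x1000ULL              /* flag value from the advisory */
#define SAMPLE_NX_PTE 0x0000000012346000ULL  /* constructed PTE, bit 12 clear */

/* Sign-extend the low 13 bits of a constant, as an immediate operand is. */
static uint64_t simm13(uint64_t imm)
{
    uint64_t field = imm & 0x1FFFULL;   /* only 13 bits fit in the instruction */
    if (field & 0x1000ULL)              /* bit 12 is the sign bit */
        field |= ~0x1FFFULL;            /* copy it into every higher bit */
    return field;
}

/* Flawed test: the flag is used directly as a 13-bit immediate. */
static int exec_test_immediate(uint64_t pte)
{
    return (pte & simm13(PAGE_EXEC_4U)) != 0;
}

/* Intended test: the full constant is first loaded into a register (sethi). */
static int exec_test_register(uint64_t pte)
{
    return (pte & PAGE_EXEC_4U) != 0;
}

int main(void)
{
    printf("mask as immediate: 0x%016llx\n",
           (unsigned long long)simm13(PAGE_EXEC_4U));
    printf("non-exec PTE, immediate test: %d\n",
           exec_test_immediate(SAMPLE_NX_PTE));
    printf("non-exec PTE, register test:  %d\n",
           exec_test_register(SAMPLE_NX_PTE));
    return 0;
}
```

Any entry with a bit set at or above bit 12 passes the immediate-form test, which is why the check reports non-executable pages as executable.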
CHARACTERISTICS
Identifiers: BID-38393, VIGILANCE-VUL-9472
Url: http://vigilance.fr/vulnerability/L...




