Vigil@nce: Linux kernel, denial of service on x86_64
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
On a x86_64 processor, a local attacker can use a malicious ELF program, in order to stop the system.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 01/02/2010
IMPACTED PRODUCTS
Linux kernel
DESCRIPTION OF THE VULNERABILITY
System calls (select(), poll(), etc.) and memory layout are different between systems. For example, a program conceived to use the select() of Solaris may not work with the Linux select() because of minor behavior changes.
Personalities (or execution domains) indicate how the kernel has to behave:
PER_LINUX: normal mode for Linux
PER_SOLARIS: emulate the Solaris kernel
PER_IRIX32: emulate the IRIX kernel
etc.
On a x86_64 processor, an attacker can start a 32 bit application, which calls via execve() a 64 bit program, which fails. However, the SET_PERSONALITY() macro was called during the execve(). The program thus obtained a 64 bit personality, whereas it is a 32 bit program, which corrupts its state, and stops the kernel.
On a x86_64 processor, a local attacker can therefore use a malicious ELF program, in order to stop the system.
CHARACTERISTICS
Identifiers: BID-38027, CVE-2010-0307, VIGILANCE-VUL-9395
Tweeter