SYNTHESIS OF THE VULNERABILITY

On a x86_64 processor, a local attacker can use a malicious ELF program, in order to stop the system.

Severity: 1/4

Consequences: denial of service of computer

Provenance: user shell

Means of attack: 1 attack

Ability of attacker: technician (2/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 01/02/2010

IMPACTED PRODUCTS

 Linux kernel

DESCRIPTION OF THE VULNERABILITY

System calls (select(), poll(), etc.) and memory layout are different between systems. For example, a program conceived to use the select() of Solaris may not work with the Linux select() because of minor behavior changes.

Personalities (or execution domains) indicate how the kernel has to behave:

 PER_LINUX: normal mode for Linux
 PER_SOLARIS: emulate the Solaris kernel
 PER_IRIX32: emulate the IRIX kernel
 etc.

On a x86_64 processor, an attacker can start a 32 bit application, which calls via execve() a 64 bit program, which fails. However, the SET_PERSONALITY() macro was called during the execve(). The program thus obtained a 64 bit personality, whereas it is a 32 bit program, which corrupts its state, and stops the kernel.

On a x86_64 processor, a local attacker can therefore use a malicious ELF program, in order to stop the system.

CHARACTERISTICS

Identifiers: BID-38027, CVE-2010-0307, VIGILANCE-VUL-9395

http://vigilance.fr/vulnerability/L...