Vigil@nce: Linux kernel, denial of service on x86_64
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
On an x86_64 processor, a local attacker can use a malicious ELF
program in order to stop the system.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 01/02/2010
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
System calls (select(), poll(), etc.) and memory layout differ
between operating systems. For example, a program written against
the Solaris select() may not work with the Linux select() because of
minor behavioral differences.
Personalities (or execution domains) tell the kernel how it has to
behave for a given process:
– PER_LINUX: normal mode for Linux
– PER_SOLARIS: emulate the Solaris kernel
– PER_IRIX32: emulate the IRIX kernel
– etc.
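The following program is an added example, not code from the Vigil@nce advisory or from the Linux kernel. It shows how a process reads its own execution domain through personality(2) and how the returned value is composed: a base domain in the low byte (PER_LINUX, PER_SOLARIS, PER_IRIX32, ...) plus modifier flags above it. It assumes Linux with glibc's <sys/personality.h>; the table of domain and flag names is constructed here from that header.

```c
/* Added example (not the advisory's code): read the calling process's
 * execution domain with personality(2) and split the value into its base
 * domain (PER_LINUX, PER_SOLARIS, ...) and its modifier flags.
 * Assumes Linux with glibc's <sys/personality.h>. */
#include <stdio.h>
#include <string.h>
#include <sys/personality.h>

struct pers_name {
    unsigned long value;
    const char *name;
};

/* Base execution domains named in the advisory, plus a few others from the
 * header. PER_SOLARIS and PER_IRIX32 already carry STICKY_TIMEOUTS in their
 * definition, so both sides are masked with PER_MASK before comparing. */
static const struct pers_name base_domains[] = {
    { PER_LINUX,   "PER_LINUX"   },   /* normal Linux domain */
    { PER_LINUX32, "PER_LINUX32" },   /* 32-bit Linux domain, e.g. set by linux32(8) */
    { PER_SVR4,    "PER_SVR4"    },
    { PER_BSD,     "PER_BSD"     },
    { PER_IRIX32,  "PER_IRIX32"  },
    { PER_SOLARIS, "PER_SOLARIS" },
};

/* Modifier bits that live above the base-domain byte (PER_MASK). */
static const struct pers_name modifier_flags[] = {
    { ADDR_NO_RANDOMIZE,  "ADDR_NO_RANDOMIZE"  },
    { MMAP_PAGE_ZERO,     "MMAP_PAGE_ZERO"     },
    { ADDR_COMPAT_LAYOUT, "ADDR_COMPAT_LAYOUT" },
    { READ_IMPLIES_EXEC,  "READ_IMPLIES_EXEC"  },
    { ADDR_LIMIT_32BIT,   "ADDR_LIMIT_32BIT"   },
    { SHORT_INODE,        "SHORT_INODE"        },
    { WHOLE_SECONDS,      "WHOLE_SECONDS"      },
    { STICKY_TIMEOUTS,    "STICKY_TIMEOUTS"    },
    { ADDR_LIMIT_3GB,     "ADDR_LIMIT_3GB"     },
};

/* Name of the base domain encoded in a personality value, or "unknown". */
const char *personality_base_name(unsigned long pers)
{
    size_t i;
    for (i = 0; i < sizeof base_domains / sizeof base_domains[0]; i++)
        if ((pers & PER_MASK) == (base_domains[i].value & PER_MASK))
            return base_domains[i].name;
    return "unknown";
}

/* The modifier flags alone (everything above the base-domain byte). */
unsigned long personality_flags(unsigned long pers)
{
    return pers & ~(unsigned long)PER_MASK;
}

/* Write the names of the set modifier flags into buf, '|'-separated.
 * Returns how many flags were set. */
int describe_personality_flags(unsigned long pers, char *buf, size_t len)
{
    size_t i;
    int n = 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof modifier_flags / sizeof modifier_flags[0]; i++) {
        if (pers & modifier_flags[i].value) {
            if (n++ > 0)
                strncat(buf, "|", len - strlen(buf) - 1);
            strncat(buf, modifier_flags[i].name, len - strlen(buf) - 1);
        }
    }
    return n;
}

/* Query the current persona without changing it: 0xffffffff is the
 * documented read-only argument of personality(2). Returns -1 on error. */
int current_personality(void)
{
    return personality(0xffffffff);
}

int main(void)
{
    char flags[256];
    int pers = current_personality();
    if (pers < 0) {
        perror("personality");
        return 1;
    }
    describe_personality_flags((unsigned long)pers, flags, sizeof flags);
    printf("personality 0x%08x: base %s, flags [%s]\n", (unsigned)pers,
           personality_base_name((unsigned long)pers), flags);
    return 0;
}
```

Run under setarch(8) or linux32(8) to see the base domain and flags change; the point of the split is that constants such as PER_SOLARIS are not a bare domain number but a domain combined with the behavioral flags (here STICKY_TIMEOUTS) that make select() behave as on that system.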
On an x86_64 processor, an attacker can start a 32-bit application
which calls, via execve(), a 64-bit program whose loading fails.
However, the SET_PERSONALITY() macro was already called during the
execve(). The process thus obtained a 64-bit personality even though
it is still a 32-bit program, which corrupts its state and stops the
kernel.
On an x86_64 processor, a local attacker can therefore use a
malicious ELF program in order to stop the system.
CHARACTERISTICS
Identifiers: BID-38027, CVE-2010-0307, VIGILANCE-VUL-9395
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-on-x86-64-9395