Vulnerability Note VU#358960

BSD i386_set_ldt syscall does not appropriately validate call gate targets

Original Release date: 16 Feb 2001 | Last revised: 02 Mar 2001

Overview

There are a set of kernel interfaces called "call gates" which are code primitives used to build system-level calls into an operating system's kernel. A subset of these "calls gates" may be able to be manipulated on some operating systems which use improper privilege checking when accessing local descriptor tables (LDTs)

Description

Of specific concern is the syscall "i386_set_ldt" , which accesses a call gate without first validating whether a ring transition to a more privileged segment in the LDT is appropriate.

Of special note is an observation shared in the NetBSD security advisory on this issue:

A common misunderstanding of how gate descriptors work may result in
the programmer believing they've defended against this attack (by
checking the gate's DPL) without having done so (you need to check the
DPL of the code segment that the gate targets).

Note that this behaviour is not restricted to Intel processors; the bug
applies to implementations of the x86 architecture by other
manufacturers as well.


This programming defect is likely to affect other platforms as well.

Impact

A user with access to a local account may gain privileges reserved for the kernel.

Solution

Apply kernel patches provided by your vendor.

The fix to NetBSD [for example]:

Index: i386/sys_machdep.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/i386/i386/sys_machdep.c,v
retrieving revision 1.54
diff -u -r1.54 sys_machdep.c
--- i386/sys_machdep.c 2001/01/16 01:50:36 1.54
+++ i386/sys_machdep.c 2001/01/16 02:37:22
@@ -222,6 +222,15 @@
break;
case SDT_SYS286CGT:
case SDT_SYS386CGT:
+ /*
+ * Only allow call gates targeting a segment in the LDT or
+ * a user segment in the fixed part of the gdt.
+ * Segments in the LDT are constrained (below) to be user segments.
+ */
+ if (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) &&
+    ((IDXSEL(desc.gd.gd_selector) >= NGDT) ||
+     (gdt[IDXSEL(desc.gd.gd_selector)].sd.sd_dpl != SEL_UPL)))
+ return (EACCES);
/* Can't replace in use descriptor with gate. */
if (n == fsslot || n == gsslot)
return (EBUSY);

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
NetBSDAffected16 Jan 200116 Feb 2001
OpenBSDAffected19 Jan 200102 Mar 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This was initially reported by Bill Sommerfeld.

This document was written by Jeff S Havrilla

Other Information

  • CVE IDs: Unknown
  • Date Public: 16 Feb 2001
  • Date First Published: 16 Feb 2001
  • Date Last Updated: 02 Mar 2001
  • Severity Metric: 7.12
  • Document Revision: 7

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.