SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#358960

BSD i386_set_ldt syscall does not appropriately validate call gate targets

Overview

There are a set of kernel interfaces called "call gates" which are code primitives used to build system-level calls into an operating system's kernel. A subset of these "calls gates" may be able to be manipulated on some operating systems which use improper privilege checking when accessing local descriptor tables (LDTs)

I. Description

Of specific concern is the syscall "i386_set_ldt" , which accesses a call gate without first validating whether a ring transition to a more privileged segment in the LDT is appropriate.

Of special note is an observation shared in the NetBSD security advisory on this issue:

A common misunderstanding of how gate descriptors work may result in
the programmer believing they've defended against this attack (by
checking the gate's DPL) without having done so (you need to check the
DPL of the code segment that the gate targets).

Note that this behaviour is not restricted to Intel processors; the bug
applies to implementations of the x86 architecture by other
manufacturers as well.


This programming defect is likely to affect other platforms as well.

II. Impact

A user with access to a local account may gain privileges reserved for the kernel.

III. Solution

Apply kernel patches provided by your vendor.

The fix to NetBSD [for example]:

Index: i386/sys_machdep.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/i386/i386/sys_machdep.c,v
retrieving revision 1.54
diff -u -r1.54 sys_machdep.c
--- i386/sys_machdep.c 2001/01/16 01:50:36 1.54
+++ i386/sys_machdep.c 2001/01/16 02:37:22
@@ -222,6 +222,15 @@
break;
case SDT_SYS286CGT:
case SDT_SYS386CGT:
+ /*
+ * Only allow call gates targeting a segment in the LDT or
+ * a user segment in the fixed part of the gdt.
+ * Segments in the LDT are constrained (below) to be user segments.
+ */
+ if (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) &&
+    ((IDXSEL(desc.gd.gd_selector) >= NGDT) ||
+     (gdt[IDXSEL(desc.gd.gd_selector)].sd.sd_dpl != SEL_UPL)))
+ return (EACCES);
/* Can't replace in use descriptor with gate. */
if (n == fsslot || n == gsslot)
return (EBUSY);

Systems Affected

VendorStatusDate NotifiedDate Updated
NetBSDVulnerable16-Feb-2001
OpenBSDVulnerable2-Mar-2001

References


ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-002.txt.asc
http://www.openbsd.org/errata.html#userldt

Credit

This was initially reported by Bill Sommerfeld.

This document was written by Jeff S Havrilla

Other Information

Date Public:2001-02-16
Date First Published:2001-02-16
Date Last Updated:2001-03-02
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:7.12
Document Revision:7

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader