search menu icon-carat-right cmu-wordmark

CERT Coordination Center


BSD i386_set_ldt syscall does not appropriately validate call gate targets

Vulnerability Note VU#358960

Original Release Date: 2001-02-16 | Last Revised: 2001-03-02

Overview

There are a set of kernel interfaces called "call gates" which are code primitives used to build system-level calls into an operating system's kernel. A subset of these "calls gates" may be able to be manipulated on some operating systems which use improper privilege checking when accessing local descriptor tables (LDTs)

Description

Of specific concern is the syscall "i386_set_ldt" , which accesses a call gate without first validating whether a ring transition to a more privileged segment in the LDT is appropriate.

Of special note is an observation shared in the NetBSD security advisory on this issue:

A common misunderstanding of how gate descriptors work may result in
the programmer believing they've defended against this attack (by
checking the gate's DPL) without having done so (you need to check the
DPL of the code segment that the gate targets).

Note that this behaviour is not restricted to Intel processors; the bug
applies to implementations of the x86 architecture by other
manufacturers as well.


This programming defect is likely to affect other platforms as well.

Impact

A user with access to a local account may gain privileges reserved for the kernel.

Solution

Apply kernel patches provided by your vendor.

The fix to NetBSD [for example]:

Index: i386/sys_machdep.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/i386/i386/sys_machdep.c,v
retrieving revision 1.54
diff -u -r1.54 sys_machdep.c
--- i386/sys_machdep.c2001/01/16 01:50:361.54
+++ i386/sys_machdep.c2001/01/16 02:37:22
@@ -222,6 +222,15 @@
break;
case SDT_SYS286CGT:
case SDT_SYS386CGT:
+/*
+ * Only allow call gates targeting a segment in the LDT or
+ * a user segment in the fixed part of the gdt.
+ * Segments in the LDT are constrained (below) to be user segments.
+ */
+if (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) &&
+    ((IDXSEL(desc.gd.gd_selector) >= NGDT) ||
+     (gdt[IDXSEL(desc.gd.gd_selector)].sd.sd_dpl != SEL_UPL)))
+return (EACCES);
/* Can't replace in use descriptor with gate. */
if (n == fsslot || n == gsslot)
return (EBUSY);

Vendor Information

358960
Expand all

NetBSD

Notified:  January 16, 2001 Updated:  February 16, 2001

Status

  Vulnerable

Vendor Statement

NetBSD is vulnerable on x86 platforms only. Please see NetBSD-SA2001-002, "Vulnerability in x86 USER_LDT validation":

ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-002.txt.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  January 19, 2001 Updated:  March 02, 2001

Status

  Vulnerable

Vendor Statement

Please see OpenBSD 2.8 Errata 022: SECURITY FIX: Mar 2, 2001 at

http://www.openbsd.com/errata.html#userldt

The OpenBSD Project also released a security announcement on Mar 2 titled: "Vulnerability in USER_LDT i386 kernel option"

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Some excerpts from the OpenBSD advisory:

This USER_LDT kernel option is not in the OpenBSD kernel by default, and is
only suggested for use by users running the WINE port. This option is not
documented elsewhere.

----------------------------------------------------------------------------

AFFECTED SYSTEMS

OpenBSD/i386 does not use or document the USER_LDT option. Only users of
the WINE port are instructed to enable this option.

A patch for this option was commited to the source tree on January 19, 2001.

----------------------------------------------------------------------------

RESOLUTION

If you are using an OpenBSD kernel compiled with "option USER_LDT", apply
the patch supplied at the bottom of this advisory and recompile your
kernel.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This was initially reported by Bill Sommerfeld.

This document was written by Jeff S Havrilla

Other Information

CVE IDs: None
Severity Metric: 7.13
Date Public: 2001-02-16
Date First Published: 2001-02-16
Date Last Updated: 2001-03-02 22:12 UTC
Document Revision: 7

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.