Title: Linux Kernel 32 Bit Ptrace Emulation Full Kernel Rights Vulnerability
Severity: MODERATE
Description:
Unix and Unix-like kernels offer a debugging facility called ptrace. Ptrace allows one process to 'attach' to another and inspect or modify its memory. Updates to certain parts of that state (system registers) that control a process's privileges must be carefully verified to ensure that privilege is not escalated.
A vulnerability has been discovered in the 32-bit ptrace emulation in the Linux kernel on x86_64 (AMD64) architectures. This vulnerability allows a user space program to gain full control of the kernel due to a failure to validate information stored in a system register.
It has been reported that due to improper validation of the data written to the EFLAGS register of a child process it is possible for a user process to set itself, or another process, to ring 0 privileges. Ring 0 is the highest possible privilege level, and so the user space process can gain full control of the vulnerable kernel.
This issue arises because the PTRACE_SETREGS request, when used to set the EFLAGS register, fails to retain the previous state of the system flags. At every write to the EFLAGS register, the ptrace software clears all of the EFLAGS flags that are restricted to privileged processes. This results in setting the I/O Privilege Level (via the IOPL flag in the EFLAGS register) to ring 0, giving the process the ability to write to memory space outside of its own. Another result of this is that all maskable interrupts become disabled. This could be used to crash the kernel and therefore result in denial of service.
This issue is known to affect the 2.4 Linux kernels that support the x86_64 (AMD64) architecture; however, other versions of the kernel may also be vulnerable on x86_64 (AMD64) processors.
Further information concerning this issue is not currently available. This BID will be updated as more information becomes available.
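The register write the advisory describes, shown beside the check it says was missing, as an added illustration that is not code from the original advisory or from the Linux kernel. The EFLAGS bit positions are the architectural ones; the set of bits treated as user-modifiable (the arithmetic flags plus TF, DF, RF and AC) is an assumption made for this example, as is the audit helper that flags a write which would raise IOPL or clear IF. The sample register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural EFLAGS bit positions. */
#define EFL_CF   (1u << 0)   /* carry */
#define EFL_PF   (1u << 2)   /* parity */
#define EFL_AF   (1u << 4)   /* auxiliary carry */
#define EFL_ZF   (1u << 6)   /* zero */
#define EFL_SF   (1u << 7)   /* sign */
#define EFL_TF   (1u << 8)   /* single-step trap */
#define EFL_IF   (1u << 9)   /* maskable interrupts enabled */
#define EFL_DF   (1u << 10)  /* direction */
#define EFL_OF   (1u << 11)  /* overflow */
#define EFL_IOPL (3u << 12)  /* I/O privilege level, two bits */
#define EFL_NT   (1u << 14)  /* nested task */
#define EFL_RF   (1u << 16)  /* resume */
#define EFL_VM   (1u << 17)  /* virtual-8086 mode */
#define EFL_AC   (1u << 18)  /* alignment check */

/* Bits an unprivileged tracer is allowed to change in the tracee.
 * Assumption for this example: everything outside this mask (IF, IOPL,
 * NT, VM, reserved bits) is kernel-controlled and must be preserved. */
#define USER_FLAG_MASK \
    (EFL_CF | EFL_PF | EFL_AF | EFL_ZF | EFL_SF | EFL_TF | EFL_DF | EFL_OF | EFL_RF | EFL_AC)

/* The pattern the advisory describes: the requested value replaces the
 * register wholesale, so IOPL and IF end up exactly as the tracer asked. */
uint32_t set_eflags_unchecked(uint32_t current, uint32_t requested)
{
    (void)current;
    return requested;
}

/* Hardened form: take only user-modifiable bits from the request and keep
 * every privileged bit from the tracee's current register value. */
uint32_t set_eflags_checked(uint32_t current, uint32_t requested)
{
    return (current & ~USER_FLAG_MASK) | (requested & USER_FLAG_MASK);
}

/* Current I/O privilege level encoded in an EFLAGS value (0..3). */
unsigned eflags_iopl(uint32_t eflags)
{
    return (eflags & EFL_IOPL) >> 12;
}

/* Audit helper (hypothetical): nonzero if moving from 'before' to 'after'
 * would raise IOPL or turn maskable interrupts off, the two effects the
 * advisory attributes to the unchecked write. */
int eflags_write_escalates(uint32_t before, uint32_t after)
{
    if (eflags_iopl(after) > eflags_iopl(before))
        return 1;
    if ((before & EFL_IF) && !(after & EFL_IF))
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed tracee state: reserved bit 1 set, IF set, IOPL 0. */
    uint32_t current   = 0x2u | EFL_IF;
    /* Constructed request: ZF set, IOPL 3, IF clear. */
    uint32_t requested = EFL_ZF | EFL_IOPL;

    uint32_t bad  = set_eflags_unchecked(current, requested);
    uint32_t good = set_eflags_checked(current, requested);

    printf("unchecked: 0x%08x iopl=%u escalates=%d\n",
           bad, eflags_iopl(bad), eflags_write_escalates(current, bad));
    printf("checked:   0x%08x iopl=%u escalates=%d\n",
           good, eflags_iopl(good), eflags_write_escalates(current, good));
    return 0;
}
```

With the constructed values above, the unchecked write yields IOPL 3 with IF cleared and the audit helper reports escalation, while the checked write keeps IOPL 0 and IF set and only the requested ZF bit changes.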
Affected Products:
- Conectiva Linux 9.0.0
- Linux kernel 2.4.21
- MandrakeSoft Linux Mandrake 9.1.0
- MandrakeSoft Linux Mandrake 9.1.0 ppc
- RedHat Desktop 3.0.0
- RedHat Enterprise Linux AS 3
- RedHat Enterprise Linux ES 3
- RedHat Enterprise Linux WS 3
- RedHat Fedora Core1
- S.u.S.E. Linux Enterprise Server 8
- S.u.S.E. Linux Personal 9.0.0
- S.u.S.E. Linux Personal 9.0.0 x86_64