Bug 479969 (CVE-2009-0029)

Summary: CVE-2009-0029 Linux Kernel insecure 64 bit system call argument passing
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anton, dhoward, dhowells, hannsj_uhl, jlieskov, jpirko, lwang, rcvalle, security-response-team, vgoyal, zaitcev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,source=vendorsec,reported=20090114,public=20090110,cvss2=7.2/AV:L/AC:L/Au:N/C:C/I:C/A:C,cwe=CWE-681->CWE-119
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-21 12:57:40 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 480864, 480866, 486908, 486909, 486910, 486911, 486912    
Bug Blocks:    
Description Flags
the whole patch series that went upstream as tarball none

Description Eugene Teo (Security Response) 2009-01-14 05:50:48 EST
From vendor-sec:
Christian Borntraeger found a security relevant problem with the Linux system calls argument passing for at least s390, powerpc, sparc64 and mips:

The ABI for some architectures defines that the caller of a function has to sign extend each parameter to full register width. This is a problem in Linux system call handling.

For example with this system call on 64 bit:

asmlinkage long sys_example(unsigned int index)
        if (index > 5)
                return -EINVAL;
        return example_array[index];

It would mean that the caller has to sign extend index to 64 bit. In this case the caller is userspace. So we cannot rely on a correct sign extension.

But actually we just pass userspace delivered parameters unmodified to the system call function.

The above example could break like this:

The compiler can create code that will only test the lower 32 bits of the register that contain index to make sure its value is <= 5. However to access the memory location to get the value out of the array it can use the same unmodified (64 bit) register as index register, since the caller had to make sure that the upper 32 bits of the register contain zeroes. But since the value came from user space this isn't guaranteed and can lead to an addressing exception. Or userspace reads or even writes from/to memory locations it is not allowed to have access to.

Please note that this has nothing to do with compat system calls. This is an issue with 64 bit kernel and 64 bit userspace but 32 bit arguments.

Unfortunately the issue must be considered to be already public:

Comment 7 Jan Lieskovsky 2009-01-16 08:58:09 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0029 to
the following vulnerability:

The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc,
sparc64, and mips 64-bit platforms requires that a 32-bit argument in
a 64-bit register was properly sign extended when sent from a
user-mode application, but cannot verify this, which allows local
users to cause a denial of service (crash) or possibly gain privileges
via a crafted system call.

Comment 8 Eugene Teo (Security Response) 2009-02-23 01:39:47 EST
Created attachment 329100 [details]
the whole patch series that went upstream as tarball
Comment 11 Eugene Teo (Security Response) 2009-06-09 00:24:49 EDT
This flaw affects most 64-bit architectures, including IBM S/390 and 64-bit PowerPC, but it does not affect x86_64 or Intel Itanium. The risks associated with fixing this flaw are greater than the security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5. Red Hat Enterprise MRG is not affected as it is not supported on 64-bit architectures other than x86_64.