Bug 487990 (CVE-2009-0834)

Summary: CVE-2009-0834 kernel: x86-64: syscall-audit: 32/64 syscall hole
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: atangrin, bhu, dhoward, lgoncalv, lwang, nobody, qcai, rkhan, sgrubb, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-10 22:28:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 487997, 487998, 487999, 488000, 488001, 488002, 549238    
Bug Blocks:    
Description Flags
RHEL5 patch for audit case (vs kernel-2.6.18-132.el5) none

Description Eugene Teo (Security Response) 2009-03-02 04:11:30 UTC
Description of problem:
On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call.  A 64-bit process make a 32-bit system call with int $0x80.

In both these cases, audit_syscall_entry() will use the wrong system call number table and the wrong system call argument registers.  This could be used to circumvent a syscall audit configuration that filters based on the syscall numbers or argument details.

http://lkml.org/lkml/2009/2/27/451 summary
http://lkml.org/lkml/2009/2/27/452 syscall-audit

Comment 2 Eugene Teo (Security Response) 2009-03-02 04:39:00 UTC
Created attachment 333681 [details]
RHEL5 patch for audit case (vs kernel-2.6.18-132.el5)

Comment 5 Eugene Teo (Security Response) 2009-03-19 04:15:25 UTC
CVSS2 score of low, 3.6 (AV:L/AC:L/Au:N/C:P/I:P/A:N)

Comment 6 Eugene Teo (Security Response) 2009-04-14 02:50:45 UTC
Upstream patch:

Comment 7 errata-xmlrpc 2009-04-29 09:28:30 UTC
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:0451 https://rhn.redhat.com/errata/RHSA-2009-0451.html

Comment 8 errata-xmlrpc 2009-04-30 21:24:58 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:0459 https://rhn.redhat.com/errata/RHSA-2009-0459.html

Comment 9 errata-xmlrpc 2009-05-07 10:53:15 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0473 https://rhn.redhat.com/errata/RHSA-2009-0473.html

Comment 11 errata-xmlrpc 2010-02-02 21:01:38 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2010:0079 https://rhn.redhat.com/errata/RHSA-2010-0079.html