Bug 479969 - (CVE-2009-0029) CVE-2009-0029 Linux Kernel insecure 64 bit system call argument passing
CVE-2009-0029 Linux Kernel insecure 64 bit system call argument passing
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 480864 480866 486908 486909 486910 486911 486912
  Show dependency treegraph
Reported: 2009-01-14 05:50 EST by Eugene Teo (Security Response)
Modified: 2012-07-16 15:06 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-12-21 12:57:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
the whole patch series that went upstream as tarball (31.41 KB, application/x-bzip2)
2009-01-15 09:58 EST, Eugene Teo (Security Response)
no flags Details

  None (edit)
Description Eugene Teo (Security Response) 2009-01-14 05:50:48 EST
From vendor-sec:
Christian Borntraeger found a security relevant problem with the Linux system calls argument passing for at least s390, powerpc, sparc64 and mips:

The ABI for some architectures defines that the caller of a function has to sign extend each parameter to full register width. This is a problem in Linux system call handling.

For example with this system call on 64 bit:

asmlinkage long sys_example(unsigned int index)
        if (index > 5)
                return -EINVAL;
        return example_array[index];

It would mean that the caller has to sign extend index to 64 bit. In this case the caller is userspace. So we cannot rely on a correct sign extension.

But actually we just pass userspace delivered parameters unmodified to the system call function.

The above example could break like this:

The compiler can create code that will only test the lower 32 bits of the register that contain index to make sure its value is <= 5. However to access the memory location to get the value out of the array it can use the same unmodified (64 bit) register as index register, since the caller had to make sure that the upper 32 bits of the register contain zeroes. But since the value came from user space this isn't guaranteed and can lead to an addressing exception. Or userspace reads or even writes from/to memory locations it is not allowed to have access to.

Please note that this has nothing to do with compat system calls. This is an issue with 64 bit kernel and 64 bit userspace but 32 bit arguments.

Unfortunately the issue must be considered to be already public:

Comment 7 Jan Lieskovsky 2009-01-16 08:58:09 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0029 to
the following vulnerability:

The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc,
sparc64, and mips 64-bit platforms requires that a 32-bit argument in
a 64-bit register was properly sign extended when sent from a
user-mode application, but cannot verify this, which allows local
users to cause a denial of service (crash) or possibly gain privileges
via a crafted system call.

Comment 8 Eugene Teo (Security Response) 2009-02-23 01:39:47 EST
Created attachment 329100 [details]
the whole patch series that went upstream as tarball
Comment 11 Eugene Teo (Security Response) 2009-06-09 00:24:49 EDT
This flaw affects most 64-bit architectures, including IBM S/390 and 64-bit PowerPC, but it does not affect x86_64 or Intel Itanium. The risks associated with fixing this flaw are greater than the security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux 3, 4, or 5. Red Hat Enterprise MRG is not affected as it is not supported on 64-bit architectures other than x86_64.

Note You need to log in before you can comment on or make changes to this bug.