Bug 634449 - (CVE-2010-3301) CVE-2010-3301 kernel: IA32 System Call Entry Point Vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: public=20100915,reported=20100916,sou...
Keywords: Security
Depends On: 634450 634451 634452
Reported: 2010-09-16 00:51 EDT by Eugene Teo (Security Response)
Modified: 2012-07-10 19:04 EDT
CC List: 18 users
Doc Type: Bug Fix
Last Closed: 2012-03-28 04:47:51 EDT
Attachments: None
Description Eugene Teo (Security Response) 2010-09-16 00:51:43 EDT
Description of problem:
CVE-2007-4573 regression

Reintroduced in v2.6.27-rc1 via commit d4d67150.

Upstream commits:
http://git.kernel.org/linus/36d001c70d8a0144ac1d038f6876c484849a74de
http://git.kernel.org/linus/eefdca043e8391dcd719711716492063030b55ac

References:
http://sota.gen.nz/compat2/

Acknowledgements:

Red Hat would like to thank Ben Hawkes for reporting this issue.
Comment 2 Eugene Teo (Security Response) 2010-09-16 00:56:21 EDT
Statement:

This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5, and Red Hat Enterprise MRG, as they do not contain the upstream commit d4d67150 that introduced this flaw.

More information can be found in this kbase: https://access.redhat.com/kb/docs/DOC-40330
Comment 3 Eugene Teo (Security Response) 2010-09-16 00:59:06 EDT
Public exploit: http://sota.gen.nz/compat2/robert_you_suck.c
Comment 5 AccessD 2010-09-17 06:31:32 EDT
There is an exploit:
http://seclists.org/fulldisclosure/2010/Sep/268
It works on Red Hat.
Comment 6 AccessD 2010-09-17 06:47:32 EDT
CentOS 5.5 example (same kernel as RHEL 5.5):

2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[hacky@ks310439 ~]$ id
uid=518(hacky) gid=518(hacky) groups=518(hacky)
[hacky@ks310439 ~]$ ./a.out
Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y
$$$ Kallsyms +r
$$$ K3rn3l r3l3as3: 2.6.18-194.3.1.el5
??? Trying the F0PPPPPPPPPPPPPPPPpppppppppp_____ m3th34d
$$$ L00k1ng f0r kn0wn t4rg3tz..
$$$ c0mput3r 1z aqu1r1ng n3w t4rg3t...
$$$ selinux_ops->ffffffff80327ac0
$$$ dummy_security_ops->ffffffff804b9540
$$$ capability_ops->ffffffff80329380
$$$ selinux_enforcing->ffffffff804bc2a0
$$$ audit_enabled->ffffffff804a7124
$$$ Bu1ld1ng r1ngzer0c00l sh3llc0d3 - F0PZzzZzZZ/LSD(M) m3th34d
$$$ Prepare: m0rn1ng w0rk0ut b1tch3z
$$$ Us1ng st4nd4rd s3ash3llz
$$$ 0p3n1ng th3 m4giq p0rt4l
$$$ bl1ng bl1ng n1gg4 :PppPpPPpPPPpP
sh-3.2# id
uid=0(root) gid=518(hacky) groups=518(hacky)
Comment 7 Eugene Teo (Security Response) 2010-09-17 07:56:47 EDT
(In reply to comment #6)
> CentOS 5.5 example (same kernel as RHEL 5.5):
> 
> 2.6.18-194.3.1.el5 #1 SMP Thu May 13 13:08:30 EDT 2010 x86_64 x86_64 x86_64
> GNU/Linux
> [hacky@ks310439 ~]$ id
> uid=518(hacky) gid=518(hacky) groups=518(hacky)
> [hacky@ks310439 ~]$ ./a.out
> Ac1dB1tCh3z VS Linux kernel 2.6 kernel 0d4y

Err, but you pasted them to the wrong bug. Please see CVE-2010-3081 instead.

Thanks.
Comment 8 Eugene Teo (Security Response) 2010-09-20 04:57:58 EDT
Kbase: https://access.redhat.com/kb/docs/DOC-40330
Comment 9 Chuck Ebbert 2010-09-20 23:35:10 EDT
Fixed in 2.6.27.54, 2.6.32.22 and 2.6.35.5
Comment 10 Adam Williamson 2010-09-27 21:43:45 EDT
Beta's now out, so moving from Beta nice-to-have list to Final nice-to-have list.

-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 11 Chuck Ebbert 2010-09-30 17:10:21 EDT
This was already fixed in F14:
  https://admin.fedoraproject.org/updates/kernel-2.6.35.4-28.fc14
Comment 13 errata-xmlrpc 2010-11-10 14:07:46 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html
Comment 14 errata-xmlrpc 2010-11-22 14:34:32 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0842 https://rhn.redhat.com/errata/RHSA-2010-0842.html