Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2010-3301

Published: 15 September 2010

The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression.

From the Ubuntu Security Team

Ben Hawkes discovered that the Linux kernel did not correctly filter registers on 64bit kernels when performing 32bit system calls. On a 64bit system, a local attacker could manipulate 32bit system calls to gain root privileges.

Notes

AuthorNote
kees 
only exploitable on x86_64, regression of CVE-2007-4573
was originally fixed in 2.6.22, but regressed after this commit:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.35.y.git;a=commitdiff;h=d4d67150165df8bf1cc05e532f6efca96f907cab
smb 
Which was 2.6.27 upstream, the original fix was in 2.6.23
kees 
it was later discovered that the Xen kernels (linux-ec2) needed an additional patch.

Priority

High

Status

Package Release Status
linux-source-2.6.15
Launchpad, Ubuntu, Debian 		upstream
Released (2.6.36~rc5)
dapper Not vulnerable

hardy Does not exist

jaunty Does not exist

karmic Does not exist

lucid Does not exist

maverick Does not exist

linux
Launchpad, Ubuntu, Debian 		upstream
Released (2.6.36~rc5)
dapper Does not exist

hardy Not vulnerable

jaunty
Released (2.6.28-19.65)
karmic
Released (2.6.31-22.65)
lucid
Released (2.6.32-24.43)
maverick
Released (2.6.35-22.32)
Patches:
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=36d001c70d8a0144ac1d038f6876c484849a74de
upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eefdca043e8391dcd719711716492063030b55ac
jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3301/patches/jaunty/linux/0001-x86-64-compat-Test-rax-for-the-syscall-number-not-eax.txt
jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3301/patches/jaunty/linux/0002-x86-64-compat-Retruncate-rax-after-ia32-syscall-entry-.txt
karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3301/patches/karmic/linux/0001-x86-64-compat-Test-rax-for-the-syscall-number-not-eax.txt
karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3301/patches/karmic/linux/0002-x86-64-compat-Retruncate-rax-after-ia32-syscall-entry-.txt
lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3301/patches/lucid/linux/0001-x86-64-compat-Test-rax-for-the-syscall-number-not-eax.txt
lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3301/patches/lucid/linux/0002-x86-64-compat-Retruncate-rax-after-ia32-syscall-entry-.txt
linux-ec2
Launchpad, Ubuntu, Debian 		upstream
Released (2.6.36~rc5)
dapper Does not exist

hardy Does not exist

jaunty Does not exist

karmic
Released (2.6.31-307.23)
lucid
Released (2.6.32-311.23)
maverick Not vulnerable
(binary packages replaced)
linux-fsl-imx51
Launchpad, Ubuntu, Debian 		upstream
Released (2.6.36~rc5)
dapper Does not exist

hardy Does not exist

karmic
Released (2.6.31-112.30)
lucid
Released (2.6.31-608.22)
maverick Does not exist

linux-lts-backport-maverick
Launchpad, Ubuntu, Debian 		upstream
Released (2.6.36~rc5)
dapper Does not exist

hardy Does not exist

karmic Does not exist

lucid
Released (2.6.35-25.44~lucid1)
maverick Does not exist

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading