Bug 74502 - Fix int $0x80 handler on x86-64 CAN-2004-1144 (Vendor-Sec)
Summary: Fix int $0x80 handler on x86-64 CAN-2004-1144 (Vendor-Sec)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: 221204 12:00 GMT
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-15 07:24 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-12-27 01:08 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-15 07:24:04 UTC
Reported on Vendor-Sec

Hello,
  in my recent work I noticed that you can force the x86-64 kernel to execute arbitrary code
at CPL0 by just issuing int $0x80 with a properly prepared %rax register - the ia32 handler
checks %eax only, but uses %rax while accessing the syscall table.  By mapping memory at a
user accessible address at the address of the syscall table + k*32GB and then issuing int $0x80
with %rax set to 1 + k*4G, the kernel will jump at CPL0 to the address you (userspace) specified,
causing execution of untrusted code at CPL0.

  Note that using 32bit userspace does not prevent this bug from being exploited; any user
process can switch to 64bit mode and load %rax with any value it wants.

  2.6.x kernels are immune to this, as they have had this mov in place for almost two years.

Thanks,
Petr Vandrovec


Signed-off-by: Petr Vandrovec <vandrove@vc.cvut.cz>

--- linux-2.4.28/arch/x86_64/ia32/ia32entry.S.orig      2004-08-08 01:26:04.000000000 +0200
+++ linux-2.4.28/arch/x86_64/ia32/ia32entry.S   2004-12-06 21:36:06.000000000 +0100
@@ -52,6 +52,7 @@
 ENTRY(ia32_syscall)
        swapgs  
        sti
+       mov %eax,%eax
        pushq %rax
        cld
        SAVE_ARGS
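Review bot: the added `mov %eax,%eax` carries no comment, and because it reads as a no-op a later cleanup could drop it and reintroduce the bug; suggest annotating the line, e.g. `mov %eax,%eax   /* zero-extend %rax: only %eax is range-checked, %rax indexes the table */`, since on x86-64 a 32-bit register write clears the upper 32 bits of %rax and that zero-extension is the whole fix.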
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2004-12-18 09:54:53 UTC
AMD64 doesn't support 2.6 kernels or recommend them in any fashion so I don't see if we should even bother with this one as it's 2.4 only...
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-19 05:45:11 UTC
If this affects only amd64 (not ia64 or whatever) I agree to close it as WONTFIX.
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2004-12-19 10:01:48 UTC
Yeah, this is AMD64 only. Closing as INVALID; see comment #1...
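The truncation pattern the report describes, as an added example in C (not the kernel's code): a range check on the 32-bit %eax beside an index computed from the full 64-bit %rax, and the same dispatch after the patch's zero-extension. NR_SYSCALLS and the 8-byte entry size are assumed values for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model (added example, not kernel code) of the dispatch
 * pattern in the report: the ia32 handler range-checks only the low 32
 * bits (%eax) but uses the full 64-bit %rax to index the syscall table.
 * NR_SYSCALLS and ENTRY_SIZE are assumptions for the model; 8 bytes per
 * entry follows from the report's "k*4G index -> k*32GB offset". */
#define NR_SYSCALLS 256u
#define ENTRY_SIZE  8u

/* Vulnerable dispatch: returns the table slot that would be used, or -1
 * when the check rejects the call. The check sees the truncated value,
 * the index does not. */
int64_t vulnerable_slot(uint64_t rax) {
    uint32_t eax = (uint32_t)rax;           /* what the handler compares */
    if (eax >= NR_SYSCALLS)
        return -1;
    return (int64_t)rax;                    /* what the handler indexes with */
}

/* Fixed dispatch, mirroring the patch's `mov %eax,%eax`: a 32-bit write
 * zero-extends, so the checked value and the index are the same. */
int64_t fixed_slot(uint64_t rax) {
    rax = (uint32_t)rax;                    /* zero-extend %rax */
    if (rax >= NR_SYSCALLS)
        return -1;
    return (int64_t)rax;
}

/* Byte offset from the table base that a given slot would reach. */
uint64_t slot_offset(int64_t slot) {
    return (uint64_t)slot * ENTRY_SIZE;
}

/* 1 if the slot stays inside the table (or was rejected), 0 if it escapes. */
int slot_confined(int64_t slot) {
    return slot < 0 || (uint64_t)slot < NR_SYSCALLS;
}

int main(void) {
    uint64_t k = 1;
    uint64_t rax = 1 + (k << 32);           /* the report's 1 + k*4G */
    printf("vulnerable: slot %lld, offset %llu bytes, confined=%d\n",
           (long long)vulnerable_slot(rax),
           (unsigned long long)slot_offset(vulnerable_slot(rax)),
           slot_confined(vulnerable_slot(rax)));
    printf("fixed:      slot %lld, confined=%d\n",
           (long long)fixed_slot(rax), slot_confined(fixed_slot(rax)));
    return 0;
}
```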