Software Engineering Institute

Of specific concern is the syscall "i386_set_ldt" , which accesses a call gate without first validating whether a ring transition to a more privileged segment in the LDT is appropriate.

Of special note is an observation shared in the NetBSD security advisory on this issue:

A common misunderstanding of how gate descriptors work may result in
the programmer believing they've defended against this attack (by
checking the gate's DPL) without having done so (you need to check the
DPL of the code segment that the gate targets).

Note that this behaviour is not restricted to Intel processors; the bug
applies to implementations of the x86 architecture by other
manufacturers as well.


This programming defect is likely to affect other platforms as well.

A user with access to a local account may gain privileges reserved for the kernel.

Apply kernel patches provided by your vendor.

The fix to NetBSD [for example]:

Index: i386/sys_machdep.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/i386/i386/sys_machdep.c,v
retrieving revision 1.54
diff -u -r1.54 sys_machdep.c
--- i386/sys_machdep.c\t2001/01/16 01:50:36\t1.54
+++ i386/sys_machdep.c\t2001/01/16 02:37:22
@@ -222,6 +222,15 @@
break;
case SDT_SYS286CGT:
case SDT_SYS386CGT:
+/*
+ * Only allow call gates targeting a segment in the LDT or
+ * a user segment in the fixed part of the gdt.
+ * Segments in the LDT are constrained (below) to be user segments.
+ */
+if (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) &&
+    ((IDXSEL(desc.gd.gd_selector) >= NGDT) ||
+     (gdt[IDXSEL(desc.gd.gd_selector)].sd.sd_dpl != SEL_UPL)))
+return (EACCES);
/* Can't replace in use descriptor with gate. */
if (n == fsslot || n == gsslot)
return (EBUSY);