search menu icon-carat-right cmu-wordmark

CERT Coordination Center

BSD i386_set_ldt syscall does not appropriately validate call gate targets

Vulnerability Note VU#358960

Original Release Date: 2001-02-16 | Last Revised: 2001-03-02

Overview

There are a set of kernel interfaces called "call gates" which are code primitives used to build system-level calls into an operating system's kernel. A subset of these "calls gates" may be able to be manipulated on some operating systems which use improper privilege checking when accessing local descriptor tables (LDTs)

Description

Of specific concern is the syscall "i386_set_ldt" , which accesses a call gate without first validating whether a ring transition to a more privileged segment in the LDT is appropriate.

Of special note is an observation shared in the NetBSD security advisory on this issue:

A common misunderstanding of how gate descriptors work may result in
the programmer believing they've defended against this attack (by
checking the gate's DPL) without having done so (you need to check the
DPL of the code segment that the gate targets).

Note that this behaviour is not restricted to Intel processors; the bug
applies to implementations of the x86 architecture by other
manufacturers as well.


This programming defect is likely to affect other platforms as well.

Impact

A user with access to a local account may gain privileges reserved for the kernel.

Solution

Apply kernel patches provided by your vendor.

The fix to NetBSD [for example]:

Index: i386/sys_machdep.c
===================================================================
RCS file: /cvsroot/syssrc/sys/arch/i386/i386/sys_machdep.c,v
retrieving revision 1.54
diff -u -r1.54 sys_machdep.c
--- i386/sys_machdep.c\t2001/01/16 01:50:36\t1.54
+++ i386/sys_machdep.c\t2001/01/16 02:37:22
@@ -222,6 +222,15 @@
break;
case SDT_SYS286CGT:
case SDT_SYS386CGT:
+/*
+ * Only allow call gates targeting a segment in the LDT or
+ * a user segment in the fixed part of the gdt.
+ * Segments in the LDT are constrained (below) to be user segments.
+ */
+if (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) &&
+    ((IDXSEL(desc.gd.gd_selector) >= NGDT) ||
+     (gdt[IDXSEL(desc.gd.gd_selector)].sd.sd_dpl != SEL_UPL)))
+return (EACCES);
/* Can't replace in use descriptor with gate. */
if (n == fsslot || n == gsslot)
return (EBUSY);

Vendor Information

358960
 

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This was initially reported by Bill Sommerfeld.

This document was written by Jeff S Havrilla

Other Information

CVE IDs: None
Severity Metric: 7.13
Date Public: 2001-02-16
Date First Published: 2001-02-16
Date Last Updated: 2001-03-02 22:12 UTC
Document Revision: 7

Sponsored by CISA.