CVE-2010-3301

The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/122.html
• https://cwe.mitre.org/data/definitions/233.html
• https://cwe.mitre.org/data/definitions/58.html

References

• http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=36d001c70d8a0144ac1d038f6876c484849a74de
• http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=eefdca043e8391dcd719711716492063030b55ac
• http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
• http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html
• http://secunia.com/advisories/42758
• http://sota.gen.nz/compat2/
• http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.36-rc4-git2.log
• http://www.mandriva.com/security/advisories?name=MDVSA-2010:198
• http://www.mandriva.com/security/advisories?name=MDVSA-2010:247
• http://www.openwall.com/lists/oss-security/2010/09/16/1
• http://www.openwall.com/lists/oss-security/2010/09/16/3
• http://www.redhat.com/support/errata/RHSA-2010-0842.html
• http://www.ubuntu.com/usn/USN-1041-1
• http://www.vupen.com/english/advisories/2010/3117
• http://www.vupen.com/english/advisories/2011/0070
• http://www.vupen.com/english/advisories/2011/0298
• https://bugzilla.redhat.com/show_bug.cgi?id=634449