* Verification of SYScall changes because of CVE-2009-0029
@ 2010-10-21 5:40 Mitchell Erblich
From: Mitchell Erblich @ 2010-10-21 5:40 UTC
To: linux-kernel
The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly sign extended when sent from a user-mode application, but cannot verify this, which allows local users to cause a denial of service (crash) or possibly gain privileges via a crafted system call.
Has anyone been able to verify (a program that exploits this issue)?
Thanks,
Please copy me if you respond.
Mitchell Erblich
* Re: Verification of SYScall changes because of CVE-2009-0029
@ 2010-10-21 21:46 ` Christian Borntraeger
From: Christian Borntraeger @ 2010-10-21 21:46 UTC
To: Mitchell Erblich; +Cc: linux-kernel
On 21.10.2010 07:40, Mitchell Erblich wrote:
> The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc, sparc64, and mips
> 64-bit platforms requires that a 32-bit argument in a 64-bit register was properly
> sign extended when sent from a user-mode application, but cannot verify this, which
> allows local users to cause a denial of service (crash) or possibly gain privileges
> via a crafted system call.
>
> Has anyone been able to verify (a program that exploits this issue)?
I found the problem with crashme and I was able to reduce the test to a
5 line C program - so yes, the problem can happen for real. The thing is
that this was no generic exploit, the problem from the testcase existed
only with specific gcc, kernel, syscall and architecture but there might
be others - we don't know. So sorry, there is no generic test case that
checks if the problem is fixed.
Christian
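
An added illustration, not part of the thread and not kernel code: a user-space C model of the ABI assumption quoted above, where a 64-bit register value stands in for a 32-bit syscall argument. The function names, TABLE_SIZE and the sample register values are constructed for this example; it shows why a check on the 32-bit view and a use of the full register can disagree, and it is not a test of whether a given kernel is fixed.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 16 /* hypothetical size of a table indexed by the argument */

/* Models a handler built on the assumption that the caller already
 * sign-extended the 32-bit argument: the range check sees only the low
 * 32 bits, but the index computation uses the whole 64-bit register.
 * Returns the index that would be used, or -1 if the check rejects it. */
static int64_t index_trusting_abi(uint64_t reg)
{
    int32_t as_int = (int32_t)(uint32_t)reg; /* the "int" the check sees */
    if (as_int < 0 || as_int >= TABLE_SIZE)
        return -1;
    return (int64_t)reg; /* upper 32 bits pass through unchecked */
}

/* Normalisation in the callee: truncate to 32 bits, then sign-extend,
 * so that check and use operate on the same value. */
static int64_t sign_extend32(uint64_t reg)
{
    return (int64_t)(int32_t)(uint32_t)reg;
}

static int64_t index_normalised(uint64_t reg)
{
    int64_t v = sign_extend32(reg);
    if (v < 0 || v >= TABLE_SIZE)
        return -1;
    return v;
}

int main(void)
{
    /* Constructed register values: a well-formed 3, a 3 with stray upper
     * bits, and a 32-bit -1 that was zero-extended instead of sign-extended. */
    uint64_t samples[] = { 3, 0x0000000100000003ULL, 0x00000000ffffffffULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("reg=0x%016llx trusting=%lld normalised=%lld\n",
               (unsigned long long)samples[i],
               (long long)index_trusting_abi(samples[i]),
               (long long)index_normalised(samples[i]));
    return 0;
}
```
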