Vigil@nce: Linux kernel, executable page on Sparc
March 2010 by Vigil@nce
On a Sparc processor, memory pages tagged as non executable are
actually executable.
– Severity: 2/4
– Consequences: administrator access/rights, privileged
access/rights, user access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 24/02/2010
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The SPARC sun4u instruction set encodes the constant operand of its arithmetic and logical instructions as a signed 13-bit immediate (simm13, range -4096 to 4095):
or %reg1, constant, %result (result = reg1 OR constant)
and %reg1, constant, %result (result = reg1 AND constant)
etc.
Larger constants must first be built in a register. The special "sethi" instruction writes the 22 most significant bits of the low 32-bit word of a register (bits 31 to 10) and clears the remaining bits; a following instruction supplies the low 10 bits:
sethi %hi(constant), %result
or %result, %lo(constant), %result
The Linux kernel uses the _PAGE_EXEC_4U (0x1000) constant as the flag for executable pages. The test of this flag, however, does not load it through sethi but uses it directly as an immediate. 0x1000 does not fit in a signed 13-bit field: its bit 12 is the sign bit, so the processor sign-extends the mask to 0xFFFFFFFFFFFFF000 (every bit from 12 upward set). The AND therefore matches other bits of the page table entry, such as the physical address and valid bits, and the test reports "executable" even when bit 12 is clear.
On a Sparc processor, memory pages tagged as non executable are therefore actually executable. Protections that rely on this flag, such as a non executable stack, are then ineffective.
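The following C program is an added illustration of the mechanism described above; it is not code from the advisory or from the Linux kernel. It models the two relevant SPARC operations (sign extension of a 13-bit immediate, and the sethi/or pair), then applies the vulnerable immediate-form test and the sethi-based test to a constructed sun4u-style page table entry whose exec bit is clear. The PTE value and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Executable-page flag of sun4u page table entries, as named in the advisory. */
#define _PAGE_EXEC_4U 0x1000ULL

/* Sign-extend a 13-bit simm13 immediate the way the processor does when it
 * executes the immediate form of and/or/andcc.  Bit 12 is the sign bit. */
static uint64_t simm13_extend(uint64_t imm)
{
    imm &= 0x1FFFULL;                 /* only 13 bits fit in the encoding */
    if (imm & 0x1000ULL)              /* sign bit set: replicate it upward */
        imm |= ~0x1FFFULL;
    return imm;
}

/* Value a register holds after "sethi %hi(c), %r; or %r, %lo(c), %r".
 * sethi writes bits 31..10 of the register and clears everything else;
 * the following or supplies bits 9..0. */
static uint64_t sethi_or(uint64_t c)
{
    uint64_t hi22 = (c >> 10) & 0x3FFFFFULL;   /* %hi(c) */
    uint64_t lo10 = c & 0x3FFULL;              /* %lo(c) */
    return (hi22 << 10) | lo10;
}

/* Vulnerable check: "andcc %pte, _PAGE_EXEC_4U, %g0" with the flag folded
 * into the immediate field.  Returns 1 when the condition codes would read
 * non-zero, i.e. when the kernel would treat the page as executable. */
static int exec_test_immediate(uint64_t pte)
{
    return (pte & simm13_extend(_PAGE_EXEC_4U)) != 0;
}

/* Corrected check: the flag is first materialised in a scratch register
 * with sethi/or, then ANDed register-against-register. */
static int exec_test_register(uint64_t pte)
{
    return (pte & sethi_or(_PAGE_EXEC_4U)) != 0;
}

int main(void)
{
    /* Constructed PTE (assumption, not a real sun4u layout): valid bit and
     * physical address bits set, the exec bit (bit 12) clear. */
    const uint64_t noexec_pte = 0x8000000045A000E6ULL;
    const uint64_t exec_pte   = noexec_pte | _PAGE_EXEC_4U;

    printf("immediate mask : 0x%016llx\n",
           (unsigned long long)simm13_extend(_PAGE_EXEC_4U));
    printf("sethi/or mask  : 0x%016llx\n",
           (unsigned long long)sethi_or(_PAGE_EXEC_4U));
    printf("non-exec PTE   : buggy=%d fixed=%d\n",
           exec_test_immediate(noexec_pte), exec_test_register(noexec_pte));
    printf("exec PTE       : buggy=%d fixed=%d\n",
           exec_test_immediate(exec_pte), exec_test_register(exec_pte));
    return 0;
}
```

The immediate form yields a mask of 0xFFFFFFFFFFFFF000, so any PTE with a valid bit or address bits set passes the "executable" test regardless of bit 12; the sethi/or form yields exactly 0x1000 and only matches when the flag is really set.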
CHARACTERISTICS
– Identifiers: BID-38393, VIGILANCE-VUL-9472
– Url: http://vigilance.fr/vulnerability/Linux-kernel-executable-page-on-Sparc-9472