Vigil@nce: Linux kernel, buffer overflow of LDT
July 2008 by Vigil@nce
SYNTHESIS
A local attacker can use an overflow in the LDT on an x86_64
processor to cause a denial of service or to execute code.
Gravity: 1/4
Consequences: user access/rights, denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 22/07/2008
Identifier: VIGILANCE-VUL-7962
IMPACTED PRODUCTS
– Linux kernel [confidential versions]
– OpenSUSE [confidential versions]
DESCRIPTION
On an x86 processor, each process has an LDT (Local Descriptor
Table).
On an x86_64 processor, the size of the buffer used by the LDT is
incorrectly computed, which leads to a buffer overflow.
This vulnerability may be related to an error in a multiplication
located in the native_set_ldt() function of the
include/asm-x86/desc.h file. The multiplication factor is
sizeof(ldt) (16 on a 64-bit processor) instead of LDT_ENTRY_SIZE
(8). This error is corrected in version 2.6.25.11.
A local attacker can therefore use an overflow in the LDT on an
x86_64 processor to cause a denial of service or to execute
code.
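The size error described above, modelled in C as an added example (not the kernel's code and not part of the original advisory). The struct layouts are simplified and the function names are hypothetical; only LDT_ENTRY_SIZE and the factors 16 and 8 come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LDT_ENTRY_SIZE 8 /* size of one LDT entry, as stated in the advisory */

/* Simplified model of one 8-byte LDT entry (assumed layout). */
struct seg_desc {
    uint16_t limit0, base0;
    uint8_t  base1, type_attr, limit1_flags, base2;
};

/* Simplified model of the 16-byte x86_64 descriptor that points at the LDT. */
struct ldt_desc64 {
    uint16_t limit0, base0;
    uint8_t  base1, type_attr, limit1_flags, base2;
    uint32_t base3, reserved;
};

_Static_assert(sizeof(struct seg_desc) == LDT_ENTRY_SIZE, "LDT entry is 8 bytes");
_Static_assert(sizeof(struct ldt_desc64) == 16, "64-bit LDT descriptor is 16 bytes");

/* Limit (last valid byte offset) computed with the wrong factor, sizeof(ldt). */
size_t ldt_limit_buggy(size_t entries) {   /* entries must be >= 1 */
    return entries * sizeof(struct ldt_desc64) - 1;
}

/* Limit computed with the correct factor, LDT_ENTRY_SIZE. */
size_t ldt_limit_fixed(size_t entries) {   /* entries must be >= 1 */
    return entries * LDT_ENTRY_SIZE - 1;
}

/* Bytes past the end of the real table (entries * 8) that a limit still covers. */
size_t ldt_excess_bytes(size_t limit, size_t entries) {
    size_t table = entries * LDT_ENTRY_SIZE;
    return (limit + 1 > table) ? limit + 1 - table : 0;
}

int main(void) {
    size_t n = 512; /* constructed sample entry count */
    printf("table size  : %zu bytes\n", n * LDT_ENTRY_SIZE);
    printf("buggy limit : %zu (covers %zu bytes past the table)\n",
           ldt_limit_buggy(n), ldt_excess_bytes(ldt_limit_buggy(n), n));
    printf("fixed limit : %zu (covers %zu bytes past the table)\n",
           ldt_limit_fixed(n), ldt_excess_bytes(ldt_limit_fixed(n), n));
    return 0;
}
```

With the wrong factor the computed limit always spans twice the table, so the excess equals the table size itself.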
CHARACTERISTICS
Identifiers: CVE-2008-3247, SUSE-SA:2008:037, VIGILANCE-VUL-7962