Vigil@nce: Linux kernel, denial of service on MIPS
December 2008 by Vigil@nce
SYNTHESIS
On a MIPS 64 bit processor, a local attacker can stop the system.
Gravity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 24/12/2008
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION
Linux system calls on a MIPS processor are numbered from different
offsets:
– 32 bit: at offset 4000 (__NR_O32_Linux)
– 64 bit: at offset 5000 (__NR_Linux)
There is no system call with an offset less than 4000.
However, the arch/mips/kernel/scall64-o32.S file, which implements
32 bit system calls on 64 bit processors, always subtracts 4000,
even if the offset is less than 4000. The kernel thus reads at a
high/negative memory address, which creates a fatal error.
On a MIPS 64 bit processor, a local attacker can therefore stop
the system.
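The missing lower-bound check described above can be modelled in user space. The following C sketch is an added example, not the kernel's code or its patch; the table size, the stub handlers and the function names are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define NR_O32_LINUX    4000UL  /* o32 base offset, as stated in the advisory */
#define NR_O32_SYSCALLS 4UL     /* constructed table size for this model */

typedef long (*syscall_fn)(void);

static long stub0(void) { return 100; }
static long stub1(void) { return 101; }
static long stub2(void) { return 102; }
static long stub3(void) { return 103; }

/* Constructed stand-in for the o32 system call table. */
static const syscall_fn o32_table[NR_O32_SYSCALLS] = { stub0, stub1, stub2, stub3 };

/* Index the flawed path derives: base subtracted with no lower-bound test.
 * Returned only for inspection; it is never used to touch memory here. */
long unchecked_index(unsigned long nr)
{
    return (long)nr - (long)NR_O32_LINUX;
}

/* Hardened dispatch: after the unsigned subtraction, a number below the base
 * wraps to a huge value, so one unsigned compare rejects both too-low and
 * too-high numbers before the table is read. */
long dispatch_checked(unsigned long nr)
{
    unsigned long idx = nr - NR_O32_LINUX;

    if (idx >= NR_O32_SYSCALLS)
        return -ENOSYS;
    return o32_table[idx]();
}

int main(void)
{
    unsigned long samples[] = { 0, 3999, 4000, 4003, 4004, 5000 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("nr=%lu unchecked_index=%ld checked=%ld\n", samples[i],
               unchecked_index(samples[i]), dispatch_checked(samples[i]));
    return 0;
}
```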
CHARACTERISTICS
Identifiers: CVE-2008-5701, VIGILANCE-VUL-8355