Re: x86 vulnerability

From: Matt Chapman (matthewcat_private)
Date: Thu Apr 26 2001 - 19:24:01 PDT


    On Fri, Apr 27, 2001 at 10:29:48AM +1000, Matt Chapman wrote:
    > On Thu, Apr 26, 2001 at 03:41:49PM +0200, Florian Weimer wrote:
    > >
    > > Has anybody looked at the LDT modification syscall in the Linux
    > > kernel?  The most severe problems with it were fixed back in 1997 or
    > > so, but the code seems to have changed substantially since then.
    >
    > As far as I can see Linux modify_ldt syscall only allows you to
    > create code/data segments, not system descriptors (e.g. call gates).
    > It is true that some of the values are OR'd in to the destination
    > descriptor without masking.  However, system segments need bit
    > 12 of entry_2 set to 0, and there is a fixed or with 0x7000 which
    > thwarts this possibility (lucky the Intel designers didn't choose
    > the inverse logic!), and also enforces privilege level 3.
    
    I've since realised that the values which are OR'd in without masking
    are actually bitfields of the right size, so this is not a problem in
    any case.
    
    	Matt
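Added example, not part of the thread: a small C model of the entry_2 encoding Matt describes, checking that the fixed OR of 0x7000 forces S=1 (code/data, never a system descriptor such as a call gate) and DPL=3 for every combination of caller-controlled bits. The request struct and the OR expression are modelled on the modify_ldt(2) interface as discussed above, not copied from any kernel version.

```c
#include <stdint.h>

/* Caller-supplied LDT entry description, modelled on the bitfield layout of
 * the modify_ldt(2) interface (constructed here, not copied from a kernel).
 * Each field is exactly as wide as the descriptor slot it is OR'd into. */
struct ldt_request {
    uint32_t base_addr, limit;
    unsigned int seg_32bit : 1, contents : 2, read_exec_only : 1,
                 limit_in_pages : 1, seg_not_present : 1, useable : 1;
};

#define DESC_S_BIT    (1u << 12)  /* 1 = code/data, 0 = system descriptor */
#define DESC_DPL_MASK (3u << 13)  /* descriptor privilege level, 3 = user */
#define DESC_FIXED_OR 0x7000u     /* S=1, DPL=3: the fixed OR from the thread */

/* Build the high dword (entry_2) the way the thread describes: fields OR'd
 * in without extra masking, then the fixed OR of 0x7000. */
static uint32_t build_entry_2(const struct ldt_request *r)
{
    return (r->base_addr & 0xff000000u) | ((r->base_addr & 0x00ff0000u) >> 16)
         | (r->limit & 0xf0000u)
         | ((r->read_exec_only ^ 1u) << 9) | ((uint32_t)r->contents << 10)
         | ((r->seg_not_present ^ 1u) << 15) | ((uint32_t)r->useable << 20)
         | ((uint32_t)r->seg_32bit << 22) | ((uint32_t)r->limit_in_pages << 23)
         | DESC_FIXED_OR;
}

/* A descriptor is an unprivileged code/data segment when S=1 and DPL=3. */
static int is_user_code_data(uint32_t entry_2)
{
    return (entry_2 & DESC_S_BIT) && (entry_2 & DESC_DPL_MASK) == DESC_DPL_MASK;
}

/* Exhaust all 128 combinations of the caller-controlled flag bits; the
 * bitfield widths keep each flag in its own slot and 0x7000 is always set. */
static int all_requests_yield_user_code_data(void)
{
    for (unsigned int b = 0; b < 128; b++) {
        struct ldt_request r = { .base_addr = 0xdeadbeefu, .limit = 0xfffffu };
        r.seg_32bit = b & 1;              r.contents = (b >> 1) & 3;
        r.read_exec_only = (b >> 3) & 1;  r.limit_in_pages = (b >> 4) & 1;
        r.seg_not_present = (b >> 5) & 1; r.useable = (b >> 6) & 1;
        if (!is_user_code_data(build_entry_2(&r)))
            return 0;
    }
    return 1;
}
```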
    



    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 23:55:58 PDT