{"vuid":"VU#358960","idnumber":"358960","name":"BSD i386_set_ldt syscall does not appropriately validate call gate targets","keywords":["USER_LDT","i386_set_ldt","rings","segment selectors","segment descriptors","gates","descriptor tables","NetBSD","OpenBSD"],"overview":"Call gates are a set of processor-level primitives used to build system-level calls into an operating system's kernel. On some operating systems, a subset of these call gates can be manipulated because of improper privilege checking when entries are installed in local descriptor tables (LDTs).","clean_desc":"Of specific concern is the syscall \"i386_set_ldt\", which installs a call gate in the LDT without first validating whether the ring transition it permits, to a more privileged code segment, is appropriate. Of special note is an observation shared in the NetBSD security advisory on this issue: A common misunderstanding of how gate descriptors work may result in the programmer believing they've defended against this attack (by checking the gate's DPL) without having done so (you need to check the DPL of the code segment that the gate targets). Note that this behaviour is not restricted to Intel processors; the bug applies to implementations of the x86 architecture by other manufacturers as well. 
This programming defect is likely to affect other platforms as well.","impact":"A user with access to a local account may gain privileges reserved for the kernel.","resolution":"Apply kernel patches provided by your vendor.","workarounds":"The fix to NetBSD [for example]: Index: i386/sys_machdep.c RCS file: /cvsroot/syssrc/sys/arch/i386/i386/sys_machdep.c,v\nretrieving revision 1.54\ndiff -u -r1.54 sys_machdep.c\n--- i386/sys_machdep.c\t2001/01/16 01:50:36\t1.54\n+++ i386/sys_machdep.c\t2001/01/16 02:37:22\n@@ -222,6 +222,15 @@\n \t\t\tbreak; case SDT_SYS286CGT: case SDT_SYS386CGT: +\t\t\t * Only allow call gates targeting a segment in the LDT or\n+\t\t\t * a user segment in the fixed part of the gdt. +\t\t\t * Segments in the LDT are constrained (below) to be user segments. +\t\t\tif (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) &&\n+\t\t\t    ((IDXSEL(desc.gd.gd_selector) >= NGDT) ||\n+\t\t\t     (gdt[IDXSEL(desc.gd.gd_selector)].sd.sd_dpl != SEL_UPL)))\n+\t\t\t\treturn (EACCES); /* Can't replace in use descriptor with gate. 
if (n == fsslot || n == gsslot)\n \t\t\t\treturn (EBUSY);","sysaffected":"","thanks":"This was initially reported by Bill Sommerfeld.","author":"This document was written by Jeff S Havrilla","public":["ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-002.txt.asc","http://www.openbsd.org/errata.html#userldt"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-01-18T01:52:49Z","publicdate":"2001-02-16T00:00:00Z","datefirstpublished":"2001-02-16T17:14:42Z","dateupdated":"2001-03-02T22:12:22Z","revision":7,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"5","cam_exploitation":"0","cam_internetinfrastructure":"15","cam_population":"20","cam_impact":"19","cam_easeofexploitation":"5","cam_attackeraccessrequired":"10","cam_scorecurrent":"7.125","cam_scorecurrentwidelyknown":"12.46875","cam_scorecurrentwidelyknownexploited":"19.59375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":7.125,"vulnote":null}