Bugtraq mailing list archives

Re: [Full-disclosure] [ Suresec Advisories ] - Linux kernel ia32 compatibility (ia64/x86-64) race condition


From: Juergen Schmidt <ju () heisec de>
Date: Mon, 11 Jul 2005 13:50:14 +0200 (CEST)

On Mon, 11 Jul 2005, Suresec Advisories wrote:

Suresec Security Advisory  - #00004
10/07/05

Linux kernel ia32 compatibility race condition
Advisory: http://www.suresec.org/advisories/adv4.pdf <http://www.suresec.org/advisories/adv3.pdf>

Description:

A race condition vulnerability has been found in the ia32 compatibility
execve() system call. The race condition may lead to heap corruption.

Risk:

Exploitation of this vulnerability may result in panics, oopses or,
in the worst case, code execution at ring 0.

Credit:

The vulnerability was discovered by Ilja van Sprundel.

FYI:

While there is no official patch for 2.4 there is one from Andi Kleen in
the HF kernel series:

http://linux.exosec.net/kernel/2.4-hf/2.4.31/LATEST/CHANGELOG

---
Changelog From 2.4.31 to 2.4.31-hf1 (semi-automated)
---------------------------------------
'+' = added ; '-' = removed

...
+ 2.4.31-x86_64-ia64-32bit-execve-overflow-1                       (Andi Kleen)

  [PATCH] Fix buffer overflow in x86-64/ia64 32bit execve
  Fix buffer overflow in x86-64/ia64 32bit execve. Originally noted
  by Ilja van Sprundel. I fixed it for both x86-64 and IA64. Other
  architectures are not affected.
----

The HF series presents hotfixes for kernels 2.4.[29-31]. See:

http://linux.exosec.net/kernel/2.4-hf/

bye, ju

-- 
Juergen Schmidt       Chefredakteur  heise Security     www.heisec.de
Heise Zeitschriften Verlag,    Helstorferstr. 7,       D-30625 Hannover
Tel. +49 511 5352 300      FAX +49 511 5352 417       EMail ju () heisec de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970
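The advisory and the changelog entry above name the bug class (a race in the ia32 compat execve() path that ends in a kernel heap overflow) without showing the mechanism. The following is an added user-space model of that pattern, written for this page; it is not the kernel's code, not Andi Kleen's patch and not Suresec's proof of concept. It assumes the generic count-then-copy shape of a compat execve: a 32-bit argv (an array of 32-bit pointers ending in 0) is counted once to size a kernel buffer of native pointers, then walked a second time to fill it. If the second walk stops at the terminator it re-reads from user memory rather than at the count the buffer was sized for, a second user thread that appends entries between the two passes pushes the copy past the allocation. The names `count_entries`, `widen_vulnerable`, `widen_fixed`, `run_request` and the heap model are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not kernel code: the count-then-copy pattern behind a
 * user-space race that becomes a kernel heap overflow in a compat execve.
 * "User memory" and the "kernel heap" are both plain arrays here. */

#define SLOTS 16                    /* size of the modelled heap region */
#define NEIGHBOUR_MAGIC 0x5A5A5A5Au /* pattern stored in the adjacent object */
typedef uint32_t compat_uptr_t;     /* a 32-bit user pointer */

static compat_uptr_t user_argv[SLOTS];   /* attacker-controlled "user memory" */

/* Kernel heap model: region[0..n] is the (n+1)-slot allocation made for a
 * count of n; region[n+1] is the first word of a neighbouring object. */
struct heap_model {
    uintptr_t region[SLOTS];
};

/* Pass 1: count entries up to the terminator (what sizes the allocation). */
static size_t count_entries(const compat_uptr_t *argv)
{
    size_t n = 0;
    while (argv[n])
        n++;
    return n;
}

/* Vulnerable pass 2: the bound is the terminator in user memory, re-read
 * now, not the count the buffer was sized for.  (The SLOTS-1 cap only keeps
 * this model inside its own array; the pattern being shown has no such cap.) */
static size_t widen_vulnerable(uintptr_t *dst, const compat_uptr_t *argv, size_t n)
{
    size_t i;
    (void)n;                         /* the count is never consulted again */
    for (i = 0; argv[i] && i < SLOTS - 1; i++)
        dst[i] = (uintptr_t)argv[i];
    dst[i] = 0;
    return i;
}

/* Hardened pass 2: never write more than the n entries the buffer was sized
 * for, and refuse the call if user memory no longer ends where it did. */
static int widen_fixed(uintptr_t *dst, const compat_uptr_t *argv, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (!argv[i])
            return -1;               /* argv shrank under us: treat as a fault */
        dst[i] = (uintptr_t)argv[i];
    }
    if (argv[n])
        return -1;                   /* argv grew under us: refuse, no overflow */
    dst[n] = 0;
    return (int)n;
}

/* One execve-like request.  attacker_races models a second thread appending
 * four entries after the count and before the copy.  Returns 1 if the
 * neighbouring object survived, 0 if the copy overwrote it, -1 if the
 * hardened path refused the call. */
int run_request(int fixed, int attacker_races)
{
    struct heap_model heap;
    static const compat_uptr_t initial[] = { 0x10000u, 0x10010u, 0x10020u, 0 };
    size_t n, i;

    memset(user_argv, 0, sizeof user_argv);
    memcpy(user_argv, initial, sizeof initial);   /* constructed sample argv */

    n = count_entries(user_argv);             /* pass 1: n == 3 */
    memset(&heap, 0, sizeof heap);
    heap.region[n + 1] = NEIGHBOUR_MAGIC;     /* allocation is region[0..n] */

    if (attacker_races)                       /* race window: argv grows */
        for (i = 0; i < 4; i++)
            user_argv[n + i] = 0x20000u + (compat_uptr_t)(i * 0x10);

    if (fixed) {
        if (widen_fixed(heap.region, user_argv, n) < 0)
            return -1;
    } else {
        widen_vulnerable(heap.region, user_argv, n);
    }
    return heap.region[n + 1] == NEIGHBOUR_MAGIC;
}

int main(void)
{
    printf("vulnerable, no race : %d\n", run_request(0, 0));
    printf("vulnerable, race    : %d\n", run_request(0, 1));
    printf("fixed, no race      : %d\n", run_request(1, 0));
    printf("fixed, race         : %d\n", run_request(1, 1));
    return 0;
}
```

The point of the model is the second return value: with the race, the unbounded copy writes the appended entries straight over the neighbouring object, which is the heap corruption the advisory describes. The hardened copy is bounded by the count used for the allocation and re-checks the terminator, so a concurrent change to argv can only make the call fail, never overrun.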
