Bug 62088 (CVE-2004-0887)

Summary: VUL-0: CVE-2004-0887: s390: sacf local root exploit.
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Marcus Meissner <meissner>
Status: VERIFIED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: afx, hare, security-team
Version: unspecified
Target Milestone: ---
Hardware: S/390
OS: Linux
Whiteboard: CVE-2004-0887: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 50256
Attachments: sacf.patch

Description Marcus Meissner 2004-10-11 20:08:00 UTC
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] s390: sacf local root exploit.

Hi,
crashme found a problem on s390/zSeries (31/64 bit) that is
suitable for a local root exploit. sacf is a semi-privileged
instruction that is used to set the address-space control bits
in the psw. The address-space mode controls from which address
space the cpu fetches instructions and loads/stores data. Naturally
we can't allow a user process to use the sacf instruction to
"leave" the user address space (home space). To prevent the use
of sacf in user space the home-space-switch-event-control
bit in control register 13 is enabled. Whenever sacf is used to
leave the home space we get a program interruption. The trap
now is that we get the program interruption AFTER sacf has
switched the address-space mode control bits in the user psw.

The fix for ptrace (ChangeSet 1.1371.585.6) that prevents the
removal of the single-step bit due to a signal introduced the
problem because the address-space control is not reset to
home-space mode anymore. Therefore a signal handler for the
illegal operation caused by the sacf will get control in primary
space mode, which allows a malicious user space program to modify
data in the kernel space.

Affected kernels are 2.6.5 to 2.6.8.

blue skies,
  Martin.

Martin Schwidefsky
Linux for zSeries Development & Services
IBM Deutschland Entwicklung GmbH

---

[PATCH] s390: sacf local root exploit.

From: Martin Schwidefsky <schwidefsky@de.ibm.com>

s390 core changes:
 - Force user process back to home space mode in space switch event
   exception handler.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

diffstat:
 arch/s390/kernel/traps.c |   17 ++++++++++++++++-
 1 files changed, 16 insertions(+), 1 deletion(-)
Comment 1 Marcus Meissner 2004-10-11 20:08:01 UTC
n/a
Comment 2 Marcus Meissner 2004-10-11 20:08:49 UTC
Created attachment 24849 [details]
sacf.patch
Comment 3 Marcus Meissner 2004-10-11 20:09:19 UTC
hannes, can you make sure we have it in our next sles9 update kernel?
Comment 4 Hannes Reinecke 2004-10-11 20:45:36 UTC
Patch added to kernel-source-26 GA_BRANCH.
Closing bug.
Comment 5 Marcus Meissner 2004-10-12 17:34:52 UTC
Reopened by meissner@suse.de at Tue Oct 12 11:34:52 2004
Comment 6 Marcus Meissner 2004-10-12 17:34:52 UTC
thanks
Comment 7 Marcus Meissner 2004-10-12 17:35:16 UTC
reassign back to us for tracking.

CAN-2004-0887
Comment 8 Marcus Meissner 2004-10-21 16:16:37 UTC
kernels and advisory released
Comment 9 Marcus Meissner 2004-10-21 19:22:49 UTC
before EAL certification comments
Comment 10 Thomas Biege 2009-10-13 19:52:48 UTC
CVE-2004-0887: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)