Bug 62088 (CVE-2004-0887) - VUL-0: CVE-2004-0887: s390: sacf local root exploit.
Summary: VUL-0: CVE-2004-0887: s390: sacf local root exploit.
Status: VERIFIED FIXED
Alias: CVE-2004-0887
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: S/390 Linux
: P3 - Medium : Major
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-0887: CVSS v2 Base Score: 7....
Keywords:
Depends on:
Blocks: 50256
  Show dependency treegraph
 
Reported: 2004-10-11 20:08 UTC by Marcus Meissner
Modified: 2021-10-04 10:14 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
sacf.patch (1.55 KB, patch)
2004-10-11 20:08 UTC, Marcus Meissner 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2004-10-11 20:08:00 UTC 
From: Martin Schwidefsky <schwidefsky@de.ibm.com>                                
To: vendor-sec@lst.de                                                            
Subject: [vendor-sec] s390: sacf local root exploit.                             
                                                                                 
Hi,                                                                              
crashme found a problem on s390/zSeries (31/64 bit) that is                      
suitable for a local root exploit. sacf is a semi-privileged                     
instruction that is used to set the address-space control bits                   
in the psw. The address-space mode controls from which address                   
space the cpu fetches instruction and loads/stores data. Naturally               
we can't allow a user process to use the sacf instruction to                     
"leave" the user address space (home space). To prevent the use                  
of the sacf in user space the home-space-switch-event-control                    
bit in control register 13 is enabled. Whenever sacf is used to                  
leave the home space we get a program interruption. The trap                     
now is that we get the program interruption AFTER sacf has                       
switched the address-space mode control bits in the user psw.                    
                                                                                 
The fix for ptrace (ChangeSet 1.1371.585.6) that prevents the                    
removal of the single-step bit due to a signal introduced the                    
problem because the address-space control is not reset to                        
home-space mode anymore. Therefore a signal handler for the                      
illegal operation caused by the sacf will get control in primary                 
space mode which allows a malicious user space program to modify                 
data in the kernel space.                                                        
                                                                                 
Affected kernels are 2.6.5 to 2.6.8.                                             
                                                                                 
blue skies,                                                                      
  Martin.                                                                        
                                                                                 
Martin Schwidefsky                                                               
Linux for zSeries Development & Services                                         
IBM Deutschland Entwicklung GmbH                                                 
                                                                                 
---                                                                              
                                                                                 
[PATCH] s390: sacf local root exploit.                                           
                                                                                 
From: Martin Schwidefsky <schwidefsky@de.ibm.com>                                
                                                                                 
s390 core changes:                                                               
 - Force user process back to home space mode in space switch event              
   exception handler.                                                            
                                                                                 
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>                       
                                                                                 
diffstat:                                                                        
 arch/s390/kernel/traps.c |   17 ++++++++++++++++-                               
 1 files changed, 16 insertions(+), 1 deletion(-)
Comment 1 Marcus Meissner 2004-10-11 20:08:01 UTC 
<!-- SBZ_reproduce  -->
n/a
Comment 2 Marcus Meissner 2004-10-11 20:08:49 UTC 
Created attachment 24849 [details]
sacf.patch
Comment 3 Marcus Meissner 2004-10-11 20:09:19 UTC 
hannes, can you make sure we have it in our next sles9 update kernel
Comment 4 Hannes Reinecke 2004-10-11 20:45:36 UTC 
Patch added to kernel-source-26 GA_BRANCH.
Closing bug.
Comment 5 Marcus Meissner 2004-10-12 17:34:52 UTC 
<!-- SBZ_reopen -->Reopened by meissner@suse.de at Tue Oct 12 11:34:52 2004
Comment 6 Marcus Meissner 2004-10-12 17:34:52 UTC 
thanks
Comment 7 Marcus Meissner 2004-10-12 17:35:16 UTC 
reassign back to us for tracking. 
 
CAN-2004-0887
Comment 8 Marcus Meissner 2004-10-21 16:16:37 UTC 
kernels and advisory released
Comment 9 Marcus Meissner 2004-10-21 19:22:49 UTC 
vor EAL certification comments
Comment 10 Thomas Biege 2009-10-13 19:52:48 UTC 
CVE-2004-0887: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)