发布时间 :2005-01-10 00:00:00
修订时间 :2016-10-17 22:51:48

[原文]Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local attackers to modify kernel memory and gain privileges.

[CNNVD]Linux Kernel sys_ia32.c/sys32_ni_syscall.c 缓冲区溢出漏洞(CNNVD-200501-146)

        Linux Kernel是开源操作系统Linux所使用的内核。
        Linux Kernel 2.6.x版本中sys_ia32.c的sys32_ni_syscall及sys32_vm86_warning函数存在多个缓冲区溢出漏洞。

- CVSS (基础分值)

CVSS分值: 7.2 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:linux:linux_kernel:2.6.8Linux Kernel 2.6.8
cpe:/o:linux:linux_kernel:2.6.1:rc2Linux Kernel 2.6.1 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.1:rc1Linux Kernel 2.6.1 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.0:test4Linux Kernel 2.6 test4
cpe:/o:linux:linux_kernel:2.6.0:test5Linux Kernel 2.6 test5
cpe:/o:linux:linux_kernel:2.6.0:test2Linux Kernel 2.6 test2
cpe:/o:linux:linux_kernel:2.6.0:test3Linux Kernel 2.6 test3
cpe:/o:linux:linux_kernel:2.6.0:test8Linux Kernel 2.6 test8
cpe:/o:linux:linux_kernel:2.6.0:test9Linux Kernel 2.6 test9
cpe:/o:linux:linux_kernel:2.6.0:test6Linux Kernel 2.6 test6
cpe:/o:linux:linux_kernel:2.6.0:test7Linux Kernel 2.6 test7
cpe:/o:linux:linux_kernel:2.6.3Linux Kernel 2.6.3
cpe:/o:linux:linux_kernel:2.6.2Linux Kernel 2.6.2
cpe:/o:linux:linux_kernel:2.6.1Linux Kernel 2.6.1
cpe:/o:linux:linux_kernel:2.6.0Linux Kernel 2.6.0
cpe:/o:linux:linux_kernel:2.6.0:test11Linux Kernel 2.6 test11
cpe:/o:linux:linux_kernel:2.6.0:test1Linux Kernel 2.6 test1
cpe:/o:linux:linux_kernel:2.6.6:rc1Linux Kernel 2.6.6 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.0:test10Linux Kernel 2.6 test10
cpe:/o:linux:linux_kernel:2.6.7:rc1Linux Kernel 2.6.7 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.8:rc1Linux Kernel 2.6.8 Release Candidate 1
cpe:/o:linux:linux_kernel:2.6.8:rc2Linux Kernel 2.6.8 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.8:rc3Linux Kernel 2.6.8 Release Candidate 3
cpe:/o:linux:linux_kernel:2.6.10:rc2Linux Kernel 2.6.10 Release Candidate 2
cpe:/o:linux:linux_kernel:2.6.7Linux Kernel 2.6.7
cpe:/o:linux:linux_kernel:2.6.6Linux Kernel 2.6.6
cpe:/o:linux:linux_kernel:2.6.5Linux Kernel 2.6.5
cpe:/o:linux:linux_kernel:2.6.4Linux Kernel 2.6.4

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20041214 [USN-38-1] Linux kernel vulnerabilities
(UNKNOWN)  MLIST  [linux-kernel] 20041130 Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()

- 漏洞信息

Linux Kernel sys_ia32.c/sys32_ni_syscall.c 缓冲区溢出漏洞
高危 缓冲区溢出
2005-01-10 00:00:00 2005-10-20 00:00:00
        Linux Kernel是开源操作系统Linux所使用的内核。
        Linux Kernel 2.6.x版本中sys_ia32.c的sys32_ni_syscall及sys32_vm86_warning函数存在多个缓冲区溢出漏洞。

- 公告与补丁


- 漏洞信息 (F35339)

Ubuntu Security Notice 38-1 (PacketStormID:F35339)
2004-12-30 00:00:00

Ubuntu Security Notice USN-38-1 - This advisory covers all the recent vulnerabilities discovered in the Linux 2.6 kernel series.

Ubuntu Security Notice USN-38-1		  December 14, 2004
linux-source- vulnerabilities
CAN-2004-0814, CAN-2004-1016, CAN-2004-1056, CAN-2004-1058, 
CAN-2004-1068, CAN-2004-1069, CAN-2004-1137, CAN-2004-1151

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:


The problem can be corrected by upgrading the affected package to
version You need to reboot the computer after doing a
standard system upgrade to effect the necessary changes.

ATTENTION: Due to an unavoidable ABI change this kernel got a new
version number, which requires to recompile and reinstall all third
party kernel modules you might have installed. If you use
linux-restricted-modules, you have to update that package as well to
get modules which work with the new kernel version.

Details follow:


  Vitaly V. Bursov discovered a Denial of Service vulnerability in the "serio"
  code; opening the same tty device twice and doing some particular operations on
  it caused a kernel panic and/or a system lockup.  

  Fixing this vulnerability required a change in the Application Binary
  Interface (ABI) of the kernel. This means that third party user installed
  modules might not work any more with the new kernel, so this fixed kernel got
  a new ABI version number. You have to recompile and reinstall all third party


  Paul Starzetz discovered a buffer overflow vulnerability in the "__scm_send"
  function which handles the sending of UDP network packets. A wrong validity
  check of the cmsghdr structure allowed a local attacker to modify kernel
  memory, thus causing an endless loop (Denial of Service) or possibly even
  root privilege escalation.


  Thomas Hellstr    

- 漏洞信息

Linux Kernel sys32_ni_syscall Function Local Overflow
Local Access Required Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Unknown

- 漏洞描述

A local overflow exists in the linux kernel. The issue is due to function "sys32_ni_syscall()" copying a 16 chars variable "task_struct.comm" to a static 8 byte buffer, resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service or execute arbitrary code on the system, resulting in a loss of availability or integrity.

- 时间线

2004-11-30 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Jeremy Fitzhardinge has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Linux Kernel Sys32_NI_Syscall/Sys32_VM86_Warning Local Buffer Overflow Vulnerability
Boundary Condition Error 11938
No Yes
2004-12-14 12:00:00 2009-07-12 09:26:00
Discovery of this vulnerability is credited to Ross Kendall Axe.

- 受影响的程序版本

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Red Hat Fedora Core3
Red Hat Fedora Core2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
Mandriva Linux Mandrake 9.2 amd64
Mandriva Linux Mandrake 9.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
Linux kernel 2.6.10 rc2
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
+ S.u.S.E. Linux Enterprise Server 9
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.1
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6

- 漏洞讨论

The Linux kernel for 64-Bit architectures is reported prone to a local buffer overflow vulnerability.

This vulnerability exists in 'sys32_ni_syscall()' and 'sys32_vm86_warning()' as a result of an unbounded copy of a 16 byte string into an 8 byte buffer using the strcpy() function.

Immediate consequences of exploitation of this vulnerability could be a kernel panic; this could be used to deny service to legitimate users. It is not currently known whether this vulnerability may be leveraged to provide for execution of arbitrary code.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 解决方案

Ubuntu Linux has released advisory USN-38-1 along with fixes to address this, and other issues. Please see the referenced advisory for further information.

SuSE Linux has released an advisory (SUSE-SA:2004:044) along with fixes dealing with this and other issues. Please see the referenced advisory more information.

SuSE Linux has reported that the fixes they released for SuSE Linux 9.2 caused computers that had applied them to fail to boot. This issue is apparently due caused by a script that is no longer creating the vmlinuz and initrd symlinks, which are required for successful booting. The offending fixes have been removed. The BID will be updated as more fixes are released.

SuSE Linux has reported additional problems with fixes they released for SuSE Linux 9.2. Please see the referenced SuSE advisory SUSE-SA:2004:044 for more information.

Red Hat has released advisories FEDORA-2004-581, and FEDORA-2004-582 to address this issue in Fedora Core 2, and 3 respectively. Please see the referenced advisories for further information.

MandrakeSoft has issued fixes in advisory MDKSA-2005:022. See reference section.

TurboLinux has released Turbolinux Security Announcement 28/Feb/2005 dealing with this and other issues. Please see the referenced advisory for more information.

Linux kernel 2.6

Linux kernel 2.6.3

Linux kernel 2.6.4

Linux kernel 2.6.5

Linux kernel 2.6.8 rc1

- 相关参考