First published: Mon Nov 01 2010(Updated: )
Description of problem: The semctl syscall has several code paths that lead to the leakage of uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO, IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete version of the semid_ds struct. The copy_semid_to_user() function declares a semid_ds struct on the stack and copies it back to the user without initializing or zeroing the 'sem_base', 'sem_pending', 'sem_pending_last', and 'undo' pointers, allowing the leakage of 16 bytes of kernel stack memory. The code is still reachable on 32-bit systems - when calling semctl() newer glibc's automatically OR the IPC command with the IPC_64 flag, but invoking the syscall directly allows users to use the older versions of the struct. Reference: <a href="http://www.openwall.com/lists/oss-security/2010/10/06/6">http://www.openwall.com/lists/oss-security/2010/10/06/6</a> <a href="http://www.spinics.net/lists/mm-commits/msg80234.html">http://www.spinics.net/lists/mm-commits/msg80234.html</a> Acknowledgements: Red Hat would like to thank Dan Rosenberg for reporting this issue.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/linux-2.6 | ||
Linux Kernel | <2.6.36 | |
SUSE Linux | =11.3 | |
SUSE Linux Enterprise Desktop | =10-sp3 | |
SUSE Linux Enterprise Desktop | =11-sp1 | |
SUSE Linux Enterprise Real Time Extension | =11-sp1 | |
SUSE Linux Enterprise Server | =9 | |
SUSE Linux Enterprise Server | =10-sp3 | |
SUSE Linux Enterprise Server | =11-sp1 | |
SUSE Linux Enterprise Software Development Kit | =10-sp3 | |
Debian | =5.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2010-4083 is considered to have moderate severity due to its potential for information leakage.
To mitigate CVE-2010-4083, it is recommended to update to a more recent version of the Linux kernel that does not use the affected semid_ds structure.
CVE-2010-4083 affects the Linux kernel versions prior to 2.6.36 and several specific versions of SUSE and Debian distributions.
CVE-2010-4083 leads to the leakage of uninitialized kernel stack memory which could potentially expose sensitive data.
CVE-2010-4083 is more likely to be exploited locally since it involves kernel memory access through system calls.