CVE-2010-3081

24.09.2010, 20:00

The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a "stack pointer underflow" issue, as exploited in the wild in September 2010.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 91%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	𝑥 ≤ 2.6.35.4
linux	linux_kernel	2.6.36
linux	linux_kernel	2.6.36:rc1
linux	linux_kernel	2.6.36:rc2
linux	linux_kernel	2.6.36:rc3
vmware	esx	4.0
vmware	esx	4.1

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

linux

dapper	dne
hardy	Fixed 2.6.24-28.79 released
jaunty	Fixed 2.6.28-19.65 released
karmic	Fixed 2.6.31-22.65 released
lucid	Fixed 2.6.32-24.43 released
maverick	Fixed 2.6.35-22.32 released

linux-fsl-imx51

dapper	dne
hardy	dne
karmic	Fixed 2.6.31-112.30 released
lucid	Fixed 2.6.31-608.22 released
maverick	dne

linux-source-2.6.15

dapper	Fixed 2.6.15-55.88 released
hardy	dne
jaunty	dne
karmic	dne
lucid	dne
maverick	dne

linux-ti-omap4

dapper	dne
hardy	dne
karmic	dne
lucid	dne
maverick	Fixed 2.6.35-903.22 released

openSUSE / SLES Releases

openSUSE Product

Release

kernel-default

suse enterprise desktop 15	4.12.14-23.1 fixed
suse enterprise sap 15	4.12.14-23.1 fixed
suse enterprise server 15	4.12.14-23.1 fixed

kernel-docs

suse enterprise desktop 15	4.12.14-23.1 fixed
suse enterprise sap 15	4.12.14-23.1 fixed
suse enterprise server 15	4.12.14-23.1 fixed

kernel-macros

suse enterprise desktop 15	4.12.14-23.1 fixed
suse enterprise sap 15	4.12.14-23.1 fixed
suse enterprise server 15	4.12.14-23.1 fixed

kernel-obs-build

suse enterprise desktop 15	4.12.14-23.1 fixed
suse enterprise sap 15	4.12.14-23.1 fixed
suse enterprise server 15	4.12.14-23.1 fixed

kernel-source

suse enterprise desktop 15	4.12.14-23.1 fixed
suse enterprise sap 15	4.12.14-23.1 fixed
suse enterprise server 15	4.12.14-23.1 fixed

kernel-syms

suse enterprise desktop 15	4.12.14-23.1 fixed
suse enterprise sap 15	4.12.14-23.1 fixed
suse enterprise server 15	4.12.14-23.1 fixed

kernel-vanilla-base

suse enterprise desktop 15	4.12.14-23.1 fixed
suse enterprise sap 15	4.12.14-23.1 fixed
suse enterprise server 15	4.12.14-23.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

kernel

RHEL 6

0:2.6.32-71.7.1.el6

fixed

kernel-bootwrapper

RHEL 6

0:2.6.32-71.7.1.el6

fixed

kernel-debug

RHEL 6

0:2.6.32-71.7.1.el6

fixed

kernel-debug-devel

RHEL 6

0:2.6.32-71.7.1.el6

fixed

kernel-devel

RHEL 6

0:2.6.32-71.7.1.el6

fixed

kernel-doc

RHEL 6

0:2.6.32-71.7.1.el6

fixed

kernel-firmware

RHEL 6

0:2.6.32-71.7.1.el6

fixed

kernel-headers

RHEL 6

0:2.6.32-71.7.1.el6

fixed

kernel-kdump

RHEL 6

0:2.6.32-71.7.1.el6

fixed

kernel-kdump-devel

RHEL 6

0:2.6.32-71.7.1.el6

fixed

perf

RHEL 6

0:2.6.32-71.7.1.el6

fixed

Known Exploits!

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0273.html

http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0278.html

http://blog.ksplice.com/2010/09/cve-2010-3081/

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c41d68a513c71e35a14f66d71782d27a79a81ea6

http://isc.sans.edu/diary.html?storyid=9574

http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html

http://marc.info/?l=oss-security&m=128461522230211&w=2

http://secunia.com/advisories/42384

http://secunia.com/advisories/43315

http://sota.gen.nz/compat1/

http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.36-rc4-git2.log

http://www.mandriva.com/security/advisories?name=MDVSA-2010:198

http://www.mandriva.com/security/advisories?name=MDVSA-2010:214

http://www.mandriva.com/security/advisories?name=MDVSA-2010:247

http://www.redhat.com/support/errata/RHSA-2010-0758.html

http://www.redhat.com/support/errata/RHSA-2010-0842.html

http://www.redhat.com/support/errata/RHSA-2010-0882.html

http://www.securityfocus.com/archive/1/514938/30/30/threaded

http://www.securityfocus.com/archive/1/516397/100/0/threaded

http://www.vmware.com/security/advisories/VMSA-2010-0017.html

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

http://www.vupen.com/english/advisories/2010/3083

http://www.vupen.com/english/advisories/2010/3117

http://www.vupen.com/english/advisories/2011/0298

https://access.redhat.com/kb/docs/DOC-40265

https://bugzilla.redhat.com/show_bug.cgi?id=634457

http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0273.html

http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0278.html

http://blog.ksplice.com/2010/09/cve-2010-3081/

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c41d68a513c71e35a14f66d71782d27a79a81ea6

http://isc.sans.edu/diary.html?storyid=9574

http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html

http://marc.info/?l=oss-security&m=128461522230211&w=2

http://secunia.com/advisories/42384

http://secunia.com/advisories/43315

http://sota.gen.nz/compat1/

http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.36-rc4-git2.log

http://www.mandriva.com/security/advisories?name=MDVSA-2010:198

http://www.mandriva.com/security/advisories?name=MDVSA-2010:214

http://www.mandriva.com/security/advisories?name=MDVSA-2010:247

http://www.redhat.com/support/errata/RHSA-2010-0758.html

http://www.redhat.com/support/errata/RHSA-2010-0842.html

http://www.redhat.com/support/errata/RHSA-2010-0882.html

http://www.securityfocus.com/archive/1/514938/30/30/threaded

http://www.securityfocus.com/archive/1/516397/100/0/threaded

http://www.vmware.com/security/advisories/VMSA-2010-0017.html

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

http://www.vupen.com/english/advisories/2010/3083

http://www.vupen.com/english/advisories/2010/3117

http://www.vupen.com/english/advisories/2011/0298

https://access.redhat.com/kb/docs/DOC-40265

https://bugzilla.redhat.com/show_bug.cgi?id=634457