CVE-2010-3081

24.09.2010, 20:00

The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a "stack pointer underflow" issue, as exploited in the wild in September 2010.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
redhat	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 96%

Vendor	Product	Version
linux	linux_kernel	𝑥 ≤ 2.6.35.4
linux	linux_kernel	2.6.36
linux	linux_kernel	2.6.36:rc1
linux	linux_kernel	2.6.36:rc2
linux	linux_kernel	2.6.36:rc3
vmware	esx	4.0
vmware	esx	4.1

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

linux

maverick	Fixed 2.6.35-22.32 released
lucid	Fixed 2.6.32-24.43 released
karmic	Fixed 2.6.31-22.65 released
jaunty	Fixed 2.6.28-19.65 released
hardy	Fixed 2.6.24-28.79 released
dapper	dne

linux-fsl-imx51

maverick	dne
lucid	Fixed 2.6.31-608.22 released
karmic	Fixed 2.6.31-112.30 released
hardy	dne
dapper	dne

linux-source-2.6.15

maverick	dne
lucid	dne
karmic	dne
jaunty	dne
hardy	dne
dapper	Fixed 2.6.15-55.88 released

linux-ti-omap4

maverick	Fixed 2.6.35-903.22 released
lucid	dne
karmic	dne
hardy	dne
dapper	dne

Known Exploits!

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0273.html

http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0278.html

http://blog.ksplice.com/2010/09/cve-2010-3081/

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c41d68a513c71e35a14f66d71782d27a79a81ea6

http://isc.sans.edu/diary.html?storyid=9574

http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html

http://marc.info/?l=oss-security&m=128461522230211&w=2

http://secunia.com/advisories/42384

http://secunia.com/advisories/43315

http://sota.gen.nz/compat1/

http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.36-rc4-git2.log

http://www.mandriva.com/security/advisories?name=MDVSA-2010:198

http://www.mandriva.com/security/advisories?name=MDVSA-2010:214

http://www.mandriva.com/security/advisories?name=MDVSA-2010:247

http://www.redhat.com/support/errata/RHSA-2010-0758.html

http://www.redhat.com/support/errata/RHSA-2010-0842.html

http://www.redhat.com/support/errata/RHSA-2010-0882.html

http://www.securityfocus.com/archive/1/514938/30/30/threaded

http://www.securityfocus.com/archive/1/516397/100/0/threaded

http://www.vmware.com/security/advisories/VMSA-2010-0017.html

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

http://www.vupen.com/english/advisories/2010/3083

http://www.vupen.com/english/advisories/2010/3117

http://www.vupen.com/english/advisories/2011/0298

https://access.redhat.com/kb/docs/DOC-40265

https://bugzilla.redhat.com/show_bug.cgi?id=634457

http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0273.html

http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0278.html

http://blog.ksplice.com/2010/09/cve-2010-3081/

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=c41d68a513c71e35a14f66d71782d27a79a81ea6

http://isc.sans.edu/diary.html?storyid=9574

http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html

http://marc.info/?l=oss-security&m=128461522230211&w=2

http://secunia.com/advisories/42384

http://secunia.com/advisories/43315

http://sota.gen.nz/compat1/

http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/patch-2.6.36-rc4-git2.log

http://www.mandriva.com/security/advisories?name=MDVSA-2010:198

http://www.mandriva.com/security/advisories?name=MDVSA-2010:214

http://www.mandriva.com/security/advisories?name=MDVSA-2010:247

http://www.redhat.com/support/errata/RHSA-2010-0758.html

http://www.redhat.com/support/errata/RHSA-2010-0842.html

http://www.redhat.com/support/errata/RHSA-2010-0882.html

http://www.securityfocus.com/archive/1/514938/30/30/threaded

http://www.securityfocus.com/archive/1/516397/100/0/threaded

http://www.vmware.com/security/advisories/VMSA-2010-0017.html

http://www.vmware.com/security/advisories/VMSA-2011-0003.html

http://www.vupen.com/english/advisories/2010/3083

http://www.vupen.com/english/advisories/2010/3117

http://www.vupen.com/english/advisories/2011/0298

https://access.redhat.com/kb/docs/DOC-40265

https://bugzilla.redhat.com/show_bug.cgi?id=634457