October 28, 2008

Linux Kernel Silent Patching: VMI write_ldt_entry() local privilege escalation


Published on: October 28, 2008
Last modified: August 22, 2022

Once again, the Linux kernel developers delight us with their always discreet (meaning: silent, no-advisory, no-warning) patching practices. Sometime between 2.6.24 and 2.6.25 a patch from a Red Hat developer was committed to the Linux kernel git tree, changing the VMI interface hooks for some of the functions that deal with the GDT and LDT.

diff --git a/arch/x86/kernel/vmi_32.c b/arch/x86/kernel/vmi_32.c
index 6ca515d..edfb09f 100644
--- a/arch/x86/kernel/vmi_32.c
+++ b/arch/x86/kernel/vmi_32.c
@@ -235,7 +235,7 @@ static void vmi_write_ldt_entry(struct desc_struct *dt, int entry,
        const void *desc)
  u32 *ldt_entry = (u32 *)desc;
- vmi_ops.write_idt_entry(dt, entry, ldt_entry[0], ldt_entry[1]);
+ vmi_ops.write_ldt_entry(dt, entry, ldt_entry[0], ldt_entry[1]);
 static void vmi_load_sp0(struct tss_struct *tss,
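Review bot: the `+` line is the right dispatch target, but a change that redirects an unprivileged-reachable LDT write away from the IDT hook is a security fix and should say so, either with a one-line comment above the call or an impact note in the commit message, so that stable backporters do not treat a one-character `idt` to `ldt` change as cosmetic. Minor: `u32 *ldt_entry = (u32 *)desc;` casts away the `const` of `desc`; `const u32 *ldt_entry = desc;` expresses the read-only intent and needs no cast.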

The original commit mentions that the bug was discovered when the JRE caused failures, which confirms that it can be triggered by unprivileged user-land processes. It affects only x86 VMI guests.
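To make the effect of the one-line hunk concrete, here is an added illustration in C that is not kernel code and not part of the original post: a scaled-down model of a VMI-style ops table with separate LDT and IDT write hooks, the pre-fix wrapper that hands an LDT descriptor to the IDT hook, the post-fix wrapper, and a self-check that reports which table a write actually lands in. The table sizes, hook signatures and descriptor value are constructed for the example.

```c
/* Added illustration (not kernel code): a scaled-down model of the VMI
 * ops table and the vmi_write_ldt_entry() wrapper, showing why dispatching
 * an LDT write to the IDT hook puts the descriptor in the wrong table. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_ENTRIES 8 /* constructed: real tables are larger */

/* Constructed stand-ins for the guest's descriptor tables. */
struct tables {
    uint64_t ldt[N_ENTRIES];
    uint64_t idt[N_ENTRIES];
};

/* Hook table modelled on vmi_ops: the back-end receives the 8-byte
 * descriptor as two u32 halves, as in the kernel's call. */
struct ops {
    void (*write_ldt_entry)(struct tables *t, int entry, uint32_t lo, uint32_t hi);
    void (*write_idt_entry)(struct tables *t, int entry, uint32_t lo, uint32_t hi);
};

static void backend_write_ldt(struct tables *t, int entry, uint32_t lo, uint32_t hi)
{
    t->ldt[entry] = ((uint64_t)hi << 32) | lo;
}

static void backend_write_idt(struct tables *t, int entry, uint32_t lo, uint32_t hi)
{
    t->idt[entry] = ((uint64_t)hi << 32) | lo;
}

static const struct ops vmi_ops = { backend_write_ldt, backend_write_idt };

/* Pre-fix wrapper, mirroring the '-' line of the hunk: an LDT descriptor
 * is passed to the IDT hook. */
static void write_ldt_entry_buggy(struct tables *t, int entry, const void *desc)
{
    const uint32_t *ldt_entry = desc;
    vmi_ops.write_idt_entry(t, entry, ldt_entry[0], ldt_entry[1]);
}

/* Post-fix wrapper, mirroring the '+' line of the hunk. */
static void write_ldt_entry_fixed(struct tables *t, int entry, const void *desc)
{
    const uint32_t *ldt_entry = desc;
    vmi_ops.write_ldt_entry(t, entry, ldt_entry[0], ldt_entry[1]);
}

/* Self-check a maintainer could keep beside the ops table: write a marker
 * descriptor through the wrapper and verify it reached the LDT and left the
 * IDT untouched. Returns 1 on success, 0 if the write went astray. */
static int ldt_write_lands_in_ldt(void (*wrapper)(struct tables *, int, const void *))
{
    struct tables t;
    /* Constructed descriptor halves, low dword first, as the kernel reads them. */
    const uint32_t desc[2] = { 0x0000ffffU, 0x00cffa00U };
    const uint64_t expect = ((uint64_t)desc[1] << 32) | desc[0];

    memset(&t, 0, sizeof t);
    wrapper(&t, 3, desc);
    return t.ldt[3] == expect && t.idt[3] == 0;
}

int main(void)
{
    printf("pre-fix wrapper reaches LDT:  %s\n",
           ldt_write_lands_in_ldt(write_ldt_entry_buggy) ? "yes" : "no (went to IDT)");
    printf("post-fix wrapper reaches LDT: %s\n",
           ldt_write_lands_in_ldt(write_ldt_entry_fixed) ? "yes" : "no");
    return 0;
}
```

The point of the self-check is that a mis-wired hook in a function-pointer table is invisible to the compiler, since both hooks share a signature; only a test that observes where the write lands catches it, which is also why the hunk deserves an explanatory comment rather than a silent one-character change.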

The entry for CVE-2008-4410 in the NIST NVD database summarizes the vulnerability as follows:

The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247.

It is debatable whether the vulnerability is a mere denial of service, but the validation checks in sys_modify_ldt and vmi_ops.write_idt_entry would need special care to circumvent.