What is really the attack surface of the kernel running a SECCOMP process?
In a previous post, I said the attack surface of the kernel for processes running SECCOMP was really
To confirm this assumption, each vulnerability affecting the 2.6 kernel was reviewed.
Only those triggerable from a SECCOMPed process were kept. On 440 vulnerabilities, 13 were qualified:
Impact Description Architecture Reference
HIGH infinite loop triggering signal handler i386 CVE-2004-0554
audit_syscall_entry bypass amd64 CVE-2009-0834
SECCOMP bypass amd64 CVE-2009-0835
MEDIUM Non-sign extension of syscall arguments s390 CVE-2009-0029
MEDIUM EFLAGS leak on context switch amd64/i386 CVE-2006-5755
MEDIUM Nested faults amd64 CVE-2005-1767
MEDIUM Not handling properly certain privileged instructions s390 CVE-2004-0887
LOW Fix register leak in 32 bits syscall audititing amd64 81766741f
LOW 64-bit kernel register leak to 32-bit processes amd64 24e35800c
LOW Register leak amd64 CVE-2009-2910
LOW DoS by using malformed LDT amd64 CVE-2008-3247
LOW DoS on floating point exceptions powerpc HTX CVE-2007-3107
LOW DoS on 32-bit compatibility mode amd64 CVE-2005-1765
In other words, if you are running a pure 32 bits environment, our initial intuition was almost good with two bugs so far (in 2004 and 2006). However, on AMD64, I wouldn’t bet.
Disclaimer: Off course, theses numbers are meaningless because of the non-disclosure policy of the kernel’s developpers.