Just Another Geek

25 Aug 2010

What is really the attack surface of the kernel running a SECCOMP process?

In a previous post, I said the attack surface of the kernel for processes running SECCOMP was really low. To confirm this assumption, each vulnerability affecting the 2.6 kernel was reviewed.

Only those triggerable from a SECCOMPed process were kept. On 440 vulnerabilities, 13 were qualified:

Impact Description Architecture Reference

HIGH infinite loop triggering signal handler i386 CVE-2004-0554 MEDIUM audit_syscall_entry bypass amd64 CVE-2009-0834 MEDIUM SECCOMP bypass amd64 CVE-2009-0835 MEDIUM Non-sign extension of syscall arguments s390 CVE-2009-0029 MEDIUM EFLAGS leak on context switch amd64/i386 CVE-2006-5755 MEDIUM Nested faults amd64 CVE-2005-1767 MEDIUM Not handling properly certain privileged instructions s390 CVE-2004-0887 LOW Fix register leak in 32 bits syscall audititing amd64 81766741f LOW 64-bit kernel register leak to 32-bit processes amd64 24e35800c LOW Register leak amd64 CVE-2009-2910 LOW DoS by using malformed LDT amd64 CVE-2008-3247 LOW DoS on floating point exceptions powerpc HTX CVE-2007-3107 LOW DoS on 32-bit compatibility mode amd64 CVE-2005-1765

In other words, if you are running a pure 32 bits environment, our initial intuition was almost good with two bugs so far (in 2004 and 2006).¬†However, on AMD64, I wouldn’t bet.

Disclaimer: Off course, theses numbers are meaningless because of the non-disclosure policy of the kernel’s developpers.