FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- amd64 swapgs local privilege escalation

Affected systems
6.3 < FreeBSD < 6.3_4
7.0 < FreeBSD < 7.0_4

Details

VuXML ID 6d4e4759-7b67-11dd-80ba-000bcdf0a03b
Discovery 2008-09-03
Entry 2008-09-05

Problem Description:

If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not resulting in userland and kernel state being mixed.

Impact:

A local attacker can by causing a General Protection Fault while the kernel is returning from an interrupt, trap or system call while manipulating stack frames and, run arbitrary code with kernel privileges.

The vulnerability can be used to gain kernel / supervisor privilege. This can for example be used by normal users to gain root privileges, to break out of jails, or bypass Mandatory Access Control (MAC) restrictions.

Workaround:

No workaround is available, but only systems running the 64 bit FreeBSD/amd64 kernels are vulnerable.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386 kernel are not vulnerable.

References

CVE Name CVE-2008-3890
FreeBSD Advisory SA-08:07.amd64