CVE-2010-3081

The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a "stack pointer underflow" issue, as exploited in the wild in September 2010.

From the Ubuntu Security Team

Ben Hawkes discovered that the Linux kernel did not correctly validate memory ranges on 64bit kernels when allocating memory on behalf of 32bit system calls. On a 64bit system, a local attacker could perform malicious multicast getsockopt calls to gain root privileges.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
linux	10.10 maverick	Fixed 2.6.35-22.32
	10.04 LTS lucid	Fixed 2.6.32-24.43
	9.10 karmic	Fixed 2.6.31-22.65
	9.04 jaunty	Fixed 2.6.28-19.65
	8.04 LTS hardy	Fixed 2.6.24-28.79
	6.06 LTS dapper	Not in release
linux-fsl-imx51	10.10 maverick	Not in release
	10.04 LTS lucid	Fixed 2.6.31-608.22
	9.10 karmic	Fixed 2.6.31-112.30
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release
linux-source-2.6.15	10.10 maverick	Not in release
	10.04 LTS lucid	Not in release
	9.10 karmic	Not in release
	9.04 jaunty	Not in release
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Fixed 2.6.15-55.88
linux-ti-omap4	10.10 maverick	Fixed 2.6.35-903.22
	10.04 LTS lucid	Not in release
	9.10 karmic	Not in release
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
linux	Upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c41d68a513c71e35a14f66d71782d27a79a81ea6 Hardy: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3081/patches/hardy/linux/0001-compat-Make-compat_alloc_user_space-incorporate-the-ac.txt Jaunty: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3081/patches/jaunty/linux/0001-compat-Make-compat_alloc_user_space-incorporate-the-ac.txt Karmic: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3081/patches/karmic/linux/0001-compat-Make-compat_alloc_user_space-incorporate-the-ac.txt Lucid: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3081/patches/lucid/linux/0001-compat-Make-compat_alloc_user_space-incorporate-the-ac.txt
linux-source-2.6.15	Dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3081/patches/dapper/linux/0001-compat-Make-compat_alloc_user_space-incorporate-the-ac.txt

Package

Patch details

linux

linux-source-2.6.15

Dapper: http://chinstrap.ubuntu.com/~smb/CVEs/CVE-2010-3081/patches/dapper/linux/0001-compat-Make-compat_alloc_user_space-incorporate-the-ac.txt

Severity score breakdown

Parameter	Value
Base score	7.8 · High
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-988-1
Linux kernel vulnerabilities
17 September 2010

USN-1074-1
Linux kernel vulnerabilities
25 February 2011

USN-1119-1
Linux kernel (OMAP4) vulnerabilities
20 April 2011

USN-1074-2
Linux kernel vulnerabilities
28 February 2011

Other references

https://www.cve.org/CVERecord?id=CVE-2010-3081

Cvss 3 Severity Score

From the Ubuntu Security Team

Status

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references