
Joseph Furches

COSC 440 (Prof. Yasinovskyy)


CVE-2010-3081-review

CVE-2010-3081
CVE-2010-3081 is a critical vulnerability in the “compat_mc_getsockopt” function, which is used for sockets. The vulnerability was introduced during the creation of a subroutine designed to make 64-bit versions of Linux compatible with 32-bit programs when allocating memory, similar to malloc in C.

In this particular case the programmers failed to check whether the memory being allocated was valid in the “getsockopt” function. So by passing an optname parameter of MCAST_MSFILTER to getsockopt, we can also send in a struct and specify the length of memory we want allocated for that struct. Because the memory allocation subroutine does not check whether the memory address being used is valid, and because it finds the address at which to start allocating by subtracting the length of the struct from the stack pointer, a user can underflow the stack by sending in a very large number for the length. This causes the routine to wrap around and start writing at the bottom of the stack where the kernel is held, allowing the user to plant code where it should not be.

Once the user has planted his code in the kernel, he need only wait for it to execute and voilà: planted code executing at the kernel level. This could be used to open a root shell, crash the system, or do any number of other malicious things.

The patch for the exploit was simply to make the memory allocation method call another function, “access_ok()”, which verifies that the memory being written is valid. It was a simple oversight on the part of the programmers, but the exploit was widely used against several systems in the time between its discovery and the release of the patch.

The affected systems are 64-bit Linux systems that are using the unpatched “compat_alloc_user_space()”, which is the vulnerable memory allocating subroutine.
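To make the subtract-then-check pattern concrete, here is an added example (my own user-space model, not the Linux kernel's code) that places the unchecked allocation beside the patched form. The address-space boundary, the stack pointer and the kernel address are constructed placeholder values; sim_access_ok() is an assumption that stands in for the kernel's access_ok() and only models its two checks: the range must not wrap, and it must lie entirely below the user/kernel boundary.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 64-bit process: user addresses are [0, USER_LIMIT),
 * everything at or above USER_LIMIT is treated as kernel space. */
#define USER_LIMIT       UINT64_C(0x0000800000000000)
/* Constructed user stack pointer of the calling task. */
#define DEMO_USER_SP     UINT64_C(0x00007fffffffe000)
/* Constructed kernel-space address used to show where a wrapped pointer lands. */
#define DEMO_KERNEL_ADDR UINT64_C(0xffffffff81000000)
/* A length chosen so that DEMO_USER_SP - DEMO_HUGE_LEN wraps to DEMO_KERNEL_ADDR. */
#define DEMO_HUGE_LEN    (DEMO_USER_SP - DEMO_KERNEL_ADDR)

/* Shape of the unpatched helper as the review describes it: carve `len` bytes
 * off the user stack by subtracting from the stack pointer, with no check.
 * An attacker-chosen huge `len` makes the subtraction wrap. */
static uint64_t vuln_compat_alloc(uint64_t sp, uint64_t len)
{
    return sp - len;
}

/* Simulated access_ok(): [addr, addr+len) must not wrap around and must sit
 * entirely below the user/kernel boundary. Returns 1 if valid, 0 otherwise. */
static int sim_access_ok(uint64_t addr, uint64_t len)
{
    if (addr + len < addr)        /* arithmetic wrap: rejected */
        return 0;
    if (addr + len > USER_LIMIT)  /* crosses into kernel space: rejected */
        return 0;
    return 1;
}

/* Patched shape: same subtraction, but the resulting range is validated and
 * a failing check returns 0 (NULL) instead of handing back a bad pointer. */
static uint64_t fixed_compat_alloc(uint64_t sp, uint64_t len)
{
    uint64_t ptr = sp - len;
    if (!sim_access_ok(ptr, len))
        return 0;
    return ptr;
}

/* Helper for the demonstration: does this pointer lie in kernel space? */
static int points_into_kernel(uint64_t ptr)
{
    return ptr >= USER_LIMIT;
}

int main(void)
{
    uint64_t small = 64;

    /* Normal request: both versions return a user-space address below sp. */
    printf("vuln  small: 0x%016" PRIx64 "\n", vuln_compat_alloc(DEMO_USER_SP, small));
    printf("fixed small: 0x%016" PRIx64 "\n", fixed_compat_alloc(DEMO_USER_SP, small));

    /* Huge request: the unchecked version wraps into kernel space,
     * the checked version refuses it. */
    uint64_t bad = vuln_compat_alloc(DEMO_USER_SP, DEMO_HUGE_LEN);
    printf("vuln  huge : 0x%016" PRIx64 " (kernel space: %s)\n",
           bad, points_into_kernel(bad) ? "yes" : "no");
    printf("fixed huge : 0x%016" PRIx64 " (0 means rejected)\n",
           fixed_compat_alloc(DEMO_USER_SP, DEMO_HUGE_LEN));
    return 0;
}
```

Note that the wrap check is the one that matters here: because ptr + len always equals sp, the "below the boundary" test alone would pass for a wrapped pointer, which is why a validity check must reject ranges that overflow, not just ranges that end too high.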
