Linux Kernel Privilege Escalation Vulnerability in PARISC Architecture via LWS Gateway Calls

A vulnerability in the Linux kernel's handling of user read access on PARISC architecture can lead to privilege escalation. The issue arises because read access interruptions, which are crucial for enforcing memory protection, are only triggered at privilege levels 2 and 3. User code can exploit this by performing a compare-and-swap operation on addresses protected at privilege level 3, bypassing the intended access controls. The vulnerability exists in the kernel's gateway page, which operates at privilege level 0, allowing unauthorized access to protected memory.

Impact

Exploitation of this vulnerability could allow user code to bypass memory protection mechanisms, potentially leading to unauthorized access or modification of kernel memory, and allowing for privilege escalation.

Reproduction

The vulnerability can be reproduced by executing user code that performs a LWS compare-and-swap operation on an address protected at privilege level 3. The code can be crafted to trigger memory reference interruptions without writing to memory, effectively bypassing the read access checks that are supposed to enforce protection at this privilege level.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version are available on the official Linux kernel website.