[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrUvz+ABna38d-at13Z=X=O_juH1FROqg5YDNSvzAZj3sQ@mail.gmail.com>
Date: Mon, 24 Aug 2015 17:27:54 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss security list <oss-security@...ts.openwall.com>
Subject: CVE Request: Linux x86_64 NT flag issue
When I fixed Linux's NT flag handling, I added an optimization to
Linux 3.19 and up. A malicious 32-bit program might be able to leak
NT into an unrelated task. On a CONFIG_PREEMPT=y kernel, this is a
straightforward DoS. On a CONFIG_PREEMPT=n kernel, it's probably
still exploitable for DoS with some more care.
I believe that this could be used for privilege escalation, too, but
it won't be easy.
The fix is just to revert the optimization:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=512255a2ad2c832ca7d4de9f31245f73781922d0
Mitigation: CONFIG_IA32_EMULATION=n. Seccomp does *not* mitigate this bug.
--Andy
P.S. This is yet another x86 mis-design leading to garbage results.
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
