Date: Wed, 18 Mar 2015 11:14:05 +0100
From: Quentin Casasnovas <quentin.casasnovas@...cle.com>
To: CVE-assign <cve-assign@...re.org>, oss-sec <oss-security@...ts.openwall.com>
Cc: Jamie Iles <jamie.iles@...cle.com>, Allan Xavier <mr.a.xavier@...il.com>
Subject: CVE Request: Linux kernel unprivileged denial-of-service due to mis-protected xsave/xrstor instructions.

Hi,

Jamie and I discovered there was a flaw in the way the xsave/xrstor (and their alternative instructions) were being protected against a fault in kernel space from Linux 3.15. The problem was introduced in commit f31a9f7 ("x86/xsaves: Use xsaves/xrstors to save and restore xsave area"), which ends up protecting the .altinstr_replacement from faulting instead of the target of the alternative in .text, leaving the instruction unprotected.

You can find a reproducer (thanks to Allan for his help with/comments on it!) triggering the fault in kernel space attached to this e-mail, but it should be noted there are a few different places where these instructions are used unprotected, and the reproducer only uses one of them, present in the kvm code. You can find a list of all such places in the attached unprotected_xsave_faults attachment, which was generated against a v4.0-rc1 defconfig + CONFIG_KVM vmlinux.o (the most concerning one probably being in __switch_to()).

The reproducer is a patch to apply on top of lkvm (https://github.com/penberg/linux-kvm), but it should be trivial to write as a standalone C application.

It should be noted that this vulnerability is present even if the hardware does not support xsaveS.
This is fixed by upstream commit 06c8173eb:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=06c8173eb92bbfc03a0fe8bb64315857d0badd06

Other patches to prevent introduction of the same class of vulnerability are currently being reviewed on lkml:
https://lkml.org/lkml/2015/3/17/462

I haven't received any news from cve-assign when this issue was previously discussed on security@...nel.org. Could a CVE be assigned to this please?

Thanks,
Quentin

View attachment "xsave-fault-reproducer.patch" of type "text/x-diff" (2168 bytes)
View attachment "unprotected_xsave_faults" of type "text/plain" (8956 bytes)
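As an added illustration of the bug class described in the e-mail (this is not part of the post, the reproducer, or the kernel's own code): a small user-space C model of x86 alternatives patching plus an exception-table lookup. It shows why a fixup entry recorded against the template in `.altinstr_replacement` never matches the copy of the instruction that actually executes in `.text`, whether or not the CPU feature that triggers the patching is present. The section layout, the opcode byte values, and the `apply_alternatives` / `search_exception_tables` helpers are simplified, constructed stand-ins for the kernel mechanisms of the same names.

```c
/* Constructed model of the "exception table points at the alternative
 * template instead of the .text target" defect. Not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEC_SIZE 16

/* Two constructed "sections", modelled as byte arrays. Only .text is
 * ever executed; .altinstr_replacement holds patch templates. */
static uint8_t text[SEC_SIZE];
static uint8_t altinstr_replacement[SEC_SIZE];

/* Constructed opcode stand-ins (deliberately not real x86 encodings). */
enum { OP_NOP = 0x90, OP_XSAVE = 0xA1, OP_XSAVES = 0xA2 };

/* Exception-table entry: address that may fault and the fixup to run. */
struct exception_entry {
    const uint8_t *insn;
    int fixup_id;
};

/* Alternative: replace len bytes at text+text_off with the template at
 * altinstr_replacement+repl_off when the CPU feature is present. */
struct alt_instr {
    size_t text_off;
    size_t repl_off;
    size_t len;
};

/* Model of apply_alternatives(): copies the template into .text in place.
 * The template bytes themselves are never executed. */
static void apply_alternatives(const struct alt_instr *a, int cpu_has_xsaves)
{
    if (cpu_has_xsaves)
        memcpy(text + a->text_off, altinstr_replacement + a->repl_off, a->len);
}

/* Model of search_exception_tables(): exact match on the faulting IP.
 * Returns 0 when no entry matches; in the kernel that path is an oops. */
static int search_exception_tables(const struct exception_entry *tab, size_t n,
                                   const uint8_t *fault_ip)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].insn == fault_ip)
            return tab[i].fixup_id;
    return 0;
}

/* Builds the sections, registers one exception-table entry either against
 * the .text target (register_against_text != 0, the fixed layout) or
 * against the template in .altinstr_replacement (the buggy layout),
 * applies the alternative, then looks up a fault at the .text instruction.
 * Returns the fixup id found, or 0 for an unhandled fault. */
int fixup_for_text_fault(int register_against_text, int cpu_has_xsaves)
{
    struct alt_instr alt = { .text_off = 4, .repl_off = 0, .len = 1 };

    memset(text, OP_NOP, sizeof text);
    memset(altinstr_replacement, OP_NOP, sizeof altinstr_replacement);
    text[alt.text_off] = OP_XSAVE;                 /* original instruction */
    altinstr_replacement[alt.repl_off] = OP_XSAVES; /* replacement template */

    /* An extable macro expanded inside the replacement block records the
     * address of the instruction in *that* section, not in .text. */
    struct exception_entry tab[1] = {{
        .insn = register_against_text ? text + alt.text_off
                                      : altinstr_replacement + alt.repl_off,
        .fixup_id = 1,
    }};

    apply_alternatives(&alt, cpu_has_xsaves);

    /* Whether .text now holds xsave or xsaves, a fault is raised from the
     * .text address; the template address never appears as an IP. */
    const uint8_t *fault_ip = text + alt.text_off;
    return search_exception_tables(tab, 1, fault_ip);
}

int main(void)
{
    const char *layout[2] = { "entry -> .altinstr_replacement (buggy)",
                              "entry -> .text target (fixed)" };
    for (int fixed = 0; fixed < 2; fixed++)
        for (int xsaves = 0; xsaves < 2; xsaves++)
            printf("%-40s cpu_has_xsaves=%d fixup=%d\n", layout[fixed],
                   xsaves, fixup_for_text_fault(fixed, xsaves));
    return 0;
}
```

The buggy layout returns 0 in both feature cases, which matches the e-mail's note that the hardware need not support xsaves for the instruction in `.text` to be left unprotected; the check a reviewer would want is simply that every extable entry resolves to an address that can actually be executed.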