Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Mar 2015 11:14:05 +0100
From: Quentin Casasnovas <quentin.casasnovas@...cle.com>
To: CVE-assign <cve-assign@...re.org>,
        oss-sec <oss-security@...ts.openwall.com>
Cc: Jamie Iles <jamie.iles@...cle.com>, Allan Xavier <mr.a.xavier@...il.com>
Subject: CVE Request: Linux kernel unprivileged denial-of-service due to
 mis-protected xsave/xrstor instructions.

Hi,

Jamie and I discovered there was a flaw in the way the xsave/xrstor (and
their alternative instructions) were being protected against a fault in
kernel space from linux 3.15.  The problem was introduced in commit f31a9f7
("x86/xsaves: Use xsaves/xrstors to save and restore xsave area") which
ends up protecting the .altinstr_replacement from faulting instead of the
target of the alternative in .text, leaving the instruction un-protected.

You can find a reproducer (thanks to Allan for his help with/comments on
it!) triggering the fault in kernel space attached to this e-mail but it
should be noted there are a few different places where these instructions
are used un-protected and the reproducer only uses one of them present in
the kvm code.  You can find a list of all such places in the attached
unprotected_xsave_faults attachment which was generated against a v4.0-rc1
defconfig + CONFIG_KVM vmlinux.o (the most concerning one probably being in
__switch_to()).  The reproducer is a patch to apply on top of lkvm
(https://github.com/penberg/linux-kvm) but it should be trivial to write as
a standalone C application.

It should be noted that this vulnerability is present even if the hardware
does not support xsaveS.

This is fixed by upstream commit 06c8173eb:

  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=06c8173eb92bbfc03a0fe8bb64315857d0badd06

Other patches to prevent introduction of the same class of vulnerability
are currently being reviewed on lkml:

  https://lkml.org/lkml/2015/3/17/462

I haven't received any news from cve-assign when this issue was previously
discussed on security@...nel.org.  Could a CVE be assigned to this please?

Thanks,
Quentin

View attachment "xsave-fault-reproducer.patch" of type "text/x-diff" (2168 bytes)

View attachment "unprotected_xsave_faults" of type "text/plain" (8956 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ