Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 24 Aug 2015 17:27:54 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss security list <oss-security@...ts.openwall.com>
Subject: CVE Request: Linux x86_64 NT flag issue

When I fixed Linux's NT flag handling, I added an optimization to
Linux 3.19 and up.  A malicious 32-bit program might be able to leak
NT into an unrelated task.  On a CONFIG_PREEMPT=y kernel, this is a
straightforward DoS.  On a CONFIG_PREEMPT=n kernel, it's probably
still exploitable for DoS with some more care.

I believe that this could be used for privilege escalation, too, but
it won't be easy.

The fix is just to revert the optimization:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=512255a2ad2c832ca7d4de9f31245f73781922d0

Mitigation: CONFIG_IA32_EMULATION=n.  Seccomp does *not* mitigate this bug.

--Andy

P.S. This is yet another x86 mis-design leading to garbage results.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ