Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 28 Dec 2014 07:40:51 -0800
From: Andy Lutomirski <luto@...capital.net>
To: P J P <ppandit@...hat.com>
Cc: oss security list <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: Linux x86_64 userspace address leak

On Dec 26, 2014 5:49 AM, "P J P" <ppandit@...hat.com> wrote:
>
> +-- On Thu, 18 Dec 2014, Andy Lutomirski wrote --+
> | On all* Linux x86_64 kernels, malicious user programs can learn the
> | TLS base addresses of threads** that they preempt.
> |
> | In principle, this bug will allow programs to partially bypass ASLR
> | when attacking other user programs.  Figuring out how to adapt the
> | test code to do that is left as an exercise to the reader.
> |
> |
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e
> |
> | ** The attack won't work against 64-bit threads with TLS bases > 4GB,
> | but AFAIK that's unusual.
>
>   It seems to require 32bit interfaces(CONFIG_X86_32). On x86_64
Fedora/RHEL
> kernels, it says:

Try building with -m32 but running on a 64-bit kernel.

--Andy

>
> ===
> $ cat /etc/redhat-release
> Fedora release 21 (Twenty One)
> $
> $ cc -xc -o estest estest.c
> $ cc -xc -o gsbasetest gsbasetest.c
> $
> $ ./estest
> estest: set_thread_area: Function not implemented
> $
> $ ./gsbasetest
> [OK]    ARCH_SET_GS worked
> [OK]    Writing 0 to gs worked
> [FAIL]  gsbase was corrupted
> $
> ===
>
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.