oss-sec mailing list archives

Re: Partial SMAP bypass on 64-bit Linux kernels

From: cve-assign () mitre org
Date: Thu, 31 Mar 2016 16:31:25 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/commit/?h=x86/urgent&id=3d44d51bd339766f0178f0cf2e8d048b4a4872aa

That patch fixes a bug that exposed a fairly large kernel code surface
to a straightforward SMAP bypass.

From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 29 Mar 2016 17:00:03 +0200

@MITRE CVE assignment team: Would it make sense to have a CVE id
assigned for this issue for better trackability?


We're going to approach this one in the same way as the issue that was
later assigned CVE-2016-2847.

Specifically, is there anyone who believes
3d44d51bd339766f0178f0cf2e8d048b4a4872aa must not have a CVE ID?

The situation, very roughly, seems to be that the upstream vendor has
announced that the behavior is a bug. CLAC occurs at a correct place
for some types of entries, but accidentally did not occur at a correct
place in the case of entries through the int80 gate. Consequently,
exploits of kernel vulnerabilities can cause more damage in some
cases.

However, it seems to be a bug in how the kernel responds to a
post-exploitation attack pattern. This is not a topic area that
commonly has CVE ID assignments. Access by the kernel to a user space
page is not an action that "crosses a privilege boundary" in a
traditional sense.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW/YinAAoJEL54rhJi8gl5LXcQAJ71fH0G8ucsjSEuUOhrxA27
4cklfaLGWRTExNNHVbHLKKt2kl2QakS5U37z3phkAoji3X7fhK2qBZNL5TLnVae6
7wZ8j+oMZaQTob7mf5AN/WYA/C30MnjqpABPb8iiBdM+7utiVrZW5aOFiKdXyFfM
sg1gmYuGzPdcxc0yYjfX4CLvaljUbnzB0ZQNqO8OuCyj8eKR94pbhXBhw1sIWmje
07Km2qy3NzIZuZj0QC51yy05fPRf1kQUgsDLWGknnLNDGKc5iXA+o7yufDYF1468
MFDYcMz7kOoDefxtakZRXfq430Bs6wzt0dvPMVo27fHTXwTqIV609rX76mXoJEoM
7v+i5b9u+IWIpkOJyorB0pIP10Sd501uIjlfNUMVu1pGzF7iGmbkDWdyXVGx2RHZ
JFD4VRK5KTMAFrb1CeO7JCNkNHoQp55Dj1qeZZUHoPFI7CpCkeIWU+m3NC2IiYTe
F+eTeedFkPb7HPJ04QPY2821ETZfjVsii0ocMACQa5lQD5NwS3DIEy8dYmam3P90
EIRqafs94Bc02u4gvskIqDHTPjep9x/x2ODtbE/fPfpjUwpIE2H4ymR2WD6Cvj7E
EP0zmvip5Ec3kBx62r4yUFp6TQmf1EY7l2w+CdkotPFuuh+/L8Px8thg+hKV39Jo
QxUGU9yWdo2caoenKZi2
=ADv/
-----END PGP SIGNATURE-----

Current thread:

Partial SMAP bypass on 64-bit Linux kernels Andy Lutomirski (Feb 26)
- Re: Partial SMAP bypass on 64-bit Linux kernels Salvatore Bonaccorso (Mar 29)
- Re: Partial SMAP bypass on 64-bit Linux kernels cve-assign (Mar 31)
  - Re: Re: Partial SMAP bypass on 64-bit Linux kernels Steve Grubb (Mar 31)
  - Re: Re: Partial SMAP bypass on 64-bit Linux kernels P J P (Mar 31)