oss-sec mailing list archives

Re: CVE Request: Linux x86_64 userspace address leak

From: P J P <ppandit () redhat com>
Date: Fri, 26 Dec 2014 19:19:27 +0530 (IST)

+-- On Thu, 18 Dec 2014, Andy Lutomirski wrote --+
| On all* Linux x86_64 kernels, malicious user programs can learn the
| TLS base addresses of threads** that they preempt.
| 
| In principle, this bug will allow programs to partially bypass ASLR
| when attacking other user programs.  Figuring out how to adapt the
| test code to do that is left as an exercise to the reader.
| 
| 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e
| 
| ** The attack won't work against 64-bit threads with TLS bases > 4GB,
| but AFAIK that's unusual.

  It seems to require 32bit interfaces(CONFIG_X86_32). On x86_64 Fedora/RHEL 
kernels, it says:

===
$ cat /etc/redhat-release 
Fedora release 21 (Twenty One)
$ 
$ cc -xc -o estest estest.c 
$ cc -xc -o gsbasetest gsbasetest.c 
$ 
$ ./estest 
estest: set_thread_area: Function not implemented
$ 
$ ./gsbasetest 
[OK]    ARCH_SET_GS worked
[OK]    Writing 0 to gs worked
[FAIL]  gsbase was corrupted
$
===

--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

Current thread:

CVE Request: Linux x86_64 userspace address leak Andy Lutomirski (Dec 18)
- Re: CVE Request: Linux x86_64 userspace address leak cve-assign (Dec 24)
- Re: CVE Request: Linux x86_64 userspace address leak P J P (Dec 26)
  - Re: CVE Request: Linux x86_64 userspace address leak Andy Lutomirski (Dec 28)