Re: CVE Request: Linux x86_64 userspace address leak

[Andy Lutomirski <luto () amacapital net>]

On Dec 26, 2014 5:49 AM, "P J P" <ppandit () redhat com> wrote:
> +-- On Thu, 18 Dec 2014, Andy Lutomirski wrote --+
> | On all* Linux x86_64 kernels, malicious user programs can learn the
> | TLS base addresses of threads** that they preempt.
> |
> | In principle, this bug will allow programs to partially bypass ASLR
> | when attacking other user programs.  Figuring out how to adapt the
> | test code to do that is left as an exercise to the reader.
> |
> |
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e
> |
> | ** The attack won't work against 64-bit threads with TLS bases > 4GB,
> | but AFAIK that's unusual.
>
>   It seems to require 32bit interfaces(CONFIG_X86_32). On x86_64
Fedora/RHEL
> kernels, it says:

Try building with -m32 but running on a 64-bit kernel.

--Andy

> ===
> $ cat /etc/redhat-release
> Fedora release 21 (Twenty One)
> $
> $ cc -xc -o estest estest.c
> $ cc -xc -o gsbasetest gsbasetest.c
> $
> $ ./estest
> estest: set_thread_area: Function not implemented
> $
> $ ./gsbasetest
> [OK]    ARCH_SET_GS worked
> [OK]    Writing 0 to gs worked
> [FAIL]  gsbase was corrupted
> $
> ===
>
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F