oss-sec mailing list archives
Re: CVE Request: Linux x86_64 userspace address leak
From: Andy Lutomirski <luto () amacapital net>
Date: Sun, 28 Dec 2014 07:40:51 -0800
On Dec 26, 2014 5:49 AM, "P J P" <ppandit () redhat com> wrote:
+-- On Thu, 18 Dec 2014, Andy Lutomirski wrote --+ | On all* Linux x86_64 kernels, malicious user programs can learn the | TLS base addresses of threads** that they preempt. | | In principle, this bug will allow programs to partially bypass ASLR | when attacking other user programs. Figuring out how to adapt the | test code to do that is left as an exercise to the reader. | |
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e
| | ** The attack won't work against 64-bit threads with TLS bases > 4GB, | but AFAIK that's unusual. It seems to require 32bit interfaces(CONFIG_X86_32). On x86_64
Fedora/RHEL
kernels, it says:
Try building with -m32 but running on a 64-bit kernel. --Andy
=== $ cat /etc/redhat-release Fedora release 21 (Twenty One) $ $ cc -xc -o estest estest.c $ cc -xc -o gsbasetest gsbasetest.c $ $ ./estest estest: set_thread_area: Function not implemented $ $ ./gsbasetest [OK] ARCH_SET_GS worked [OK] Writing 0 to gs worked [FAIL] gsbase was corrupted $ === -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
Current thread:
- CVE Request: Linux x86_64 userspace address leak Andy Lutomirski (Dec 18)
- Re: CVE Request: Linux x86_64 userspace address leak cve-assign (Dec 24)
- Re: CVE Request: Linux x86_64 userspace address leak P J P (Dec 26)
- Re: CVE Request: Linux x86_64 userspace address leak Andy Lutomirski (Dec 28)