oss-sec mailing list archives
CVE Request: Linux kernel unprivileged denial-of-service due to mis-protected xsave/xrstor instructions.
From: Quentin Casasnovas <quentin.casasnovas () oracle com>
Date: Wed, 18 Mar 2015 11:14:05 +0100
Hi, Jamie and I discovered there was a flaw in the way the xsave/xrstor (and their alternative instructions) were being protected against a fault in kernel space from linux 3.15. The problem was introduced in commit f31a9f7 ("x86/xsaves: Use xsaves/xrstors to save and restore xsave area") which ends up protecting the .altinstr_replacement from faulting instead of the target of the alternative in .text, leaving the instruction un-protected. You can find a reproducer (thanks to Allan for his help with/comments on it!) triggering the fault in kernel space attached to this e-mail but it should be noted there are a few different places where these instructions are used un-protected and the reproducer only uses one of them present in the kvm code. You can find a list of all such places in the attached unprotected_xsave_faults attachment which was generated against a v4.0-rc1 defconfig + CONFIG_KVM vmlinux.o (the most concerning one probably being in __switch_to()). The reproducer is a patch to apply on top of lkvm (https://github.com/penberg/linux-kvm) but it should be trivial to write as a standalone C application. It should be noted that this vulnerability is present even if the hardware does not support xsaveS. This is fixed by upstream commit 06c8173eb: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=06c8173eb92bbfc03a0fe8bb64315857d0badd06 Other patches to prevent introduction of the same class of vulnerability are currently being reviewed on lkml: https://lkml.org/lkml/2015/3/17/462 I haven't received any news from cve-assign when this issue was previously discussed on security () kernel org. Could a CVE be assigned to this please? Thanks, Quentin
Attachment:
xsave-fault-reproducer.patch
Description:
Attachment:
unprotected_xsave_faults
Description:
Current thread:
- CVE Request: Linux kernel unprivileged denial-of-service due to mis-protected xsave/xrstor instructions. Quentin Casasnovas (Mar 18)