oss-sec mailing list archives
CVE Request: Linux x86_64 NT flag issue
From: Andy Lutomirski <luto () amacapital net>
Date: Mon, 24 Aug 2015 17:27:54 -0700
When I fixed Linux's NT flag handling, I added an optimization to Linux 3.19 and up. A malicious 32-bit program might be able to leak NT into an unrelated task. On a CONFIG_PREEMPT=y kernel, this is a straightforward DoS. On a CONFIG_PREEMPT=n kernel, it's probably still exploitable for DoS with some more care. I believe that this could be used for privilege escalation, too, but it won't be easy.

The fix is just to revert the optimization:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=512255a2ad2c832ca7d4de9f31245f73781922d0

Mitigation: CONFIG_IA32_EMULATION=n. Seccomp does *not* mitigate this bug.

--Andy

P.S. This is yet another x86 mis-design leading to garbage results.
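The message names one configuration-level mitigation (CONFIG_IA32_EMULATION=n) and notes that the DoS is easiest on CONFIG_PREEMPT=y kernels. The following script is an added example, not part of Andy's post or of the kernel tree, that reads a kernel .config (the running kernel's /boot/config-$(uname -r) or /proc/config.gz, or any file passed as an argument) and reports whether that mitigation is in place and which preemption model is built in. It only inspects config text; whether a given kernel actually carries the revert commit linked above cannot be determined from .config alone, so the script says so rather than guessing.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel .config for the
# CONFIG_IA32_EMULATION=n mitigation named in the message, and report the
# preemption model. Assumes the standard Kconfig output format
# ("CONFIG_FOO=y" or "# CONFIG_FOO is not set").

# ia32_emulation_state <config-file>: prints enabled | disabled | unknown
ia32_emulation_state() {
    cfg="$1"
    if grep -q '^CONFIG_IA32_EMULATION=y' "$cfg" 2>/dev/null; then
        echo enabled
    elif grep -q '^# CONFIG_IA32_EMULATION is not set' "$cfg" 2>/dev/null; then
        echo disabled
    else
        echo unknown
    fi
}

# preempt_state <config-file>: prints preempt | no-preempt | unknown
# (CONFIG_PREEMPT_VOLUNTARY=y does not count as CONFIG_PREEMPT=y; the "=y"
# anchor keeps the two apart.)
preempt_state() {
    cfg="$1"
    if grep -q '^CONFIG_PREEMPT=y' "$cfg" 2>/dev/null; then
        echo preempt
    elif grep -q '^# CONFIG_PREEMPT is not set' "$cfg" 2>/dev/null; then
        echo no-preempt
    else
        echo unknown
    fi
}

# report <config-file>: one-line human-readable summary
report() {
    cfg="$1"
    ia32=$(ia32_emulation_state "$cfg")
    preempt=$(preempt_state "$cfg")
    case "$ia32" in
        disabled)
            echo "mitigated: CONFIG_IA32_EMULATION is not set (32-bit entry path not built); preemption=$preempt" ;;
        enabled)
            echo "not mitigated by config: CONFIG_IA32_EMULATION=y, preemption=$preempt; confirm the kernel carries the revert" ;;
        *)
            echo "unknown: CONFIG_IA32_EMULATION not found in $cfg" ;;
    esac
}

# running_config: prints the path of a readable config for the running kernel,
# decompressing /proc/config.gz to a temp file if that is all that exists.
running_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp)
        zcat /proc/config.gz > "$tmp" && echo "$tmp"
    fi
}

# Demo on a constructed sample config (not a real kernel's config), then on
# the running kernel if a config is available or a path was given.
sample=$(mktemp)
printf 'CONFIG_IA32_EMULATION=y\nCONFIG_PREEMPT_VOLUNTARY=y\n# CONFIG_PREEMPT is not set\n' > "$sample"
echo "constructed sample: $(report "$sample")"
rm -f "$sample"

target="${1:-$(running_config)}"
if [ -n "$target" ] && [ -r "$target" ]; then
    echo "$target: $(report "$target")"
fi
```

Run it with no arguments on the host to check the running kernel, or pass a .config path to audit a build tree before compiling. A "mitigated" line means the 32-bit compat entry path that the message refers to is not compiled in at all; "not mitigated by config" means the kernel must be checked against the linked revert by other means (package changelog or source).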
Current thread:

- CVE Request: Linux x86_64 NT flag issue - Andy Lutomirski (Aug 24)
- Re: CVE Request: Linux x86_64 NT flag issue - Linux kernel - cve-assign (Aug 24)
- Re: CVE Request: Linux x86_64 NT flag issue - Linux kernel - Andy Lutomirski (Aug 29)
- Re: CVE Request: Linux x86_64 NT flag issue - Linux kernel - cve-assign (Sep 14)