[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request: Linux x86_64 userspace address leak
From:       Andy Lutomirski <luto () amacapital ! net>
Date:       2014-12-28 15:40:51
Message-ID: CALCETrX_NswMdO1KBu9s0udf3Z9XLpF6xTgy6=orvLJLPGK7aQ () mail ! gmail ! com
[Download RAW message or body]


On Dec 26, 2014 5:49 AM, "P J P" <ppandit@redhat.com> wrote:
> 
> +-- On Thu, 18 Dec 2014, Andy Lutomirski wrote --+
> > On all* Linux x86_64 kernels, malicious user programs can learn the
> > TLS base addresses of threads** that they preempt.
> > 
> > In principle, this bug will allow programs to partially bypass ASLR
> > when attacking other user programs.  Figuring out how to adapt the
> > test code to do that is left as an exercise to the reader.
> > 
> > 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e

> > 
> > ** The attack won't work against 64-bit threads with TLS bases > 4GB,
> > but AFAIK that's unusual.
> 
> It seems to require 32bit interfaces(CONFIG_X86_32). On x86_64
Fedora/RHEL
> kernels, it says:

Try building with -m32 but running on a 64-bit kernel.

--Andy

> 
> ===
> $ cat /etc/redhat-release
> Fedora release 21 (Twenty One)
> $
> $ cc -xc -o estest estest.c
> $ cc -xc -o gsbasetest gsbasetest.c
> $
> $ ./estest
> estest: set_thread_area: Function not implemented
> $
> $ ./gsbasetest
> [OK]    ARCH_SET_GS worked
> [OK]    Writing 0 to gs worked
> [FAIL]  gsbase was corrupted
> $
> ===
> 
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F



[prev in list] [next in list] [prev in thread] [next in thread]