List: oss-security
Subject: Re: [oss-security] CVE Request: Linux x86_64 userspace address leak
From: Andy Lutomirski <luto () amacapital ! net>
Date: 2014-12-28 15:40:51
Message-ID: CALCETrX_NswMdO1KBu9s0udf3Z9XLpF6xTgy6=orvLJLPGK7aQ () mail ! gmail ! com
On Dec 26, 2014 5:49 AM, "P J P" <ppandit@redhat.com> wrote:
>
> +-- On Thu, 18 Dec 2014, Andy Lutomirski wrote --+
> > On all* Linux x86_64 kernels, malicious user programs can learn the
> > TLS base addresses of threads** that they preempt.
> >
> > In principle, this bug will allow programs to partially bypass ASLR
> > when attacking other user programs. Figuring out how to adapt the
> > test code to do that is left as an exercise to the reader.
> >
> >
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86?id=f647d7c155f069c1a068030255c300663516420e
> >
> > ** The attack won't work against 64-bit threads with TLS bases > 4GB,
> > but AFAIK that's unusual.
>
> It seems to require 32-bit interfaces (CONFIG_X86_32). On x86_64 Fedora/RHEL
> kernels, it says:
Try building with -m32 but running on a 64-bit kernel.
--Andy
>
> ===
> $ cat /etc/redhat-release
> Fedora release 21 (Twenty One)
> $
> $ cc -xc -o estest estest.c
> $ cc -xc -o gsbasetest gsbasetest.c
> $
> $ ./estest
> estest: set_thread_area: Function not implemented
> $
> $ ./gsbasetest
> [OK] ARCH_SET_GS worked
> [OK] Writing 0 to gs worked
> [FAIL] gsbase was corrupted
> $
> ===
>
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F